Cryptographic management

Cryptographic management is composed of communication modes and protocols that control the way that secure communication is handled between Lenovo XClarity Administrator and the managed devices (such as chassis, servers, and Flex switches).

Cryptographic mode

This setting determines the mode to use for secure communications. There are two options:
  • Compatibility. This mode is the default. It is compatible with older firmware versions, browsers, and other network clients that do not implement strict security standards that are required for compliance with NIST SP 800-131A.
  • NIST SP 800-131A. This mode is designed to comply with the NIST SP 800-131A standard. XClarity Administrator always uses strong cryptography internally and, where available, uses strong cryptography for network connections. In this mode, however, network connections that use cryptography not approved by NIST SP 800-131A are not permitted; in particular, Transport Layer Security (TLS) certificates that are signed with SHA-1 or a weaker hash are rejected.

    If you select this mode:
    • For all ports other than port 8443, all TLS CBC ciphers and all ciphers that do not support Perfect Forward Secrecy are disabled.

    • Event notifications might not be successfully pushed to some mobile-device subscriptions (see Forwarding events to mobile devices). External services, such as the Android and iOS push-notification services, present certificates that are signed with SHA-1, an algorithm that does not meet the stricter requirements of NIST SP 800-131A mode. As a result, connections to these services might fail with a certificate exception or a TLS handshake failure.

    For more information about NIST SP 800-131A compliance, see Implementing NIST SP 800-131A compliance.

When you change the cryptographic mode in XClarity Administrator, the cryptographic mode of all CMMs and baseboard management controllers in the managed devices is changed to the same setting automatically. Consider the following implications of changing the cryptographic mode:
  • If you switch from compatibility mode to NIST SP 800-131A mode and the current certificate authority on the managed CMMs and baseboard management controllers uses RSA-2048/SHA-1 (the default), an RSA-2048/SHA-256 certificate is regenerated on each managed chassis and server. The newly generated server certificates on the CMMs and baseboard management controllers then no longer match the copies of those server certificates that are stored in the XClarity Administrator trust store, so the devices show as having untrusted certificates. To resolve this issue, go to the Chassis page and the Servers page, and click All Actions > Resolve Untrusted Certificate for each device (see Resolving an untrusted server certificate).
  • Not all Flex switches support NIST SP 800-131A mode. If a Flex switch does support NIST SP 800-131A mode, you might need to change the configuration for the switches through the Flex switch interface. For information about support for NIST SP 800-131A and about switching Flex switches between compatibility mode and NIST SP 800-131A mode, see the product documentation that is available for the Flex switches. For more information, see CMM Reset in the Flex Systems online documentation.

For more information about cryptography, see Configuring cryptography settings.

Minimum Client TLS version

This setting determines the minimum TLS protocol version to use for client connections to other servers (such as the LDAP client). There are two options:
  • TLSv1.2. Enforces TLS 1.2 or later on both XClarity Administrator and all managed endpoints.

Minimum Server TLS version

This setting determines the minimum TLS protocol version to use for server connections (such as the web server). There are two options:
  • TLSv1.2. Enforces TLS 1.2 or later on both XClarity Administrator and all managed endpoints.
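The settings above describe a policy (TLS 1.2 or later, and in NIST SP 800-131A mode no CBC suites and no key exchange without forward secrecy), but the page gives no way to confirm that a managed CMM, baseboard management controller, or the appliance's own web server actually enforces it after the mode is switched. The following script is an added example, not Lenovo code: it classifies cipher-suite names against the rule stated for NIST SP 800-131A mode, builds a client context equivalent to the "Minimum Client TLS version = TLSv1.2" setting, and probes a host (hypothetical; pass whatever device address and port you want to verify) to see whether TLS 1.0, TLS 1.1, CBC-only, and non-PFS handshakes are rejected. It does not check the certificate's signature hash; confirm that separately with `openssl x509 -in cert.pem -noout -text` and look at the "Signature Algorithm" line.

```python
"""Probe a TLS endpoint for the behaviour NIST SP 800-131A mode is expected to
enforce: no TLS 1.0/1.1, no CBC suites, no key exchange without forward secrecy.
Added example; host/port are assumptions (e.g. a managed BMC, or the appliance)."""
import re
import socket
import ssl
import sys

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "ARIA")


def is_cbc(name):
    """True for CBC-mode suites. Handles IANA names (..._AES_128_CBC_SHA) and
    OpenSSL names, which omit 'CBC' (ECDHE-RSA-AES128-SHA256)."""
    u = name.upper()
    if "CBC" in u:
        return True
    if any(m in u for m in AEAD_MARKERS):
        return False
    return any(b in u for b in BLOCK_CIPHERS)


def kex_is_ephemeral(name):
    """True when the key exchange provides forward secrecy: ECDHE/DHE suites,
    or any TLS 1.3 suite (TLS 1.3 key exchange is always ephemeral)."""
    tokens = re.split(r"[-_]", name.upper())
    if tokens[:2] in (["TLS", "AES"], ["TLS", "CHACHA20"]):
        return True
    return "ECDHE" in tokens or "DHE" in tokens


def nist_mode_allows(name):
    """The rule from the text: CBC suites and non-PFS suites are disabled."""
    return not is_cbc(name) and kex_is_ephemeral(name)


def nist_client_context():
    """Client context mirroring 'Minimum Client TLS version = TLSv1.2' plus the
    cipher rule. OpenSSL configures TLS 1.3 suites separately, so only the
    TLS 1.2 list is passed to set_ciphers()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    allowed = [c["name"] for c in ctx.get_ciphers()
               if c["protocol"] != "TLSv1.3" and nist_mode_allows(c["name"])]
    ctx.set_ciphers(":".join(allowed))
    return ctx


def context_min_version(ctx):
    return ctx.minimum_version.name


def context_tls12_ciphers(ctx):
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe(host, port, min_version, max_version, ciphers=None, timeout=5.0):
    """One handshake attempt; returns (accepted, protocol, cipher_or_error).
    Trust is deliberately not verified: this measures protocol/cipher policy."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
        if ciphers:
            ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, None, str(exc)


# '@SECLEVEL=0' lets a modern OpenSSL client offer TLS 1.0/1.1 and weak suites at
# all; without it a 'rejection' would be the client's doing, not the server's.
LEGACY = "ALL:@SECLEVEL=0"
CBC_ONLY = ("ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
            "AES128-SHA256:AES256-SHA256:@SECLEVEL=0")
NO_PFS = "AES128-GCM-SHA256:AES256-GCM-SHA384:@SECLEVEL=0"


def nist_mode_checks(host, port):
    """name -> (meets expectation, detail). Negative probes must be rejected;
    the positive probe must negotiate a suite the mode allows. Max version is
    pinned to TLS 1.2 for the cipher probes because TLS 1.3 suites are always
    offered and would otherwise mask the result."""
    V = ssl.TLSVersion
    results = {}
    for name, mn, mx, cs in (("tls1.0_rejected", V.TLSv1, V.TLSv1, LEGACY),
                             ("tls1.1_rejected", V.TLSv1_1, V.TLSv1_1, LEGACY),
                             ("cbc_rejected", V.TLSv1_2, V.TLSv1_2, CBC_ONLY),
                             ("non_pfs_rejected", V.TLSv1_2, V.TLSv1_2, NO_PFS)):
        ok, proto, detail = probe(host, port, mn, mx, cs)
        results[name] = (not ok, f"{proto} {detail}")
    ok, proto, cipher = probe(host, port, V.TLSv1_2, V.MAXIMUM_SUPPORTED)
    results["negotiated_allowed"] = (ok and nist_mode_allows(cipher), f"{proto} {cipher}")
    return results


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for check, (passed, detail) in nist_mode_checks(target, target_port).items():
        print(f"{'PASS' if passed else 'FAIL':4} {check:20} {detail}")
```

Run it as `python3 probe.py <device-address> 443` from an administrative workstation. Two caveats matter when reading the output: port 8443 is exempt from the cipher rule in the text, so `cbc_rejected` and `non_pfs_rejected` are expected to fail there, and a device whose OpenSSL build has TLS 1.0/1.1 compiled out on the client side will report those protocols as rejected whatever the server does; confirm with `openssl s_client -tls1` from a client that can still offer them.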

Minimum TLS version for OS deployment and OS driver updates

This setting determines the minimum TLS protocol version to use for operating-system deployment and device-driver updates. There are two options:
  • TLSv1.2. TLS v1.2 or later can be used.

    Only operating systems with an installation process that supports TLS 1.2 and stronger cryptographic algorithms can be deployed and updated through XClarity Administrator.