Lenovo Flex SystemChassis Management Module 2 command-line interface: crypto command

This command displays and configures the cryptographic settings for the CMM. These settings are required to achieve National Institute of Standards and Technology (NIST) compatibility.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or crypto command errors for a list of error messages that are specific to the crypto command.

For more information about NIST, see ../com.lenovo.acc.cmm.doc/cmm_ui_configure_NIST_compliance.html.

Table 1. crypto command.
The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.
Function	What it does	Command	Target (see paths in Command targets)
Display CMM cryptographic settings	Displays the cryptographic settings for the CMM. Return values include the currently selected CMM cipher suite, cryptographic mode, and the cryptographic mode specification version.	`crypto`	Primary CMM: `mm[p]` `mm[P]` `mm[x]` where x is the primary CMM bay number.
Set CMM cipher suites	Sets the allowed cipher suites for the primary CMM either to those defined by the TLS 1.2 specification (effectively limiting communication to TLS 1.2 only) or to a broader set of cipher suites that can be used with SSL 3.0, TLS 1.0, TLS 1.1, or TLS 1.2. Important: If the `-cs` command option is run by itself, all secure connections are closed and will need to be reestablished after a successful cipher suite change. If the `-cs` and `-m` command options are run together, the CMM automatically restarts after a successful cipher suite and cryptographic mode change. Note: To set the cipher suite setting to `legacy`, the cryptographic mode must be set to `comp` (compatibility with all NIST cipher suites). The cipher suite cannot be changed from `tls1.2` to `tls1.2srv` when the cryptographic mode is set to `nist800-131a`. The cipher suite setting (`-cs`) is referred to as the TLS/SSL setting in the CMM Web interface (Mgt Module Management > Security > Cryptography).	`crypto -cs`cipher where cipher is: `legacy` for legacy cryptographic settings (such as SSL) `tls1.2` for NIST Transport Layer Security (TLS) 1.2 cryptography on both the client and server `tls1.2svr` for NIST Transport Layer Security (TLS) 1.2 cryptography on only the server This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: `mm[p]` `mm[P]` `mm[x]` where x is the primary CMM bay number.
Set CMM cryptographic mode	Sets the cryptographic mode for the primary CMM. Note: To set the cryptographic mode to `nist800-131a`, the cipher suite setting must be set to `tls1.2` or `tls1.2svr`. If the `crypto -m` option is set to `comp` (compatibility with all NIST cipher suites), the `sslcfg -ca -csa` option must be specified when generating a CA certificate (see the sslcfg command for more information). The CMM automatically restarts after a successful cryptographic mode change.	`crypto -m`mode where mode is: `comp` for compatibility with all NIST cipher suites set by the `cipher -cs` command option. `nist800-131a` for compatibility with only the NIST Transport Layer Security (TLS) 1.2 cipher suites set by the `cipher -cs` command option. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: `mm[p]` `mm[P]` `mm[x]` where x is the primary CMM bay number.

Example:

To display the cryptographic settings for the primary CMM, while the primary CMM in bay 1 is set as the persistent command environment, at the system:mm[1]> prompt, type

crypto

To set the cryptographic setting for the primary CMM to Transport Layer Security (TLS) 1.2, while the primary CMM in bay 1 is set as the persistent command environment, at the system:mm[1]> prompt, type

crypto -cs tls1.2

To set the cryptographic setting for the primary CMM to use the legacy settings, while the primary CMM in bay 1 is set as the persistent command environment, at the system:mm[1]> prompt, type

crypto -cs legacy

The following example shows the information that is returned from these commands, when they are run using a Telnet connection:

system:mm[1]> crypto
-cs legacy
-m comp
Version: 01.00
system:mm[1]> crypto -cs tls1.2
Affected services will now be restarted. All secure sessions will be
closed, and need to be reestablished.
OK
system:mm[1]> crypto
-cs tls1.2
-m comp
Version: 01.00
system:mm[1]> crypto -cs legacy
Affected services will now be restarted. All secure sessions will be
closed, and need to be reestablished.
OK
system:mm[1]> crypto
-cs legacy
-m comp
Version: 01.00
system:mm[1]>