Switching between compatibility mode and NIST 800-131A mode

You can choose to switch between compatibility mode (which is not compliant with NIST 800-131A) and NIST 800-131A mode if you are managing a chassis through the Chassis Management Module (CMM) or through the Lenovo XClarity Administrator. However, if you are managing a chassis through the IBM Flex System Manager management node, you must reinstall the management node software to switch between modes.

The procedures that you follow to switch between compatibility mode and NIST 800-131A mode depend on the system management device that you have installed:
Note: Not all I/O modules support NIST 800-131A. See the documentation provided with the I/O module to determine the steps required to configure the module to support the NIST 800-131A standard. You can find documentation for all I/O modules at the following location:

Lenovo Flex System network switches

If you are managing a chassis with a Chassis Management Module (CMM)

Within the chassis, the CMM controls the security for all devices installed in the chassis. Therefore, you can switch modes using the Cryptography setting from the CMM:
  • From the Web interface, click Mgt Module Management > Security > Cryptography to display and modify the cryptography settings for NIST mode and TLS. For more information about the Cryptography setting, see CMM management options.
  • From the command-line interface, run the crypto command. For more information about the crypto command, see CMM crypto command.
Review the following considerations when switching between compatibility and NIST 800-131A modes:
  • If you switch from compatibility mode to NIST 800-131A mode and the current certificate authority (CA) on the CMM is using RSA-2048/SHA-1 (the default), a new certificate authority using RSA-2048/SHA-256 will be generated automatically, and the other certificates in the chassis will be replaced with certificates signed by that new CA. You must ensure that the new CA certificate is imported into the trust store of any management device or browser connecting to the devices installed in the chassis. If the CMM has already been configured with a certificate authority using RSA-2048/SHA-256, there will be no impact to the CMM CA.
  • If you switch from NIST 800-131A mode to compatibility mode, there will be no impact to the CMM CA. The CA using RSA-2048/SHA-256 will continue to be used unless it is manually regenerated using the RSA-2048/SHA-1 algorithms.
  • When you switch modes in the CMM, the modes for all installed compute nodes will be switched to the same setting automatically.
  • Not all I/O modules support NIST 800-131A mode. See Supported devices to determine if a specific I/O module supports NIST 800-131A mode. If the I/O module does support NIST 800-131A mode, you might need to change the configuration for the I/O module through the I/O module interface. For information about switching an I/O module between compatibility mode and NIST 800-131A mode, see the product documentation that is available for the I/O module. You can find that documentation at the following location:

    Lenovo Flex System network switches.

If you are managing a chassis with an IBM Flex System Manager management node

When you initially configure the IBM Flex System Manager management node, you set the system cryptographic mode to be used for secure communications:
  • Basic Compatibility Mode. This mode is designed to be compatible with older firmware versions, browsers, and other network clients that do not implement the stricter security standards required for compliance with NIST 800-131A.
  • NIST SP 800-131A Strict Compliance Mode. The Flex System Manager management node complies with the NIST SP800-131A security standard. In this mode, all secure communication interfaces to the system are restricted to use the TLS 1.2 protocol and NIST 800-131A-compliant ciphers. Other restrictions include using larger keys and stronger encryption algorithms.

    When you choose this mode, you can also determine whether or not to allow IPC or DCOM communication that does not comply with the standard. If you choose to allow this communication, the IBM Flex System Manager management node will show that you are operating in NIST-800-131A-Custom mode.

After configuration is complete, you cannot switch between these modes. Instead, you must reinstall the IBM Flex System Manager management node. Follow the steps listed in If you are managing a chassis with the Flex System Manager management node in the Updating an existing chassis topic to switch the modes.
Important: When you reinstall the IBM Flex System Manager management node, all user data will be lost.
If you have set up the IBM Flex System Manager to run in the Basic Compatibility Mode, you can switch between the protocols and ciphers used for secure communications. Use the CLI command setCryptoMode, which provides the following settings:
  • Legacy. All communication interfaces to the system can use TLS 1.0, 1.1, 1.2/SSL version 3 protocols and ciphers. You can switch from Legacy mode to a more strict mode, such as TLS 1.2 mode, which can be used to prevent a BEAST attack.
  • TLS 1.2. Only the main communication interfaces to the system (LDAPS on port 636 and HTTPS on port 8422) are restricted to use the TLS 1.2 protocol and ciphers. All other interfaces can still use TLS 1.0, 1.1, 1.2/SSL version 3 protocols and ciphers.
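The two sides of a mode switch that a practitioner has to verify are the ones described above: the CMM regenerates its CA as RSA-2048/SHA-256 and the new CA has to be imported into every client's trust store, and in NIST 800-131A mode (or the TLS 1.2 setting of setCryptoMode) the management interfaces only accept TLS 1.2 with compliant cipher suites. The following Python script is an added example, not Lenovo's or IBM's code. It builds a client-side TLS policy that matches the strict mode (TLS 1.2 floor, AES-GCM suites with SHA-256/SHA-384, the exported CMM CA as the only trust anchor), a Legacy-style policy for comparison, a check that lists where a policy falls short, and a probe that reports what an endpoint actually negotiates after the switch. The host name, port and CA file path are assumptions. Python's ssl module does not expose a certificate's signature hash, so the probe reports the issuer (which changes when the new CA is in use); to confirm SHA-256 on the exported CA itself, inspect it with openssl x509 -noout -text.

```python
"""Added example (not Lenovo's or IBM's code): client-side TLS policy for a
chassis in NIST 800-131A mode, an offline policy check, and a live probe.
Host names, ports and file paths in this file are assumptions."""
import socket
import ssl

# Cipher suites consistent with the restriction described for NIST mode:
# (EC)DHE key exchange, AES-GCM, SHA-256/SHA-384 only. No SHA-1, RC4, 3DES.
NIST_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
])


def strict_context(cmm_ca_file=None):
    """TLS client context equivalent to NIST SP 800-131A strict mode.

    cmm_ca_file: PEM file holding the RSA-2048/SHA-256 CA that the CMM
    generates when switched to NIST mode (assumed path; export it from the
    CMM first). Without it the system trust store is used, and verification
    of a CMM-signed certificate will fail, which is the expected symptom of
    a client that has not imported the new CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(NIST_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cmm_ca_file is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cmm_ca_file)
    return ctx


def legacy_context():
    """Context mirroring the Legacy setting: everything the OpenSSL build
    still allows, including TLS 1.0/1.1 and SHA-1 cipher suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def policy_violations(ctx):
    """Return the ways ctx falls short of NIST 800-131A mode: a protocol
    floor below TLS 1.2, or an enabled suite using a legacy hash or cipher."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol version below TLS 1.2")
    for suite in ctx.get_ciphers():
        # OpenSSL description, e.g.
        # "AES128-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1"
        fields = dict(tok.split("=", 1)
                      for tok in suite["description"].split() if "=" in tok)
        enc = fields.get("Enc", "")
        mac = fields.get("Mac", "")
        if enc.startswith(("RC4", "3DES", "DES", "None")) or mac in ("SHA1", "MD5"):
            problems.append(f"legacy suite enabled: {suite['name']}")
    return problems


def probe(host, port=443, cmm_ca_file=None, timeout=5.0):
    """Connect with the strict context and report what was negotiated.
    An endpoint correctly in NIST mode negotiates TLS 1.2 or later with one
    of NIST_CIPHERS and presents a certificate issued by the new CMM CA."""
    ctx = strict_context(cmm_ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Offline self-check of the two policies; the probe needs a live CMM.
    print("strict:", policy_violations(strict_context()) or "compliant")
    print("legacy:", policy_violations(legacy_context()))
    # Live check (assumed host and CA file), e.g. against the CMM on 443 or
    # the Flex System Manager HTTPS interface on 8422:
    # print(probe("cmm.example.internal", 443, cmm_ca_file="cmm-ca.pem"))
```

Running the script without arguments only evaluates the two local policies; the Legacy policy is reported as non-compliant because its protocol floor is below TLS 1.2 (and, on most OpenSSL builds, because SHA-1 suites are enabled). A probe against a chassis that has been switched to NIST mode but whose new CA has not been imported fails certificate verification, which is exactly the client-side problem the CA note above warns about; a probe that succeeds shows the negotiated protocol and suite and the issuer name of the new CA.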