crypto command

This command displays and configures the cryptographic settings for the CMM. These settings are required to achieve National Institute of Standards and Technology (NIST) compatibility.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or crypto command errors for a list of error messages that are specific to the crypto command.

For more information about NIST, see ../com.lenovo.acc.cmm.doc/cmm_ui_configure_NIST_compliance.html.

Table 1. crypto command.


Columns: Function | What it does | Command | Target (see paths in Command targets)

Function: Display CMM cryptographic settings
What it does: Displays the cryptographic settings for the CMM. Return values include the currently selected CMM cipher suite, cryptographic mode, and the cryptographic mode specification version.
Command:
crypto
Target:
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
    where x is the primary CMM bay number.

Function: Set CMM cipher suites
What it does: Sets the allowed cipher suites for the primary CMM either to those defined by the TLS 1.2 specification (effectively limiting communication to TLS 1.2 only) or to a broader set of cipher suites that can be used with SSL 3.0, TLS 1.0, TLS 1.1, or TLS 1.2.
Important:
  • If the -cs command option is run by itself, all secure connections are closed and will need to be reestablished after a successful cipher suite change.
  • If the -cs and -m command options are run together, the CMM automatically restarts after a successful cipher suite and cryptographic mode change.
Note:
  • To set the cipher suite setting to legacy, the cryptographic mode must be set to comp (compatibility with all NIST cipher suites).
  • The cipher suite cannot be changed from tls1.2 to tls1.2svr when the cryptographic mode is set to nist800-131a.
  • The cipher suite setting (-cs) is referred to as the TLS/SSL setting in the CMM Web interface (Mgt Module Management > Security > Cryptography).
Command:
crypto -cs cipher
where cipher is:
  • legacy for legacy cryptographic settings (such as SSL)
  • tls1.2 for NIST Transport Layer Security (TLS) 1.2 cryptography on both the client and server
  • tls1.2svr for NIST Transport Layer Security (TLS) 1.2 cryptography on only the server
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Target:
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
    where x is the primary CMM bay number.

Function: Set CMM cryptographic mode
What it does: Sets the cryptographic mode for the primary CMM.
Note:
  • To set the cryptographic mode to nist800-131a, the cipher suite setting must be set to tls1.2 or tls1.2svr.
  • If the crypto -m option is set to comp (compatibility with all NIST cipher suites), the sslcfg -ca -csa option must be specified when generating a CA certificate (see the sslcfg command for more information).
  • The CMM automatically restarts after a successful cryptographic mode change.
Command:
crypto -m mode
where mode is:
  • comp for compatibility with all NIST cipher suites set by the crypto -cs command option.
  • nist800-131a for compatibility with only the NIST Transport Layer Security (TLS) 1.2 cipher suites set by the crypto -cs command option.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Target:
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
    where x is the primary CMM bay number.

Example:

To display the cryptographic settings for the primary CMM, while the primary CMM in bay 1 is set as the persistent command environment, at the system:mm[1]> prompt, type
crypto
To set the cryptographic setting for the primary CMM to Transport Layer Security (TLS) 1.2, while the primary CMM in bay 1 is set as the persistent command environment, at the system:mm[1]> prompt, type
crypto -cs tls1.2
To set the cryptographic setting for the primary CMM to use the legacy settings, while the primary CMM in bay 1 is set as the persistent command environment, at the system:mm[1]> prompt, type
crypto -cs legacy

The following example shows the information that is returned from these commands, when they are run using a Telnet connection:

system:mm[1]> crypto
-cs legacy
-m comp
Version: 01.00
system:mm[1]> crypto -cs tls1.2
Affected services will now be restarted. All secure sessions will be
closed, and need to be reestablished.
OK
system:mm[1]> crypto
-cs tls1.2
-m comp
Version: 01.00
system:mm[1]> crypto -cs legacy
Affected services will now be restarted. All secure sessions will be
closed, and need to be reestablished.
OK
system:mm[1]> crypto
-cs legacy
-m comp
Version: 01.00
system:mm[1]>
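
The following Python script is an added example, not part of the original documentation or of any Lenovo tooling. It parses the reply to a bare crypto command, reports which settings keep the CMM out of TLS 1.2-only nist800-131a operation, and checks a planned -cs / -m change against the notes in Table 1. The function names and the second sample output are assumptions made for illustration.

```python
import re

# Output of `crypto` as shown in the transcript on this page.
PAGE_OUTPUT = "-cs legacy\n-m comp\nVersion: 01.00\n"
# Constructed sample: same layout with the NIST-only values.
HARDENED_OUTPUT = "-cs tls1.2\n-m nist800-131a\nVersion: 01.00\n"

CIPHER_SUITES = {"legacy", "tls1.2", "tls1.2svr"}
MODES = {"comp", "nist800-131a"}

def parse_crypto_output(text):
    """Parse the reply to a bare `crypto` command into cs, m and version."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"-(cs|m)\s+(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
        elif line.startswith("Version:"):
            settings["version"] = line.split(":", 1)[1].strip()
    return settings

def audit(settings):
    """List what keeps this CMM out of TLS 1.2-only, nist800-131a operation."""
    cs, mode = settings.get("cs"), settings.get("m")
    if cs not in CIPHER_SUITES or mode not in MODES:
        return [f"unknown or missing setting: cs={cs!r} m={mode!r}"]
    findings = []
    if cs == "legacy":
        findings.append("-cs legacy: suites usable with SSL 3.0, TLS 1.0 and TLS 1.1 are allowed")
    if mode == "comp":
        findings.append("-m comp: cryptographic mode is not nist800-131a")
    return findings

def precheck(current, new_cs=None, new_mode=None):
    """Reasons, per the notes in the table, that a planned change is refused."""
    cs, mode = new_cs or current["cs"], new_mode or current["m"]
    reasons = []
    if cs == "legacy" and mode == "nist800-131a":
        reasons.append("legacy needs mode comp; nist800-131a needs tls1.2 or tls1.2svr")
    # Assumption: this rule is judged against the mode in force before the change.
    if (current["cs"], new_cs, current["m"]) == ("tls1.2", "tls1.2svr", "nist800-131a"):
        reasons.append("tls1.2 cannot be changed to tls1.2svr in nist800-131a mode")
    return reasons

if __name__ == "__main__":
    now = parse_crypto_output(PAGE_OUTPUT)
    print(now, audit(now))
    print(precheck(now, new_mode="nist800-131a"))
```

Run against the transcript above, the precheck shows that crypto -m nist800-131a is refused while -cs is still legacy, so the cipher suite has to be moved to tls1.2 or tls1.2svr first or in the same command.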