Cryptography modes and IBM Flex System Manager management modes

When you manage a chassis, you can choose to manage it in centralized mode or in decentralized mode. The cryptography modes and ciphers that you choose for the IBM Flex System Manager management node and the CMM affect which management mode you can choose for chassis management. They also determine whether you can switch between decentralized mode and centralized mode.

Important: If you are managing devices through the Lenovo XClarity Administrator in any mode, it can manage a chassis that is in any mode. If the Lenovo XClarity Administrator is operating in NIST mode, the device being managed (such as the CMM) must use a NIST-compliant certificate prior to the manage operation (the key must be RSA-2048 or greater or ECDSA with a NIST-compliant curve of P-224 or stronger, and the signature must be based on a SHA-256 or longer hash). If the Lenovo XClarity Administrator is operating in NIST mode and is managing a rack server IMM2 that does not have a certificate, the Lenovo XClarity Administrator will request that the rack server generate a certificate.
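
The NIST-mode certificate criteria above can be checked before a manage operation. The following is an added example, not taken from IBM or Lenovo documentation: it uses the openssl command line to test a PEM certificate exported from the device. The function name and the file name in the usage comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the NIST-mode criteria quoted above
# (RSA-2048 or greater, or ECDSA on NIST P-224 or stronger; SHA-256 or longer hash).
# Usage: sh check_nist_cert.sh device-cert.pem   (file name is a placeholder)

check_nist_cert() {
    # Decode the certificate; anything openssl cannot parse is a failure.
    c_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $1"; return 1; }

    # The first "Signature Algorithm" line names the algorithm the issuer signed with.
    c_sig=$(printf '%s\n' "$c_text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    c_alg=$(printf '%s\n' "$c_text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    c_bits=$(printf '%s\n' "$c_text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    c_curve=$(printf '%s\n' "$c_text" | sed -n 's/^ *NIST CURVE: P-\([0-9][0-9]*\).*/\1/p' | head -n 1)

    # Hash must be SHA-256 or longer. SHA-1, MD5, SHA-224 and the truncated
    # SHA-512/224 are rejected; names this list does not recognise (for example
    # RSA-PSS, whose hash sits in the parameters) are rejected conservatively.
    case "$c_sig" in
        *512-224*) echo "FAIL: signature algorithm '$c_sig'"; return 1 ;;
        *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) ;;
        *) echo "FAIL: signature algorithm '$c_sig'"; return 1 ;;
    esac

    case "$c_alg" in
        rsaEncryption)
            [ "${c_bits:-0}" -ge 2048 ] || {
                echo "FAIL: RSA key is ${c_bits:-?} bits"; return 1; } ;;
        id-ecPublicKey)
            # openssl prints "NIST CURVE: P-nnn" only when the curve is a NIST curve.
            [ "${c_curve:-0}" -ge 224 ] || {
                echo "FAIL: EC curve is not NIST P-224 or stronger"; return 1; } ;;
        *)
            echo "FAIL: key algorithm '$c_alg'"; return 1 ;;
    esac
    echo "PASS: $c_alg, $c_sig"
}

# Run the check when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then check_nist_cert "$1"; fi
```

The function exits with status 0 only when both the key and the signature hash meet the criteria, so it can gate a scripted manage step.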

Table 1 lists the cryptographic modes and cipher suite/TLS protocol settings that are available for the IBM Flex System Manager management node and the CMM. It also shows the supported management modes on the IBM Flex System Manager management node based on the specified cryptographic modes and cipher suites/TLS protocol levels. For example, if you implement NIST Strict Mode on the IBM Flex System Manager and you set the cryptographic settings on the CMM to comp and tls1.2, you can manage a chassis in decentralized mode. However, managing the chassis in centralized mode or switching between non-centralized and centralized mode is not supported.

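For details about the available cryptographic modes and ciphers, see the following topics:

Table 1. Supported chassis management modes based on cryptography settings on the IBM Flex System Manager and CMM

The CMM cryptographic settings are based on the crypto command, -m (mode), and -cs (cipher suite) settings. The last three columns are the chassis management mode (from the IBM Flex System Manager): X = supported, - = not supported.

IBM Flex System Manager mode             CMM -m        CMM -cs    Decentralized  Centralized  Switch from decentralized to centralized
---------------------------------------  ------------  ---------  -------------  -----------  ----------------------------------------
NIST Strict Mode                         nist800-131a  tls1.2     X              X            X
NIST Strict Mode                         nist800-131a  tls1.2svr  X              X            X
NIST Strict Mode                         comp          tls1.2     X (1)          -            -
NIST Strict Mode                         comp          tls1.2svr  X (1)          -            -
NIST Strict Mode                         comp          legacy     X (1)          -            -
NIST Custom Mode (DCOM and/or IPC on)    nist800-131a  tls1.2     X              X            X
NIST Custom Mode (DCOM and/or IPC on)    nist800-131a  tls1.2svr  X              X            X
NIST Custom Mode (DCOM and/or IPC on)    comp          tls1.2     X (1)          -            -
NIST Custom Mode (DCOM and/or IPC on)    comp          tls1.2svr  X (1)          -            -
NIST Custom Mode (DCOM and/or IPC on)    comp          legacy     X (1)          -            -
Basic Compatibility Mode - TLS 1.2 Only  nist800-131a  tls1.2     X              -            -
Basic Compatibility Mode - TLS 1.2 Only  nist800-131a  tls1.2svr  X              -            -
Basic Compatibility Mode - TLS 1.2 Only  comp          tls1.2     X              X            X
Basic Compatibility Mode - TLS 1.2 Only  comp          tls1.2svr  X              X            X
Basic Compatibility Mode - TLS 1.2 Only  comp          legacy     X              X            X
Basic Compatibility Mode - Legacy        nist800-131a  tls1.2     X              -            -
Basic Compatibility Mode - Legacy        nist800-131a  tls1.2svr  X              -            -
Basic Compatibility Mode - Legacy        comp          tls1.2     X              -            -
Basic Compatibility Mode - Legacy        comp          tls1.2svr  X              X            X
Basic Compatibility Mode - Legacy        comp          legacy     X              X            X
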
Notes:
  1. CMM Certificate Authority must be set to RSA2048 SHA256