The procedures that you follow to update an existing chassis
to support NIST 800-131A depend on the system management device that
you have installed.
Note: Not all I/O modules support NIST 800-131A. See the documentation
provided with the I/O module to determine the steps required to configure
the module to support the NIST 800-131A standard. You can find documentation
for all I/O modules at the following location:
Network switches
If you are managing a chassis with a Chassis Management Module (CMM)
Complete the following steps to update a chassis to be NIST 800-131A
compliant:
- Make sure that the firmware for all devices installed in the chassis
  is at Flex Version 1.3.2. For information about updating firmware,
  see the Flex System and IBM PureFlex Firmware Updates Best Practices,
  Flex Version 1.3.2, which is available at the following location:
  http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5091991&brandind=5431802
- Set the cryptography mode for the CMM to be NIST SP 800-131A.
  - From the Web interface, click to display and modify the cryptography
    settings for NIST mode and TLS. For more information about the
    Cryptographic setting, see CMM management options.
  - From the command-line interface, run the crypto command. For more
    information about the crypto command, see CMM crypto command.
- Make sure that the CMM is using the appropriate algorithms for
  the certificate authority (CA):
  - If the CMM is currently using a certificate set to the default
    type (RSA-2048/SHA1), a new certificate authority of type
    RSA-2048/SHA-256 will be generated automatically. All other
    certificates in the chassis will be replaced with certificates
    signed by the new certificate authority. However, you will need to
    import the new certificate into any browser that is connecting to
    chassis elements.
  - If the CMM is currently using a certificate set to the type of
    RSA-2048/SHA-256, no additional configuration is required.
If you are managing a chassis with the Lenovo XClarity Administrator
If you are managing a chassis with the Lenovo XClarity Administrator,
changing the Lenovo XClarity Administrator cryptographic mode to be NIST
compliant will also change the settings of any managed chassis.

If the Lenovo XClarity Administrator already is configured to be NIST
compliant, you can either go to the CMM and change the setting there or
change the Lenovo XClarity Administrator setting from NIST-compliant mode
to compatibility mode. Then, change the setting back to NIST-compliant
mode to force all managed devices to the NIST-compliant mode. If any of
the managed chassis being changed were using a certificate that was not
NIST compliant, the certificate will be regenerated automatically, and
it will be necessary to go to the Flex Chassis view in the Lenovo
XClarity Administrator and perform Resolve Untrusted Certificate.
If you are managing a chassis with the Flex System Manager management node
Important: You cannot change the configuration of an existing
IBM Flex System Manager management node to be compliant with NIST
800-131A. Instead, you must start with a new installation of the IBM
Flex System Manager management node and configure it to be compliant
with NIST 800-131A. From an existing IBM Flex System Manager management
node, you must complete the following steps to make it compliant
with NIST 800-131A:
- Make sure that the firmware for all devices installed in the chassis
  is at Flex Version 1.3.2. For information about updating firmware,
  see the IBM Flex System and IBM PureFlex Firmware Updates Best
  Practices, Flex Version 1.3.2, which is available at the following
  location:
  http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5091991&brandind=5431802
- Unmanage all chassis from the IBM Flex System Manager management
  node.
- Set the cryptography mode for the CMM in each chassis to be NIST
  SP 800-131A.
  - From the Web interface, click to display and modify the cryptography
    settings for NIST mode and TLS. For more information about the
    Cryptographic setting, see CMM management options.
  - From the command-line interface, run the crypto command. For more
    information about the crypto command, see CMM crypto command.
- Make sure that the CMM is using the appropriate algorithms for
  the certificate authority (CA):
  - If the CMM is currently using a certificate set to the default
    type (RSA-2048/SHA1), a new certificate authority of type
    RSA-2048/SHA-256 will be generated automatically. All other
    certificates in the chassis will be replaced with certificates
    signed by the new certificate authority. However, you will need to
    import the new certificate into any browser that is connecting to
    chassis elements.
  - If the CMM is currently using a certificate set to the type of
    RSA-2048/SHA-256, no additional configuration is required.
  Note: Typically, you should set up the CMM to be compliant before
  you manage the chassis from the IBM Flex System Manager management
  node. Otherwise, you might need to export the certificate authority
  from the CMM and manually import it into the IBM Flex System Manager
  management node.
- Use the backup and recovery DVD for version 1.3.2 to recover the
  IBM Flex System Manager (equivalent to a new installation).
  Important: When you reinstall the IBM Flex System Manager management
  node, all user data will be lost.
  For information about using the backup and recovery DVD, see the
  following topic:
  Reinstalling management software components from optical media after
  replacing the hard disk drive
- Configure the new IBM Flex System Manager to be compliant with
  NIST 800-131A.
  For information about the initial setup of the IBM Flex System
  Manager management node, see the following topic:
  Initial Setup of the management node
- Add users to the Flex System Manager management node.
  For information about adding users to the IBM Flex System Manager
  management node, see the following topic:
  Managing users and groups
- Manage all chassis from the IBM Flex System Manager management
  node.
  For information about managing a chassis, see the following topic:
  Managing a chassis
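
The certificate authority step in both the CMM and the Flex System Manager procedures distinguishes the default RSA-2048/SHA1 type from RSA-2048/SHA-256; the following added example (not IBM or Lenovo code) reads a certificate and reports which of the two it is. The function names and the exported PEM file are assumptions: it expects that you have saved the certificate a chassis element presents to a PEM file.

```python
import ssl, sys

# signatureAlgorithm OIDs for the two certificate types named in the steps
SIG_OIDS = {"1.2.840.113549.1.1.5": "RSA/SHA-1",
            "1.2.840.113549.1.1.11": "RSA/SHA-256"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Split the contents of a constructed element into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted form of an OID whose first arc is 0 or 1 (true for the OIDs here)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return (signature type, RSA modulus bits, True if SHA-256 and >= 2048 bits)."""
    tbs, sig_alg, _signature = children(read_tlv(der)[1])
    oid = decode_oid(children(sig_alg[1])[0][1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # optional [0] version
    key_alg, key_bits = children(fields[5][1])               # subjectPublicKeyInfo
    if decode_oid(children(key_alg[1])[0][1]) != "1.2.840.113549.1.1.1":
        raise ValueError("certificate does not carry an RSA key")
    rsa_key = read_tlv(key_bits[1], 1)[1]                    # skip unused-bits octet
    bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    kind = SIG_OIDS.get(oid, oid)
    return kind, bits, kind == "RSA/SHA-256" and bits >= 2048

if __name__ == "__main__" and len(sys.argv) > 1:   # usage: check.py exported.pem
    with open(sys.argv[1]) as fh:
        print(inspect_cert(ssl.PEM_cert_to_DER_cert(fh.read())))
```

Run it against each certificate you import into a browser after the mode change; a result whose last field is False means that element is still presenting a certificate of the older type.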