Supported devices

Use this information to understand the cryptographic modes that are provided by Lenovo Flex System components and the functions that might need to be disabled, are not supported, or do not comply with the standard, depending on the cryptographic mode that you implement.

Review Functional limitations to see a list of general limitations that apply to all Lenovo Flex System components when you choose to initiate NIST 800-131A compliance.

Table 1. IBM Flex System Cryptographic modes

IBM Flex System Cryptographic modes are implemented in the system that is managing the chassis to control how secure communications are handled for most devices in the chassis.

Device: Flex System Manager management node
Cryptography mode: NIST SP 800-131A Strict Compliance Mode

The following considerations apply when supporting NIST 800-131A from the IBM Flex System Manager:

Important consideration: Reliable Scalable Cluster Technology (RSCT) is not supported for Power Systems being managed by the IBM Flex System Manager in NIST 800-131A strict compliance mode at this time. Therefore, if you manage a chassis containing Power Systems compute nodes from the IBM Flex System Manager management node, the system will not be in strict compliance with NIST 800-131A even if you set the cryptography mode to NIST SP 800-131A Strict Compliance Mode.

  • You must use a browser that can support the TLS1.2 protocol and SHA-256 hashing functions. Internet Explorer 9 or 10 is supported.
  • When configured in NIST 800-131A mode, the Flex System Manager management node is only able to connect to establish a secure connection to an external LDAP server by using StartTLS. StartTLS is an LDAP feature that allows secure communication using TLSv1.2 over an existing non-secure port (e.g., default LDAP port 389). Other mechanisms of establishing a secure LDAP connection, such as using LDAPS to connect to a port configured to only accept SSL/TLS connections, are not supported when in NIST 800-131A mode.
  • If you have Platform Agent or Common Agent installed on a managed endpoint and the agent is not running in 800-131A-strict mode, it will not be discovered by the IBM Flex System Manager management node.
  • Storage Control. Storage management functions are automatically disabled. No storage management functions are supported.
  • VMControl. Virtualization management functions are automatically disabled. No virtualization management functions are supported.
  • Service and Support Manager. Electronic Service Agent (ESA), which is sometimes called call home, cannot be set up due to functional limitations related to communications between the Lenovo Flex System components and the back end infrastructure required to support the functions. The IBM Flex System Manager cannot be used to set up Electronic Service Agent (ESA) to automatically notify IBM of problems within managed chassis.
  • Update Manager. Internet-connected firmware updates are not supported. Firmware updates to the IBM Flex System Manager and devices being managed by the IBM Flex System Manager must be applied as if the IBM Flex System Manager is not connected to the Internet.
  • Managed endpoints running Windows-based operating systems cannot be managed because they require that you enable the DCOM and IPC protocols from the IBM Flex System Manager. These protocols are not compliant with NIST 800-131A.
    Note: You can choose to enable these settings using the command smcli cfgWinSecProPolicy. If you choose to enable these protocols, the IBM Flex System Manager will show as being in NIST SP 800-131A Custom mode.
  • Managed endpoints running a version of VMware ESXi earlier than version 5.5 cannot be managed by the IBM Flex System Manager. If you install VMware ESXi version 5.5 on a managed endpoint, events related to the operating system will not be displayed in the IBM Flex System Manager event log.
  • You cannot deploy certain operating systems to compute nodes using the OS deployment task.
    Note: You can choose to override the strict compliance mode to deploy operating systems by using the CLI command smcli enabledeployosoverride. If you do choose to override the strict compliance mode, the IBM Flex System Manager will show as being in NIST SP 800-131A Custom mode.
  • If you are using remote syslog, you must make sure that the syslog server is configured to handle (restrict or prioritize) TLS 1.2 and uses a NIST-compliant certificate.
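The StartTLS, TLS 1.2 and certificate requirements in the list above, as an added example that is not part of the Lenovo documentation: a small Python checker that audits constructed endpoint descriptions against those rules and builds a TLS 1.2-minimum client context of the kind a script talking to the management node would use. The Endpoint fields, the sample servers and their cipher-suite names are constructed for illustration; the key-size and hash thresholds are the SP 800-131A minimums, and the LDAP rule is the one stated above (StartTLS only, LDAPS not supported).

```python
"""Checks for the connection requirements the Flex System Manager imposes in
NIST SP 800-131A strict mode: LDAP only via StartTLS, TLS 1.2 for remote syslog,
and a NIST-compliant server certificate. Added example; not Lenovo/IBM code."""
import ssl
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_TLS: Tuple[int, int] = (1, 2)
# SP 800-131A: SHA-1 is disallowed for digital signature generation; SHA-2 is acceptable.
APPROVED_SIGNATURE_HASHES = {"sha256", "sha384", "sha512"}
# Substrings of OpenSSL cipher-suite names that indicate a disallowed algorithm.
# HMAC-SHA-1 as a TLS record MAC is still acceptable under 800-131A, so a
# trailing "-SHA" is deliberately not flagged.
DISALLOWED_CIPHER_TOKENS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT")


@dataclass
class Endpoint:
    """Constructed description of a server the management node would talk to."""
    name: str
    service: str                  # "ldap" or "syslog"
    port: int
    tls_version: Tuple[int, int]  # negotiated protocol version, e.g. (1, 2)
    starttls: bool                # LDAP: TLS negotiated on the plain port via StartTLS
    cert_sig_hash: str            # hash used in the certificate's signature algorithm
    cert_key_type: str            # "rsa" or "ec"
    cert_key_bits: int
    cipher_suites: List[str] = field(default_factory=list)


def check_endpoint(ep: Endpoint) -> List[str]:
    """Return human-readable findings; an empty list means the endpoint passes."""
    findings = []
    if ep.tls_version < MIN_TLS:
        findings.append(f"TLS {ep.tls_version[0]}.{ep.tls_version[1]} negotiated; TLS 1.2 is required")
    if ep.cert_sig_hash.lower() not in APPROVED_SIGNATURE_HASHES:
        findings.append(f"certificate signed with {ep.cert_sig_hash}; SHA-256 or stronger is required")
    if ep.cert_key_type == "rsa" and ep.cert_key_bits < 2048:
        findings.append(f"RSA-{ep.cert_key_bits} certificate key; 2048 bits is the 800-131A minimum")
    if ep.cert_key_type == "ec" and ep.cert_key_bits < 224:
        findings.append(f"{ep.cert_key_bits}-bit EC certificate key; 224 bits is the 800-131A minimum")
    for suite in ep.cipher_suites:
        if any(tok in suite.upper() for tok in DISALLOWED_CIPHER_TOKENS):
            findings.append(f"cipher suite {suite} uses an algorithm disallowed by 800-131A")
    if ep.service == "ldap" and not ep.starttls:
        findings.append("LDAP does not use StartTLS; LDAPS on a TLS-only port is not supported in strict mode")
    return findings


def audit(endpoints: List[Endpoint]) -> dict:
    """Map each endpoint name to its list of findings."""
    return {ep.name: check_endpoint(ep) for ep in endpoints}


def strict_client_context() -> ssl.SSLContext:
    """Client-side TLS context with the strict-mode floor: TLS 1.2 minimum,
    certificate verification left on (create_default_context enables it)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample inventory; these are not real servers.
SAMPLE_ENDPOINTS = [
    Endpoint("ldap-starttls", "ldap", 389, (1, 2), True, "sha256", "rsa", 2048,
             ["ECDHE-RSA-AES256-GCM-SHA384"]),
    Endpoint("ldap-ldaps", "ldap", 636, (1, 2), False, "sha256", "rsa", 2048,
             ["ECDHE-RSA-AES256-GCM-SHA384"]),
    Endpoint("syslog-legacy", "syslog", 6514, (1, 0), False, "sha1", "rsa", 1024,
             ["DES-CBC3-SHA"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENDPOINTS).items():
        print(name, "compliant" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The second sample fails only because it is LDAPS on a TLS-only port, which is exactly the case the management node rejects in strict mode even though its TLS version and certificate are fine; the third sample shows how a legacy syslog server fails on all four axes at once.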
Cryptography mode: NIST SP 800-131A Custom Compliance Mode

The Flex System Manager is in a customized version of NIST SP 800-131A security strict mode. The cryptography level is set to NIST-800-131A-Custom because one or more of the following customer-selected options are enabled (all other aspects of the system are NIST Strict compliant):
  • The IPC protocol is enabled.
  • The DCOM protocol is enabled.
  • Noncompliant protocols for operating system deployment are enabled.

You must use a browser that can support the TLS1.2 protocol and SHA-256 hashing functions. Internet Explorer 9 or 10 is supported.

Cryptography mode: Basic Compatibility Mode

This mode, also known as legacy mode, is designed to be compatible with older firmware versions, browsers, and other network clients that do not implement the stricter security standards required for compliance to NIST 800-131A.

If you enable the TLS 1.2 protocol, you must use a browser that can support the TLS1.2 protocol. Internet Explorer 9 or 10 is supported.

Device: Chassis Management Module (CMM)
Cryptography mode: NIST SP 800-131A
  • You must use a browser that can support the TLS1.2 protocol and SHA-256 hashing functions. Internet Explorer 9 or 10 is supported.
  • The CMM cannot be used to enable IBM Support, which can automatically notify IBM of problems within a chassis.
  • You should not enable unencrypted or otherwise noncompliant protocols, such as Telnet, FTP, SSH, and VNC, for remote communications with IBM Flex System devices. You must use encrypted protocols for all communications.
Note: If you set the CMM to operate in NIST SP 800-131A mode and you have one of the following I/O modules installed, communications between the CMM and those I/O modules will not be compliant:
  • Flex System EN4023 10Gb Scalable Switch
  • Flex System EN6131 40Gb Ethernet Switch
  • Flex System FC5022 16Gb SAN Scalable Switch
  • Flex System IB6131 Infiniband Switch
Cryptography mode: Compatibility

This mode is designed to be compatible with older firmware versions, browsers, and other network clients that do not implement the stricter security standards required for compliance to NIST 800-131A.

If you enable the TLS 1.2 protocol, you must use a browser that can support the TLS1.2 protocol. Internet Explorer 9 or 10 is supported.

Compute nodes and storage nodes

Devices:
  • Flex System x220 Compute Node
  • Flex System x222 Compute Node
  • Flex System x240 Compute Node
  • Flex System x440 Compute Node
  • Flex System x880 X6 Compute Node
  • IBM Flex System p24L Compute Node
  • IBM Flex System p260/p460 Compute Nodes
  • IBM Flex System p270 Compute Node
Cryptography mode: N/A
Description: The compute node is fully compliant with NIST 800-131A when the chassis is configured in a compliant mode. The security mode set by the CMM determines the security mode in which the compute node operates.

Device: IBM Flex System V7000 Storage Node
Cryptography mode: None
Description: NIST 800-131A compliance is not supported on this device.

Device: Flex System PCIe Expansion Node
Cryptography mode: N/A
Description: NIST 800-131A does not apply to this device.

Device: Flex System Storage Expansion Node
Cryptography mode: N/A
Description: NIST 800-131A does not apply to this device.
I/O Modules

Device: Cisco Nexus B22 Fabric Extender for Flex System
Cryptography mode: None
Description: NIST 800-131A compliance is not supported on this device.

Device: Flex System Fabric CN4093 10Gb Converged Scalable Switch
Cryptography mode: NIST SP 800-131A
Description: The CN4093 10Gb Converged Scalable Switch can operate in two boot modes:
  • Compatibility mode (default): This is the default switch boot mode. This mode can use algorithms and key lengths that might not be allowed/acceptable by NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.
  • Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800-131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the CN4093. In strict mode, you cannot enable these protocols if the security policy on the switch is set to “secure”. In compatibility mode, these protocols can be enabled, if required.

See the Application Guide for more details.

Device: Flex System EN2092 1Gb Ethernet Scalable Switch
Cryptography mode: NIST SP 800-131A
Description: The EN2092 1Gb Ethernet Scalable Switch can operate in two boot modes:
  • Compatibility mode (default): This is the default switch boot mode. This mode can use algorithms and key lengths that might not be allowed/acceptable by NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.
  • Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800-131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the EN2092. In strict mode, you cannot enable these protocols if the security policy on the switch is set to “secure”. In compatibility mode, these protocols can be enabled, if required.

See the Application Guide for more details.

Device: Flex System EN4023 10Gb Scalable Switch
Cryptography mode: None
Description: NIST 800-131A compliance is not supported on this device.

Device: Flex System Fabric EN4093 and EN4093R 10Gb Scalable Switches
Cryptography mode: NIST SP 800-131A
Description: The EN4093 and EN4093R 10Gb Ethernet Scalable Switches can operate in two boot modes:
  • Compatibility mode (default): This is the default switch boot mode. This mode can use algorithms and key lengths that might not be allowed/acceptable by NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.
  • Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800-131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the EN4093 and EN4093R. In strict mode, you cannot enable these protocols if the security policy on the switch is set to “secure”. In compatibility mode, these protocols can be enabled, if required.

See the Application Guide for more details.

Device: Flex System EN6131 40Gb Ethernet Switch
Cryptography mode: NIST SP 800-131A
Description: See the documentation provided with the switch for information about ensuring that the switch is using firmware capable of complying with NIST 800-131A and configuring the switch to be compliant. Documentation for the switch is available at the following location:

Flex System EN6131 40Gb Ethernet Switch

Device: Flex System FC3171 8Gb SAN Switch
Cryptography mode: None
Description: NIST 800-131A compliance is not supported on this device.

Device: Flex System FC5022 16Gb SAN Scalable Switch
Cryptography mode: None
Description: NIST 800-131A compliance is not supported on this device.

Device: Flex System IB6131 Infiniband Switch
Cryptography mode: NIST SP 800-131A
Description: See the documentation provided with the switch for information about ensuring that the switch is using firmware capable of complying with NIST 800-131A and configuring the switch to be compliant. Documentation for the switch is available at the following location:

Flex System IB6131 Infiniband Switch

Device: Flex System EN4091 10Gb Ethernet Pass-thru
Cryptography mode: N/A
Description: This is a pass-thru module, not a switch. NIST 800-131A compliance does not apply to this device.

Device: Flex System FC3171 8Gb SAN Pass-thru
Cryptography mode: N/A
Description: This is a pass-thru module, not a switch. NIST 800-131A compliance does not apply to this device.

Device: Flex System Fabric SI4093 System Interconnect Module
Cryptography mode: NIST SP 800-131A
Description: The SI4093 System Interconnect Module can operate in two boot modes:
  • Compatibility mode (default): This is the default switch boot mode. This mode can use algorithms and key lengths that might not be allowed/acceptable by NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.
  • Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800-131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the SI4093. In strict mode, you cannot enable these protocols if the security policy on the module is set to “secure”. In compatibility mode, these protocols can be enabled, if required.

See the Application Guide for more details.