Chassis Management Module cryptography settings

There are two settings on the Chassis Management Module (CMM) that are related to NIST 800-131A compliance. The first specifies the overall cryptographic mode to be used for secure communications and the second determines the cipher suites (and effectively the SSL/TLS protocol levels) used for secure communications.

The two settings are interrelated. Both can be modified with the CMM CLI crypto command or through the CMM Web interface (click Mgt Module Management > Security > Cryptography).
Note: For more information about the crypto command, see CMM2 Crypto command.
  • Cryptographic mode:
    • nist800-131a for compatibility with only the NIST 800-131A compliant Transport Layer Security (TLS) 1.2 cipher suites. If you use this setting, the cipher suite set with the CLI crypto command must be tls1.2 or tls1.2svr.

      If you are working with the CMM Web interface, set the TLS/SSL setting to TLS 1.2 Server Only or TLS 1.2 Server and Client. To access the TLS/SSL setting through the Web interface, click Mgt Module Management > Security > Cryptography.

    • comp for compatibility with a larger set of cipher suites, which are compatible with older Flex System firmware versions as well as a wider set of web browsers and other applications. These cipher suites allow connections using SSL 3.0 and TLS 1.0/1.1/1.2. If you use this setting, when you generate a CA certificate using the sslcfg -gen ca CLI command, you must specify the -csa option to select which cryptographic algorithms to use.
  • Cipher suite:
    • legacy for legacy cryptographic settings (such as SSL). If you use this setting, the cryptographic mode must be set to comp.
    • tls1.2 for only cipher suites defined by the Transport Layer Security (TLS) 1.2 protocol on both clients and servers running on the CMM.
    • tls1.2svr for only cipher suites defined by the Transport Layer Security (TLS) 1.2 protocol on servers running on the CMM.
The cryptography mode set by the managing device (CMM or Flex System Manager management node) determines the cryptography mode in which the compute node operates.

Table 1. Effect of CMM settings on the operating mode of compute nodes

| CMM settings | Power Systems compute nodes (FSP) | X Architecture compute nodes (IMM) |
|---|---|---|
| nist800-131a | NIST Strict mode | NIST Strict mode |
| comp + legacy | Legacy mode | Legacy mode |
| comp + tls1.2 | NIST Strict mode | comp + tls1.2 |
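
The pairing rules and Table 1 above can be checked across several chassis at once. The following is an added example, not code from the CMM documentation or firmware; the chassis names and the inventory are constructed. Because Table 1 has no row for comp + tls1.2svr, the example reports that pair as not listed rather than assuming a node mode.

```python
# Added example; the inventory at the bottom is constructed sample data.
STRICT = "NIST Strict mode"
MODES = {"nist800-131a", "comp"}
SUITES = {"legacy", "tls1.2", "tls1.2svr"}
# Table 1 rows for comp: (mode, suite) -> (FSP node mode, IMM node mode)
TABLE_1_COMP = {
    ("comp", "legacy"): ("Legacy mode", "Legacy mode"),
    ("comp", "tls1.2"): (STRICT, "comp + tls1.2"),
}

def audit(mode, suite):
    """Return (findings, fsp_mode, imm_mode) for one CMM's two settings."""
    if mode not in MODES or suite not in SUITES:
        return [f"unrecognized setting: mode={mode!r} suite={suite!r}"], None, None
    if mode == "nist800-131a":
        if suite == "legacy":
            # The page's rule: legacy is only allowed with comp.
            return ["invalid pair: nist800-131a needs tls1.2 or tls1.2svr"], None, None
        return [], STRICT, STRICT
    findings = []
    if suite == "legacy":
        findings.append("comp + legacy: SSL 3.0 and TLS 1.0/1.1 connections allowed")
    fsp, imm = TABLE_1_COMP.get((mode, suite), (None, None))
    if fsp is None:
        findings.append(f"comp + {suite}: not listed in Table 1, node mode unknown")
    else:
        for kind, node_mode in (("FSP", fsp), ("IMM", imm)):
            if node_mode != STRICT:
                findings.append(f"{kind} compute nodes run in {node_mode!r}, not {STRICT}")
    return findings, fsp, imm

def audit_fleet(inventory):
    """Map chassis name -> audit result for an iterable of (name, mode, suite)."""
    return {name: audit(mode, suite) for name, mode, suite in inventory}

# Constructed inventory (hypothetical chassis names).
SAMPLE = [
    ("chassis-a", "nist800-131a", "tls1.2svr"),
    ("chassis-b", "comp", "legacy"),
    ("chassis-c", "comp", "tls1.2"),
    ("chassis-d", "nist800-131a", "legacy"),
    ("chassis-e", "comp", "tls1.2svr"),
]

if __name__ == "__main__":
    for name, (findings, fsp, imm) in audit_fleet(SAMPLE).items():
        print(name, "| FSP:", fsp, "| IMM:", imm, "|", "; ".join(findings) or "no findings")
```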