IBM Flex System Manager cryptography settings

There are two settings on the IBM Flex System Manager management node that are related to NIST 800-131A compliance. The first specifies the overall cryptographic mode to be used for secure communications and the second determines the SSL/TLS protocol level to be used for secure communications.

When you initially configure the IBM Flex System Manager management node, you can determine the system cryptographic mode to be used for secure communications:
  • Basic Compatibility Mode. This mode, also known as legacy mode, is designed to be compatible with older firmware versions, browsers, and other network clients that do not implement the stricter security standards required for compliance to NIST 800-131A.
    After installing the IBM Flex System Manager management node in Basic Compatibility Mode, you can choose the protocols and ciphers used for secure communications using the CLI command smcli setCryptoMode, which provides the following settings:
    Note: If you install the IBM Flex System Manager management node in NIST SP 800-131A Strict Compliance Mode, the CLI command smcli setCryptoMode is not available.
    • Legacy. All communication interfaces to the system can use the TLS 1.0, 1.1, and 1.2 and SSL version 3 protocols and their ciphers. You can switch from Legacy mode to a stricter mode, such as TLS 1.2 mode, which mitigates the BEAST attack against TLS 1.0 and SSL 3 connections.
    • TLS 1.2. Only the main communication interfaces to the system (LDAPS on port 636 and HTTPS on port 8422) are restricted to use the TLS 1.2 protocol and ciphers. All other interfaces can still use TLS 1.0, 1.1, 1.2/SSL version 3 protocols and ciphers.
  • NIST SP 800-131A Strict Compliance Mode. The Flex System Manager management node complies with the NIST SP800-131A security standard. In this mode, all secure communication interfaces to the system are restricted to use the TLS 1.2 protocol and ciphers. Other restrictions include using larger keys and stronger encryption algorithms.

    When you choose this mode, you can also determine whether or not to allow IPC or DCOM communications that do not comply with the standard. If you choose to allow such communications, the IBM Flex System Manager management node will show that you are operating in NIST-800-131A-Custom mode.

    Important: After you have selected the cryptographic mode and configured the IBM Flex System Manager management node, you cannot change that setting. Instead, you must reinstall the IBM Flex System Manager by following the steps listed in Updating an existing chassis.
    Note: If you are using IBM Fabric Manager (IFM), you must also set it to TLS restrict mode separately through the IFM interface.
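To confirm from an administrator's workstation that TLS 1.2 mode has taken effect on the two main interfaces named above (LDAPS on 636, HTTPS on 8422), the following is an added Python example, not IBM's code or part of the smcli tooling: it attempts a handshake pinned to each TLS version and reports any deviation from the documented policy. The host name, the `observed` result shape and the function names are my own assumptions; SSL 3 cannot be probed because Python's ssl module no longer offers it.

```python
import socket
import ssl

# Documented TLS 1.2 mode policy: these interfaces accept only TLS 1.2.
TLS12_MODE_PORTS = {636: "LDAPS", 8422: "HTTPS"}
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2)


def handshake_accepted(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # probing protocol support, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # allow legacy suites to be offered
    except ssl.SSLError:
        pass                                    # builds without seclevel support
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False                            # alert, reset or timeout


def probe_port(host, port):
    """Map version name (e.g. 'TLSv1_1') to whether the port accepted it."""
    return {v.name: handshake_accepted(host, port, v) for v in PROBE_VERSIONS}


def violations(observed):
    """observed: {port: {'TLSv1': bool, 'TLSv1_1': bool, 'TLSv1_2': bool}}.
    Returns findings where a main interface deviates from TLS 1.2 mode."""
    findings = []
    for port, name in TLS12_MODE_PORTS.items():
        result = observed.get(port)
        if result is None:
            continue                            # port not probed
        for old in ("TLSv1", "TLSv1_1"):
            if result.get(old):
                findings.append(f"{name} port {port} still accepts {old}")
        if not result.get("TLSv1_2"):
            findings.append(f"{name} port {port} does not accept TLSv1_2")
    return findings


if __name__ == "__main__":
    fsm_host = "fsm.example.internal"           # assumed management node address
    live = {p: probe_port(fsm_host, p) for p in TLS12_MODE_PORTS}
    print("\n".join(violations(live)) or "TLS 1.2 mode policy confirmed")
```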

From the IBM Flex System Manager management node, you can also set a Security Policy that is enforced for all chassis that are centrally managed by the Flex System Manager management node. The Security Policy is not directly related to NIST 800-131A compliance. Instead, it controls areas such as the types of passwords that can be chosen and whether or not insecure communications (such as FTP) are allowed. For more information about the Security Policies available through the IBM Flex System Manager management node, see IBM Flex System Manager security policies.