
Configuring cryptography settings on the management server

You can configure the SSL/TLS version and cipher settings for the management server.

Before you begin

Review cryptography considerations before modifying the settings on the management server (see Cryptographic management).

About this task

The cryptographic mode determines how secure communications are handled between XClarity Administrator and all managed systems. If secure communications are implemented, it sets the encryption-key lengths to be used.

Note
Regardless of the cryptography mode that you select, NIST-approved Digital Random Bit Generators are always used, and only 128-bit or longer keys are used for symmetric encryption.

To change the security setting for managed devices, see Configuring the security settings for a managed server.

Procedure

To change the cryptography settings on the management server, complete the following steps.

  1. From the XClarity Administrator menu bar, click Administration > Security.
  2. Choose one of the following cryptographic modes to use for secure communications:
    • Compatibility. This mode is the default. It is compatible with older firmware versions, browsers, and other network clients that do not implement strict security standards that are required for compliance with NIST SP 800-131A.
    • NIST SP 800-131A. This mode is designed to comply with the NIST SP 800-131A standard. XClarity Administrator is designed to always use strong cryptography internally and, where available, to use strong cryptography for network connections. However, in this mode, network connections that use cryptography not approved by NIST SP 800-131A are not permitted; this includes rejecting Transport Layer Security (TLS) certificates that are signed with SHA-1 or a weaker hash.

      If you select this mode:
      • For all ports other than port 8443, all TLS CBC ciphers and all ciphers that do not support Perfect Forward Secrecy are disabled.

      • Event notifications might not be successfully pushed to some mobile-device subscriptions (see Forwarding events to mobile devices). External services, such as Android and iOS, present certificates that are signed with SHA-1, which is an algorithm that does not conform to the stricter requirements of NIST SP 800-131A mode. As a result, any connections to these services might fail with a certificate exception or a handshake failure.

      For more information about NIST SP 800-131A compliance, see Implementing NIST SP 800-131A compliance.
  3. Choose the minimum TLS protocol version to use for client connections to other servers (such as the LDAP server). You can choose one of the following options.
    • TLS1.2. Enforces TLS v1.2 cryptography protocols.
    • TLS1.3. Enforces TLS v1.3 cryptography protocols.
  4. Choose the minimum TLS protocol version to use for server connections (such as the web server). You can choose one of the following options.
    • TLS1.2. Enforces TLS v1.2 cryptography protocols.
    • TLS1.3. Enforces TLS v1.3 cryptography protocols.
  5. Choose the minimum TLS protocol version to use for XClarity Administrator operating-system deployment and OS device-driver updates. You can choose one of the following options.
    • TLS1.2. Enforces TLS v1.2 cryptography protocols.
    • TLS1.3. Enforces TLS v1.3 cryptography protocols.
    Note
    Only operating systems with an installation process that supports the selected cryptographic algorithm or stronger can be deployed and updated through XClarity Administrator.
  6. Select the cryptographic key length and hash algorithm to use for all parts of the certificate, including the root CA certificate, server certificate, and CSR for externally signed certificates.
    • RSA 2048-bit / SHA-256 (default)

      This mode can be used when managed devices are in Compatibility, NIST SP 800-131A, or Standard Security mode. This mode cannot be used when one or more managed devices are in Enterprise Strict Security mode.

    • RSA 3072-bit / SHA-384

      This mode is required when one or more managed devices are in Enterprise Strict Security mode.

      Important
      Only servers with XCC2 support RSA-3072/SHA-384 certificate signatures. After configuring XClarity Administrator with an RSA-3072/SHA-384 based certificate, non-XCC2 devices are unmanaged. To manage non-XCC2 devices, you need a separate XClarity Administrator instance.
  7. Click Apply.
  8. Restart XClarity Administrator (see Restarting XClarity Administrator).
  9. If you changed the cryptographic key length, regenerate the certificate authority root certificate using the correct key length and hash algorithm (see Regenerating or restoring the Lenovo XClarity Administrator self-signed server certificate or Deploying customized server certificates to Lenovo XClarity Administrator).
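The following added example (not part of the Lenovo documentation or product) turns the NIST SP 800-131A mode rules from steps 2 to 5 into an offline check that can be run over a list of observed connections, flagging sessions below the configured minimum TLS version, peer certificates signed with SHA-1 or weaker, and, on every port other than 8443, CBC suites and suites without Perfect Forward Secrecy. The connection records are constructed sample data and the field names and IANA cipher-suite names are assumptions, not XClarity Administrator output.

```python
"""Offline check modelled on the NIST SP 800-131A mode rules described on this page.
Connection records below are constructed samples; field names are assumptions, not product output."""
from dataclasses import dataclass

WEAK_SIG_HASHES = {"md5", "sha1"}   # certificates signed with SHA-1 or weaker are rejected


@dataclass
class Connection:
    port: int
    tls_version: str     # e.g. "TLSv1.2"
    cipher_suite: str    # IANA name, e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    cert_sig_hash: str   # hash in the peer certificate's signature, e.g. "sha256"


def _tls_number(version: str) -> float:
    return float(version.removeprefix("TLSv"))   # "TLSv1.2" -> 1.2, "TLSv1" -> 1.0


def cipher_is_pfs(suite: str) -> bool:
    # TLS 1.3 suites always use ephemeral (EC)DH; TLS 1.2 names state the key exchange explicitly
    return suite.startswith(("TLS_AES_", "TLS_CHACHA20_")) or "_ECDHE_" in suite or "_DHE_" in suite


def cipher_is_cbc(suite: str) -> bool:
    return "_CBC_" in suite


def nist_mode_problems(conn: Connection, min_tls: str = "TLSv1.2") -> list[str]:
    """Reasons the connection would be refused in NIST SP 800-131A mode; an empty list means allowed."""
    problems = []
    if _tls_number(conn.tls_version) < _tls_number(min_tls):
        problems.append(f"{conn.tls_version} is below the configured minimum {min_tls}")
    if conn.cert_sig_hash.lower() in WEAK_SIG_HASHES:
        problems.append(f"certificate signed with {conn.cert_sig_hash} (SHA-1 or weaker)")
    if conn.port != 8443:   # the cipher restrictions apply to every port other than 8443
        if cipher_is_cbc(conn.cipher_suite):
            problems.append("TLS CBC cipher suite")
        if not cipher_is_pfs(conn.cipher_suite):
            problems.append("cipher suite without Perfect Forward Secrecy")
    return problems


# Constructed samples: a clean TLS 1.3 web session, an LDAP session on an RSA-key-exchange CBC
# suite, a peer certificate signed with SHA-1, a legacy TLS 1.1 client, and the port 8443 exemption.
SAMPLE = [
    Connection(443, "TLSv1.3", "TLS_AES_256_GCM_SHA384", "sha256"),
    Connection(636, "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA256", "sha256"),
    Connection(443, "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sha1"),
    Connection(443, "TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sha256"),
    Connection(8443, "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA256", "sha256"),
]


def audit(connections=SAMPLE, min_tls: str = "TLSv1.2") -> list[tuple[int, list[str]]]:
    return [(c.port, nist_mode_problems(c, min_tls)) for c in connections]
```

Running `audit()` on the samples flags the LDAP session twice (CBC and no PFS), the SHA-1-signed certificate and the TLS 1.1 client, while the same CBC suite on port 8443 passes, matching the exemption the page describes.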

After you finish

If you receive an alert that the server certificate is not trusted for a managed device, see Resolving an untrusted server certificate.