Security considerations

Review the following considerations to help you plan for the security of Lenovo SDI Management Platform and all managed resources.

Secure-environment considerations

It is important that you evaluate the security requirements in your environment, understand all security risks, and minimize those risks. Lenovo SDI Management Platform includes several features that can help you secure your environment. Use the following information to help you implement the security plan for your environment.

Important: You are responsible for the evaluation, selection, and implementation of security features, configuration procedures, and appropriate controls for your environment. Implementing the security features that are described in this section does not secure your environment completely. Consider the following information when you are evaluating the security requirements for your environment.

  • The physical security of your environment is important. Limit access to rooms and racks where systems-management hardware is kept.

  • Use a software-based firewall to protect your network hardware and data from known and emerging security threats, such as viruses and unauthorized access.

  • Do not change the default security settings for the network switches and pass-thru modules. The manufacturing default settings for these components disable the use of unsecure protocols and enable the requirement for signed firmware updates.

  • At a minimum, ensure that critical firmware updates are installed. After making any changes, always back up the configuration.

  • Ensure that all security-related updates for DNS servers are installed promptly and kept up to date.

  • Instruct your users to not accept any untrusted certificates. For more information, see Working with security certificates in the online documentation of Lenovo SDI Management Platform.

  • Where possible and practical, place the systems-management hardware in a separate subnet. Typically, only supervisors should have access to the systems-management hardware, and no basic users should be given access.

  • When you choose passwords, do not use expressions that are easy to guess, such as "password" or the name of your company. Keep the passwords in a secure place, and ensure that access to the passwords is restricted. Implement a password policy for your company.

    Important: Strong password rules should be required for all users.

  • Establish power-on passwords for users as a way to control who has access to the data and setup programs on the servers. See the documentation that comes with your hardware for more information about power-on passwords.

Cryptography considerations

Lenovo SDI Management Platform supports TLS 1.2 and stronger cryptographic algorithms for secure network connections.

For increased security, only high-strength ciphers are supported. The client operating system and web browsers must support one of the following cipher suites.

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384
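To check ahead of time that a client system can offer at least one of the cipher suites listed above, the following added example (not part of the Lenovo documentation) compares the list with what the local OpenSSL build enables. The function names and the report layout are assumptions made for this illustration.

```python
import ssl

# Cipher suites listed on this page, written as OpenSSL names.
SUPPORTED_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
]


def build_client_context():
    """Client context: TLS 1.2 or later, the page's suites, certificates verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() only governs TLS 1.2 and earlier suites; unknown names are
    # skipped, and ssl.SSLError is raised if none of them is available.
    ctx.set_ciphers(":".join(SUPPORTED_SUITES))
    return ctx


def usable_suites(ctx):
    """Suites from the page's list that this OpenSSL build will actually offer."""
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return [s for s in SUPPORTED_SUITES if s in enabled]


def check_client():
    """Summarize whether this client can negotiate with the listed suites."""
    ctx = build_client_context()
    usable = usable_suites(ctx)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "min_version": ctx.minimum_version.name,
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "usable": usable,
        "missing": [s for s in SUPPORTED_SUITES if s not in usable],
        "compatible": bool(usable),
    }


if __name__ == "__main__":
    for key, value in check_client().items():
        print(f"{key}: {value}")
```

A client is compatible when `usable` contains at least one entry; `missing` shows which of the listed suites the local build or system policy has disabled.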

Security-certificate considerations

Lenovo SDI Management Platform uses SSL certificates to establish secure and trusted communications with resource managers (such as Lenovo XClarity Administrator) and users. By default, Lenovo SDI Management Platform and resource managers use self-signed certificates generated by Lenovo SDI Management Platform.

The default server certificate, which is uniquely generated in every instance of Lenovo SDI Management Platform, provides sufficient security for many environments. You can choose to let Lenovo SDI Management Platform manage certificates for you, or you can take a more active role by customizing and replacing the server certificates. Lenovo SDI Management Platform provides options for customizing certificates for your environment. For example, you can choose to:

  • Generate a new server key and certificate, using values that are specific to your organization.

  • Generate a certificate signing request (CSR) and send it to the selected certificate authority to create a signed certificate that can then be uploaded to Lenovo SDI Management Platform and used as an end-server certificate for all its hosted services.

  • Download the server certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.

For more information about certificates, see Working with security certificates in the online documentation of Lenovo SDI Management Platform.