Security mode

This topic is an overview of the security mode.

The XCC Standard license enables the users to configure their servers in one of the two Security Modes: Standard Mode and Compatibility Mode. These are available in all V3 servers.

The Lenovo XClarity Controller 2 Platinum Upgrade license comes with a third Security Mode: Enterprise Strict Mode. This mode is most suitable for high-level security requirements.

Note

By default, XCC uses an ECDSA self-signed certificate and only ECDSA based algorithms are available. To use RSA based certificate, generate a CSR and sign it with an internal or external CA, then import the signed certificate to XCC.

Enterprise Strict Security Mode

Enterprise Strict Security Mode is the most secure mode.
BMC operates in FIPS 140-3 validated mode.
Requires enterprise strict grade certificates.
Only services that support enterprise strict level cryptography are allowed.
Requires the Lenovo XClarity Controller 2 Platinum Upgrade license to enable.
CNSA cyrptography algorithms are available for use.

Standard Security Mode

Standard Mode is the default security mode.
All cryptography algorithms used by BMC are FIPS 140-3 compliant.
BMC operates in FIPS 140-3 validated mode.
Requires standard grade certificates.
Services that require cryptography that do not support standard level cryptography are disabled by default.
CNSA algorithms are available when the Lenovo XClarity Controller 2 Platinum Upgrade license is installed.

Compatibility Mode

Compatibility Mode is the mode to use when services and clients require cryptography that is not enterprise strict/standard compliant.
A wider range of cryptography algorithms are supported.
When this mode is enabled, BMC is NOT operating in FIPS 140-3 validated mode.
Allows all services to be enabled.
Supports a wide range of cipher suits for maximum compatibility.

Supported TLS cipher suites

The TLS Cryptography Setting is to restrict the supported TLS cipher suites against BMC services.

TLS cipher suites	Security Mode	TLS Version
TLS_AES_256_GCM_SHA384	Enterprise Strict Standard^* Compatibility^*	TLS 1.3
TLS_CHACHA20_POLY1305_SHA256	Compatibility	TLS 1.3
TLS_AES_128_GCM_SHA256	Standard Compatibility	TLS 1.3
TLS_AES_128_CCM_8_SHA256	Standard Compatibility	TLS 1.3
TLS_AES_128_CCM_SHA256	Standard Compatibility	TLS 1.3
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	Enterprise Strict Standard^* Compatibility^*	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	Enterprise Strict Standard^* Compatibility^*	TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	Enterprise Strict Standard^* Compatibility^*	TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	Standard Compatibility	TLS 1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305	Compatibility	TLS 1.2
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	Standard Compatibility	TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	Standard Compatibility	TLS 1.2
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	Compatibility	TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	Compatibility	TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	Compatibility	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256	Compatibility	TLS 1.2
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256	Compatibility	TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	Compatibility	TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	Compatibility	TLS 1.2

Note

Security modes with an asterisk (*) listed in the table require Lenovo XClarity Controller 2 Platinum Upgrade license.

Service matrix in three Security Modes

Feature/Service	Uses Crypto	Default State Out of Box	Supported in Strict Mode	Supported in Standard Mode	Supported in Compatibility Mode
IPMI-over-KCS	No	Enabled	Yes	Yes	Yes
IPMI-over-LAN	Yes	Disabled	No	Yes	Yes
SNMPv1 traps	No	Not Configured	No	Yes	Yes
SNMPv3 traps	Yes	Not Configured	No	Yes If enabled, will alert for use of non-FIPS crypto	Yes
SNMPv3 agent	Yes	Not Configured	No	Yes If enabled, will alert for use of non-FIPS crypto	Yes
Email Alerts	Yes	Not Configured	Yes Can NOT be enabled with CRAM-MD5 Authentication	Yes If CRAM-MD5 is required, will alert for use of non-FIPS crypto.	Yes
Syslog Alerts	No	Not Configured	No	Yes	Yes
TLS 1.2	Yes	Enabled	Yes	Yes	Yes
TLS 1.3	Yes	Enabled	Yes	Yes	Yes
Web over HTTPS	Yes	Enabled	Yes	Yes	Yes
Redfish over HTTPS	Yes	Enabled	Yes	Yes	Yes
SSDP	No	Enabled	Yes	Yes	Yes
SSH-CLI	Yes	Enabled	Yes	Yes	Yes
SFTP	Yes	Disabled	Yes	Yes	Yes
LDAP	No	Not configured	No	Yes	Yes
Secure LDAP	Yes	Not configured	Yes	Yes	Yes
Security Key Management	Yes	Not Configured	Yes	Yes	Yes
Remote Console	Yes	Enabled	Yes	Yes	Yes
Virtual media - CIFS	Yes	Not configured	No	Yes	Yes
Virtual media - NFS	No	Not configured	No	Yes	Yes
Virtual media - HTTPFS	Yes	Not configured	Yes	Yes	Yes
RDOC - Local	Yes	Not Configured	Yes	Yes	Yes
RDOC - CIFS	Yes	Not Configured	No	Yes	Yes
RDOC - HTTP	No	Not Configured	No	Yes	Yes
RDOC - HTTPS	Yes	Not Configured	Yes	Yes	Yes
RDOC - FTP	No	Not Configured	No	Yes	Yes
RDOC - SFTP	Yes	Not Configured	Yes	Yes	Yes
FFDC upload (SFTP)	Yes	Enabled	Yes	Yes	Yes
FFDC upload (TFTP)	No	Enabled	No	Yes	Yes
Update from repository – CIFS	Yes	Not configured	No	Yes	Yes
Update from repository - NFS	No	Not configured	No	Yes	Yes
Update from repository – HTTP	No	Not configured	No	Yes	Yes
Update from repository – HTTPS	Yes	Not configured	Yes	Yes	Yes
Call home	Yes	Disabled	Yes	Yes	Yes
Third-party Password	Yes	Not configured	No	Yes	Yes
Port Forwarding	N/A	Disabled	Yes	Yes	Yes

Give feedback