Security mode
This topic is an overview of the security mode.
The XCC Standard license enables the users to configure their servers in one of the two Security Modes: Standard Mode and Compatibility Mode. These are available in all V4 servers.
The Lenovo XClarity Controller 3 Premier Upgrade license comes with a third Security Mode: Enterprise Strict Mode. This mode is most suitable for high-level security requirements.
Enterprise Strict Security Mode is the most secure mode.
BMC operates in FIPS 140-3 validated mode.
Requires enterprise strict grade certificates.
Only services that support enterprise strict level cryptography are allowed.
Requires the Lenovo XClarity Controller 3 Premier Upgrade license to enable.
CNSA cryptography algorithms are available for use.
Standard Mode is the default security mode.
All cryptography algorithms used by BMC are FIPS 140-3 compliant.
BMC operates in FIPS 140-3 validated mode.
Requires standard grade certificates.
Services that require cryptography that do not support standard level cryptography are disabled by default.
CNSA algorithms are available when the Lenovo XClarity Controller 3 Premier Upgrade license is installed.
Compatibility Mode is the mode to use when services and clients require cryptography that is not enterprise strict/standard compliant.
A wider range of cryptography algorithms are supported.
When this mode is enabled, BMC is NOT operating in FIPS 140-3 validated mode.
Allows all services to be enabled.
Supports a wide range of cipher suits for maximum compatibility.
Supported TLS cipher suites
TLS cipher suites | Security Mode | TLS Version |
---|---|---|
TLS_AES_256_GCM_SHA384 |
| TLS 1.3 |
TLS_CHACHA20_POLY1305_SHA256 |
| TLS 1.3 |
TLS_AES_128_GCM_SHA256 |
| TLS 1.3 |
TLS_AES_128_CCM_8_SHA256 |
| TLS 1.3 |
TLS_AES_128_CCM_SHA256 |
| TLS 1.3 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS 1.2 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS 1.2 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS 1.2 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 |
| TLS 1.2 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS 1.2 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS 1.2 |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 |
| TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS 1.2 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS 1.2 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS 1.2 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS 1.2 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS 1.2 |
Feature/Service | Uses Crypto | Default State Out of Box | Supported in Strict Mode | Supported in Standard Mode | Supported in Compatibility Mode |
---|---|---|---|---|---|
IPMI-over-KCS | No | Enabled | Yes | Yes | Yes |
IPMI-over-LAN | Yes | Disabled | No | Yes | Yes |
SNMPv1 traps | No | Not Configured | No | Yes | Yes |
SNMPv3 traps | Yes | Not Configured | No | Yes If enabled, will alert for use of non-FIPS crypto | Yes |
SNMPv3 agent | Yes | Not Configured | No | Yes If enabled, will alert for use of non-FIPS crypto | Yes |
Email Alerts | Yes | Not Configured | Yes Can NOT be enabled with CRAM-MD5 Authentication | Yes If CRAM-MD5 is required, will alert for use of non-FIPS crypto. | Yes |
Syslog Alerts | No | Not Configured | No | Yes | Yes |
TLS 1.2 | Yes | Enabled | Yes | Yes | Yes |
TLS 1.3 | Yes | Enabled | Yes | Yes | Yes |
Web over HTTPS | Yes | Enabled | Yes | Yes | Yes |
Redfish over HTTPS | Yes | Enabled | Yes | Yes | Yes |
SSDP | No | Enabled | Yes | Yes | Yes |
SSH-CLI | Yes | Enabled | Yes | Yes | Yes |
SFTP | Yes | Disabled | Yes | Yes | Yes |
LDAP | No | Not configured | No | Yes | Yes |
Secure LDAP | Yes | Not configured | Yes | Yes | Yes |
Security Key Management | Yes | Not Configured | Yes | Yes | Yes |
Remote Console | Yes | Enabled | Yes | Yes | Yes |
Virtual media - CIFS | Yes | Not configured | No | Yes | Yes |
Virtual media - NFS | No | Not configured | No | Yes | Yes |
Virtual media - HTTPFS | Yes | Not configured | Yes | Yes | Yes |
RDOC - Local | Yes | Not Configured | Yes | Yes | Yes |
RDOC - CIFS | Yes | Not Configured | No | Yes | Yes |
RDOC - HTTP | No | Not Configured | No | Yes | Yes |
RDOC - HTTPS | Yes | Not Configured | Yes | Yes | Yes |
RDOC - FTP | No | Not Configured | No | Yes | Yes |
RDOC - SFTP | Yes | Not Configured | Yes | Yes | Yes |
FFDC upload (SFTP) | Yes | Enabled | Yes | Yes | Yes |
FFDC upload (TFTP) | No | Enabled | No | Yes | Yes |
Update from repository – CIFS | Yes | Not configured | No | Yes | Yes |
Update from repository - NFS | No | Not configured | No | Yes | Yes |
Update from repository – HTTP | No | Not configured | No | Yes | Yes |
Update from repository – HTTPS | Yes | Not configured | Yes | Yes | Yes |
Call home | Yes | Disabled | Yes | Yes | Yes |
Third-party Password | Yes | Not configured | No | Yes | Yes |
Port Forwarding | N/A | Disabled | Yes | Yes | Yes |