Security mode

This topic gives an overview of the security modes.

The XCC Standard license lets users configure their servers in one of two Security Modes: Standard Mode and Compatibility Mode. Both are available on all V4 servers.

The Lenovo XClarity Controller 3 Premier Upgrade license comes with a third Security Mode: Enterprise Strict Mode. This mode is most suitable for high-level security requirements.

Note
By default, XCC uses an ECDSA self-signed certificate and only ECDSA-based algorithms are available. To use an RSA-based certificate, generate a CSR, sign it with an internal or external CA, and then import the signed certificate into XCC.
Enterprise Strict Security Mode
  • Enterprise Strict Security Mode is the most secure mode.

  • BMC operates in FIPS 140-3 validated mode.

  • Requires enterprise strict grade certificates.

  • Only services that support enterprise strict level cryptography are allowed.

  • Requires the Lenovo XClarity Controller 3 Premier Upgrade license to enable.

  • CNSA cryptography algorithms are available for use.

Standard Security Mode
  • Standard Mode is the default security mode.

  • All cryptography algorithms used by BMC are FIPS 140-3 compliant.

  • BMC operates in FIPS 140-3 validated mode.

  • Requires standard grade certificates.

  • Services that require cryptography but do not support standard-level cryptography are disabled by default.

  • CNSA algorithms are available when the Lenovo XClarity Controller 3 Premier Upgrade license is installed.

Compatibility Mode
  • Compatibility Mode is the mode to use when services and clients require cryptography that is not enterprise strict/standard compliant.

  • A wider range of cryptography algorithms is supported.

  • When this mode is enabled, BMC is NOT operating in FIPS 140-3 validated mode.

  • Allows all services to be enabled.

  • Supports a wide range of cipher suites for maximum compatibility.

Supported TLS cipher suites

The TLS Cryptography Setting restricts the TLS cipher suites that BMC services support.

| TLS cipher suites | Security Mode | TLS Version |
|---|---|---|
| TLS_AES_256_GCM_SHA384 | Enterprise Strict, Standard*, Compatibility* | TLS 1.3 |
| TLS_CHACHA20_POLY1305_SHA256 | Compatibility | TLS 1.3 |
| TLS_AES_128_GCM_SHA256 | Standard, Compatibility | TLS 1.3 |
| TLS_AES_128_CCM_8_SHA256 | Standard, Compatibility | TLS 1.3 |
| TLS_AES_128_CCM_SHA256 | Standard, Compatibility | TLS 1.3 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Enterprise Strict, Standard*, Compatibility* | TLS 1.2 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | Enterprise Strict, Standard*, Compatibility* | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Enterprise Strict, Standard*, Compatibility* | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Standard, Compatibility | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | Compatibility | TLS 1.2 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | Standard, Compatibility | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Standard, Compatibility | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | Compatibility | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Compatibility | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Compatibility | TLS 1.2 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | Compatibility | TLS 1.2 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | Compatibility | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | Compatibility | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Compatibility | TLS 1.2 |

Note
Security modes with an asterisk (*) listed in the table require the Lenovo XClarity Controller 3 Premier Upgrade license.
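
Added example, not Lenovo code: a small audit that compares the cipher suites a TLS scanner saw a BMC accept with what the table above lists for the configured Security Mode and license. The mode strings, function names and scan list are constructed for illustration, and the certificate filter assumes, in line with the note on the default ECDSA certificate, that RSA-authenticated TLS 1.2 suites are not negotiable until an RSA certificate is imported.

```python
# Added example (not Lenovo code): suite sets transcribed from the table above.
AES256 = set("""TLS_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384""".split())
AES128 = set("""TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256""".split())
COMPAT_ONLY = set("""TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256""".split())

def allowed(mode, premier):
    """Suites the table lists for a mode; premier = Premier Upgrade license installed."""
    if mode == "enterprise_strict":
        if not premier:
            raise ValueError("Enterprise Strict requires the Premier Upgrade license")
        return set(AES256)
    base = AES128 | (AES256 if premier else set())  # asterisked rows need the license
    if mode == "standard":
        return base
    if mode == "compatibility":
        return base | COMPAT_ONLY
    raise ValueError(f"unknown mode: {mode}")

def negotiable(suites, cert_key):
    """Drop TLS 1.2 suites whose authentication does not match the certificate key type."""
    other = "_RSA_" if cert_key == "ecdsa" else "_ECDSA_"
    return {s for s in suites if other not in s}

def audit(observed, mode, premier, cert_key="ecdsa"):
    """Compare suites a scanner saw accepted with what the configured mode should offer."""
    observed = set(observed)
    expected = negotiable(allowed(mode, premier), cert_key)
    known = AES256 | AES128 | COMPAT_ONLY
    return {"unexpected": sorted((observed & known) - expected),
            "not_in_table": sorted(observed - known),
            "not_offered": sorted(expected - observed)}

# Constructed scan of a BMC meant to be in Standard Mode, no Premier license, ECDSA cert.
SAMPLE_SCAN = ["TLS_AES_128_GCM_SHA256",
               "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN, "standard", premier=False))
```

A non-empty `unexpected` list means the BMC accepted a suite the table reserves for a less restrictive mode, which suggests the security mode or TLS Cryptography Setting differs from the intended one.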
Service matrix in three Security Modes

| Feature/Service | Uses Crypto | Default State Out of Box | Supported in Strict Mode | Supported in Standard Mode | Supported in Compatibility Mode |
|---|---|---|---|---|---|
| IPMI-over-KCS | No | Enabled | Yes | Yes | Yes |
| IPMI-over-LAN | Yes | Disabled | No | Yes | Yes |
| SNMPv1 traps | No | Not Configured | No | Yes | Yes |
| SNMPv3 traps | Yes | Not Configured | No | Yes. If enabled, will alert for use of non-FIPS crypto | Yes |
| SNMPv3 agent | Yes | Not Configured | No | Yes. If enabled, will alert for use of non-FIPS crypto | Yes |
| Email Alerts | Yes | Not Configured | Yes. Can NOT be enabled with CRAM-MD5 Authentication | Yes. If CRAM-MD5 is required, will alert for use of non-FIPS crypto. | Yes |
| Syslog Alerts | No | Not Configured | No | Yes | Yes |
| TLS 1.2 | Yes | Enabled | Yes | Yes | Yes |
| TLS 1.3 | Yes | Enabled | Yes | Yes | Yes |
| Web over HTTPS | Yes | Enabled | Yes | Yes | Yes |
| Redfish over HTTPS | Yes | Enabled | Yes | Yes | Yes |
| SSDP | No | Enabled | Yes | Yes | Yes |
| SSH-CLI | Yes | Enabled | Yes | Yes | Yes |
| SFTP | Yes | Disabled | Yes | Yes | Yes |
| LDAP | No | Not Configured | No | Yes | Yes |
| Secure LDAP | Yes | Not Configured | Yes | Yes | Yes |
| Security Key Management | Yes | Not Configured | Yes | Yes | Yes |
| Remote Console | Yes | Enabled | Yes | Yes | Yes |
| Virtual media - CIFS | Yes | Not Configured | No | Yes | Yes |
| Virtual media - NFS | No | Not Configured | No | Yes | Yes |
| Virtual media - HTTPFS | Yes | Not Configured | Yes | Yes | Yes |
| RDOC - Local | Yes | Not Configured | Yes | Yes | Yes |
| RDOC - CIFS | Yes | Not Configured | No | Yes | Yes |
| RDOC - HTTP | No | Not Configured | No | Yes | Yes |
| RDOC - HTTPS | Yes | Not Configured | Yes | Yes | Yes |
| RDOC - FTP | No | Not Configured | No | Yes | Yes |
| RDOC - SFTP | Yes | Not Configured | Yes | Yes | Yes |
| FFDC upload (SFTP) | Yes | Enabled | Yes | Yes | Yes |
| FFDC upload (TFTP) | No | Enabled | No | Yes | Yes |
| Update from repository - CIFS | Yes | Not Configured | No | Yes | Yes |
| Update from repository - NFS | No | Not Configured | No | Yes | Yes |
| Update from repository - HTTP | No | Not Configured | No | Yes | Yes |
| Update from repository - HTTPS | Yes | Not Configured | Yes | Yes | Yes |
| Call home | Yes | Disabled | Yes | Yes | Yes |
| Third-party Password | Yes | Not Configured | No | Yes | Yes |
| Port Forwarding | N/A | Disabled | Yes | Yes | Yes |