Cryptography mode settings
- Legacy: This is the default cryptography mode. In the legacy mode, all TLS protocol versions (1.1 and 1.2) and associated cipher suites for those versions are supported. TLS certificates are not required to have FIPS or CNSA minimum key lengths or strong digital signatures.
- FIPS: Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard for products performing cryptography. The FIPS 140-2 Cryptographic Module Validation Program has validated the cryptography libraries of HPE OneView. When in the FIPS mode:
  - The cryptographic modules of the appliance are configured to operate in accordance with the FIPS 140-2 level 1 specification. This setting ensures that the required FIPS self-tests are run while loading these cryptographic modules.
  - The ciphers and algorithms used for cryptographic operations by the appliance are restricted to only those approved by FIPS.
  - The appliance allows only the TLS 1.1 and TLS 1.2 protocols for all TLS communications.
  - All SSH and SNMPv3 communication uses only cipher suites and algorithms approved by FIPS.
  For additional information, see the FIPS-140 site.
- CNSA: The Commercial National Security Algorithm (CNSA) cryptography mode restricts HPE OneView to use only those algorithms included in the CNSA suite. The CNSA suite is a subset of the general FIPS support and includes a set of algorithms used to protect national security systems, including information classified as "top secret". In the CNSA mode, the appliance uses only the TLS 1.2 protocol and a CNSA-strength subset of the TLS 1.2 ciphers. Similarly, SSH and SNMP communication uses CNSA-compliant ciphers and algorithms.
  For additional information, see the CNSA standards site. This website uses a US Government Certificate Authority-signed certificate which is not present, by default, in most browser trust stores. For more information on establishing trust with this website, see Establishing Site Trust.
In HPE OneView releases prior to version 4.0, local user passwords are hashed using SHA-256. Starting with release version 4.0, the first time the user logs in, irrespective of the appliance cryptography mode, the password is rehashed using SHA-384.
- When the iLO of a managed server is in the CNSA mode, the iLO user interface or console is not accessible from the HPE OneView console user interface.
- When the appliance is in the CNSA mode, support technicians cannot establish an SSH session using the HPE RDA Support App.
For a complete list of ciphers and algorithms supported in the legacy, FIPS and CNSA modes, see Algorithms, cipher suites, and protocols for securing the appliance.
- New installation
The appliance defaults to the legacy mode. Starting with HPE OneView version 5.2, TLS protocol version 1.0 is disabled by default for new installations.
- Upgrade
The cryptography mode of the appliance prior to the upgrade is retained after the upgrade. If you upgrade from a previous version of the appliance to HPE OneView 5.2 or later, the TLS 1.0 configuration of the appliance prior to the upgrade is retained in the upgraded appliance.
- Factory reset
Neither a factory reset nor the Preserve network settings option changes the cryptography mode; the cryptography mode of the appliance prior to the reset is retained. Verify that the Cryptography setting is set to the required mode in the security settings panel. A full factory reset on a newly installed appliance disables TLS 1.0. A factory reset on an appliance upgraded to 5.2 or later retains the previous factory settings and enables the TLS 1.0 configuration. A factory reset that preserves network settings retains the TLS 1.0 configuration in effect prior to the reset.
- Back up and restore
A restore operation restores the appliance to the same cryptography mode as the backed-up appliance.
For HPE OneView to operate in FIPS or CNSA mode, it is not required that all systems or devices that are managed or monitored by HPE OneView (for example, blade iLO) or the external servers that communicate with HPE OneView (for example, Microsoft Active Directory Server) also operate in FIPS or CNSA-approved mode only. However, HPE OneView must be able to communicate with these managed or monitored devices and external servers with the protocols and cipher suites supported by the chosen mode. For example, as long as a device supports FIPS-compliant TLS protocols, ciphers and certificates, HPE OneView in FIPS or CNSA modes can manage that device.
A restore operation restores the appliance to the same TLS 1.0 configuration (enabled or disabled) as the backed-up appliance.
For information on support for various devices and supported cryptography modes, see the HPE OneView Support Matrix.
Additionally, using a higher mode of cryptography requires that you use stronger certificates for all TLS communications. For example, in the CNSA mode, managed devices using RSA certificates need a minimum key length of 3,072 bits and a digital signature using SHA-384 or greater.
ProLiant G6 systems have iLO versions that support only TLS 1.0, so they do not function when TLS 1.0 is disabled. These servers are not supported when the appliance is in the FIPS or CNSA modes. Even in legacy mode, these servers are not supported on a new installation of HPE OneView because TLS 1.0 is disabled by default. TLS 1.0 must be explicitly enabled in legacy mode to manage these servers from HPE OneView 5.2 and later versions.
ProLiant G7 systems have iLO versions that only support TLS 1.0 and 1.1. These servers are not supported when the appliance is in the CNSA mode.
ProLiant Gen8 systems have iLO versions that support TLS 1.1 and 1.2, and are compatible with both FIPS and CNSA modes.
HPE iPDU power devices support only TLS 1.0, so they do not function when TLS 1.0 is disabled. iPDUs are not supported when the appliance is in the FIPS or CNSA modes.
Any external server, third-party device, or device manager that supports only TLS 1.0 does not function on a newly installed HPE OneView. This is because TLS 1.0 is disabled, by default, in HPE OneView 5.2 and later versions.
You can use the following REST API to enable or disable TLS 1.0:
PUT /rest/security-standards/protocols
Hewlett Packard Enterprise recommends that you do not enable TLS 1.0 as it is no longer considered to be a secure protocol. Enabling or disabling TLS 1.0 reboots the appliance automatically.
When opting for a higher security mode, use the Compatibility report option to get a complete report of any currently managed or monitored devices that are not compatible with the target mode.
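The following is an added example, not HPE code: it models the kind of check a compatibility report performs against the rules above (which TLS versions each mode permits, TLS 1.0 only when explicitly enabled in legacy mode, and the CNSA certificate floor of RSA 3072 bits and SHA-384). The device inventory and its names are constructed for illustration, and only the CNSA certificate floor is enforced because the page states no figures for the other modes.

```python
"""Compatibility-report logic for a target cryptography mode (added example, not HPE code)."""
from dataclasses import dataclass

# TLS versions each mode accepts. TLS 1.0 is only ever usable in legacy mode,
# and only when it has been explicitly enabled (it is off by default since 5.2).
MODE_TLS = {
    "legacy": {"1.0", "1.1", "1.2"},
    "fips": {"1.1", "1.2"},
    "cnsa": {"1.2"},
}
# Certificate floors (min RSA bits, min SHA digest bits). Only the CNSA floor is
# stated on the page; other modes are left unenforced here rather than guessed.
MODE_CERT = {"cnsa": (3072, 384)}

@dataclass
class Device:
    name: str
    tls_versions: set
    rsa_key_bits: int
    sig_hash_bits: int  # SHA-256 -> 256, SHA-384 -> 384

def check_device(dev, mode, tls10_enabled=False):
    """Return the reasons `dev` cannot be managed in `mode`; an empty list means compatible."""
    reasons = []
    allowed = set(MODE_TLS[mode])
    if not tls10_enabled:
        allowed.discard("1.0")
    if not (dev.tls_versions & allowed):
        reasons.append(f"no common TLS version (device {sorted(dev.tls_versions)}, mode {sorted(allowed)})")
    min_bits, min_hash = MODE_CERT.get(mode, (0, 0))
    if dev.rsa_key_bits < min_bits:
        reasons.append(f"RSA key {dev.rsa_key_bits} < {min_bits} bits")
    if dev.sig_hash_bits < min_hash:
        reasons.append(f"signature hash SHA-{dev.sig_hash_bits} < SHA-{min_hash}")
    return reasons

def compatibility_report(devices, mode, tls10_enabled=False):
    """Map each device name to its incompatibility reasons for the target mode."""
    return {d.name: check_device(d, mode, tls10_enabled) for d in devices}

# Constructed inventory modelled on the server generations the page describes (names are hypothetical).
INVENTORY = [
    Device("g6-ilo", {"1.0"}, 2048, 256),
    Device("g7-ilo", {"1.0", "1.1"}, 2048, 256),
    Device("gen8-ilo", {"1.1", "1.2"}, 2048, 256),
    Device("gen8-ilo-strong-cert", {"1.2"}, 3072, 384),
    Device("ipdu", {"1.0"}, 2048, 256),
]
```

Calling `compatibility_report(INVENTORY, "cnsa")` lists, per device, why it would stop working after a move to CNSA mode, while `compatibility_report(INVENTORY, "legacy", tls10_enabled=True)` shows the G6 and iPDU entries becoming manageable only once TLS 1.0 is re-enabled.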
Changing the cryptography mode might regenerate the web server or RabbitMQ certificates. The newly generated RabbitMQ client certificate, along with the CA and key pair, must be applied to the RabbitMQ client. When using CA-signed certificates, you must issue a new Certificate Signing Request (CSR), obtain a stronger certificate, and reimport the certificate into your appliance. Check the compatibility report for details. The appliance automatically reboots as part of configuring the appliance in a different cryptographic mode.
The Edit cryptography mode screen lets you view an existing compatibility report and change the active cryptography mode. By generating a new compatibility report for a given cryptography mode, you can understand the impact of a mode change on the appliance.