Ciphers for secure connection between HPE OneView and backup server
Establish a secure connection between the HPE OneView appliance and the backup server.
Establishing a secure connection between the appliance and a backup server requires a negotiation between the client and the server to determine the strongest cryptographic components, such as the keys and algorithms that they both support.
The following are the cryptographic ciphers used for encryption:

Cipher names | Description | Example | Additional information |
SYMETRICKEY (Ciphers) | The symmetric cipher algorithms used to encrypt the entire connection between the client and server. | aes256-ctr, aes192-ctr, and aes128-ctr | For these ciphers, the client provides a list of candidates in a preferred order from strongest to weakest. The server responds with the first option that it supports. |
MAC (MACs) | The algorithms used to convert a hash of each message into the Message Authentication Code used to confirm that each message comes from the stated sender and has not been modified in transit. | hmac-sha2-512, hmac-sha2-256, and hmac-sha1 | |
KEYEXCHANGE (KexAlgorithms) | Key exchange algorithms used to negotiate a shared symmetric encryption key for each session based on public/private key pairs. These key pairs are generated inside the exchange algorithms that allow secured negotiation over insecure channels. | ecdh-sha2-nistp384, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp521, diffie-hellman-group14-sha1 | |
ASYMETRICKEYGENERATOR (HostKeyAlgorithms) | The public/private key pair used to authenticate the remote backup server as it is configured in the appliance. This key pair is only used for authentication and is unrelated to the key pairs used by the key exchange algorithm. | dsa, rsa, and ecdsa. NOTE: Keys are specified by algorithm and length. | In the negotiation of this cipher, the server will respond by accepting the public key provided by the appliance, if it has already been accepted. If not, for version 4.2 or later, the server accepts a fingerprint and the strongest key at the current security level. |
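The following is an added example, not HPE code: it applies the selection rule from the table (the first algorithm in the client's preference list that the server also supports) to the effective configuration a backup server prints with `sshd -T`. Treating the table's example names, in the order listed, as the appliance's offer is an assumption, and host key algorithms are left out because the table gives only generic names for them.

```python
# APPLIANCE_OFFER copies the example names from the table above; using that
# order as the appliance's real preference order is an assumption.
APPLIANCE_OFFER = {
    "ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "macs": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"],
    "kexalgorithms": [
        "ecdh-sha2-nistp384", "diffie-hellman-group-exchange-sha256",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp521",
        "diffie-hellman-group14-sha1",
    ],
}

# Constructed sample of `sshd -T` output from a backup server (not real data).
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256,sntrup761x25519-sha512@openssh.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
"""

def parse_sshd_t(text):
    """Return {keyword: [algorithms]} for the keywords in APPLIANCE_OFFER."""
    server = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() in APPLIANCE_OFFER:
            server[keyword.lower()] = [a.strip() for a in value.split(",") if a.strip()]
    return server

def negotiate(client_prefs, server_algs):
    """First client preference the server also supports (RFC 4253, section 7.1)."""
    supported = set(server_algs)
    return next((alg for alg in client_prefs if alg in supported), None)

def check_backup_server(sshd_t_text):
    """Map each category to the negotiated algorithm, or None if no overlap."""
    server = parse_sshd_t(sshd_t_text)
    return {kw: negotiate(prefs, server.get(kw, []))
            for kw, prefs in APPLIANCE_OFFER.items()}

if __name__ == "__main__":
    for keyword, chosen in check_backup_server(SAMPLE_SSHD_T).items():
        print(f"{keyword:14} {chosen or 'NO COMMON ALGORITHM: connection would fail'}")
```

With the constructed sample, the cipher settles on aes256-ctr even though the server lists aes128-ctr first, and the key exchange has no overlap, which is the case that prevents the backup connection from being established.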