FIPS or CNSA compatibility report

When you are considering switching the cryptography mode for your appliance, Hewlett Packard Enterprise recommends that you run the compatibility report to check for compatibility issues for a chosen cryptography mode. Compatibility reports contain information about the behavior of devices and external servers managed or configured by HPE OneView. The report lists the various resources (storage devices, network devices, servers, enclosures) managed by HPE OneView that are not compatible with the chosen cryptography mode.

You can generate the compatibility report from the Settings > Security screen.

NOTE:

Before generating the compatibility report in HPE OneView 5.5 or later releases, delete any existing compatibility reports that have been generated using HPE OneView 5.4 or earlier releases. After deleting earlier releases report, generate the compatibility report to make sure that the right data is displayed.

To understand the impact of changing the cryptography mode, use the compatibility report that has information for the following cryptography modes.

  • FIPS: To understand the impact of changing your mode of cryptography to FIPS.

  • CNSA: To understand the impact of changing your mode of cryptography to CNSA.

You can use the compatibility reports to:

  • Assess the impact of a cryptography mode change.

  • View the supported protocols and cipher suites for the chosen cryptography mode.

  • View the appliance certificates that are not compatible with the chosen cryptography mode.

  • View details of external servers that are not compatible with the chosen cryptography mode.

  • View list of managed devices that are not compatible with the chosen cryptography mode.

  • View the actions required, if any, on the appliance to make it operate in the chosen mode.

  • View the actions required, if any, on the managed devices or external servers to continue managing or communicating with them in the chosen mode.

  • View the behavior expected of managed devices and external servers if they cannot be made compliant with the chosen mode.

  • View the services or functionality that are not available in the chosen mode.

  • Determine the impact of the mode switch on various resources, such as the appliance certificates, external servers, and managed devices.

  • Understand the actions recommended to be taken before switching the cryptography mode of the appliance. Examples:

    • Reimporting a higher strength certificate signed by your certificate authority (CA).

    • Configuring the managed device or external server to be compliant with the cryptography mode of HPE OneView.

  • Determine the devices or class of devices that cannot be managed by HPE OneView in the target mode. For example, managing c7000 enclosures is not supported when HPE OneView is in the FIPS or CNSA mode.

More information