beautypg.com

Advanced security access control, Fips compliance, Skm settings required for fips compliance – HP Secure Key Manager User Manual

Page 170: Clustering, Backups, Fips self-test

background image

Only the following models are capable of operating in accordance with FIPS standards:

HP DL360 R05

All other SKM can be configured for high security but cannot be FIPS-compliant

Advanced Security Access Control

Altering the security settings on the High Security Configuration page can have a profound effect on
the security of your HP platform and alter your compliance with FIPS standards. For this reason,
administrators must have the Advanced Security Access Control to modify these settings.

FIPS Compliance

The FIPS standards describe hardware and software parameters that must be met for full compliance.
HP provides both FIPS-compliant hardware and software security settings to enable all SKMs to operate
with the highest software security settings described in the FIPS standards. However, since FIPS
compliance includes both hardware and software, FIPS compliance can only be fully achieved by
using a FIPS-capable SKM.

SKM Settings Required for FIPS Compliance

In order to comply with FIPS 140-2, Level 2, the following functionality must be disabled on the SKM:

Administrative options on XML interface (only if SSL is not enabled)

FTP transport for importing certificates and downloading and restoring backup files

LDAP authentication

LDAP administrator server

Use of the following algorithms: RC4, DES, RSA-512, RSA-768. These algorithms are not available
when FIPS compliance is enabled.

SSL 2.0 and SSL 3.0*

Hot-swappable drive capability

RSA encrypt/decrypt operations**
* We recommend running TLS over the XML interface. This requires that you generate a certificate
and enable it.
**RSA encrypt/decrypt associated with TLS handshakes and Sign and Sign Verify are permitted.

These settings are adjusted automatically when you use the Management Console's High Security
Configuration page to enable FIPS compliance on FIPS capable SKMs.

Clustering

Clustering FIPS-compliant devices with non-FIPS-compliant devices will disable FIPS for all devices in
the cluster.

Backups

FIPS and non-FIPS devices cannot share backups.

FIPS Self-Test

To run a FIPS self-test on the SKM, powercycle the device.

Using the Management Console

170

See also other documents in the category HP Storage: