beautypg.com

Viewing the high security settings section, High security settings section components – HP Secure Key Manager User Manual

Page 173

background image

Figure 94 Viewing the High Security Settings section

The following table describes the components of the High Security Settings section.

Table 74 High Security Settings section components

Description

Component

Disables the ability to create and use global keys. Once this option is selected, global
keys cannot be created on the SKM. Any existing global keys will not be usable by
the SKM for any purpose. While the device is FIPS-compliant, you may assign an
owner to an existing global key.

Disable Creation and
Use of Global Keys

Prevents the creation or use of algorithms and key sizes that are not FIPS-compliant.
The following algorithm and key size combinations will be disallowed:

RC4

DES

RSA-512, RSA-768**

NOTE:

**If your server currently uses a 768-bit certificate, this option cannot be
selected. You must select, and possibly create, a different server certificate.

NOTE:

Clients with 512 or 768 bit certificates will be rejected when they try to connect
to a FIPS-compliant device. Any existing keys and certificates based on these
algorithms and key sizes will not be usable by the SKM for any purpose. The
following algorithms and keys sizes

will continue to be available on the SKM:

AES-128, AES-192, AES-256

DES-EDE-112, DES-EDE-168

HMAC SHA-1

RSA-1024, RSA-2048

Disable Non-FIPS Al-
gorithms and Key
Sizes

Prohibits the use of RSA keys for encryption and decryption and limits their usage to
sign and sign verify operations. Administrators can still modify the encryption and de-
cryption permissions for an RSA key, but those operations will not be supported.

Disable RSA Encryp-
tion and Decryption

Disables the use of FTP for importing certificates, downloading backup files, and
restoring backup files. Administrators can still download and upload through the
browser and via SCP.

Disable FTP for Certi-
ficate Import, Backup
and Restore

Prevents administrators from importing certificates through the serial console using cut
and paste.

Disable Certificate
Import through Serial
Console Paste

Secure Key Manager

173