Viewing the high security settings section, High security settings section components – HP Secure Key Manager User Manual
Figure 94 Viewing the High Security Settings section
The following table describes the components of the High Security Settings section.
Table 74 High Security Settings section components
Component: Disable Creation and Use of Global Keys
Description: Disables the ability to create and use global keys. Once this option is selected, global keys cannot be created on the SKM. Any existing global keys will not be usable by the SKM for any purpose. While the device is FIPS-compliant, you may assign an owner to an existing global key.

Component: Disable Non-FIPS Algorithms and Key Sizes
Description: Prevents the creation or use of algorithms and key sizes that are not FIPS-compliant. The following algorithm and key size combinations will be disallowed:
• RC4
• DES
• RSA-512, RSA-768**
NOTE: **If your server currently uses a 768-bit certificate, this option cannot be selected. You must select, and possibly create, a different server certificate.
NOTE: Clients with 512 or 768 bit certificates will be rejected when they try to connect to a FIPS-compliant device.
Any existing keys and certificates based on these algorithms and key sizes will not be usable by the SKM for any purpose. The following algorithms and key sizes will continue to be available on the SKM:
• AES-128, AES-192, AES-256
• DES-EDE-112, DES-EDE-168
• HMAC SHA-1
• RSA-1024, RSA-2048

Component: Disable RSA Encryption and Decryption
Description: Prohibits the use of RSA keys for encryption and decryption and limits their usage to sign and sign verify operations. Administrators can still modify the encryption and decryption permissions for an RSA key, but those operations will not be supported.

Component: Disable FTP for Certificate Import, Backup and Restore
Description: Disables the use of FTP for importing certificates, downloading backup files, and restoring backup files. Administrators can still download and upload through the browser and via SCP.

Component: Disable Certificate Import through Serial Console Paste
Description: Prevents administrators from importing certificates through the serial console using cut and paste.
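
The following pre-change check is an added example, not code from the SKM or its manual. It applies the rules in Table 74 to a key and certificate inventory to show what would stop working once the key-related options are enabled. The record layout, field names, and the convention that a global key has no owner are assumptions made for illustration.

```python
# Added example: the inventory records and their field names are constructed
# for illustration; they are not an SKM export format.
DISALLOWED_ALGS = {"RC4", "DES"}      # disallowed at any key size
DISALLOWED_RSA_BITS = {512, 768}      # RSA-512 and RSA-768

def non_fips(alg, bits):
    """True for the combinations Table 74 lists as disallowed."""
    return alg in DISALLOWED_ALGS or (alg == "RSA" and bits in DISALLOWED_RSA_BITS)

def audit(keys, server_cert_bits, client_cert_bits):
    """Return (blockers, impacts) for enabling the key-related options."""
    blockers, impacts = [], []
    # A 768-bit server certificate prevents the option from being selected.
    if server_cert_bits == 768:
        blockers.append("server certificate is 768-bit; select a different certificate")
    for client, bits in sorted(client_cert_bits.items()):
        if bits in DISALLOWED_RSA_BITS:
            impacts.append((client, "client certificate will be rejected"))
    for key in keys:
        if key["owner"] is None:  # assumption: a global key has no owner
            impacts.append((key["name"], "global key becomes unusable"))
        if non_fips(key["alg"], key["bits"]):
            impacts.append((key["name"], "non-FIPS algorithm or key size, unusable"))
        elif key["alg"] == "RSA" and {"encrypt", "decrypt"} & set(key["ops"]):
            impacts.append((key["name"], "RSA encrypt/decrypt no longer supported"))
    return blockers, impacts

# Constructed sample inventory. Note DES is disallowed but DES-EDE is not.
SAMPLE_KEYS = [
    {"name": "legacy-des", "alg": "DES", "bits": 56, "owner": "app1", "ops": ["encrypt", "decrypt"]},
    {"name": "tdes", "alg": "DES-EDE", "bits": 168, "owner": "app1", "ops": ["encrypt", "decrypt"]},
    {"name": "shared-aes", "alg": "AES", "bits": 256, "owner": None, "ops": ["encrypt", "decrypt"]},
    {"name": "wrap-rsa", "alg": "RSA", "bits": 2048, "owner": "app2", "ops": ["encrypt", "sign"]},
    {"name": "old-rsa", "alg": "RSA", "bits": 768, "owner": "app2", "ops": ["sign"]},
]
SAMPLE_CLIENT_CERTS = {"pos-terminal": 768, "db-server": 2048}

if __name__ == "__main__":
    blockers, impacts = audit(SAMPLE_KEYS, 768, SAMPLE_CLIENT_CERTS)
    for blocker in blockers:
        print("BLOCKER:", blocker)
    for name, reason in impacts:
        print(f"{name}: {reason}")
```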