Using advanced security features, Advanced security overview, Advanced security access control – HP Secure Key Manager User Manual

Using advanced security features

Advanced security features provide the highest level of secure operation on the SKM. This section

discusses the following topics:

• Advanced Security Overview
• High Security Configuration Page
• FIPS Status Server Page
• SSL Overview
• SSL Sections

Advanced Security overview

Use the Advanced Security settings on the SKM to set the highest level of security for administrative and

cryptographic operations on the device. Depending on the SKM in use, the advanced security settings

can be configured to comply with the Federal Information Processing Standard (FIPS) 140-2, Level 2

standards. If you use a non-FIPS-compliant SKM, you can still use high security settings.
Only the following models are capable of operating in accordance with FIPS standards:

•

HP DL360 R05

All other SKM can be configured for high security but cannot be FIPS-compliant

Advanced Security Access Control

Altering the security settings on the High Security Configuration page can have a profound effect

on the security of your HP platform and alter your compliance with FIPS standards. For this reason,

administrators must have the Advanced Security Access Control to modify these settings.

FIPS Compliance

The FIPS standards describe hardware and software parameters that must be met for full compliance.

HP provides both FIPS-compliant hardware and software security settings to enable all SKMs to

operate with the highest software security settings described in the FIPS standards. However, since

FIPS compliance includes both hardware and software, FIPS compliance can only be fully achieved by

using a FIPS-capable SKM.

SKM Settings Required for FIPS Compliance

In order to comply with FIPS 140-2, Level 2, the following functionality must be disabled on the SKM:

•

Administrative options on XML interface (only if SSL is not enabled)

•

FTP transport for importing certificates and downloading and restoring backup files

•

LDAP authentication

•

LDAP administrator server

•

Use of the following algorithms: RC4, DES, RSA-512, RSA-768. These algorithms are not available

when FIPS compliance is enabled.

•

SSL 2.0 and SSL 3.0*

•

Hot-swappable drive capability

•

RSA encrypt/decrypt operations**

* We recommend running TLS over the XML interface. This requires that you generate a certificate

and enable it.

**RSA encrypt/decrypt associated with TLS handshakes and Sign and Sign Verify are permitted.

These settings are adjusted automatically when you use the Management Console’s High Security

Configuration page to enable FIPS compliance on FIPS capable SKMs.

Secure Key Manager

155