High security procedures, Security settings configured elsewhere, 73 high security settings section components – HP Secure Key Manager User Manual
Page 158

Table 73 High Security Settings section components
Component
Description

Disable Creation and Use of Global Keys
Disables the ability to create and use global keys. Once this option is selected, global
keys cannot be created on the SKM. Any existing global keys will not be usable by
the SKM for any purpose. While the device is FIPS-compliant, you may assign an
owner to an existing global key.

Disable Non-FIPS Algorithms and Key Sizes
Prevents the creation or use of algorithms and key sizes that are not FIPS-compliant.
The following algorithm and key size combinations will be disallowed:
• RC4
• DES
• RSA-512, RSA-768**
NOTE: **If your server currently uses a 768-bit certificate, this option cannot be
selected. You must select, and possibly create, a different server certificate.
NOTE: Clients with 512- or 768-bit certificates will be rejected when they try to connect
to a FIPS-compliant device. Any existing keys and certificates based on these
algorithms and key sizes will not be usable by the SKM for any purpose. The
following algorithms and key sizes will continue to be available on the SKM:
• AES-128, AES-192, AES-256
• DES-EDE-112, DES-EDE-168
• HMAC SHA-1
• RSA-1024, RSA-2048

Disable RSA Encryption and Decryption
Prohibits the use of RSA keys for encryption and decryption and limits their usage to
sign and sign verify operations. Administrators can still modify the encryption and
decryption permissions for an RSA key, but those operations will not be supported.

Disable FTP for Certificate Import, Backup and Restore
Disables the use of FTP for importing certificates, downloading backup files, and
restoring backup files. Administrators can still download and upload through the
browser and via SCP.

Disable Certificate Import through Serial Console Paste
Prevents administrators from importing certificates through the serial console using
cut and paste.

Disable Hotswappable RAID Drives
Prevents administrators from changing RAID drives through the Management Console.
IMPORTANT: You cannot replace RAID drives and remain FIPS-compliant. To change RAID
drives you must either disable FIPS or return the device for drive replacement.
This option will appear on RAID capable devices only.

Edit
Click to change the settings in this section.

IMPORTANT: Deselecting any of these fields will bring SKM out of FIPS compliance.

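Before selecting these options, it helps to know which existing keys and certificates they will affect. The following added example (not part of the HP manual and not an SKM tool) audits a key inventory against the rules in Table 73. The Item record, its field names and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Combinations Table 73 lists as disallowed by "Disable Non-FIPS Algorithms and Key Sizes".
DISALLOWED_ANY_SIZE = {"RC4", "DES"}
DISALLOWED_RSA_BITS = {512, 768}

@dataclass
class Item:  # hypothetical inventory record, not an SKM export format
    name: str
    algorithm: str                 # e.g. "AES", "DES", "DES-EDE", "RC4", "RSA"
    bits: int
    kind: str = "key"              # "key", "server-cert" or "client-cert"
    owner: Optional[str] = None    # None marks a global key
    ops: frozenset = frozenset()   # operations permitted on the key

def audit(items):
    """Map item name -> findings that apply once every setting is selected."""
    report = {}
    for it in items:
        alg, findings = it.algorithm.upper(), []
        non_fips = alg in DISALLOWED_ANY_SIZE or (
            alg == "RSA" and it.bits in DISALLOWED_RSA_BITS)
        if non_fips and it.kind == "server-cert" and it.bits == 768:
            findings.append("blocker: choose a different server certificate first")
        elif non_fips and it.kind == "client-cert":
            findings.append("client rejected on connect")
        elif non_fips:
            findings.append("unusable: non-FIPS algorithm or key size")
        if it.kind == "key" and it.owner is None:
            findings.append("unusable: global key, assign an owner")
        if alg == "RSA" and not non_fips and it.ops & {"encrypt", "decrypt"}:
            findings.append("encrypt/decrypt not supported, sign/verify only")
        if findings:
            report[it.name] = findings
    return report

# Constructed sample inventory (names and owners are made up).
SAMPLE = [
    Item("db-aes", "AES", 256, owner="alice"),
    Item("legacy-rc4", "RC4", 128, owner="alice"),
    Item("shared-3des", "DES-EDE", 168),
    Item("wrap-rsa", "RSA", 2048, owner="bob", ops=frozenset({"encrypt", "sign"})),
    Item("old-global-des", "DES", 56),
    Item("skm-server", "RSA", 768, kind="server-cert"),
    Item("pos-client", "RSA", 512, kind="client-cert"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```
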
Security Settings Configured Elsewhere
Use this section to monitor the status of security settings that are configured on other pages of the
Management Console.
Using the Management Console