Configure Secure Cryptography Mode
A GigaVUE node can be put into secure cryptography mode to improve the security of the management interface. In secure cryptography mode, weak encryption/decryption and hashing algorithms, used for accessing data and generating keys, are disabled. The secure cryptography mode limits the cryptographic algorithms, hashing algorithms, and SSH transport protocols, that are available for use on a GigaVUE node.
Initially, the secure cryptography mode is disabled. There are two steps to enabling it: configuring the mode, and then reloading either the node, if it is standalone, or the cluster, if the node is in a cluster environment.
Note: Refer to the GigaVUE Release Notes for the latest browser support information for Secure Cryptography Mode.
Enable Secure Cryptography Mode
To enable secure cryptography mode from the GigaVUE H-VUE, do the following:
- Select Settings > Global Settings > Security.
- Click Edit.
- On the Edit Security Settings page, select Secure Cryptography.
- Click Save.
The system displays the following notification:
Security settings updated successfully. Please reboot the device for the settings to take effect.
For the secure cryptography mode to take effect the node needs to be reloaded.
a. | Select Settings > Reboot and Upgrade. |
b. | Click Reboot. |
When a GigaVUE node is in secure cryptography mode, a status is displayed when you log in. For more information, refer to Status of Secure Cryptography Mode.
IMPORTANT: TLS version 1.2 is required for secure cryptography mode. When enabling secure cryptography mode, TLS version 1.2 is enabled by default. If you disable secure cryptography mode and want to change the TLS version, useGigaVUE-OSCLI command:web server ssl min-version tls<version>. Refer to the GigaVUE-OS-CLI Reference Guide for CLI guidance.
Disable Secure Cryptography Mode
By default, the secure cryptography mode is disabled. If it has been enabled, use the following steps to disabling it:
- Select Settings > Global Settings > Security.
- Click Edit.
- On the Edit Security Settings page, clear Secure Cryptography.
- Click Save.
The system displays the following notification:
Security settings updated successfully. Please reboot the device for the settings to take effect.
For the secure cryptography mode to take effect the node needs to be reloaded.
a. | Select Settings > Reboot and Upgrade. |
b. | Click Reboot. |
Enable Enhanced Cryptography Mode
To enable enhanced cryptography mode from the GigaVUEH-VUE, do the following:
- Select Settings > Global Settings > Security.
- Click Edit.
- On the Edit Security Settings page, select Enhanced Cryptography.
- Click Save
If you enable enhanced cryptography, then FIPS mode will be disabled.
Ciphers to Use with Secure Cryptography Mode
Use the following ciphers with secure cryptography mode:
Secure Cryptography Mode |
||
All Platforms |
||
AES128-CBC AES256-CBC |
Note: Refer to the GigaVUE Release Notes for the latest cipher support information in Secure Cryptography Mode.
Use the following ciphers with normal (non-secure) cryptography mode:
Normal Cryptography Mode |
||
GVCCV2 |
Other PowerPC Platforms |
Intel Platforms |
AES128-CTR AES192-CTR AES256-CTR |
AES128-CTR AES192-CTR AES256-CTR |
AES128-CTR AES192-CTR AES256-CTR AES128-CBC AES256-CBC |
Cryptographic Algorithms
When secure cryptography mode is enabled, the cryptographic algorithms are limited as follows:
SSH Host Key Algorithm |
SSH Key Exchange |
Encryption Algorithms |
Hash-based Message Authentication Code |
ECDSA |
Diffie-Hellman-group14-sha1 |
AES128-CBC, AES256-CBC |
HMAC-SHA1, HMAC-SHA2-256, HMAC-SHA2-512 |
Status of Secure Cryptography Mode
If the secure cryptography mode is configured on a GigaVUE node, once the node or cluster has been reloaded, a status is displayed when you log in.