The Commercial National Security Algorithm (CNSA) security state (formerly known as Suite B mode) represents the highest level of cryptographic security for HPE ProLiant servers. Enabling this state enforces strict adherence to NSA-approved algorithms for all secure communications (including the web interface, SSH, and the RESTful API).
Licensing Requirement: The CNSA security state is classified by HPE as an Advanced Security feature . According to the HPE iLO 5, iLO 6, and iLO 7 Licensing Guides, the ability to configure and enable the CNSA security state is exclusively available with an HPE iLO Advanced license . Servers with only an iLO Standard license will not have the option to select this security state.
Prerequisites for Activation: Beyond the license, the CNSA security state can only be enabled if the FIPS (Federal Information Processing Standards) security state is already active. The process typically involves setting the server to FIPS mode, rebooting, and then elevating the security state to CNSA.
Architectural Support: While iLO 7 (Option A) introduces support for CNSA 2.0 algorithms, the CNSA security state itself has been available since HPE ProLiant Gen10 servers equipped with iLO 5. Therefore, using iLO 7 is not a requirement, as earlier iLO versions also support this state.
Certificate Nuance (Option B): While CNSA mode requires the use of highly secure certificates (specifically 384-bit ECDSA keys for SSL/TLS), having a certificate signed by a " well-known CA " (public CA) is not a prerequisite for enabling the state. Administrators can use internal CAs or even self-signed certificates, provided they meet the stringent CNSA cryptographic requirements.
Key Technical Takeaway:
If a customer requires their infrastructure to hold " Top Secret " classified data or comply with the most rigid government security standards, they must ensure their ProLiant fleet is equipped with iLO Advanced licenses to unlock the CNSA security state and the Silicon Root of Trust ' s most restrictive policies.
