Enabling cluster-wide FIPS-compliant mode for KMIP server connections

You can use the security config modify command with the -is-fips-enabled option to enable cluster-wide FIPS-compliant mode for data in flight. Doing so forces the cluster to use OpenSSL in FIPS mode when connecting to KMIP servers.

Before you begin

About this task

When you enable cluster-wide FIPS-compliant mode, the cluster automatically uses only TLSv1.2 and FIPS-validated cipher suites. Cluster-wide FIPS-compliant mode is disabled by default.

You must reboot cluster nodes manually after modifying the cluster-wide security configuration.

Steps

  1. Set the privilege level to advanced: set -privilege advanced
  2. Verify that TLSv1.2 is supported: security config show -supported-protocols
    For complete command syntax, see the man page.
    Example
    cluster1::> security config show
              Cluster                                              Cluster Security
    Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready
    --------- ---------- ----------------------- ----------------- ----------------
    SSL       false      TLSv1.2, TLSv1.1, TLSv1 ALL:!LOW:         yes
                                                 !aNULL:!EXP:
                                                 !eNULL
  3. Enable cluster-wide FIPS-compliant mode: security config modify -is-fips-enabled true -interface SSL
    For complete command syntax, see the man page.
  4. Reboot cluster nodes manually.
  5. Verify that cluster-wide FIPS-compliant mode is enabled: security config show
    Example
    cluster1::> security config show
              Cluster                                              Cluster Security
    Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready
    --------- ---------- ----------------------- ----------------- ----------------
    SSL       true       TLSv1.2, TLSv1.1        ALL:!LOW:         yes
                                                 !aNULL:!EXP:
                                                 !eNULL:!RC4
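    The following is an added example, not part of this procedure or of ONTAP: a small Python check that parses the security config show output captured in steps 2 and 5 (for instance over an SSH session) and reports whether FIPS mode is enabled, which protocols other than TLSv1.2 are still advertised, and whether the cipher string excludes RC4. The two sample outputs are constructed from the example tables above; the column layout is assumed to match them.

```python
"""Check the FIPS posture reported by `security config show`.

Added example (not ONTAP code). It assumes the tabular layout shown on the
page: a header line, a dashed separator that defines the column widths, one
data row per interface, and continuation lines that carry wrapped values
in the same column.
"""
import re

# Constructed sample: output before enabling FIPS mode (step 2 on the page).
BEFORE_OUTPUT = "\n".join([
    "cluster1::> security config show",
    "          Cluster                                              Cluster Security",
    "Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready",
    "--------- ---------- ----------------------- ----------------- ----------------",
    "SSL       false      TLSv1.2, TLSv1.1, TLSv1 ALL:!LOW:         yes",
    " " * 45 + "!aNULL:!EXP:",
    " " * 45 + "!eNULL",
])

# Constructed sample: output after enabling FIPS mode and rebooting (step 5).
AFTER_OUTPUT = "\n".join([
    "cluster1::> security config show",
    "          Cluster                                              Cluster Security",
    "Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready",
    "--------- ---------- ----------------------- ----------------- ----------------",
    "SSL       true       TLSv1.2, TLSv1.1        ALL:!LOW:         yes",
    " " * 45 + "!aNULL:!EXP:",
    " " * 45 + "!eNULL:!RC4",
])

# Protocol names that should not be offered once FIPS mode is in effect.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _column_spans(separator_line):
    """Return (start, end) character offsets of each dashed column."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", separator_line)]


def parse_security_config(text):
    """Parse the table into a list of {column name: value} dicts.

    Continuation lines (empty Interface cell) are appended to the current
    row; ONTAP wraps long values at a separator, so fragments are joined
    without inserting characters.
    """
    lines = text.splitlines()
    sep_idx = next(i for i, line in enumerate(lines)
                   if "-" in line and re.fullmatch(r"[- ]+", line))
    spans = _column_spans(lines[sep_idx])
    header = lines[sep_idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    rows, current = [], None
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        cells = [line[s:e].strip() for s, e in spans]
        if cells[0]:                      # a new row starts with an Interface value
            current = dict.fromkeys(names, "")
            rows.append(current)
        if current is None:               # stray text before the first row
            continue
        for name, cell in zip(names, cells):
            current[name] += cell
    return rows


def check_fips_posture(rows, interface="SSL"):
    """Summarise the FIPS-relevant fields for one interface row."""
    row = next((r for r in rows if r["Interface"] == interface), None)
    if row is None:
        raise ValueError(f"no {interface} row in security config output")
    protocols = {p.strip() for p in row["Supported Protocols"].split(",") if p.strip()}
    cipher_terms = row["Supported Ciphers"].split(":")
    return {
        "fips_enabled": row["FIPS Mode"].lower() == "true",
        "legacy_protocols": sorted(protocols & LEGACY_PROTOCOLS),
        "rc4_excluded": "!RC4" in cipher_terms,
        "config_ready": row["Config Ready"].lower() == "yes",
    }


if __name__ == "__main__":
    for label, output in (("before", BEFORE_OUTPUT), ("after", AFTER_OUTPUT)):
        print(label, check_fips_posture(parse_security_config(output)))
```

    Run against the output captured after the reboot in step 4, the check confirms FIPS Mode is true and RC4 is excluded; any protocol listed under legacy_protocols is worth a second look, since the expectation stated above is that only TLSv1.2 remains in use.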