security config show

Display Security Configuration Options

Availability: This command is available to cluster administrators at the advanced privilege level.

Description

The security config show command displays the security configurations of the cluster in advanced privilege mode.
Default values are as follows:
  • SSL FIPS mode: disabled
  • Supported protocols: TLSv1.2,TLSv1.1
  • Supported cipher suites: All suites for the listed protocols except those that have no authentication, low encryption strength (less than 56 bits), or utilize 3DES or static DH key exchange.

Enabling FIPS mode will cause the entire cluster to use FIPS-compliant crypto operations only.

Use the security config modify command to change the protocols and cipher suites that the cluster will support.

Parameters

{ [-fields <fieldname>, ...]
If you specify the -fields <fieldname>, ... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ]}
If you specify the -instance parameter, the command displays detailed information about all fields.
[-interface <SSL>] - (DEPRECATED)-FIPS-Compliant Interface
Note: This parameter has been deprecated in ONTAP 9.8 and may be removed in a future release of Data ONTAP. As there only ever existed one valid value for this parameter, filtering on it has never altered the results.
Displays configurations that match the specified value for the interface.
[-is-fips-enabled {true|false}] - FIPS Mode
Display configurations that match the specified value for FIPS mode.
[-supported-protocols {TLSv1.2|TLSv1.1|TLSv1|SSLv3}, ...] - Supported Protocols
Displays configurations that match the specified protocols.
[-supported-ciphers <Cipher String>] - (DEPRECATED)-Supported Ciphers
Note: This parameter has been deprecated in ONTAP 9.8 and may be removed in a future release of Data ONTAP. Use the supported-cipher-suites parameter instead.
Displays the configurations that match the specified supported ciphers.
[-supported-cipher-suites <Cipher String>, ...] - Supported Cipher Suites
Displays the configurations that match the specified supported cipher suites.

Examples

The following example shows the default security configurations for a cluster.

cluster1::> security config show
Cluster    Supported
FIPS Mode  Protocols Supported Cipher Suites
---------- --------- ----------------------------------------------------------
false      TLSv1.2,  TLS_RSA_WITH_AES_128_GCM_SHA256,
           TLSv1.1   TLS_RSA_WITH_AES_128_CBC_SHA,
                     TLS_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_RSA_WITH_AES_256_CBC_SHA,
                     TLS_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
                     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
                     TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_SEED_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
                     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
                     TLS_DHE_RSA_WITH_SEED_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                     TLS_PSK_WITH_AES_128_CBC_SHA,
                     TLS_PSK_WITH_AES_128_GCM_SHA256,
                     TLS_PSK_WITH_AES_256_CBC_SHA,
                     TLS_PSK_WITH_AES_256_GCM_SHA384,
                     TLS_RSA_WITH_SEED_CBC_SHA,
                     TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
                     TLS_SRP_SHA_WITH_AES_256_CBC_SHA,
                     TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
                     TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
                     TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
                     TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA

The following example shows the security configuration after FIPS mode has been enabled.

cluster1::> security config show
Cluster    Supported
FIPS Mode  Protocols Supported Cipher Suites
---------- --------- ----------------------------------------------------------
true       TLSv1.2,  TLS_RSA_WITH_AES_128_GCM_SHA256,
           TLSv1.1   TLS_RSA_WITH_AES_128_CBC_SHA,
                     TLS_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_RSA_WITH_AES_256_CBC_SHA,
                     TLS_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                     TLS_PSK_WITH_AES_128_CBC_SHA,
                     TLS_PSK_WITH_AES_128_GCM_SHA256,
                     TLS_PSK_WITH_AES_256_CBC_SHA,
                     TLS_PSK_WITH_AES_256_GCM_SHA384