security config modify

Modify Security Configuration Options

Availability: This command is available to cluster administrators at the advanced privilege level.

Description

The security config modify command modifies the existing cluster-wide security configuration. If you enable FIPS-compliant mode, the cluster will automatically select only compliant TLS protocols (currently TLSv1.2 and TLSv1.1). Non-compliant protocols are not enabled when FIPS-compliant mode is disabled.

Use the -supported-protocols parameter to include or exclude TLS protocols independently from the FIPS mode. All protocols at or above the lowest version specified will be enabled, even those not explicitly specified. By default, FIPS mode is disabled, and Data ONTAP supports the TLSv1.2, TLSv1.1 and TLSv1 protocols. For backward compatibility, Data ONTAP supports adding SSLv3 to the supported-protocols list when FIPS mode is disabled.

Use the -supported-ciphers parameter to configure only AES, or AES and 3DES, or to disable weak ciphers such as RC4 by specifying !RC4. By default the supported-ciphers setting is ALL:!LOW:!aNULL:!EXP:!eNULL. This setting means that all supported cipher suites for the protocols are enabled, except the ones with no authentication, no encryption, export-grade, and low-encryption cipher suites (currently those using 64-bit or 56-bit encryption algorithms). Select a cipher suite which is available with the corresponding selected protocol. An invalid configuration may cause some functionality to fail to operate properly. Refer to https://www.openssl.org/docs/apps/ciphers.html published by the OpenSSL software foundation for the correct cipher string syntax.

After modifying the security configuration, reboot all the nodes manually.
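Because an invalid protocol or cipher selection only shows up as broken functionality after the mandatory reboot, it is worth checking the intended values before running the modify command. The following Python script is an added example, not NetApp code: it models the protocol rule stated above (everything at or above the lowest listed version is enabled, and FIPS mode keeps only TLSv1.2 and TLSv1.1) and expands a candidate cipher string with the OpenSSL library behind Python's ssl module so you can see which suites it actually selects and whether any RC4 or NULL suites remain. The protocol names, the FIPS_COMPLIANT set and the weak-name markers are taken from this page; the suite list comes from whatever OpenSSL your workstation has, which may differ from the build on the ONTAP nodes.

```python
"""Pre-flight check for security config modify values (added example, not NetApp code)."""
import ssl

# Protocol versions in ascending order, as named by -supported-protocols on this page.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# The page states that FIPS-compliant mode currently selects only these two.
FIPS_COMPLIANT = {"TLSv1.1", "TLSv1.2"}
# Default -supported-ciphers value from the page.
DEFAULT_CIPHERS = "ALL:!LOW:!aNULL:!EXP:!eNULL"


def effective_protocols(requested, fips_enabled=False):
    """Model of the page's rule: every protocol at or above the lowest requested
    version is enabled even if not listed; FIPS mode then keeps only compliant ones.
    Raises ValueError for an empty list or an unknown protocol name."""
    if not requested:
        raise ValueError("at least one protocol is required")
    unknown = [p for p in requested if p not in PROTOCOL_ORDER]
    if unknown:
        raise ValueError(f"unknown protocol(s): {unknown}")
    lowest = min(PROTOCOL_ORDER.index(p) for p in requested)
    enabled = PROTOCOL_ORDER[lowest:]
    if fips_enabled:
        enabled = [p for p in enabled if p in FIPS_COMPLIANT]
    return enabled


def resolve_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and return the
    selected suite names, or None when OpenSSL rejects the string because it
    selects nothing (the same syntax the -supported-ciphers parameter expects)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [suite["name"] for suite in ctx.get_ciphers()]


def weak_suites(cipher_string, weak_markers=("RC4", "NULL", "EXP")):
    """Return the selected suite names whose name contains a weak-cipher marker,
    so a candidate string can be rejected before it reaches the cluster."""
    names = resolve_cipher_string(cipher_string) or []
    return [n for n in names if any(marker in n for marker in weak_markers)]


if __name__ == "__main__":
    # Walk through the page's own examples: TLSv1.2 and TLSv1.1 with RC4 disabled.
    print("protocols:", effective_protocols(["TLSv1.2", "TLSv1.1"]))
    candidate = DEFAULT_CIPHERS + ":!RC4"
    suites = resolve_cipher_string(candidate)
    if suites is None:
        print("cipher string rejected by OpenSSL:", candidate)
    else:
        print(f"{len(suites)} suites selected, weak:", weak_suites(candidate))
```

Run it before the modify command; if resolve_cipher_string returns None the cipher string would select no suites at all, and a non-empty weak_suites result means the exclusions did not remove what you intended. The protocol model is deliberately strict about unknown names, since a typo such as TLSv1.3 is not among the values this parameter accepts.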

Parameters

-interface <SSL> - FIPS-Compliant Interface
Selects the FIPS-compliant interface. Default is SSL.
[-is-fips-enabled {true|false}] - FIPS Mode
Enables or disables FIPS-compliant mode for the entire cluster. Default is false.
[-supported-protocols {TLSv1.2|TLSv1.1|TLSv1|SSLv3}, ...] - Supported Protocols
Selects the supported protocols for the selected interface. Default is TLSv1.2,TLSv1.1,TLSv1.
[-supported-ciphers <Cipher String>] - Supported Ciphers
Selects the supported cipher suites for the selected interface. Default is ALL:!LOW:!aNULL:!EXP:!eNULL.

Examples

The following command enables FIPS mode in the cluster. (Default setting for FIPS mode is false)

cluster1::*> security config modify -interface SSL -is-fips-enabled true

The following command modifies supported protocols to TLSv1.2 and TLSv1.1 in the cluster. (Default setting for supported protocols is TLSv1.2,TLSv1.1,TLSv1)

cluster1::*> security config modify -interface SSL -supported-protocols TLSv1.2, TLSv1.1

The following command modifies supported ciphers to ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4 in the cluster. (Default setting for supported ciphers is ALL:!LOW:!aNULL:!EXP:!eNULL)

cluster1::*> security config modify -interface SSL -supported-ciphers ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4