security config modify
Modify Security Configuration Options
Availability: This command is available to cluster administrators at the advanced privilege level.
Description
The security config modify command modifies the existing cluster-wide security configuration. If you enable FIPS-compliant mode, the cluster automatically selects only compliant TLS protocols (currently TLSv1.2 and TLSv1.1). Non-compliant protocols are not enabled automatically when FIPS-compliant mode is disabled; use the -supported-protocols parameter to include or exclude TLS protocols independently of FIPS mode. The protocol list acts as a floor: all protocols at or above the lowest version you specify are enabled, even those you do not list explicitly, so you cannot, for example, enable TLSv1 and TLSv1.2 while leaving TLSv1.1 disabled. By default, FIPS mode is disabled and Data ONTAP supports the TLSv1.2, TLSv1.1 and TLSv1 protocols. For backward compatibility, Data ONTAP supports adding SSLv3 to the supported-protocols list when FIPS mode is disabled.
Use the -supported-ciphers parameter to configure only AES, or AES and 3DES, or to disable weak ciphers such as RC4 by specifying !RC4. By default the supported-ciphers setting is ALL:!LOW:!aNULL:!EXP:!eNULL. This setting means that all supported cipher suites for the enabled protocols are on, except those with no authentication (aNULL), no encryption (eNULL), export-grade strength (EXP) and low strength (LOW, currently suites using 64-bit or 56-bit encryption algorithms). Select a cipher suite that is available with the corresponding selected protocol; an invalid configuration (for example, a cipher string that matches no suite at all) may cause some functionality to fail to operate properly. Refer to https://www.openssl.org/docs/apps/ciphers.html, published by the OpenSSL Software Foundation, for the correct cipher string syntax. After modifying the security configuration, reboot all the nodes manually.
Parameters
-interface <SSL> - FIPS-Compliant Interface (privilege: advanced)
Selects the FIPS-compliant interface. Default is SSL.
[-is-fips-enabled {true|false}] - FIPS Mode (privilege: advanced)
Enables or disables FIPS-compliant mode for the entire cluster. Default is false.
[-supported-protocols {TLSv1.2|TLSv1.1|TLSv1|SSLv3}] - Supported Protocols (privilege: advanced)
Selects the supported protocols for the selected interface. Default is TLSv1.2,TLSv1.1,TLSv1.
[-supported-ciphers <Cipher String>] - Supported Ciphers (privilege: advanced)
Selects the supported cipher suites for the selected interface. Default is ALL:!LOW:!aNULL:!EXP:!eNULL.
Examples
The following command enables FIPS mode in the cluster. (Default setting for FIPS mode is false.)
cluster1::*> security config modify -interface SSL -is-fips-enabled true
The following command modifies supported protocols to TLSv1.2 and TLSv1.1 in the cluster. (Default setting for supported protocols is TLSv1.2,TLSv1.1,TLSv1.)
cluster1::*> security config modify -interface SSL -supported-protocols TLSv1.2,TLSv1.1
The following command modifies supported ciphers to ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4 in the cluster. (Default setting for supported ciphers is ALL:!LOW:!aNULL:!EXP:!eNULL.)
cluster1::*> security config modify -interface SSL -supported-ciphers ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4
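The following Python script is an added example and is not part of the ONTAP command reference. It uses the OpenSSL build behind the standard ssl module to expand the cipher strings shown in the Description and Examples above, so you can see what the default ALL:!LOW:!aNULL:!EXP:!eNULL and the stricter ...:!RC4 actually select, and whether a candidate string is rejected outright, before applying it with -supported-ciphers. It also models the "floor" rule of -supported-protocols. The AES-only string, the helper function names and the weak-suite name list are assumptions for illustration; the cluster's own OpenSSL may select a different set than your workstation's build.

```python
import ssl

# Cipher strings taken from the page: the ONTAP default and the "!RC4" example.
ONTAP_DEFAULT_CIPHERS = "ALL:!LOW:!aNULL:!EXP:!eNULL"
ONTAP_NO_RC4_CIPHERS = ONTAP_DEFAULT_CIPHERS + ":!RC4"
# Assumed string for the page's "configure only AES" case (not shown on the page).
AES_ONLY_CIPHERS = "AES:!aNULL:!eNULL"

# Version order behind the page's floor rule: everything at or above the
# lowest requested version is enabled, listed or not.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def effective_protocols(requested):
    """Model the -supported-protocols rule: return every protocol at or above
    the lowest version in `requested`. Unknown names raise ValueError."""
    unknown = [p for p in requested if p not in PROTOCOL_ORDER]
    if unknown or not requested:
        raise ValueError("unsupported protocol name(s): %r" % unknown)
    lowest = min(PROTOCOL_ORDER.index(p) for p in requested)
    return PROTOCOL_ORDER[lowest:]


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and return
    the TLS 1.2-and-below suite names it selects. Raises ssl.SSLError when the
    string is rejected or matches no suite (the 'invalid configuration' the
    page warns about). TLS 1.3 suites are dropped because cipher strings do
    not govern them and the page's protocol list stops at TLSv1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def validate_cipher_string(cipher_string):
    """Return (ok, suites, error); ok is False when OpenSSL rejects the string."""
    try:
        return True, expand_cipher_string(cipher_string), ""
    except ssl.SSLError as exc:
        return False, [], str(exc)


def suites_removed_by(base, stricter):
    """Suites selected by `base` but not by `stricter`, i.e. what an exclusion
    such as '!RC4' actually takes away on this OpenSSL build."""
    return sorted(set(expand_cipher_string(base)) - set(expand_cipher_string(stricter)))


def weak_suites(suites):
    """Flag suites a practitioner would not want on a management interface:
    RC4, 3DES, NULL encryption or authentication, export grade, MD5 integrity.
    The tag list is an assumption for illustration."""
    bad = ("RC4", "3DES", "DES-CBC3", "NULL", "EXP", "MD5")
    return [s for s in suites if any(tag in s for tag in bad)]


if __name__ == "__main__":
    print("floor rule for TLSv1.2,TLSv1:", effective_protocols(["TLSv1.2", "TLSv1"]))
    candidates = [("default", ONTAP_DEFAULT_CIPHERS),
                  ("no RC4", ONTAP_NO_RC4_CIPHERS),
                  ("AES only", AES_ONLY_CIPHERS),
                  ("invalid", "eNULL:!eNULL")]   # constructed: selects nothing
    for label, cs in candidates:
        ok, suites, err = validate_cipher_string(cs)
        print("%-9s %-32s ok=%-5s suites=%-3d weak=%s %s"
              % (label, cs, ok, len(suites), weak_suites(suites), err))
    print("'!RC4' removes on this build:",
          suites_removed_by(ONTAP_DEFAULT_CIPHERS, ONTAP_NO_RC4_CIPHERS))
```

Two things the output tends to make visible: on a current OpenSSL build RC4 is not compiled in, so appending !RC4 removes nothing locally, while the default string still admits 3DES (DES-CBC3-SHA) because it is not LOW in OpenSSL's classification; and a string that selects no suite is rejected by OpenSSL rather than silently producing an empty list, which is the failure mode to catch before the mandatory node reboot. After the reboot, confirm the result from outside the cluster with openssl s_client -connect <cluster-mgmt-lif>:443 -tls1 (and -tls1_1, -tls1_2, -cipher <name>), which should fail for every protocol and suite you removed.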