Skip to main content
A newer release of this product is available.

security config show

Contributors
Suggest changes

Display Security Configuration Options

Availability: This command is available to cluster administrators at the advanced privilege level.

Description

The security config show command displays the security configurations of the cluster in advanced privilege mode.

Default values are as follows:

  • SSL FIPS mode: disabled

  • Supported protocols: TLSv1.2,TLSv1.1

  • Supported cipher suites: All suites for the listed protocols except those that have no authentication, low encryption strength (less than 56 bits), or utilize 3DES or static DH key exchange.

Enabling FIPS mode will cause the entire cluster to use FIPS-compliant crypto operations only.

Use the security config modify command to change the protocols and cipher suites that the cluster will support. When all the nodes in the cluster are updated with the modified settings, the -cluster-security-config-ready value will be shown as yes .

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields <fieldname>, …​ parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all fields.

[-interface <SSL>] - (DEPRECATED)-FIPS-Compliant Interface (privilege: advanced)
Note This parameter has been deprecated in ONTAP 9.8 and may be removed in a future release of Data ONTAP. As there only ever existed one valid value for this parameter, filtering on it has never altered the results.
Displays configurations that match the specified value for the interface.
[-is-fips-enabled {true|false}] - FIPS Mode (privilege: advanced)

Display configurations that match the specified value for FIPS mode.

[-supported-protocols {TLSv1.2|TLSv1.1|TLSv1|SSLv3}] - Supported Protocols (privilege: advanced)

Displays configurations that match the specified protocols.

[-supported-ciphers <Cipher String>] - (DEPRECATED)-Supported Ciphers (privilege: advanced)
Note This parameter has been deprecated in ONTAP 9.8 and may be removed in a future release of Data ONTAP. Use the supported-cipher-suites parameter instead.
Displays the configurations that match the specified supported ciphers.
[-supported-cipher-suites <Cipher String>,…​] - Supported Cipher Suites (privilege: advanced)

Displays the configurations that match the specified supported cipher suites.

Examples

The following example shows the default security configurations for a cluster.

cluster1::> security config show
Cluster    Supported                                           Cluster Security
FIPS Mode  Protocols Supported Cipher Suites                   Config Ready
---------- --------- ----------------------------------------  ----------------
false      TLSv1.2,  TLS_RSA_WITH_AES_128_GCM_SHA256,          yes
           TLSv1.1   TLS_RSA_WITH_AES_128_CBC_SHA,
                     TLS_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_RSA_WITH_AES_256_CBC_SHA,
                     TLS_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
                     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
                     TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_SEED_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
                     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
                     TLS_DHE_RSA_WITH_SEED_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                     TLS_PSK_WITH_AES_128_CBC_SHA,
                     TLS_PSK_WITH_AES_128_GCM_SHA256,
                     TLS_PSK_WITH_AES_256_CBC_SHA,
                     TLS_PSK_WITH_AES_256_GCM_SHA384,
                     TLS_RSA_WITH_SEED_CBC_SHA,
                     TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
                     TLS_SRP_SHA_WITH_AES_256_CBC_SHA,
                     TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
                     TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
                     TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
                     TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA

The following example shows the security configuration after FIPS mode has been enabled.

cluster1::> security config show
Cluster    Supported                                           Cluster Security
FIPS Mode  Protocols Supported Cipher Suites                   Config Ready
---------- --------- ----------------------------------------  ----------------
true       TLSv1.2,  TLS_RSA_WITH_AES_128_GCM_SHA256,          yes
           TLSv1.1   TLS_RSA_WITH_AES_128_CBC_SHA,
                     TLS_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_RSA_WITH_AES_256_CBC_SHA,
                     TLS_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                     TLS_PSK_WITH_AES_128_CBC_SHA,
                     TLS_PSK_WITH_AES_128_GCM_SHA256,
                     TLS_PSK_WITH_AES_256_CBC_SHA,
                     TLS_PSK_WITH_AES_256_GCM_SHA384