Update the software FIPS mode or enable conversion of non-encrypted metadata volumes and non-NAE aggregates
PATCH /security
Introduced In: 9.8
Updates the software FIPS mode or enables conversion of non-encrypted metadata volumes to encrypted metadata volumes and non-NAE aggregates to NAE aggregates.
Related ONTAP commands
- security config modify
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
fips | fips | Cluster-wide Federal Information Processing Standards (FIPS) mode information. |
management_protocols | management_protocols | Cluster-wide security protocols related information. |
onboard_key_manager_configurable_status | onboard_key_manager_configurable_status | Indicates whether the Onboard Key Manager can be configured in the cluster. |
software_data_encryption | software_data_encryption | Cluster-wide software data encryption related information. |
tls | tls | Cluster-wide Transport Layer Security (TLS) configuration information. |
us_federal_cybersecurity | us_federal_cybersecurity | Cluster-wide cybersecurity compliance information as per United States federal standards. |
Example request
```json
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "onboard_key_manager_configurable_status": {
    "code": 65537300,
    "message": "No platform support for volume encryption in following nodes - node1, node2."
  },
  "tls": {
    "cipher_suites": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    ],
    "protocol_versions": [
      "string"
    ]
  }
}
```
Response
Status: 200, Ok
Name | Type | Description |
---|---|---|
job | job_link | |
Example response
```json
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}
```
Response
Status: 202, Accepted
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
5636142 | This operation is not supported in a mixed-release cluster. |
5636145 | This operation is not supported when cluster security is configured with FIPS mode. |
52428817 | SSLv3 is not supported when FIPS is enabled. |
52428824 | TLSv1 is not supported when FIPS is enabled. |
52428830 | Cannot enable FIPS-compliant mode because the configured minimum security strength for certificates is not compatible. |
52428832 | TLSv1.1 is not supported when FIPS is enabled. |
52559974 | Cannot enable FIPS-compliant mode because a certificate that is not FIPS-compliant is in use. |
196608081 | Cannot start software encryption conversion while there are data volumes in the cluster. |
196608082 | The operation is not valid when the MetroCluster is in switchover mode. |
Also see the table of common errors in the Response body overview section of this documentation.
Name | Type | Description |
---|---|---|
error | returned_error | |
Example error
```json
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}
```
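The following is an added example, not code from ONTAP or its documentation, showing how a client would use this endpoint: it builds the PATCH with the `return_timeout` query parameter described above, checks a request body against the FIPS/protocol-version conflicts listed in the error table before sending it, classifies the 200/202/error outcomes, and follows the job link returned with a 202. It assumes the `/api` prefix seen in this page's example hrefs, assumes the spellings `SSLv3`, `TLSv1` and `TLSv1.1` for `tls.protocol_versions` values (the page shows only `"string"`), and assumes the job resource carries a `state` field with terminal values `success` and `failure`, which this page does not document. The HTTP transport is injected so the example runs offline against constructed responses.

```python
"""Client-side helpers for PATCH /security (added example, not ONTAP code)."""
import json
from typing import Callable
from urllib.parse import urlencode

# Error codes and descriptions taken from the error table on this page.
ONTAP_ERROR_CODES = {
    5636142: "This operation is not supported in a mixed-release cluster.",
    5636145: "This operation is not supported when cluster security is configured with FIPS mode.",
    52428817: "SSLv3 is not supported when FIPS is enabled.",
    52428824: "TLSv1 is not supported when FIPS is enabled.",
    52428830: "Cannot enable FIPS-compliant mode because the configured minimum security strength for certificates is not compatible.",
    52428832: "TLSv1.1 is not supported when FIPS is enabled.",
    52559974: "Cannot enable FIPS-compliant mode because a certificate that is not FIPS-compliant is in use.",
    196608081: "Cannot start software encryption conversion while there are data volumes in the cluster.",
    196608082: "The operation is not valid when the MetroCluster is in switchover mode.",
}

# Protocol versions the error table says are rejected once FIPS is enabled,
# mapped to the code ONTAP returns. The exact strings accepted by
# tls.protocol_versions are not shown on this page; these spellings are assumed.
FIPS_REJECTED_PROTOCOLS = {"SSLv3": 52428817, "TLSv1": 52428824, "TLSv1.1": 52428832}


def build_security_patch(body: dict, return_timeout: int = 0) -> tuple:
    """Return (method, path, serialized body) for PATCH /security.

    return_timeout=0 is the documented default for PATCH: an asynchronous
    change answers 202 straight away with a job link. A non-zero value asks
    ONTAP to wait up to that many seconds so the call can return 200 instead.
    The /api prefix is assumed from the hrefs in this page's examples.
    """
    query = urlencode({"return_timeout": return_timeout})
    return "PATCH", f"/api/security?{query}", json.dumps(body)


def preflight_fips_conflicts(body: dict) -> list:
    """Return the ONTAP error codes this body would trigger on the server.

    Only the FIPS/protocol-version conflicts from the error table can be
    judged client-side; certificate strength and cluster state cannot.
    """
    if body.get("fips", {}).get("enabled") is not True:
        return []
    requested = body.get("tls", {}).get("protocol_versions", [])
    return [FIPS_REJECTED_PROTOCOLS[v] for v in requested if v in FIPS_REJECTED_PROTOCOLS]


def interpret_response(status: int, payload: dict) -> dict:
    """Classify the three outcomes this endpoint documents: 200, 202, error."""
    if status == 200:
        return {"outcome": "completed"}
    if status == 202:
        job = payload["job"]
        return {"outcome": "accepted", "job_uuid": job["uuid"],
                "job_href": job["_links"]["self"]["href"]}
    err = payload.get("error", {})
    raw = str(err.get("code", ""))  # the error example carries the code as a string
    code = int(raw) if raw.isdigit() else None
    return {"outcome": "error", "code": code, "message": err.get("message"),
            "known_cause": ONTAP_ERROR_CODES.get(code)}


def wait_for_job(fetch: Callable[[str], dict], href: str, max_polls: int = 30) -> dict:
    """Follow the job link from a 202 until the job reaches a terminal state.

    ``fetch`` GETs a path and returns parsed JSON; it is injected so the
    example runs offline. The job object's ``state`` field and its terminal
    values ("success", "failure") are assumptions about the ONTAP job
    resource, which this page does not describe.
    """
    for _ in range(max_polls):
        job = fetch(href)
        if job.get("state") in ("success", "failure"):
            return job
    raise TimeoutError(f"job at {href} still running after {max_polls} polls")


if __name__ == "__main__":
    # Constructed request: enable FIPS while still listing TLSv1 (would be rejected).
    body = {"fips": {"enabled": True}, "tls": {"protocol_versions": ["TLSv1.2", "TLSv1"]}}
    for code in preflight_fips_conflicts(body):
        print(f"would fail with {code}: {ONTAP_ERROR_CODES[code]}")
    body["tls"]["protocol_versions"] = ["TLSv1.2"]
    print(build_security_patch(body, return_timeout=30))
    # Constructed 202 reply in the shape of this page's example response.
    accepted = {"job": {"_links": {"self": {"href": "/api/resourcelink"}}, "uuid": "string"}}
    result = interpret_response(202, accepted)
    polls = iter([{"state": "running"}, {"state": "success"}])  # constructed job states
    print(wait_for_job(lambda _href: next(polls), result["job_href"]))
```

The preflight check is worth doing because the protocol-version conflicts are the only entries in the error table a client can rule out before sending; the certificate and cluster-state conditions (52428830, 52559974, 196608081, 196608082) only surface in the server's reply, which is why `interpret_response` maps every code back to its documented cause.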
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | href | |
fips
Cluster-wide Federal Information Processing Standards (FIPS) mode information.
Name | Type | Description |
---|---|---|
enabled | boolean | Indicates whether or not the software FIPS mode is enabled on the cluster. Our FIPS compliance involves configuring the use of only approved algorithms in applicable contexts (for example TLS), as well as the use of formally validated cryptographic module software implementations, where applicable. The US government documents concerning FIPS 140-2 outline the relevant security policies in detail. |
management_protocols
Cluster-wide security protocols related information.
Name | Type | Description |
---|---|---|
rsh_enabled | boolean | Indicates whether or not the security protocol rsh is enabled on the cluster. |
telnet_enabled | boolean | Indicates whether or not the security protocol telnet is enabled on the cluster. |
onboard_key_manager_configurable_status
Indicates whether the Onboard Key Manager can be configured in the cluster.
Name | Type | Description |
---|---|---|
code | integer | Code corresponding to the status message. Returns 0 if the Onboard Key Manager can be configured in the cluster. |
message | string | Reason that the Onboard Key Manager cannot be configured in the cluster. |
supported | boolean | Set to true if the Onboard Key Manager can be configured in the cluster. |
software_data_encryption
Cluster-wide software data encryption related information.
Name | Type | Description |
---|---|---|
conversion_enabled | boolean | Indicates whether or not software encryption conversion is enabled on the cluster. A PATCH request initiates the conversion of all non-encrypted metadata volumes in the cluster to encrypted metadata volumes and all non-NAE aggregates to NAE aggregates. For the PATCH request to start, the cluster must have either an Onboard or an external key manager set up, and the aggregates must either be empty or contain only metadata volumes. No data volumes should be present in any of the aggregates in the cluster. For MetroCluster configurations, a PATCH request enables conversion on all the aggregates and metadata volumes of both local and remote clusters and is not allowed when the MetroCluster is in switchover state. |
disabled_by_default | boolean | Indicates whether or not default software data-at-rest encryption is disabled on the cluster. |
tls
Cluster-wide Transport Layer Security (TLS) configuration information.
Name | Type | Description |
---|---|---|
cipher_suites | array[string] | Names a cipher suite that the system can select during TLS handshakes. A list of available options can be found on the Internet Assigned Numbers Authority (IANA) website. |
protocol_versions | array[string] | Names a TLS protocol version that the system can select during TLS handshakes. The use of SSLv3 or TLSv1 is discouraged. |
us_federal_cybersecurity
Cluster-wide cybersecurity compliance information as per United States federal standards.
Name | Type | Description |
---|---|---|
alerts_enabled | boolean | Indicates whether or not the cybersecurity compliance alerts are enabled on the cluster. United States cybersecurity compliance involves configuring the ONTAP security features as per United States federal security policies. Enabling alerts will generate alerts when ONTAP security features are not configured as per United States federal security policies. |
security_config
Name | Type | Description |
---|---|---|
_links | _links | |
fips | fips | Cluster-wide Federal Information Processing Standards (FIPS) mode information. |
management_protocols | management_protocols | Cluster-wide security protocols related information. |
onboard_key_manager_configurable_status | onboard_key_manager_configurable_status | Indicates whether the Onboard Key Manager can be configured in the cluster. |
software_data_encryption | software_data_encryption | Cluster-wide software data encryption related information. |
tls | tls | Cluster-wide Transport Layer Security (TLS) configuration information. |
us_federal_cybersecurity | us_federal_cybersecurity | Cluster-wide cybersecurity compliance information as per United States federal standards. |
job_link
Name | Type | Description |
---|---|---|
_links | _links | |
uuid | string | The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |