ONTAP REST API reference

Update the software FIPS mode or enable conversion of non-encrypted metadata volumes and non-NAE aggregates


PATCH /security

Introduced In: 9.8

Updates the software FIPS mode or modifies software data encryption.

Platform Specifics

Unified ONTAP

The PATCH request can be used to enable conversion of non-encrypted metadata volumes to encrypted metadata volumes and non-NAE aggregates to NAE aggregates.

  • security config modify

Parameters

Name | Type | In | Required | Description
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1
  • Max value: 120
  • Min value: 0

Request Body

Name | Type | Description
_links | _links |
fips | fips | Cluster-wide Federal Information Processing Standards (FIPS) mode information.
management_protocols | management_protocols | Cluster-wide security protocols related information.
onboard_key_manager_configurable_status | onboard_key_manager_configurable_status | Indicates whether the Onboard Key Manager can be configured in the cluster.
software_data_encryption | software_data_encryption | Cluster-wide software data encryption related information.
tls | tls | Cluster-wide Transport Layer Security (TLS) configuration information.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "onboard_key_manager_configurable_status": {
    "code": 65537300,
    "message": "No platform support for volume encryption in following nodes - node1, node2."
  },
  "software_data_encryption": {
    "encryption_state": "string"
  },
  "tls": {
    "cipher_suites": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    ],
    "protocol_versions": [
      "string"
    ]
  }
}

Response

Status: 200, Ok
Name | Type | Description
job | job_link |

Example response
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}

Response

Status: 202, Accepted

Error

Status: Default

ONTAP Error Response Codes

Error Code | Description
5636142 | This operation is not supported in a mixed-release cluster.
5636145 | This operation is not supported when cluster security is configured with FIPS mode.
52428817 | SSLv3 is not supported when FIPS is enabled.
52428824 | TLSv1 is not supported when FIPS is enabled.
52428830 | Cannot enable FIPS-compliant mode because the configured minimum security strength for certificates is not compatible.
52428832 | TLSv1.1 is not supported when FIPS is enabled.
52559974 | Cannot enable FIPS-compliant mode because a certificate that is not FIPS-compliant is in use.
65536987 | One or more key servers are unavailable.
196608047 | Operation is not allowed when volume move is in progress.
196608070 | Key manager is not configured on the cluster. Configure either an external Key Management Server or an onboard key manager.
196608081 | Cannot start software encryption conversion while there are data volumes in the cluster.
196608082 | The operation is not valid when the MetroCluster is in switchover mode.
196608368 | Failed to perform the requested operation. One or more data volume in offline state.
196608369 | Conversion cannot be enabled because the cluster contains read-only or primordial logical data-protection volumes. Retry the patch operation after deleting those volumes.
196608370 | The PATCH request to enable conversion failed because one or more volumes are already queued for the encryption conversion operation.
196608372 | An automated ONTAP update is in progress, retry the PATCH request after it is completed.
196608373 | Unable to perform the encryption operation because of a mixed-release cluster. Complete the upgrade or revert operation, then try the PATCH request again.
196608374 | Failed to perform the requested operation. One or more SVMs not in admin running state.
196608375 | Failed to perform the requested operation. One or more volume is of temporary type.
196608376 | Internal error. Could not get volume encryption information.
196608377 | Internal error. The Volume Location Database (VLDB) is inconsistent. Contact support personnel to resolve this issue.
196608378 | Failed to perform the requested operation. Data SVM Key manager configuration is in mixed state.
196608379 | Internal error. The encryption metadata for the volume is inconsistent. Contact technical support for assistance.
196608380 | Failed to perform the requested operation. Wafliron is currently active.
196608381 | Failed to perform the requested operation. A clone split operation is in progress.
196608382 | Failed to perform the requested operation. A volume rehost operation is in progress.
196608383 | Failed to perform the requested operation. The cluster contains one or more SnapLock volume.
196608384 | The PATCH request to start rekey failed because the cluster contains one or more plain text volumes. Retry the PATCH request after converting the existing plain text volumes to encrypted volumes.
196608385 | Failed to perform the requested operation. Keystore configuration is being switched. Wait until the keystore is in the active state and then try the PATCH request again.
196608386 | Failed to perform the requested operation. Rekey operation for one or more SVMs is in progress. Wait until the keystore is in the active state and then try the PATCH request again.
196608387 | "software_data_encryption.conversion_enabled" cannot be set to "false" in a PATCH request.
196608388 | Both "software_data_encryption.conversion_enabled" and "software_data_encryption.disabled_by_default" cannot be set to "true" in a single PATCH request.
196608389 | Both "software_data_encryption.conversion_enabled" and "software_data_encryption.rekey" cannot be set to "true" in a single PATCH request.
196608390 | "software_data_encryption.rekey" cannot be set to "false" in a PATCH request.
196608391 | Both "software_data_encryption.rekey" and "software_data_encryption.disabled_by_default" cannot be set to "true" in a single PATCH request.
196608392 | The PATCH request for cluster level rekey requires an effective cluster version of 9.16.1 or later.
196608393 | The PATCH request for cluster level rekey is not supported on this platform.

Also see the table of common errors in the Response body overview section of this documentation.

Name | Type | Description
error | returned_error |

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions


href

Name | Type | Description
href | string |

_links

Name | Type | Description
self | href |

fips

Cluster-wide Federal Information Processing Standards (FIPS) mode information.

Name | Type | Description
enabled | boolean | Indicates whether or not the software FIPS mode is enabled on the cluster. Our FIPS compliance involves configuring the use of only approved algorithms in applicable contexts (for example TLS), as well as the use of formally validated cryptographic module software implementations, where applicable. The US government documents concerning FIPS 140-2 outline the relevant security policies in detail.

management_protocols

Cluster-wide security protocols related information.

Name | Type | Description
rsh_enabled | boolean | Indicates whether or not the security protocol rsh is enabled on the cluster.
telnet_enabled | boolean | Indicates whether or not the security protocol telnet is enabled on the cluster.

onboard_key_manager_configurable_status

Indicates whether the Onboard Key Manager can be configured in the cluster.

Name | Type | Description
code | integer | Code corresponding to the status message. Returns 0 if the Onboard Key Manager can be configured in the cluster.
message | string | Reason that the Onboard Key Manager cannot be configured in the cluster.
supported | boolean | Set to true if the Onboard Key Manager can be configured in the cluster.

software_data_encryption

Cluster-wide software data encryption related information.

Name | Type | Description
conversion_enabled | boolean | Indicates whether or not software encryption conversion is enabled on the cluster. A PATCH request initiates the conversion of all non-encrypted metadata volumes in the cluster to encrypted metadata volumes and all non-NAE aggregates to NAE aggregates. For the PATCH request to start, the cluster must have either an Onboard or an external key manager set up, and the aggregates must either be empty or contain only metadata volumes. No data volumes may be present in any of the aggregates in the cluster. For MetroCluster configurations, a PATCH request enables conversion on all the aggregates and metadata volumes of both local and remote clusters and is not allowed when the MetroCluster is in switchover state.
disabled_by_default | boolean | Indicates whether or not default software data at rest encryption is disabled on the cluster.
encryption_state | string | Software data encryption state. One of:
  • encrypted: All the volumes are encrypted.
  • encrypting: Encryption conversion operation is in progress.
  • partial: Some volumes are encrypted, and others remain in plain text.
  • rekeying: All volumes are currently being encrypted with a new key.
  • unencrypted: None of the volumes are encrypted.
  • conversion_paused: Encryption conversion operation is paused on one or more volumes.
  • rekey_paused: Encryption rekey operation is paused on one or more volumes.
rekey | boolean |

tls

Cluster-wide Transport Layer Security (TLS) configuration information.

Name | Type | Description
cipher_suites | array[string] | Names a cipher suite that the system can select during TLS handshakes. A list of available options can be found on the Internet Assigned Numbers Authority (IANA) website.
protocol_versions | array[string] | Names a TLS protocol version that the system can select during TLS handshakes. The use of SSLv3 or TLSv1 is discouraged.
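As an added example (not part of this reference and not NetApp's own tooling), the following Python encodes the request-body rules this page states for PATCH /security (error codes 196608387 to 196608391 and the SSLv3/TLSv1/TLSv1.1-under-FIPS codes) as a client-side pre-flight check, and interprets the documented 200, 202 and error outcomes. It deliberately leaves out the transport, so it runs offline on constructed bodies; server-side preconditions such as the key manager and data-volume checks cannot be evaluated locally and are not modelled.

```python
# Added example (not NetApp code): client-side pre-flight checks for a PATCH /security
# body and interpretation of its documented outcomes, encoding only rules this page
# states. Server-side preconditions (key manager, data volumes) are not checkable here.

# TLS versions the page says are rejected while FIPS mode is enabled
# (error codes 52428817, 52428824, 52428832).
FIPS_REJECTED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def validate_security_patch(body: dict) -> list:
    """Return the documented constraint violations found in a PATCH /security body.

    An empty list means error codes 196608387-196608391 and the FIPS/TLS codes
    above would not be triggered by the body itself.
    """
    problems = []
    sde = body.get("software_data_encryption", {})
    conv = sde.get("conversion_enabled")
    rekey = sde.get("rekey")
    disabled = sde.get("disabled_by_default")
    # Both flags are one-way: the page says they may only be set to true.
    if conv is False:
        problems.append("196608387: conversion_enabled cannot be set to false")
    if rekey is False:
        problems.append("196608390: rekey cannot be set to false")
    # Pairs that cannot both be true in a single PATCH request.
    if conv and disabled:
        problems.append("196608388: conversion_enabled and disabled_by_default both true")
    if conv and rekey:
        problems.append("196608389: conversion_enabled and rekey both true")
    if rekey and disabled:
        problems.append("196608391: rekey and disabled_by_default both true")
    # Enabling FIPS while also listing legacy TLS versions is rejected.
    if body.get("fips", {}).get("enabled") is True:
        bad = FIPS_REJECTED_PROTOCOLS & set(body.get("tls", {}).get("protocol_versions", []))
        if bad:
            problems.append("FIPS enabled with rejected protocols: " + ", ".join(sorted(bad)))
    return problems


def classify_response(status: int, payload: dict) -> str:
    """Interpret the documented outcomes: 200 with a job link, 202 Accepted, or an error body."""
    if status == 200 and "job" in payload:
        return "job:" + payload["job"].get("uuid", "")
    if status == 202:
        return "accepted"
    err = payload.get("error", {})
    return f"error:{err.get('code', '?')}:{err.get('message', '')}"
```

A caller would run validate_security_patch before sending the body and only issue the PATCH (with return_timeout at most 120) when the list is empty.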

security_config

Name | Type | Description
_links | _links |
fips | fips | Cluster-wide Federal Information Processing Standards (FIPS) mode information.
management_protocols | management_protocols | Cluster-wide security protocols related information.
onboard_key_manager_configurable_status | onboard_key_manager_configurable_status | Indicates whether the Onboard Key Manager can be configured in the cluster.
software_data_encryption | software_data_encryption | Cluster-wide software data encryption related information.
tls | tls | Cluster-wide Transport Layer Security (TLS) configuration information.

job_link

Name | Type | Description
_links | _links |
uuid | string | The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation.

error_arguments

Name | Type | Description
code | string | Argument code
message | string | Message argument

returned_error

Name | Type | Description
arguments | array[error_arguments] | Message arguments
code | string | Error code
message | string | Error message
target | string | The target parameter that caused the error.