Configure ONTAP network security using FIPS for all SSL connections
ONTAP is compliant with the Federal Information Processing Standards (FIPS) 140-2 for all SSL connections. You can turn on and off SSL FIPS mode, set SSL protocols globally, and turn off any weak ciphers within ONTAP.
By default, SSL on ONTAP is set with FIPS compliance disabled and with the following TLS protocols enabled:
- TLSv1.3 (beginning with ONTAP 9.11.1)
- TLSv1.2
Previous ONTAP releases had the following TLS protocols enabled by default:
- TLSv1.1 (disabled by default beginning with ONTAP 9.12.1)
- TLSv1 (disabled by default beginning with ONTAP 9.8)
When SSL FIPS mode is enabled, SSL communication from ONTAP to external client or server components outside of ONTAP will use FIPS compliant crypto for SSL.
If you want administrator accounts to access SVMs with an SSH public key, you must ensure that the host key algorithm is supported before enabling SSL FIPS mode.
Note: Host key algorithm support has changed in ONTAP 9.11.1 and later releases.
| ONTAP release | Supported key types | Unsupported key types |
|---|---|---|
| 9.11.1 and later | ecdsa-sha2-nistp256 | rsa-sha2-512 |
| 9.10.1 and earlier | ecdsa-sha2-nistp256 | ssh-dss |
Existing SSH public key accounts without the supported key algorithms must be reconfigured with a supported key type before enabling FIPS, or the administrator authentication will fail.
For more information, see Enable SSH public key accounts.
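The following Python script is an added example, not part of the ONTAP documentation or NetApp's tooling. It performs the pre-check described above on authorized_keys lines before FIPS is enabled: it reads the key type from inside the base64 blob (what the SSH server actually uses) rather than trusting the text prefix, and classifies it against the release table above. Only the key types the table lists are classified; anything else is reported as unknown. The mapping of an ssh-rsa blob to the rsa-sha2-512 algorithm, the release-bucket boundary, the helper names and the sample key lines (built from filler bytes, so they are not real keys) are assumptions of this example.

```python
import base64
import struct

# Host key algorithms exactly as listed in the table above (the only values on the page).
SUPPORTED = {
    "9.11.1 and later": {"ecdsa-sha2-nistp256"},
    "9.10.1 and earlier": {"ecdsa-sha2-nistp256"},
}
UNSUPPORTED = {
    "9.11.1 and later": {"rsa-sha2-512"},
    "9.10.1 and earlier": {"ssh-dss"},
}

# An RSA public key blob always carries the wire type "ssh-rsa"; rsa-sha2-512 is the
# signature algorithm negotiated over such a key. Treating every ssh-rsa key as an
# rsa-sha2-512 candidate is an assumption of this example.
WIRE_TYPE_TO_ALGORITHM = {"ssh-rsa": "rsa-sha2-512"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def wire_key_type(authorized_key_line: str) -> str:
    """Return the key type stored inside the base64 blob of an authorized_keys line.

    The leading text field is only a hint and can disagree with the blob, so the
    blob is treated as authoritative.
    """
    fields = authorized_key_line.split()
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("truncated key type string")
    return blob[4:4 + length].decode("ascii")


def release_bucket(ontap_version: str) -> str:
    """Map a version such as "9.8" or "9.12.1" onto the table's two release rows."""
    parts = [int(p) for p in ontap_version.split(".")]
    parts += [0] * (3 - len(parts))  # "9.8" compares as 9.8.0
    return "9.11.1 and later" if tuple(parts) >= (9, 11, 1) else "9.10.1 and earlier"


def check_key(authorized_key_line: str, ontap_version: str) -> str:
    """Classify a key as 'supported', 'unsupported' or 'unknown' for FIPS mode.

    'unknown' means the table above does not list the algorithm; verify it against
    the command reference rather than assuming either way.
    """
    wire_type = wire_key_type(authorized_key_line)
    algorithm = WIRE_TYPE_TO_ALGORITHM.get(wire_type, wire_type)
    bucket = release_bucket(ontap_version)
    if algorithm in SUPPORTED[bucket]:
        return "supported"
    if algorithm in UNSUPPORTED[bucket]:
        return "unsupported"
    return "unknown"


def constructed_key_line(wire_type: str, prefix: str = "") -> str:
    """Build a sample authorized_keys line for testing (constructed, not a real key).

    Only the leading type string is meaningful; the rest of the blob is filler.
    """
    blob = ssh_string(wire_type.encode("ascii")) + ssh_string(b"\x00" * 8)
    return f"{prefix or wire_type} {base64.b64encode(blob).decode('ascii')} admin@example"


if __name__ == "__main__":
    for version in ("9.8", "9.12.1"):
        for wire_type in ("ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"):
            line = constructed_key_line(wire_type)
            print(f"ONTAP {version:7} {wire_type:20} -> {check_key(line, version)}")
    # A line whose text prefix claims ECDSA but whose blob is DSA is caught by
    # reading the blob instead of the prefix.
    mislabelled = constructed_key_line("ssh-dss", prefix="ecdsa-sha2-nistp256")
    print("mislabelled line really is:", wire_key_type(mislabelled))
```

Run it against each administrator's public key line before `security config modify -is-fips-enabled true`; any key reported as unsupported should be replaced with an ecdsa-sha2-nistp256 key first, and any key reported as unknown should be checked against the command reference for the release in use.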
ONTAP 9.18.1 introduces support for the ML-KEM, ML-DSA, and SLH-DSA post-quantum cryptographic algorithms for SSL, providing an additional layer of security against potential future quantum computer attacks. These algorithms are available only when FIPS is disabled, and they are negotiated only when the peer also supports them.
Enable FIPS
It is recommended that all secure users adjust their security configuration immediately after system installation or upgrade. When SSL FIPS mode is enabled, SSL communication from ONTAP to external client or server components outside of ONTAP will use FIPS compliant crypto for SSL.
Note: When FIPS is enabled, you cannot install or create a certificate with an RSA key length of 4096.
- Change to advanced privilege level: `set -privilege advanced`
- Enable FIPS: `security config modify -is-fips-enabled true`
- When prompted to continue, enter `y`.
Beginning with ONTAP 9.9.1, rebooting is not required. If you are running ONTAP 9.8 or earlier, manually reboot each node in the cluster one by one.
If you are running ONTAP 9.9.1 or later, you will not see the warning message.
security config modify -is-fips-enabled true
Warning: This command will enable FIPS compliance and can potentially cause some non-compliant components to fail. MetroCluster and Vserver DR require FIPS to be enabled on both sites in order to be compatible.
Do you want to continue? {y|n}: y
Warning: When this command completes, reboot all nodes in the cluster. This is necessary to prevent components from failing due to an inconsistent security configuration state in the cluster. To avoid a service outage, reboot one node at a time and wait for it to completely initialize before rebooting the next node. Run "security config status show" command to monitor the reboot status.
Do you want to continue? {y|n}: y
Learn more about security config modify and SSL FIPS mode configuration in the ONTAP command reference.
Disable FIPS
Beginning with ONTAP 9.18.1, SSL in ONTAP supports the ML-KEM, ML-DSA, and SLH-DSA post-quantum computing cryptographic algorithms. These algorithms are only available when FIPS is disabled and the peer supports them.
- Change to advanced privilege level: `set -privilege advanced`
- Disable FIPS: `security config modify -is-fips-enabled false`
- When prompted to continue, enter `y`.
Beginning with ONTAP 9.9.1, rebooting is not required. If you are running ONTAP 9.8 or earlier, manually reboot each node in the cluster.
If you need to use the SSLv3 protocol, you must disable FIPS with the above procedure. SSLv3 can only be enabled when FIPS is disabled.
You can enable SSLv3 with the following command. If you are running ONTAP 9.9.1 or later, you will not see the warning message.
security config modify -supported-protocols SSLv3
Warning: Enabling the SSLv3 protocol may reduce the security of the interface, and is not recommended.
Do you want to continue? {y|n}: y
Warning: When this command completes, reboot all nodes in the cluster. This is necessary to prevent components from failing due to an inconsistent security configuration state in the cluster. To avoid a service outage, reboot one node at a time and wait for it to completely initialize before rebooting the next node. Run "security config status show" command to monitor the reboot status.
Do you want to continue? {y|n}: y
View FIPS compliance status
You can see whether the entire cluster is running the current security configuration settings.
- If you are running ONTAP 9.8 or earlier, manually reboot each node in the cluster one by one.
- View the current compliance status: `security config show`

Example

cluster1::> security config show
 Cluster    Supported
 FIPS Mode  Protocols  Supported Cipher Suites
 ---------- ---------  ----------------------------------------------------------
 false      TLSv1.3,   TLS_RSA_WITH_AES_128_CCM, TLS_RSA_WITH_AES_128_CCM_8,
            TLSv1.2    TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                       TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CCM,
                       TLS_RSA_WITH_AES_256_CCM_8, ...

Learn more about security config show in the ONTAP command reference.
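The following Python script is an added example, not part of the ONTAP documentation or NetApp's tooling. It turns the `security config show` output shown above into a compliance check: it extracts the FIPS mode, the enabled protocols and the cipher suites, then flags FIPS disabled, SSLv3 enabled, the legacy TLSv1 and TLSv1.1 protocols that this page describes as disabled by default in current releases, and the inconsistent case of SSLv3 appearing while FIPS is enabled (the page states SSLv3 can only be enabled when FIPS is disabled). The token-based parsing, the function names and the sample outputs (constructed in the layout of the example above, with the trailing `...` of cipher suites omitted) are assumptions of this example.

```python
import re

# Protocols this page describes as disabled by default in current ONTAP releases.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

PROTOCOL_RE = re.compile(r"\bSSLv3\b|\bTLSv1(?:\.[123])?\b")
CIPHER_RE = re.compile(r"\bTLS_[A-Z0-9_]+\b")
FIPS_RE = re.compile(r"\b(true|false)\b")

# Constructed sample in the layout of the example above (not captured from a system).
SAMPLE = """\
cluster1::> security config show
 Cluster    Supported
 FIPS Mode  Protocols  Supported Cipher Suites
 ---------- ---------  ----------------------------------------------------------
 false      TLSv1.3,   TLS_RSA_WITH_AES_128_CCM, TLS_RSA_WITH_AES_128_CCM_8,
            TLSv1.2    TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                       TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CCM,
                       TLS_RSA_WITH_AES_256_CCM_8
"""

# Constructed sample of a cluster that still has the legacy protocols and SSLv3 enabled.
LEGACY_SAMPLE = """\
cluster1::> security config show
 Cluster    Supported
 FIPS Mode  Protocols  Supported Cipher Suites
 ---------- ---------  ----------------------------------------------------------
 false      TLSv1.2,   TLS_RSA_WITH_AES_128_CBC_SHA
            TLSv1.1,
            TLSv1,
            SSLv3
"""


def parse_security_config(output: str) -> dict:
    """Extract FIPS mode, protocols and cipher suites from `security config show` output.

    Extraction is token-based so it tolerates the column wrapping seen in the
    example above; the layout assumptions are this example's, not ONTAP's.
    """
    lines = output.splitlines()
    # The data row follows the dashed separator; everything before it is the header.
    separators = [i for i, line in enumerate(lines) if line.strip().startswith("---")]
    if not separators:
        raise ValueError("no column separator found in output")
    body = "\n".join(lines[separators[0] + 1:])
    fips = FIPS_RE.search(body)
    if fips is None:
        raise ValueError("no FIPS mode value found")
    return {
        "fips_enabled": fips.group(1) == "true",
        "protocols": sorted(set(PROTOCOL_RE.findall(body))),
        "cipher_suites": sorted(set(CIPHER_RE.findall(body))),
    }


def audit(config: dict) -> list:
    """Return a list of findings; an empty list means nothing on this page's checklist fired."""
    findings = []
    if not config["fips_enabled"]:
        findings.append("FIPS mode is disabled")
    protocols = set(config["protocols"])
    if "SSLv3" in protocols:
        findings.append("SSLv3 is enabled")
        if config["fips_enabled"]:
            findings.append("inconsistent state: SSLv3 listed while FIPS is enabled")
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol {proto} is enabled")
    if not config["cipher_suites"]:
        findings.append("no cipher suites reported")
    return findings


if __name__ == "__main__":
    for name, output in (("current", SAMPLE), ("legacy", LEGACY_SAMPLE)):
        config = parse_security_config(output)
        print(name, config["protocols"], audit(config) or ["no findings"])
```

Feed it the captured output of `security config show` from each cluster (for example, saved from an SSH session) and treat any non-empty finding list as a configuration to revisit before the cluster is considered compliant.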