Skip to main content

Configure ONTAP network security using FIPS for all SSL connections

Contributors netapp-aaron-holt netapp-bhouser netapp-barbe
PDFs

ONTAP is compliant in the Federal Information Processing Standards (FIPS) 140-2 for all SSL connections. You can turn on and off SSL FIPS mode, set SSL protocols globally, and turn off any weak ciphers such as RC4 within ONTAP.

By default, SSL on ONTAP is set with FIPS compliance disabled and with the following TLS protocols enabled:

  • TLSv1.3 (beginning with ONTAP 9.11.1)

  • TLSv1.2

Previous ONTAP releases had the following TLS protocols enabled by default:

  • TLSv1.1 (disabled by default beginning with ONTAP 9.12.1)

  • TLSv1 (disabled by default beginning with ONTAP 9.8)

When SSL FIPS mode is enabled, SSL communication from ONTAP to external client or server components outside of ONTAP will use FIPS compliant crypto for SSL.

If you want administrator accounts to access SVMs with an SSH public key, you must ensure that the host key algorithm is supported before enabling SSL FIPS mode.

Note: Host key algorithm support has changed in ONTAP 9.11.1 and later releases.

ONTAP release

Supported key types

Unsupported key types

9.11.1 and later

ecdsa-sha2-nistp256

rsa-sha2-512
rsa-sha2-256
ssh-ed25519
ssh-dss
ssh-rsa

9.10.1 and earlier

ecdsa-sha2-nistp256
ssh-ed25519

ssh-dss
ssh-rsa

Existing SSH public key accounts without the supported key algorithms must be reconfigured with a supported key type before enabling FIPS, or the administrator authentication will fail.

For more information, see Enable SSH public key accounts.

Learn more about security config modify and SSL FIPS mode configuration in the ONTAP command reference.

Enable FIPS

It is recommended that all secure users adjust their security configuration immediately after system installation or upgrade. When SSL FIPS mode is enabled, SSL communication from ONTAP to external client or server components outside of ONTAP will use FIPS compliant crypto for SSL.

Note When FIPS is enabled, you cannot install or create a certificate with an RSA key length of 4096.
Steps

  1. Change to advanced privilege level:

    set -privilege advanced

  2. Enable FIPS:

    security config modify -interface SSL -is-fips-enabled true

  3. When prompted to continue, enter y

  4. Beginning with ONTAP 9.9.1, rebooting is not required. If you are running ONTAP 9.8 or earlier, manually reboot each node in the cluster one by one.

Example

If you are running ONTAP 9.9.1 or later, you will not see the warning message.

security config modify -interface SSL -is-fips-enabled true

Warning: This command will enable FIPS compliance and can potentially cause some non-compliant components to fail. MetroCluster and Vserver DR require FIPS to be enabled on both sites in order to be compatible.
Do you want to continue? {y|n}: y

Warning: When this command completes, reboot all nodes in the cluster. This is necessary to prevent components from failing due to an inconsistent security configuration state in the cluster. To avoid a service outage, reboot one node at a time and wait for it to completely initialize before rebooting the next node. Run "security config status show" command to monitor the reboot status.
Do you want to continue? {y|n}: y

Disable FIPS

If you are still running an older system configuration and want to configure ONTAP with backward compatibility, you can turn on SSLv3 only when FIPS is disabled.

Steps

  1. Change to advanced privilege level:

    set -privilege advanced

  2. Disable FIPS by typing:

    security config modify -interface SSL -is-fips-enabled false

  3. When prompted to continue, enter y.

  4. Beginning with ONTAP 9.9.1, rebooting is not required. If you are running ONTAP 9.8 or earlier, manually reboot each node in the cluster.

Example

If you are running ONTAP 9.9.1 or later, you will not see the warning message.

security config modify -interface SSL -supported-protocols SSLv3

Warning: Enabling the SSLv3 protocol may reduce the security of the interface, and is not recommended.
Do you want to continue? {y|n}: y

Warning: When this command completes, reboot all nodes in the cluster. This is necessary to prevent components from failing due to an inconsistent security configuration state in the cluster. To avoid a service outage, reboot one node at a time and wait for it to completely initialize before rebooting the next node. Run "security config status show" command to monitor the reboot status.
Do you want to continue? {y|n}: y

Learn more about security config status show in the ONTAP command reference.

View FIPS compliance status

You can see whether the entire cluster is running the current security configuration settings.

Steps

  1. One by one, reboot each node in the cluster.

    Do not reboot all cluster nodes simultaneously. A reboot is required to make sure that all applications in the cluster are running the new security configuration, and for all changes to FIPS on/off mode, protocols, and ciphers.

  2. View the current compliance status:

    security config show

    Example
    security config show

          Cluster                                              Cluster Security
Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready
--------- ---------- ----------------------- ----------------- ----------------
SSL       false      TLSv1_2, TLSv1_1, TLSv1 ALL:!LOW:!aNULL:  yes
                                             !EXP:!eNULL

    Learn more about security config show in the ONTAP command reference.