Skip to main content

TLS and SSL management

Contributors netapp-dbagwell
PDFs

You can enable FIPS 140-2/3 compliance mode for control plane interfaces by setting the is-fips-enabled parameter to true with the ONTAP security config modify command.

Beginning with ONTAP 9, you can enable the FIPS 140-2 compliance mode for cluster-wide control plane interfaces. By default, the FIPS 140-2-only mode is disabled. You can enable the FIPS 140-2 compliance mode by setting the is-fips-enabled parameter to true for the security config modify command. You can then use the security config show command to confirm the online status.

When FIPS 140-2 compliance is enabled, TLSv1 and SSLv3 are disabled, and only TLSv1.1 and TLSv1.2 remain enabled. ONTAP prevents you from enabling TLSv1 and SSLv3 when FIPS 140-2 compliance is enabled. If you enable FIPS 140-2 and then subsequently disable it, TLSv1 and SSLv3 remain disabled, but TLSv1.2 or both TLSv1.1 and TLSv1.2 remain enabled, depending on the previous configuration.

The security config modify command modifies the existing cluster-wide security configuration. If you enable the FIPS-compliant mode, the cluster automatically selects only TLS protocols. Use the -supported-protocols parameter to include or exclude TLS protocols independently from FIPS mode. By default, FIPS mode is disabled, and ONTAP supports the TLSv1.2, TLSv1.1, and TLSv1 protocols.

For backward compatibility, ONTAP supports adding SSLv3 to the supported-protocols list when FIPS mode is disabled. Use the -supported-cipher-suites parameter to configure only the Advanced Encryption Standard (AES) or AES and 3DES. You can also disable weak ciphers such as RC4 by specifying !RC4. By default, the supported cipher setting is ALL:!LOW:!aNULL:!EXP:!eNULL. This setting means that all supported cipher suites for the protocols are enabled, except for the ones with no authentication, no encryption, no exports, and low-encryption cipher suites. These are suites using 64-bit or 56-bit encryption algorithms.

Select a cipher suite that is available with the corresponding selected protocol. An invalid configuration might cause some functionality to fail to operate properly.

For the correct cipher string syntax, see the ciphers page on OpenSSL (published by the OpenSSL software foundation). Beginning with ONTAP 9.9.1 and later releases, you are no longer required to reboot all the nodes manually after modifying the security configuration.

Enabling FIPS 140-2 compliance has effects on other systems and communications internal and external to ONTAP 9. NetApp highly recommends testing these settings on a nonproduction system that has console access.

Note If SSH is used to administer ONTAP 9, then you must use an OpenSSH 5.7 or later client. SSH clients must negotiate with the Elliptic Curve Digital Signature Algorithm (ECDSA) public key algorithm for the connection to be successful.

TLS security can be further hardened by only enabling TLS 1.2 and using Perfect Forward Secrecy (PFS)-capable cipher suites. PFS is a method of key exchange that, when used in combination with encryption protocols like TLS 1.2, helps prevent an attacker from decrypting all network sessions between a client and server. To enable only TLS 1.2 and PFS-capable ciphers suites, use the security config modify command from the advanced privilege level as shown in the following example.

Note Before changing the SSL interface configuration, it is important to remember that the client must support the cipher's mentioned (DHE, ECDHE) when connecting to ONTAP. Otherwise, the connection is not allowed. 
cluster1::*> security config modify -interface SSL -supported-protocols TLSv1.2 -supported-cipher-suites PSK:DHE:ECDHE:!LOW:!aNULL:!EXP:!eNULL:!3DES:!kDH:!kECDH

Confirm y for each prompt. For more information on PFS, see this NetApp blog.

Beginning with ONTAP 9.11.1 and TLS 1.3 support, you can validate FIPS 140-3.

Note The FIPS configuration applies to ONTAP and the platform BMC.