Manage the web protocol engine


You can configure the web protocol engine on the cluster to control whether web access is allowed and what SSL versions can be used. You can also display the configuration settings for the web protocol engine.

You can manage the web protocol engine at the cluster level in the following ways:

  • You can specify whether remote clients can use HTTP or HTTPS to access web service content by using the system services web modify command with the -external parameter.

  • You can specify whether SSLv3 should be used for secure web access by using the security config modify command with the -supported-protocol parameter.

    By default, SSLv3 is disabled. Transport Layer Security 1.0 (TLSv1.0) is enabled and it can be disabled if needed.

  • You can enable Federal Information Processing Standard (FIPS) 140-2 compliance mode for cluster-wide control plane web service interfaces.


    By default, FIPS 140-2 compliance mode is disabled.

    • When FIPS 140-2 compliance mode is disabled

      You can enable FIPS 140-2 compliance mode by setting the is-fips-enabled parameter to true for the security config modify command, and then using the security config show command to confirm the online status.

    • When FIPS 140-2 compliance mode is enabled

      Both TLSv1 and SSLv3 are disabled and only TLSv1.1 and TLSv1.2 remain enabled. ONTAP prevents you from enabling both TLSv1 and SSLv3 when FIPS 140-2 compliance mode is enabled. If you enable FIPS 140-2 compliance mode and then subsequently disable it, TLSv1 and SSLv3 remain disabled, but either TLSv1.2 or both TLSv1.1 and TLSv1.2 are enabled depending on the previous configuration.

  • You can display the configuration of cluster-wide security by using the system security config show command.

If the firewall is enabled, the firewall policy for the logical interface (LIF) to be used for web services must be set up to allow HTTP or HTTPS access.

If you use HTTPS for web service access, SSL for the cluster or storage virtual machine (SVM) that offers the web service must also be enabled, and you must provide a digital certificate for the cluster or SVM.

In MetroCluster configurations, the setting changes you make for the web protocol engine on a cluster are not replicated on the partner cluster.