Manage the web protocol engine
You can configure the web protocol engine on the cluster to control whether web access is allowed and what SSL versions can be used. You can also display the configuration settings for the web protocol engine.
You can manage the web protocol engine at the cluster level in the following ways:
You can specify whether remote clients can use HTTP or HTTPS to access web service content by using the system services web modify command with the
You can specify whether SSLv3 should be used for secure web access by using the security config modify command with the
By default, SSLv3 is disabled. Transport Layer Security 1.0 (TLSv1.0) is enabled and it can be disabled if needed.
You can enable Federal Information Processing Standard (FIPS) 140-2 compliance mode for cluster-wide control plane web service interfaces.
By default, FIPS 140-2 compliance mode is disabled.
When FIPS 140-2 compliance mode is disabled
You can enable FIPS 140-2 compliance mode by setting the
security config modify command, and then using the security config show command to confirm the online status.
When FIPS 140-2 compliance mode is enabled
Both TLSv1 and SSLv3 are disabled and only TLSv1.1 and TLSv1.2 remain enabled. ONTAP prevents you from enabling both TLSv1 and SSLv3 when FIPS 140-2 compliance mode is enabled. If you enable FIPS 140-2 compliance mode and then subsequently disable it, TLSv1 and SSLv3 remain disabled, but either TLSv1.2 or both TLSv1.1 and TLSv1.2 are enabled depending on the previous configuration.
You can display the configuration of cluster-wide security by using the system security config show command.
If the firewall is enabled, the firewall policy for the logical interface (LIF) to be used for web services must be set up to allow HTTP or HTTPS access.
If you use HTTPS for web service access, SSL for the cluster or storage virtual machine (SVM) that offers the web service must also be enabled, and you must provide a digital certificate for the cluster or SVM.
In MetroCluster configurations, the setting changes you make for the web protocol engine on a cluster are not replicated on the partner cluster.
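A client-side check of the protocol states described above, as an added example that is not part of the original page and is not NetApp code: it attempts one handshake per protocol version against a web service LIF and compares the results with the states the page lists for default and FIPS 140-2 mode. The function names, finding messages and default port are assumptions made for this example.

```python
import socket
import ssl

# Versions to probe, each paired with the ssl.HAS_* flag that says whether
# the local OpenSSL build can offer it (SSLv3 is usually compiled out).
PROBES = {
    "SSLv3": (ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    "TLSv1": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}

def probe(host, port, name, timeout=5.0):
    """True: handshake pinned to `name` succeeded. False: it failed.
    None: this client cannot offer `name`, so nothing was learned."""
    version, available = PROBES[name]
    if not available:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is deliberately not validated here
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy versions
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:  # TCP-level failures propagate; only handshake failures count
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionError):
            return False

def audit(accepted, fips_enabled):
    """Compare probe results (name -> True/False/None) with the page:
    SSLv3 is disabled by default, and FIPS mode also disables TLSv1."""
    findings = []
    forbidden = ["SSLv3", "TLSv1"] if fips_enabled else ["SSLv3"]
    for name in forbidden:
        if accepted.get(name) is True:
            findings.append(f"{name} accepted, expected disabled")
        elif accepted.get(name) is None:
            findings.append(f"{name} not testable from this client")
    if fips_enabled and not (accepted.get("TLSv1.1") or accepted.get("TLSv1.2")):
        findings.append("neither TLSv1.1 nor TLSv1.2 accepted")
    return findings

def scan(host, port=443, fips_enabled=False, probe_fn=probe):
    # probe_fn is injectable so the audit logic can be exercised offline.
    accepted = {name: probe_fn(host, port, name) for name in PROBES}
    return accepted, audit(accepted, fips_enabled)
```

A False result only means that this client's handshake failed, so confirm the cluster-side setting with security config show before treating a protocol as disabled.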