Skip to main content

Manage the web protocol engine in ONTAP

Contributors netapp-dbagwell netapp-aaron-holt netapp-ahibbard netapp-barbe netapp-aherbin
PDFs

You can configure the web protocol engine on the cluster to control whether web access is allowed and what SSL versions can be used. You can also display the configuration settings for the web protocol engine.

You can manage the web protocol engine at the cluster level in the following ways:

  • You can specify whether remote clients can use HTTP or HTTPS to access web service content by using the system services web modify command with the -external parameter.

  • You can specify whether SSLv3 should be used for secure web access by using the security config modify command with the -supported-protocol parameter.
    By default, SSLv3 is disabled. Transport Layer Security 1.0 (TLSv1.0) is enabled and it can be disabled if needed.

    Learn more about security config modify in the ONTAP command reference.

  • You can enable Federal Information Processing Standard (FIPS) 140-2 compliance mode for cluster-wide control plane web service interfaces.

    Note

    By default, FIPS 140-2 compliance mode is disabled.

    • When FIPS 140-2 compliance mode is disabled
      You can enable FIPS 140-2 compliance mode by setting the is-fips-enabled parameter to true for the security config modify command, and then using the security config show command to confirm the online status.

    • When FIPS 140-2 compliance mode is enabled

      • Beginning with ONTAP 9.11.1, TLSv1, TLSv1.1 and SSLv3 are disabled, and only TSLv1.2 and TSLv1.3 remain enabled. It affects other systems and communications that are internal and external to ONTAP 9. If you enable FIPS 140-2 compliance mode and then subsequently disable, TLSv1, TLSv1.1, and SSLv3 remain disabled. Either TLSv1.2 or TLSv1.3 will remain enabled depending on the previous configuration.

      • For versions of ONTAP prior to 9.11.1, both TLSv1 and SSLv3 are disabled and only TLSv1.1 and TLSv1.2 remain enabled. ONTAP prevents you from enabling both TLSv1 and SSLv3 when FIPS 140-2 compliance mode is enabled. If you enable FIPS 140-2 compliance mode and then subsequently disable it, TLSv1 and SSLv3 remain disabled, but either TLSv1.2 or both TLSv1.1 and TLSv1.2 are enabled depending on the previous configuration.

  • You can display the configuration of cluster-wide security by using the system security config show command.

    Learn more about security config show in the ONTAP command reference.

If the firewall is enabled, the firewall policy for the logical interface (LIF) to be used for web services must be set up to allow HTTP or HTTPS access.

If you use HTTPS for web service access, SSL for the cluster or storage virtual machine (SVM) that offers the web service must also be enabled, and you must provide a digital certificate for the cluster or SVM.

In MetroCluster configurations, the setting changes you make for the web protocol engine on a cluster are not replicated on the partner cluster.