Considerations for session-oriented protocols
If SSL FIPS mode is enabled on a cluster where administrator accounts authenticate with an SSH public key, you must ensure that the host key algorithm is supported on the target release before upgrading ONTAP.
Note: Host key algorithm support has changed in ONTAP 9.11.1 and later releases.
ONTAP release |
Supported key types |
Unsupported key types |
---|---|---|
9.11.1 and later |
ecdsa-sha2-nistp256 |
rsa-sha2-512 |
9.10.1 and earlier |
ecdsa-sha2-nistp256 |
ssh-dss |
Existing SSH public key accounts without the supported key algorithms must be reconfigured with a supported key type before enabling upgrading, or administrator authentication will fail.