Manage the TLS and SSH policy
The TLS and SSH policy determines which protocols and ciphers are used to establish secure TLS connections with client applications and secure SSH connections to internal StorageGRID services.
The security policy controls how TLS and SSH encrypt data in motion. In general, use the Modern compatibility (default) policy, unless your system needs to be Common Criteria-compliant or you need to use other ciphers.
Some StorageGRID services have not been updated to use the ciphers in these policies. |
-
You are signed in to the Grid Manager using a supported web browser.
-
You have the Root access permission.
Select a security policy
-
Select CONFIGURATION > Security > Security settings.
The TLS and SSH policies tab shows the available policies. The currently active policy is noted by a green check mark on the policy tile.
-
Review the tiles to learn about the available policies.
Policy Description Modern compatibility (default)
Use the default policy if you need strong encryption and unless you have special requirements. This policy is compatible with most TLS and SSH clients.
Legacy compatibility
Use this policy if you need additional compatibility options for older clients. The additional options in this policy might make it less secure than the Modern compatibility policy.
Common Criteria
Use this policy if you require Common Criteria certification.
FIPS strict
Use this policy if you require Common Criteria certification and need to use the NetApp Cryptographic Security Module 3.0.8 for external client connections to load balancer endpoints, Tenant Manager, and Grid Manager. Using this policy might reduce performance.
Note: After you select this policy, all nodes must be rebooted in a rolling fashion to activate the NetApp Cryptographic Security Module. Use Maintenance > Rolling reboot to initiate and monitor reboots.
Custom
Create a custom policy if you need to apply your own ciphers.
-
To see details about each policy's ciphers, protocols, and algorithms, select View details.
-
To change the current policy, select Use policy.
A green check mark appears next to Current policy on the policy tile.
Create a custom security policy
You can create a custom policy if you need to apply your own ciphers.
-
From the tile of the policy that is the most similar to the custom policy you want to create, select View details.
-
Select Copy to clipboard, and then select Cancel.
-
From the Custom policy tile, select Configure and use.
-
Paste the JSON you copied and make any changes required.
-
Select Use policy.
A green check mark appears next to Current policy on the Custom policy tile.
-
Optionally, select Edit configuration to make more changes to the new custom policy.
Temporarily revert to the default security policy
If you configured a custom security policy, you might not be able to sign in to the Grid Manager if the configured TLS policy is incompatible with the configured server certificate.
You can temporarily revert to the default security policy.
-
Log in to an Admin Node:
-
Enter the following command:
ssh admin@Admin_Node_IP
-
Enter the password listed in the
Passwords.txt
file. -
Enter the following command to switch to root:
su -
-
Enter the password listed in the
Passwords.txt
file.When you are logged in as root, the prompt changes from
$
to#
.
-
-
Run the following command:
restore-default-cipher-configurations
-
From a web browser, access the Grid Manager on the same Admin Node.
-
Follow the steps in Select a security policy to configure the policy again.