8 - Managing TLS and SSL - FIPS 140-2 Enabled

Information

Beginning with ONTAP 9, you can enable the FIPS 140-2 compliance mode for clusterwide control plane interfaces. By default, the FIPS 140-2-only mode is disabled. You can enable the FIPS 140-2 compliance mode by setting the is-fips-enabled parameter to true for the security config modify command. You can then use the security config show command to confirm the online status.

When FIPS 140-2 compliance is enabled, TLSv1 and SSLv3 are disabled, and only TLSv1.1 and TLSv1.2 remain enabled. ONTAP prevents you from enabling TLSv1 and SSLv3 when FIPS 140-2 compliance is enabled. If you enable FIPS 140-2 and then subsequently disable it, TLSv1 and SSLv3 remain disabled, but TLSv1.2 or both TLSv1.1 and TLSv1.2 remain enabled, depending on the previous configuration.

Solution

The security config modify command modifies the existing clusterwide security configuration. If you enable the FIPS-compliant mode, the cluster automatically selects only TLS protocols. Use the -supported-protocols parameter to include or exclude TLS protocols independently from FIPS mode. By default, FIPS mode is disabled, and ONTAP supports the TLSv1.2, TLSv1.1, and TLSv1 protocols.

For backward compatibility, ONTAP supports adding SSLv3 to the supported-protocols list when FIPS mode is disabled. Use the -supported-ciphers parameter to configure only the Advanced Encryption Standard (AES) or AES and 3DES. You can also disable weak ciphers such as RC4 by specifying !RC4. By default, the supported cipher setting is ALL:!LOW:!aNULL:!EXP:!eNULL. This setting means that all supported cipher suites for the protocols are enabled, except for the ones with no authentication, no encryption, no exports, and low-encryption cipher suites. These are suites using 64-bit or 56-bit encryption algorithms.

Select a cipher suite that is available with the corresponding selected protocol. An invalid configuration might cause some functionality to fail to operate properly.

Refer to OpenSSL ciphers (https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html) published by the OpenSSL software foundation for the correct cipher string syntax. After modifying the security configuration, reboot all the nodes manually.

Enabling FIPS 140-2 compliance has effects on other systems and communications internal and external to ONTAP 9. NetApp highly recommends testing these settings on a nonproduction system that has console access.

Note: If SSH is used to administer ONTAP 9, then you must use an OpenSSH 5.7 or later client.

See Also

https://www.netapp.com/us/media/tr-4569.pdf

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Netapp_API

Control ID: dc43d2c88a7754024b99a4e44201d1359f33fe005d4209c6e6bbfc34e85d965c