AFF
Hello,
I have a second-hand AFF300 with 2 shelves, 48 drives, all self-encrypting SSDs.
The previous ONTAP was 9.11.1. I uploaded 9.15.1P7 and am trying to install from scratch.
There is no data to be saved and I do have license keys to the controllers.
When going to special boot option 5 I see this error message:
[NODENAME-01:disk.encryptNoSupport:ALERT]: Detected FIPS-certified encrypting drive 0d.02.0, but FIPS drives are not supported on this node. 48 of 48 disks checked are FIPS-certified.
Obviously the FIPS are not supported on the node. How do I enable this?
There needs to be some argument to set so that after a reboot the disks will be available.
Right now disks are marked as failed:
[NODENAME-01:diskown.errorReadingOwnership:notice]: error 3 ( disk failed) while reading ownership on disk 0a.01.22 (S/N 9620AXXXXXXX)
Any ideas?
A couple of things here.
First, FIPS mode won’t help. To enable it:
set advanced
security config modify -interface ssl -FIPS true
It sounds like you grabbed the wrong ONTAP version.
On the download page the first is for encryption-enabled ONTAP. The second is for non-export countries that are not allowed to have encryption.
I think you downloaded the wrong one, my friend.
Try downloading again, but the correct version. You may have to use the CLI to push it. I have not tried in a long time (from non-enc version to enc version).
The next issue: were the drives previously encrypted? If they were and you reinitialized the system, did you check if the drives had the encryption key removed?
You really won’t be able to do much until you get the correct code anyway,
and if the drives are encrypted and have not been “opened” (meaning the drive is in encrypted mode) you are going to likely need to wipe again anyway.
Easiest would be to do an option 9a on both nodes, then on one node go into maintenance mode and then sanitize the SSDs there. They can all be done at the same time and it’s pretty instant.
Thank you for the quick reply.
I cannot really do set advanced because there is no OS installed.
I have access to Loader > and the boot_ontap menu.
Option 9a does not really do anything since I am getting a message that there are no disks available to the controller.
I will try to revert to 9.11; this is what the system came with anyway.
The drives were previously encrypted. The system cannot read them; it gets an error and fails them.
iskown.errorReadingOwnership:notice]: error 3 ( disk failed) while reading ownership
I am OK to erase all data from them anyway.
When booting to maintenance mode I get this message. Does this mean that this version is FIPS enabled?
cryptomod_fips: Cryptomod FIPS version: Cryptomod FIPS 3.0
cryptomod_fips: Executing Crypto FIPS Self Tests.
cryptomod_fips: Crypto FIPS self-test: 'CPU COMPATIBILITY' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 ECB, AES-256 ECB' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 CBC, AES-256 CBC' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 GCM, AES-256 GCM' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 CCM' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128, AES-256 CMAC' passed.
cryptomod_fips: Crypto FIPS self-test: 'CTR_DRBG' passed.
cryptomod_fips: Crypto FIPS self-test: 'KDF' passed.
cryptomod_fips: Crypto FIPS self-test: 'SHA1, SHA256, SHA512' passed.
cryptomod_fips: Crypto FIPS self-test: 'SHA3-256' passed.
cryptomod_fips: Crypto FIPS self-test: 'HMAC-SHA1, HMAC-SHA256, HMAC-SHA512' passed.
cryptomod_fips: Crypto FIPS self-test: 'PBKDF2' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-XTS 128, AES-XTS 256' passed.
cryptomod_fips: Crypto FIPS self-test: 'Self-integrity' passed.
Feb 04 00:01:58 [CONTROLLER-01:raid.autoPart.disabled:ALERT]: Disk auto-partitioning is disabled on this system: the system needs a minimum of 8 usable internal hard disks.
Feb 04 00:01:58 [CONTROLLER-01:callhome.raid.adp.disabled:notice]: Disk auto-partitioning is disabled on this system: ADP DISABLED.
Try this:
Boot both systems to the maintenance menu,
then choose option 7.
Then it will ask for an interface; say e0M. When asked to reboot say n, then choose option 7 again.
Define the IP and then specify a location to grab the correct code from. Let the node reboot.
Let us know.
Sounds like you will need to sanitize the disks. When I get back to my laptop I can send help. But it sounds like before the clearing, the encryption key was not removed. You’re stuck until the disks are cleared.