Active IQ Unified Manager Discussions

OCI & TLS & SSL & Ontap & You


Hey all,


If you have been following the tech press over the past 6 months, you probably have heard about various SSL vulnerabilities. If you are a storage person, and not a security person, the background is that a lot of things are looking to disable the older SSL v(1,2,3) protocols, and move to using TLS instead for negotiating secure communications. Here is some relevant information for OCI customers:


#1. If you have Ontap discovered by OCI, 7 mode or clustered Data Ontap, OCI will fail to discover your Ontap array if

You have your OCI datasource configured to use https

AND you harden your Ontap array such that SSLv2 and SSLv3 are disabled


The good news is we have a patch for OCI to fix the library that was negotiating SSL (and effectively refusing to negotiate TLS against arrays that don't respond to SSL hellos due to a quirk). This patch is obtainable from NetApp support - the issue is ICI-2401.


If you are running OCI 6.4.0 or earlier, upgrade OCI to 6.4.4 or 7.0.2, and install the appropriate patch

If you are on OCI 6.4.1-3, installing the appropriate service pack 6.4.x.4 is a prerequisite for the patch, or upgrade to OCI 6.4.4 / 7.0.2 before installing the appropriate patch for your OCI version

If you are running OCI 7.0.0, upgrade OCI to 7.0.2 and install the appropriate patch

If you are on OCI 7.0.1, install service pack or upgrade to OCI 7.0.2 before installing the appropriate patch


As OCI 6.x is using Java 6, and OCI 7.0.x is using Java 7, there is an OCI 6.x version of the patch, and an OCI 7.x version. I would expect that future OCI releases and service packs will contain the fix, but we cannot comment yet on what those schedules would look like.


#2. OCI 7.0.2 has SSL disabled out of the box -only TLS 1.0 / 1.1 / 1.2 are enabled. OCI from a datasource perspective is very permissive in what we will negotiate to discover devices, but all communication to the OCI Server (web UI, Java client traffic, RAU to server traffic) will all be TLS 1.0 or higher, depending on what gets negotiated. Java 7 ships by default with TLS 1.1 and 1.2 disabled, so by default your OCI Java Client to OCI server will likely be occurring via TLS 1.0 unless you change your Java settings to enable 1.1 and 1.2