Workaround: Data ONTAP operating in 7-Mode: Beginning with version 8.2.5 the "high_security.enable" option will enable only the TLS v1.1 and v1.2 protocols which do not support the 3DES-CBC cipher. If you cannot patch Ontap to P2 at this time, then follow this workaround.
By default it is 'off', so turn it on: filer> options high_security.enable on
Workaround: Data ONTAP operating in 7-Mode beginning with version 8.2.3: the command 'options rc4.enable off' will disable RC4 cipher support in the TLS and SSL protocols over HTTPS. You are already on a fixed version, you just need to turn it off.
By default it is 'on', so turn it off: filer> options rc4.enable off
I managed to get high_security enabled on one node, the other complains:
FAS6080> options high_security.enable on
For enabling high-security option, it is required to have latest secure keys for SSL and SSH.
System has detected the presence of supported SSL key which can support high_security protocols.
Would you still like to re-generate the SSL keys [no]: n
Some vfilers do not have Required SSH Keys.
Generate Required ECDSA and ED25519 keys using Secure admin setup on below vfilers to enable High Security.
Vfiler list : vfiler0,.
Could not enable high_security option. Please check available secure keys using "keymgr list key" command.
FAS6080> keymgr list key
Existing key file(s):
Name                 Type   Bits  Size  Last Modified
secureadmin.pem      ECDSA  NA    367   Jun 11 15:17:14 SAST 2020
secureadmin_bak.pem  ECDSA  NA    367   Jun 11 15:13:09 SAST 2020
dh_secureadmin.pem   DH     1024  578   Jun  9 09:13:51 SAST 2020
No worries. Interesting: one node is able to enable it. I believe it's an HA pair, so could you compare the keymgr output on both nodes? Bits and size, what could be different here? Never dealt with this security option in 7-mode.
Maybe you need to remove that Diffie-Hellman (DH) key...
There is a KB article on this option, but it hasn't been migrated to the new KB system, yet.
These are some relevant parts:
When high_security.enable is set to ON:
SSH: Will stop advertising weaker ciphers, KEX and MAC algorithms – These MACs will not be advertised: all hmac-md5 series, hmac-ripemd series, umac series and kex: diffie-hellman-group1-sha1, curve25519
SSL: ssl.v2.enable and ssl.v3.enable will be disabled
TLS: TLS.v1.1 and TLSv1.2 will be enabled and internally negotiate TLSv1.1, TLSv1.2 only
Secure LDAP: should negotiate according to value of TLS setting (tls.v1_1.enable/tls.v1_2.enable)
How to enable:
In order to enable the high_security option, all the Vfilers must have the required ECDSA and ED25519 keys generated using Secure admin setup. If any Vfilers do not have the required SSH keys, then high security options cannot be enabled.
Consider the following when stronger SSH keys are required:
When prompted for the key size, input the number, don’t accept the default in brackets, even if the default is showing the desired key size
For ssh1 protocol, key size must be between 1024 and 16384 bits
For ssh2 protocol, RSA key size must be between 1024 and 16384 bits
DSA valid key size is 1024 bits
ECDSA valid key sizes are 256, 384, and 521 bits
ED25519 key size must be between 256 and 16384 bits
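As an added example (my own code, not from this thread, NetApp, or the KB article): a small Python checker that parses the "keymgr list key" output pasted earlier in the thread and reports which of the required SSH key types (ECDSA and ED25519) are missing, plus a helper that applies the valid key-size rules quoted from the KB. It assumes the column layout shown in the pasted output (Name, Type, Bits, Size, Last Modified) and that "NA" in the Bits column means the size is not reported; the sample text below is copied from the thread and is not live data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the `keymgr list key` output pasted in this thread (constructed
# copy for offline use, not a live query against a filer).
KEYMGR_OUTPUT = """\
Existing key file(s):
Name                 Type   Bits  Size  Last Modified
secureadmin.pem      ECDSA  NA    367   Jun 11 15:17:14 SAST 2020
secureadmin_bak.pem  ECDSA  NA    367   Jun 11 15:13:09 SAST 2020
dh_secureadmin.pem   DH     1024  578   Jun  9 09:13:51 SAST 2020
"""

# Key types the error message says every vfiler needs before
# high_security.enable can be turned on.
REQUIRED_SSH_KEY_TYPES = ("ECDSA", "ED25519")

# Valid key sizes as quoted from the KB excerpt above (ssh2 rules).
VALID_SIZES = {
    "RSA": range(1024, 16385),
    "DSA": {1024},
    "ECDSA": {256, 384, 521},
    "ED25519": range(256, 16385),
}


@dataclass
class KeyEntry:
    name: str
    ktype: str
    bits: Optional[int]   # None when keymgr prints "NA"
    size: int             # file size in bytes, as printed
    modified: str


# Matches one data row: name, type, bits-or-NA, numeric size, then the timestamp.
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_keymgr(text: str) -> List[KeyEntry]:
    """Parse `keymgr list key` output into KeyEntry records, skipping the banner and header."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # banner line or column header: no numeric size column
        name, ktype, bits, size, modified = m.groups()
        entries.append(KeyEntry(
            name=name,
            ktype=ktype.upper(),
            bits=None if bits.upper() == "NA" else int(bits),
            size=int(size),
            modified=modified.strip(),
        ))
    return entries


def missing_required_types(entries: List[KeyEntry]) -> List[str]:
    """Return the required SSH key types that have no key file on this node/vfiler."""
    present = {e.ktype for e in entries}
    return [t for t in REQUIRED_SSH_KEY_TYPES if t not in present]


def check_key_size(ktype: str, bits: int) -> Optional[bool]:
    """True/False if the KB quotes a size rule for this type; None if no rule is quoted (e.g. DH)."""
    allowed = VALID_SIZES.get(ktype.upper())
    if allowed is None:
        return None
    return bits in allowed


def report(text: str) -> dict:
    """Summarise what blocks high_security.enable on this output."""
    entries = parse_keymgr(text)
    return {
        "keys_found": [e.name for e in entries],
        "missing_required": missing_required_types(entries),
        "ready_for_high_security": not missing_required_types(entries),
    }


if __name__ == "__main__":
    print(report(KEYMGR_OUTPUT))
```

On the pasted output the report lists ED25519 as missing, which matches the "Some vfilers do not have Required SSH Keys" message on the node that failed; running the same parser on the node that succeeded would show where the two differ. Because keymgr prints "NA" in the Bits column for the ECDSA files, the size rule cannot be checked from this output alone, which is why check_key_size is kept separate for use when the size is known.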
Have you tried generating those keys as Andris suggested in the previous post?
Just on the vfiler: vfiler0 actually is your main filer. The error you see just means that you don't have any vfilers running on your filer. You are already on vfiler0 (which is your main filer). If you do 'vfiler status' it should show vfiler0 running if no others are configured; if there are other vfilers, they will also show up.