Set-NcSecurityConfig for restricting protocol versions

badrian · ‎2019-05-23

Team,

A customer want's to automate the internal security hardening process. He works with the PowerShell Cmdlet "Set-NcSecurityConfig", but it allways throws an error, when limitting the allowed protocols. I have veryfied it internally with different versions of PowerShell and ONTAP:

Z:\> Set-NcSecurityConfig -Interface ssl -SupportedProtocols tlsv1_2
Set-NcSecurityConfig : Unexpected array element: security-supported-protocols
At line:1 char:1
+ Set-NcSecurityConfig -Interface ssl -SupportedProtocols tlsv1_2
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (xxx.xxx.xxx.xxx.com:NcController) [Set-NcSecurityConfig], EINVALIDINPUTERROR
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Security.SetNcSecurityConfig

I assume, a wrong attribute name is sent here ("security-supported-protocls" instead of "supported-protocols"). The ZAPI call works:

  <security-config-modify>
    <interface>ssl</interface>
    <supported-protocols>
        <string>TLSv1.2</string>
    </supported-protocols>
  </security-config-modify>

Also, submitting it via "Invoke-NcSystemApi" works without any problem:

PS Z:> $xml = Invoke-NcSystemApi "<security-config-modify><interface>ssl</interface><supported-protocols><string>TLSv1.2</string></supported-protocols></security-config-modify>"
PS Z:> $xml.results

status
------
passed

Maybe anybody can provide a simple fix 🙂

Thanks,

Adrian

Set-NcSecurityConfig for restricting protocol versions

NetApp Support Site Wins Silver Stevie® Award

Sign-up for Software Release Notifications!