ONTAP Discussions

FIPS Mode

TMADOCTHOMAS
4,138 Views

Hello,


I am researching FIPS mode on our NetApp clusters and am trying to determine whether or not to enable it. I would love to hear recommendations or insights from anyone who has done this. I plan to test on a simulator but am not sure what to test. What potential functionality could be negatively impacted by making this change? I've read the articles below. Any thoughts appreciated! Thank you.


https://docs.netapp.com/us-en/ontap/networking/configure_network_security_using_federal_information_processing_standards_@fips@.html?q=tr-4569#enable-...


https://www.netapp.com/media/10674-tr4569.pdf 

1 ACCEPTED SOLUTION

Ontapforrum
4,018 Views

Good question. Whatever I am reading so far on "SNMP & FIPS Mode": FIPS mode requires Simple Network Management Protocol version 3 (SNMPv3) with the authentication and privacy protocol option (as SNMP versions 1 and 2 use a "community" string mechanism, which is sent as clear text between an SNMP manager and an SNMP agent and is hence forbidden by FIPS).


FIPS-Compliant Algorithm for SNMPv3 Communication:
authentication protocol = sha
privacy protocol = aes128


Steps to configure SNMPv3 users in a cluster for ONTAP 9 (FIPS mode):
https://docs.netapp.com/us-en/ontap/networking/configure_snmpv3_users_in_a_cluster.html#snmpv3-security-parameters


To find out in my environment, I went to System Manager, Settings, and then under SNMP I noticed we have a community string enabled with no SNMPv3 user configured under the SNMPv3 tab, so that's a clear indication that our environment is using v1 & v2 and of course FIPS is disabled.


9 REPLIES

TMACMD
4,125 Views

Generally speaking, it usually does not hurt to enable FIPS mode. It removes insecure ciphers/exchanges for SSH and removes older SSL items. I have heard it can affect LDAP (usually in a positive way with the manipulation it provides).

I almost always enable FIPS mode when setting up a new cluster for my customers. I have never had to turn it off.


TMADOCTHOMAS
4,075 Views

OK thanks @TMACMD . We still have a few legacy Windows boxes and I wonder about them being affected in particular, in some unknown way. Specifically we still have a handful of Windows Server 2003/2008R2 boxes we're trying to get rid of. But from what you're saying, it sounds like this is only about our ability to SSH into NetApp clusters. I've never configured LDAP settings since we've started using NetApp so I doubt that's a factor. We still have SMB1 enabled on three older CIFS Servers but it doesn't sound like that has an impact?


Anyone else have a comment? Has anyone experienced issues with enabling this?

TMADOCTHOMAS
4,064 Views

@Ontapforrum this is extremely helpful! Great list of links. I read through them and they gave me a better sense of this change.


Couple of additional questions:


1. Regarding System Manager, I use HTTPS but the article says you have to have a digital cert. Even though we use a cert manager, the browser still sees them as invalid (for some reason) so we still get the warning each time we log in to a cluster. Would FIPS hiccup on that?


2. Would FIPS impact Active IQ Unified Manager, SnapCenter, the SnapCenter VMware Plug-In, the OnTAP Tools VMware Plug-In, or the old SnapDrive tool? (SnapDrive is unfortunately still in use on some old 2008R2 servers due to compatibility issues). NOTE: OnTAP Tools connections use TLS/443 so I think we're good there.


3. Any issues with PowerShell toolkit commands? I'm using version 9.11.1.2208. I'm guessing the fix mentioned in one of your links isn't needed anymore since it was posted in 2017/2018 - I'm assuming the toolkit has been patched by then to 'just work'. Am I correct?

TMACMD
4,038 Views

A couple of things:

1. Anything that uses SSL may be affected. It depends on the TLS version negotiations that take place. Enabling FIPS removes older TLS versions.

2. Enabling FIPS: if I recall, 9.8 and lower requires every node to be rebooted (takeover/giveback). 9.9.1 and higher is done on the fly; no reboot needed.

TMADOCTHOMAS
4,053 Views

One additional thought. The article below says (under "View FIPS Compliance Status") that "A reboot is required to make sure that all applications in the cluster are running the new security configuration, and for all changes to FIPS on/off mode, protocols, and ciphers." This seems to imply that, despite the earlier note that reboots aren't required after 9.9.1, they actually are required if you want to "make sure" it is working. Am I missing something?


https://docs.netapp.com/us-en/ontap/networking/configure_network_security_using_federal_information_processing_standards_@fips@.html

TMADOCTHOMAS
4,048 Views

Just started trying to enable FIPS on the simulator and read through this error. We use SNMP but have no idea which version we are using. I suspect v1 or v2c but have no way of determining it. Any ideas?

Warning: This command will enable FIPS compliance and can potentially cause some non-compliant components to fail. MetroCluster and Vserver DR require FIPS to be enabled on both sites in order to be compatible. An SNMP users or SNMP traphosts that are non-compliant to FIPS will be deleted automatically. An SNMPv1 user, SNMPv2c user or SNMPv3 user (with none or MD5 as authentication protocol or none or DES as encryption protocol or both) is non-compliant to FIPS. An SNMPv1 traphost or SNMPv3 traphost (configured with an SNMPv3 user non-compliant to FIPS) is non-compliant to FIPS. Incoming web service requests over the insecure HTTP protocol will be rejected.
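Two practical checks that follow from the question above and from the rules spelled out in the warning, as an added example that is not part of the original thread or of any NetApp tool. The first tells an SNMP version apart from a captured packet on your own management network: every SNMP message is a BER SEQUENCE whose first INTEGER is the version (0 = v1, 1 = v2c, 3 = v3), and for v1/v2c the cleartext community string immediately follows it, which is exactly why the thread says those versions are forbidden under FIPS. The second applies the warning's own compliance rule to an SNMP user definition (v1 and v2c users are always non-compliant; a v3 user is non-compliant with none/MD5 authentication or none/DES privacy). The packet bytes are constructed here, not captured from a real cluster; the function names are my own.

```python
"""SNMP version detection from wire bytes plus the FIPS compliance rule
quoted in the ONTAP 'security config modify' warning (example code)."""

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}   # value of the leading INTEGER


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag and length (short or long form); return (tag, length, value_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def snmp_version(packet: bytes) -> str:
    """Return 'v1', 'v2c' or 'v3' for a raw SNMP message (UDP payload)."""
    tag, _, pos = _read_tlv(packet, 0)
    if tag != 0x30:                         # outer message must be a SEQUENCE
        raise ValueError("not an SNMP message: missing outer SEQUENCE")
    tag, length, pos = _read_tlv(packet, pos)
    if tag != 0x02:                         # first element must be the INTEGER version
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = int.from_bytes(packet[pos:pos + length], "big")
    try:
        return SNMP_VERSIONS[version]
    except KeyError:
        raise ValueError(f"unknown SNMP version value {version}") from None


def snmp_community(packet: bytes):
    """Return the cleartext community string of a v1/v2c message, or None for v3.

    Seeing this value on the wire is the concrete reason v1/v2c fail FIPS."""
    if snmp_version(packet) == "v3":
        return None
    _, _, pos = _read_tlv(packet, 0)        # skip outer SEQUENCE header
    _, length, pos = _read_tlv(packet, pos)  # skip version INTEGER
    pos += length
    tag, length, pos = _read_tlv(packet, pos)
    if tag != 0x04:                         # community is an OCTET STRING
        raise ValueError("community OCTET STRING missing")
    return packet[pos:pos + length].decode("ascii", errors="replace")


def fips_compliant_snmp_user(version: str, auth_protocol=None, priv_protocol=None) -> bool:
    """Apply the rule from the ONTAP warning: v1/v2c users are never compliant;
    a v3 user is non-compliant with none/MD5 auth or none/DES privacy (or both)."""
    if version in ("v1", "v2c"):
        return False
    if version != "v3":
        raise ValueError(f"unknown SNMP user version {version!r}")
    auth = (auth_protocol or "none").lower()
    priv = (priv_protocol or "none").lower()
    if auth in ("none", "md5"):
        return False
    if priv in ("none", "des"):
        return False
    return True


# Constructed sample packets (not real captures): a v1 and a v2c GetRequest with
# community "public", and the header of a v3 message (msgGlobalData only).
SAMPLE_V1 = (b"\x30\x18\x02\x01\x00\x04\x06public"
             b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")
SAMPLE_V2C = (b"\x30\x18\x02\x01\x01\x04\x06public"
              b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")
SAMPLE_V3 = (b"\x30\x13\x02\x01\x03"
             b"\x30\x0e\x02\x01\x01\x02\x03\x00\xff\xe3\x04\x01\x07\x02\x01\x03")

if __name__ == "__main__":
    for name, pkt in (("v1", SAMPLE_V1), ("v2c", SAMPLE_V2C), ("v3", SAMPLE_V3)):
        print(name, snmp_version(pkt), snmp_community(pkt))
    print("sha/aes128 v3 user compliant:", fips_compliant_snmp_user("v3", "sha", "aes128"))
    print("md5/des v3 user compliant:   ", fips_compliant_snmp_user("v3", "md5", "des"))
```

Running the packet check over a short capture of UDP/161 and UDP/162 traffic to the cluster answers "which version are we using" without guessing from the System Manager tab; running the user check over each configured SNMP user and traphost user tells you which entries the warning says will be deleted when FIPS is enabled, so they can be recreated as SHA/AES128 v3 users first.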

TMADOCTHOMAS
3,951 Views

Thanks @Ontapforrum . Well, we have a community string so I guess I need to do some research on SNMPv3 before moving forward with the FIPS change. Thank you for your thoughts!
