ONTAP 9.3P15: Enabling FIPS Mode

duanebachi · ‎2020-01-16

Has anyone enabled FIPS mode? We have several FAS 8060 nodes in a cluster with ONTAP 9.3P15 and we are looking to enable FIPS mode.

I am looking at this document:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-nmg%2FGUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548.html

So if I run and reboot:

security config modify -interface SSL -is-fips-enabled true

Does the security config looks like this?

FIPS: on
SSL protocol = {TLSv1.2}
SSL ciphers = {ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4}

Any issue anyone experience?

What if we need TLS v1.1?

AlexDawson · ‎2020-01-16

Hi there!

This page shows the output of "security config show" when FIPS is enabled - https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html

Which includes the line you suspected it would show, as well as showing tls1.1 is enabled.

ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4

Hope this helps!

duanebachi · ‎2020-01-17

Hi Alex,

Thanks for your reply. That page you showed me is for 9.5 and also that is the default when FIPS is disabled. One of the things I need to know is that if I enable FIPS, does it only allow TLS1.2? Will it let me add TLS 1.1 or would that invalidate FIPS?

AlexDawson · ‎2020-01-21

Hi there! The page for 9.3 is the same - https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fsecurity__config__show.html - which includes showing TLS 1.1 is enabled with FIPS mode on, so you won't need to change anything.