ONTAP Discussions

ONTAP 9.3P15: Enabling FIPS Mode

duanebachi

Has anyone enabled FIPS mode? We have several FAS 8060 nodes in a cluster with ONTAP 9.3P15 and we are looking to enable FIPS mode.

I am looking at this document:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-nmg%2FGUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548.html

So if I run and reboot:

security config modify -interface SSL -is-fips-enabled true

Does the security config look like this?

  • FIPS: on
  • SSL protocol = {TLSv1.2}
  • SSL ciphers = {ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4}

Has anyone experienced any issues?

What if we need TLS v1.1?


AlexDawson

Hi there!

This page shows the output of "security config show" when FIPS is enabled - https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html

Which includes the line you suspected it would show, as well as showing TLS 1.1 is enabled.

ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4

Hope this helps!

duanebachi

Hi Alex,

Thanks for your reply. That page you showed me is for 9.5, and that is also the default when FIPS is disabled. One of the things I need to know is: if I enable FIPS, does it only allow TLS 1.2? Will it let me add TLS 1.1, or would that invalidate FIPS?

AlexDawson

Hi there! The page for 9.3 is the same - https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fsecurity__config__show.html - which includes showing TLS 1.1 is enabled with FIPS mode on, so you won't need to change anything.
