ONTAP Discussions
Has anyone enabled FIPS mode? We have several FAS 8060 nodes in a cluster with ONTAP 9.3P15 and we are looking to enable FIPS mode.
I am looking at this document:
So if I run and reboot:
security config modify -interface SSL -is-fips-enabled true
Does the security config look like this?
Has anyone experienced any issues?
What if we need TLS v1.1?
Hi there!
This page shows the output of "security config show" when FIPS is enabled - https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html
Which includes the line you suspected it would show, as well as showing tls1.1 is enabled.
ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4
Hope this helps!
Hi Alex,
Thanks for your reply. That page you showed me is for 9.5 and also that is the default when FIPS is disabled. One of the things I need to know is that if I enable FIPS, does it only allow TLS1.2? Will it let me add TLS 1.1 or would that invalidate FIPS?
Hi there! The page for 9.3 is the same - https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fsecurity__config__show.html - which includes showing TLS 1.1 is enabled with FIPS mode on, so you won't need to change anything.
This document states that for ONTAP versions prior to 9.11.1, if the FIPS 140-2 compliance mode is enabled, both TLSv1 and SSLv3 will be disabled, while only TLSv1.1 and TLSv1.2 will remain enabled. However, TLSv1.1 has been regarded as an insecure protocol
FIPS mode and TLS and SSL management in ONTAP
How to harden ONTAP 9 TLS configuration - NetApp Knowledge Base