ONTAP Discussions
ONTAP Discussions
Hi,
We would like to improve security on our SP Cards (Service Processor) by disabling TLS 1.0 and 1.1 and removing 3DES cipher. All Storage devices are on ONTAP9.1P1. Our current scenarion when running SSL checkers against the card IPs shows the following output.
testsslserver <SP Card IP Address> 50000
Supported versions:
TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.0
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
(TLSv1.1: idem)
TLSv1.2
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
e50304b62d8f97bff54a6a3dbac0eaf1cbdcf6b7: E="", OU="", O="", L="", S="", C="", CN=sp.spcs.server
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected
The NETAPP device itself has only TLS1.2 only enabled and has resticted ciphers allowed
ie.
<Cluster name>::*> security config show
Cluster Cluster Security
Interface FIPS Mode Supported Protocols Supported Ciphers Config Ready
--------- ---------- ----------------------- ----------------- ----------------
SSL false TLSv1.2 AES:!LOW:!MEDIUM: yes
!aNULL:!EXP:
!eNULL:!3DES
We have asked NETAPP support for assistance with this. There recommendations have centered around altering the storage device Security Config by enabling FIPS. I am not convinced that this will make any difference whatsoever to the SP card security profile and even it is does it will require Node Reboots to complete the alteration. All of our netapp devices host CIFS shares so unfortunately as a consequence Node reboots will involve some service disruption.
Has anyone else encountered this before and does anyone have any recommendations or knowledge relevant to SP Card security? I am surprised by the lack of available information
thank you,
D
Solved! See The Solution
I found the case you submitted and read through the notes and checked our developer documentation and can confirm - FIPS mode is the only way to modify ciphers on the SP. TLS is only used internally for redirecting node console to the SP, and other cipher types will be removed in a future version of SP firmware.
The SP is designed to be as simple as possible - it operates in a number of very finite states and has a very limited command set. There is an existing request for enhancement to enable changing ciphers without enabling FIPS mode that your request has been added to.
I found the case you submitted and read through the notes and checked our developer documentation and can confirm - FIPS mode is the only way to modify ciphers on the SP. TLS is only used internally for redirecting node console to the SP, and other cipher types will be removed in a future version of SP firmware.
The SP is designed to be as simple as possible - it operates in a number of very finite states and has a very limited command set. There is an existing request for enhancement to enable changing ciphers without enabling FIPS mode that your request has been added to.
I am curious if this feature has been implemented. We just upgraded to ver 9.3P4 and we are getting dinged by our security department because the SPs are not TLS 1.2
The current status is that there is no Ontap or SP firmware release avilable that will result in the SP card using TLS.1.2 only. The best you can achieve is TLS1.1 & 1.2. We asked NETAPP recently if a fix was pending and we are anticipating a reply shortly. I will post on here once I have an update.
Hi @ThirtySeven,
This is detailed in this document, but basically
c94::> set -priv adv Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel. Do you want to continue? {y|n}: y c94::*> security config modify ocsp show status c94::*> security config modify -interface SSL -is-fips-enabled true
Does this apply to the service processor or just ontap? We're running firmware v3.3 on an 8040 and getting the same thing from our IRT.
Both ONTAP and the SP