Security Enhancement in Active IQ Unified Manager 9.9 Part 3: Other Security Enhancements

In part three of our NetApp® Active IQ Unified Manager 9.9 security enhancement blog series, we discuss the other Active IQ Unified Manager security enhancements that we added in the 9.9 release, in addition to the two major security enhancements that we discussed in parts one and two.

The change in the certificate validity duration

In the Active IQ Unified Manager 9.9 release, we reduced the validity duration for the default HTTPS certificate that is created during the installation from 825 days to 397 days. The new reduced validity duration is not automatically applied when you upgrade to Active IQ Unified Manager 9.9 from an earlier release. When you upgrade, the certificate from the earlier release is retained and the certificate validity duration does not change. However, if you select the Reset Server Certificate option from the maintenance console, the system creates a new HTTPS certificate which is valid for 397 days. When you use the UI to regenerate the certificate, you can specify the certificate validity duration from a minimum of one day up to 36500 days. In the figure below, we show you how to access the input options to set the validity duration for the certificate in the Regenerate HTTPS Certificate form which you can access from the Advanced Settings section.

We disabled TLS 1.1 support

In our earlier Active IQ Unified Manager releases, we supported Transport Layer Security (TLS) connection releases TLSv1.1 and TLSv1.2. To improve security in the Active IQ Unified Manager 9.9 release, we removed support for TLSv1.1 due to security vulnerabilities. As a result, all browsers have now dropped support for TLSv1.1 and we have removed related ciphers from the system. In Active IQ Unified Manager 9.9, we retained support for TLSv1.2 and added support for TLSv1.3. In addition, we now support TLSv1.3 in Active IQ Unified Manager across all systems.

You can select HTTPS certificate key size

In our earlier Active IQ Unified Manager releases, you could not change the Remote Support Agent (RSA) key size of the HTTPS certificate, which was 2048 bits. In Active IQ Unified Manager 9.9, you now have the option to change the HTTPS certificate key size when you regenerate the HTTPS Certificate by using the Regenerate HTTPS Certificate form. You can find the Regenerate HTTPS Certificate form on the HTTPS Certificate page and modify the key size in the Advanced Settings section. The certificate default key size is 2048 bits, but you can choose to reset the key size to 2048, 3072, or 4096 bits. You also have the option to create a new HTTPS certificate with an RSA key of size 2048 bits by selecting the Reset Server Certificate option from the maintenance console.

I’ve highlighted the two new fields for validity duration and key size in the HTTPS Certificate image below.

You can lock and unlock users

We have made some significant changes to counter the misuse of user accounts as part of our security enhancement updates in Active IQ Unified Manager 9.9. As an Active IQ Unified Manager administrator, you can now lock and unlock all local, maintenance, and administrator users. We have added a new attribute called Lock-Type which is associated with each user and indicates the user’s status. In the figure below, you can see the three states for the Lock-Type attribute:

• The Lock state indicates that the user is locked.
• The Unlock state indicates the user is not locked.
• The greyed-out Lock state indicates that you cannot lock this user, for example, you cannot lock remote users and at least one application administrator user always remains unlocked.

Try It Out!

Now that you have been introduced to our other Active IQ Unified Manager security enhancement features, we hope it entices you to update and try out Active IQ Unified Manager 9.9.

If you would like more information, contact us (ng-aiqum-feedback@netapp.com) and we would be happy to answer your questions