NetApp Knowledge Base

What is high_security.enable in 7-Mode?

Category: data-ontap-8
Specialty: core

Applies to

Data ONTAP 8.2.5 7-Mode

Answer

Data ONTAP 8.2.5 7-Mode adds the option high_security.enable, which turns the High-Security settings on or off. With it on, only strong algorithms and protocol versions are allowed for control-plane communications (SSH, SSL/TLS and secure LDAP). The option is off by default.
See the 7-Mode 8.2.5 Release Notes for details.

When high_security.enable is set to off (the default):

  • SSH: negotiates all key exchange (KEX), cipher and MAC algorithms, legacy and stronger alike. SSH1 is not enabled by this: it stays off unless it was enabled explicitly.
  • SSL: both SSLv2 and SSLv3 can be negotiated.
  • TLS: all versions (TLSv1.0, TLSv1.1 and TLSv1.2) can be negotiated.
  • Secure LDAP: can use any of SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2, following the ssl.* and tls.* option settings.

When high_security.enable is set to on:

  • SSH: stops advertising the weaker KEX and MAC algorithms. MACs no longer advertised: the whole hmac-md5, hmac-ripemd and umac families. KEX no longer advertised: diffie-hellman-group1-sha1 and curve25519.
  • SSL: ssl.v2.enable and ssl.v3.enable are turned off.
  • TLS: tls.v1_1.enable and tls.v1_2.enable are turned on, and only TLSv1.1 and TLSv1.2 are negotiated (TLSv1.0 is no longer offered).
  • Secure LDAP: negotiates according to the TLS settings (tls.v1_1.enable / tls.v1_2.enable).
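The SSH row above can be verified from any client without credentials, because a server's SSH_MSG_KEXINIT is sent in the clear before authentication. The following Python script is an added example, not NetApp code and not part of the original article: it parses a KEXINIT payload per RFC 4253 section 7.1 and reports the MAC families and the diffie-hellman-group1-sha1 KEX that the article says disappear once high_security.enable is on (curve25519, also listed there, is not flagged because it is not a weak algorithm). The two offers it checks are constructed sample payloads, not captures from a filer, and the algorithm names in them are illustrative; fetch_server_kexinit() is an optional helper for checking a live host and needs network access.

```python
"""Check which SSH algorithms a server offers by parsing its SSH_MSG_KEXINIT
(RFC 4253, section 7.1). Added example; not NetApp code."""
import socket
import struct

# Families the KB article says are no longer advertised with
# high_security.enable on. curve25519 is also listed there but is not weak,
# so it is deliberately not flagged.
WEAK_KEX = {"diffie-hellman-group1-sha1"}
WEAK_MAC_PREFIXES = ("hmac-md5", "hmac-ripemd", "umac")

# The ten name-lists of KEXINIT, in wire order.
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(**lists):
    """Build a KEXINIT payload for offline tests; unspecified lists are empty."""
    payload = b"\x14" + b"\x00" * 16            # msg id 20 + 16-byte cookie (zero: test only)
    for field in KEXINIT_FIELDS:
        payload += _name_list(lists.get(field, []))
    return payload + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return {field: [names]} from a raw KEXINIT payload; ValueError if malformed."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                            # skip msg id and cookie
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        out[field] = raw.decode("ascii").split(",") if raw else []
    return out


def weak_algorithms(kexinit):
    """Offered names that must be gone once high_security.enable is on."""
    weak = {"kex": [k for k in kexinit["kex"] if k in WEAK_KEX]}
    for side in ("mac_c2s", "mac_s2c"):
        weak[side] = [m for m in kexinit[side] if m.startswith(WEAK_MAC_PREFIXES)]
    return weak


def offers_weak(kexinit):
    return any(weak_algorithms(kexinit).values())


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Grab a live server's KEXINIT: it is the first binary packet after the
    banner exchange and is sent unencrypted, so no keys or login are needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:                              # skip any pre-banner text lines
            line = f.readline()
            if not line:
                raise ConnectionError("connection closed before banner")
            if line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        return f.read(packet_len - padding_len - 1)


# Constructed sample offers (not captured from a filer) for the two states
# the article describes. The exact names a filer offers may differ.
LEGACY_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-md5-96",
               "umac-64@openssh.com", "hmac-ripemd160"]
OFFER_DEFAULT = build_kexinit(
    kex=["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1",
         "diffie-hellman-group1-sha1"],
    host_key=["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"],
    enc_c2s=["aes128-ctr", "aes256-ctr", "3des-cbc"],
    enc_s2c=["aes128-ctr", "aes256-ctr", "3des-cbc"],
    mac_c2s=LEGACY_MACS, mac_s2c=LEGACY_MACS,
    comp_c2s=["none"], comp_s2c=["none"])
OFFER_HIGH_SECURITY = build_kexinit(
    kex=["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    host_key=["ecdsa-sha2-nistp256", "ssh-ed25519"],
    enc_c2s=["aes128-ctr", "aes256-ctr"], enc_s2c=["aes128-ctr", "aes256-ctr"],
    mac_c2s=["hmac-sha2-256", "hmac-sha2-512"],
    mac_s2c=["hmac-sha2-256", "hmac-sha2-512"],
    comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    for label, offer in (("default", OFFER_DEFAULT), ("high_security on", OFFER_HIGH_SECURITY)):
        print(label, "->", weak_algorithms(parse_kexinit(offer)))
```

To use it against a real system, run weak_algorithms(parse_kexinit(fetch_server_kexinit("filer-hostname"))) before and after turning the option on (the hostname is yours to supply): the first result should list the weak names, the second should be empty for every field. An OpenSSH client with -vv shows the same lists in its "peer server KEXINIT proposal" debug output, which is a quick manual cross-check.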
How to enable:

Before high_security.enable can be turned on, every vFiler must have ECDSA and Ed25519 SSH host keys generated with secureadmin setup. If any vFiler lacks the required SSH keys, the option cannot be enabled.

Consider the following when generating the stronger SSH keys:
  • When prompted for a key size, type the number explicitly; do not just accept the default shown in brackets, even when it already shows the size you want.
    • For the ssh1 protocol, the key size must be between 1024 and 16384 bits.
    • For the ssh2 protocol, the RSA key size must be between 1024 and 16384 bits.
  • The only valid DSA key size is 1024 bits.
  • Valid ECDSA key sizes are 256, 384 and 521 bits.
  • The Ed25519 prompt accepts a size between 256 and 16384 bits (Ed25519 keys are a fixed 256 bits, so 256 is the value to enter).
  1. Enable the option:

     > options high_security.enable on

  2. Follow the prompts.

See the documentation section "Setting up and Starting SSH service" for the key-generation procedure.
