Skip to main content
NetApp Knowledge Base

What is high_security.enable in 7-Mode?

Views:
3,202
Visibility:
Public
Votes:
1
Category:
data-ontap-8
Specialty:
7dot
Last Updated:

Applies to

Data ONTAP 8.2.5 7-Mode

Answer

In Data ONTAP 8.2.5 7-Mode, a new option was added called high_security.enable. This option enables or disables the High-Security settings for you. With High Security selected, only strong encryption algorithms are allowed for control plane communications. By default, high_security is off and not enabled.
7-Mode 8.2.5 Release Notes

When high_security.enable is set to OFF (default):

  • SSH: Will negotiate all protocols (legacy and stronger)- This is w.r.t to KEX, Ciphers, and MACs. However, if the user never enabled SSH1, it should not become enabled
  • SSL: both SSLv2 and SSLv3 should be possible and negotiate all protocols
  • TLS: should negotiate all versions TLSv1.0, TLSv1.1 and TLSv1.2
  • Secure LDAP: should be possible with all security protocols - SSLv2, SSLv3, TLSv1.0 , TLSv1.1 and TLSv1.2 (should follow the SSL/TLS options' setting)
When high_security.enable is set to ON:
  • SSH: Will stop advertising weaker ciphers, KEX and MAC algorithms- These MACs will not be advertised: all hmac-md5 series, hmac-ripemd series, umac series and kex: diffie-hellman-group1-sha1, curve25519
  • SSL: ssl.v2.enable and ssl.v3.enable will be disabled 
  • TLS: TLS.v1.1 and TLSv1.2 will be enabled and internally negotiate TLSv1.1, TLSv1.2 only 
  • Secure LDAP: should negotiate according to value of TLS setting (tls.v1_1.enable/tls.v1_2.enable)   
How to enable:

In order to enable high security option, all the Vfilers must have the required ECDSA and ED25519 keys generated using Secure admin setup. If any of the Vfiler does not have the required SSH keys, then high security options cannot be enabled.

Consider the following when stronger SSH keys are required:
  • When prompted for the key size, input the number, do not accept the default in brackets, even if the default is showing the desired key size
    • For ssh1 protocol, key size must be between 1024 and 16384 bits
    • For ssh2 protocol, RSA key size must be between 1024 and 16384 bits
  • DSA valid key size is 1024 bits
  • ECDSA valid key sizes are 256, 384, and 521 bits
  • ED25519 key size must be between 256 and 16384 bits
  1. Enable

>options high_security.enable on

  1. Follow the prompts
Review Documentation: Setting up and Starting SSH service

Additional Information

Note that no feature, setting, or version 7-mode will not send AutoSupport messages over HTTPS transport with TLS 1.2 security.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.