What is high_security.enable in 7-Mode?
Applies to
Data ONTAP 8.2.5 7-Mode
Answer
In Data ONTAP 8.2.5 7-Mode, a new option called high_security.enable was added. It turns the High-Security settings on or off as a group: with High Security on, only strong algorithms and protocol versions are allowed for control-plane communications (SSH, SSL/TLS and secure LDAP). By default, high_security.enable is off.
7-Mode 8.2.5 Release Notes
When high_security.enable is set to OFF (default):
- SSH: negotiates all protocols, legacy and stronger, with respect to KEX, ciphers and MACs. SSH1 is not enabled by this setting; if the user never enabled it, it stays disabled.
- SSL: both SSLv2 and SSLv3 can be negotiated
- TLS: negotiates all versions: TLSv1.0, TLSv1.1 and TLSv1.2
- Secure LDAP: possible with all security protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2), following the SSL/TLS options' settings
When high_security.enable is set to ON:
- SSH: stops advertising the weaker cipher, KEX and MAC algorithms. MACs no longer advertised: the hmac-md5 series, the hmac-ripemd series and the umac series. KEX no longer advertised: diffie-hellman-group1-sha1 and curve25519.
- SSL: ssl.v2.enable and ssl.v3.enable are turned off
- TLS: tls.v1_1.enable and tls.v1_2.enable are turned on, and only TLSv1.1 and TLSv1.2 are negotiated (TLSv1.0 is no longer offered)
- Secure LDAP: negotiates according to the TLS settings (tls.v1_1.enable/tls.v1_2.enable)
Before the high-security option can be enabled, every vFiler must have the required ECDSA and ED25519 SSH host keys, generated with secureadmin setup. If any vFiler lacks the required SSH keys, high_security.enable cannot be turned on.
Consider the following when generating the stronger SSH keys:
- When prompted for the key size, type the number explicitly; do not accept the default shown in brackets, even if it already shows the desired key size
- For the ssh1 protocol, the key size must be between 1024 and 16384 bits
- For the ssh2 protocol, the RSA key size must be between 1024 and 16384 bits
- The only valid DSA key size is 1024 bits
- Valid ECDSA key sizes are 256, 384 and 521 bits
- For ED25519, the prompt accepts a key size between 256 and 16384 bits (Ed25519 keys are a fixed 256 bits by design)
To enable the option:
- Run:
  >options high_security.enable on
- Follow the prompts
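After turning the option on, the quickest way to confirm the SSH side of the change is to look at what the filer actually advertises in its SSH_MSG_KEXINIT rather than trusting the option value. The probe below is an added example, not code from this KB or from NetApp: it parses a server's KEXINIT name-lists (RFC 4253, section 7.1), flags the KEX and MAC families this article says disappear with high_security.enable on, and reports whether the ECDSA and Ed25519 host-key types required for the option are offered. The two sample advertisements at the bottom are constructed for offline use and are not captures from a real 8.2.5 system; fetch_server_kexinit() does the same parse against a live host and is the only network-touching function. Matching the weak families by name prefix (hmac-md5, hmac-ripemd, umac, diffie-hellman-group1-sha1, curve25519) is an assumption made here so that variants such as hmac-md5-96 are caught too.

```python
"""Probe an SSH server's KEXINIT advertisement and flag the legacy
algorithms that high_security.enable is documented to remove."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Families the KB lists as no longer advertised once high_security.enable is on.
# Matched by prefix (assumption) so variants like hmac-md5-96 or umac-128-etm@openssh.com are caught.
WEAK_MAC_PREFIXES = ("hmac-md5", "hmac-ripemd", "umac")
WEAK_KEX_PREFIXES = ("diffie-hellman-group1-sha1", "curve25519")

# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message id, 16-byte cookie, ten name-lists) into a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    off = 1 + 16  # skip the message id and the random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def build_kexinit(kex, host_key, enc, mac):
    """Build a KEXINIT payload; used here only to construct the offline samples."""
    def nl(items):
        raw = ",".join(items).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # an all-zero cookie is fine for a sample
    for lst in (kex, host_key, enc, enc, mac, mac, ["none"], ["none"], [], []):
        payload += nl(lst)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = false, reserved


def weak_algorithms(kexinit):
    """KEX and MAC names still advertised from the KB's legacy list, in advertised order."""
    def flagged(names, prefixes):
        seen = []
        for name in names:
            if name.startswith(prefixes) and name not in seen:
                seen.append(name)
        return seen
    return {"kex": flagged(kexinit["kex"], WEAK_KEX_PREFIXES),
            "mac": flagged(kexinit["mac_c2s"] + kexinit["mac_s2c"], WEAK_MAC_PREFIXES)}


def modern_host_keys(kexinit):
    """Which of the host-key types the KB requires (ECDSA, Ed25519) the server offers."""
    types = kexinit["host_key"]
    return {"ecdsa": any(t.startswith("ecdsa-sha2-") for t in types),
            "ed25519": "ssh-ed25519" in types}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange identification strings and return the server's parsed KEXINIT.
    Network use only; the offline samples below never call this."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = f.readline()
        if not line:
            raise ConnectionError("no SSH identification string received")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))  # plaintext binary-packet header
        payload = f.read(packet_len - pad_len - 1)
        f.read(pad_len)  # discard random padding; there is no MAC before key exchange
        return parse_kexinit(payload)


# Constructed samples (not captures from a real filer): a plausible advertisement
# with high_security.enable off, and one with it on.
SAMPLE_LEGACY = build_kexinit(
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    host_key=["ssh-rsa", "ssh-dss"],
    enc=["aes128-ctr", "aes256-ctr", "3des-cbc"],
    mac=["hmac-sha1", "hmac-md5", "umac-64@openssh.com", "hmac-sha2-256"])
SAMPLE_HARDENED = build_kexinit(
    kex=["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    host_key=["ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa"],
    enc=["aes128-ctr", "aes256-ctr"],
    mac=["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"])

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("hardened", SAMPLE_HARDENED)):
        kx = parse_kexinit(sample)
        print(label, "weak:", weak_algorithms(kx), "host keys:", modern_host_keys(kx))
```

Against a real system, call fetch_server_kexinit("filer.example.com") (hostname assumed) once before and once after setting the option; the weak lists should go from non-empty to empty, and modern_host_keys() should report both types, which doubles as a check that secureadmin setup produced the ECDSA and Ed25519 keys on each vFiler you probe. The parse deliberately stops after the ten name-lists and never continues the key exchange, so it leaves no authentication attempt in the filer's logs.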
Additional Information
Note that no 7-Mode feature, setting or version sends AutoSupport messages over HTTPS transport using TLS 1.2.