What is the RSA key size supported by NetApp with OpenSSL FIPS?
Applies to
- ONTAP 9
- NetApp Storage Encryption
Answer
When creating certificates with OpenSSL in FIPS mode, be sure to select a supported key size of 2048 or 3072 bits.
Per the man page for the command 'security certificate create' in ONTAP 9.x:
-size <size of requested certificate in bits> - Size of Requested Certificate in Bits
This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible values include 512, 1024, 1536, 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are 2048 and 3072.
ONTAP rejects an unsupported size when it is passed to the 'security certificate create' command while FIPS mode is enabled.
Example:
Cluster::*> security config show
Cluster Cluster Security
Interface FIPS Mode Supported Protocols Supported Ciphers Config Ready
--------- ---------- ------------------- --------------------- ----------------
SSL true TLSv1.2 ALL:!LOW:!aNULL:!EXP: yes
!eNULL:!3DES
Cluster::*> security certificate create -common-name test -size 4096
Error: "4096" is an invalid value for field "-size " Valid choices in this command's context: 2048,3072
Example: If the certificate was created on the KMIP server with a 4096-bit key and then installed in ONTAP, the following is seen when ONTAP tries to communicate with the KMIP server (the key manager status stays "unknown"):
Cluster::> security key-manager show -status
Node Port Registered Key Manager Status
---------------------- ------ --------------------------- ---------------
Cluster-node1 5696 10.0.13.91 unknown
Cluster-node1 5696 10.0.13.92 unknown
Cluster-node1 5696 10.4.13.95 unknown
Cluster-node1 5696 10.4.13.96 unknown
Cluster-node2 5696 10.0.13.91 unknown
Cluster-node2 5696 10.0.13.92 unknown
Cluster-node2 5696 10.4.13.95 unknown
Cluster-node2 5696 10.4.13.96 unknown
8 entries were displayed
Solution: remove the certificate and install a new certificate that uses a supported RSA key size (2048 or 3072 bits).
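The check below is an added example, not part of the NetApp article or of ONTAP: it reads the RSA modulus size out of a PEM certificate with the OpenSSL CLI on the admin workstation and reports whether ONTAP in FIPS mode would accept it, so an oversized KMIP server certificate is caught before it is installed. It assumes the OpenSSL CLI is available and that the certificate carries an RSA key.

```shell
#!/bin/sh
# Added example (not from the NetApp article): pre-check a PEM certificate's
# RSA key size before installing it in ONTAP with "FIPS Mode" set to true.
# Assumes the OpenSSL command-line tool is installed on the workstation.

# Key sizes ONTAP accepts when "FIPS Mode" is true (from the man page quoted above).
FIPS_RSA_SIZES="2048 3072"

# Return 0 if the given bit size is one ONTAP accepts in FIPS mode, else 1.
fips_size_ok() {
    for s in $FIPS_RSA_SIZES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print the RSA modulus size in bits of the certificate in file $1
# (prints nothing if the file is unreadable or the key is not RSA).
cert_key_bits() {
    # 'x509 -pubkey' extracts the SubjectPublicKeyInfo; 'rsa -text' then
    # prints a line of the form "Public-Key: (2048 bit)".
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Check one certificate file; exit status mirrors whether ONTAP would accept it:
# 0 = accepted, 1 = unsupported size, 2 = not an RSA certificate / unreadable.
check_cert_for_fips() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: not an RSA certificate or unreadable" >&2
        return 2
    fi
    if fips_size_ok "$bits"; then
        echo "$1: RSA $bits-bit key, accepted in FIPS mode"
        return 0
    fi
    echo "$1: RSA $bits-bit key, rejected in FIPS mode (valid: $FIPS_RSA_SIZES)" >&2
    return 1
}

# Usage: check_cert_for_fips kmip-server.pem
```

Run it against the certificate exported from the KMIP server before 'security certificate install'; a 4096-bit key is reported as rejected, matching the error ONTAP itself gives for 'security certificate create -size 4096'.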
Additional Information