Skip to main content

Enabling cluster-wide FIPS-compliant mode for KMIP server connections

You can use the security config modify command with the -is-fips-enabled option to enable cluster-wide FIPS-compliant mode for data in flight. Doing so forces the cluster to use OpenSSL in FIPS mode when connecting to KMIP servers.

Before you begin

  • The storage controller must be configured in FIPS-compliant mode.

  • All KMIP servers must support TLSv1.2. The system requires TLSv1.2 to complete the connection to the KMIP server when cluster-wide FIPS-compliant mode is enabled.

About this task

When you enable cluster-wide FIPS-compliant mode, the cluster will automatically use only TLS1.2 and FIPS-validated cipher suites. Cluster-wide FIPS-compliant mode is disabled by default.

You must reboot cluster nodes manually after modifying the cluster-wide security configuration.

  1. Set the privilege level to advanced: set -privilege advanced
  2. Verify that TLSv1.2 is supported: security config show -supported-protocols

    For complete command syntax, see the man page.

    Example

    cluster1::> security config show
              Cluster                                              Cluster Security
    Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready
    --------- ---------- ----------------------- ----------------- ----------------
    SSL       false      TLSv1.2, TLSv1.1, TLSv1 ALL:!LOW:         yes
                                                 !aNULL:!EXP:
                                                 !eNULL
  3. Enable cluster-wide FIPS-compliant mode: security config modify -is-fips-enabled true -interface SSL

    For complete command syntax, see the man page.
  4. Reboot cluster nodes manually.
  5. Verify that cluster-wide FIPS-compliant mode is enabled: security config show

    Example

    cluster1::> security config show
              Cluster                                              Cluster Security
    Interface FIPS Mode  Supported Protocols     Supported Ciphers Config Ready
    --------- ---------- ----------------------- ----------------- ----------------
    SSL       true       TLSv1.2, TLSv1.1        ALL:!LOW:         yes
                                                 !aNULL:!EXP:
                                                 !eNULL:!RC4