Managing the web protocol engine
You can configure the web protocol engine on the cluster to control whether web access is allowed and what SSL versions can be used. You can also display the configuration settings for the web protocol engine.
You can manage the web protocol engine at the cluster level in the following ways:
You can specify whether remote clients can use HTTP or HTTPS to access web service content by using the system services web modify command with the -external parameter.
You can specify whether SSLv3 should be used for secure web access by using the security config modify command with the -supported-protocol parameter.
By default, SSLv3 is disabled. Starting in ONTAP 9.8, Transport Layer Security 1.0 (TLSv1.0) is disabled by default, with TLSv1.1 and TLSv1.2 remaining enabled. Systems running ONTAP 9.7 or earlier need to disable TLSv1.0 after updating to ONTAP 9.8 or later, using the security config modify command with the -supported-protocol parameter.
You can enable Federal Information Processing Standard (FIPS) 140-2 compliance mode for cluster-wide control plane web service interfaces.
Note: By default, FIPS 140-2 compliance mode is disabled.
- When FIPS 140-2 compliance mode is disabled: You can enable FIPS 140-2 compliance mode by setting the is-fips-enabled parameter to true for the security config modify command, and then using the security config show command to confirm the online status.
- When FIPS 140-2 compliance mode is enabled: Both TLSv1 and SSLv3 are disabled and only TLSv1.1 and TLSv1.2 remain enabled. ONTAP prevents you from enabling both TLSv1 and SSLv3 when FIPS 140-2 compliance mode is enabled. If you enable FIPS 140-2 compliance mode and then subsequently disable it, TLSv1 and SSLv3 remain disabled, but either TLSv1.2 or both TLSv1.1 and TLSv1.2 are enabled depending on the previous configuration.
You can display the configuration of cluster-wide security by using the system security config show command.
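The following is an added example, not ONTAP code: a small model of the protocol and FIPS rules described above, useful for dry-running a change before typing it into the clustershell and for auditing a reported state. The state is constructed rather than parsed from real command output, and the comma-separated value format for -supported-protocol is an assumption.

```python
# Added example (not ONTAP code): model of the web protocol engine rules above.
from dataclasses import dataclass, field

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
FIPS_FORBIDDEN = {"SSLv3", "TLSv1"}   # never enabled while FIPS 140-2 mode is on
WEAK = {"SSLv3", "TLSv1"}             # disabled by default from ONTAP 9.8 onward


@dataclass
class SecurityConfig:
    """Cluster-wide state as 'security config show' would report it (modelled, not parsed)."""
    supported: set = field(default_factory=lambda: {"TLSv1.1", "TLSv1.2"})  # 9.8+ default
    is_fips_enabled: bool = False

    def modify(self, supported=None, is_fips_enabled=None):
        """Apply the 'security config modify' semantics described above; returns the new state."""
        new_supported = set(supported) if supported is not None else set(self.supported)
        new_fips = self.is_fips_enabled if is_fips_enabled is None else is_fips_enabled
        unknown = new_supported - set(ALL_PROTOCOLS)
        if unknown:
            raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
        if new_fips and supported is not None and new_supported & FIPS_FORBIDDEN:
            # ONTAP prevents enabling TLSv1/SSLv3 while FIPS 140-2 mode is enabled
            raise ValueError("TLSv1/SSLv3 cannot be enabled in FIPS 140-2 mode")
        if new_fips:
            # Turning FIPS on disables TLSv1 and SSLv3; TLSv1.1/TLSv1.2 stay as configured
            new_supported -= FIPS_FORBIDDEN
        # Turning FIPS off re-enables nothing: TLSv1 and SSLv3 stay disabled
        return SecurityConfig(new_supported, new_fips)


def audit(cfg):
    """Findings a reviewer would raise against a state; an empty list means clean."""
    findings = [f"{p} enabled" for p in sorted(cfg.supported & WEAK)]
    if not cfg.is_fips_enabled:
        findings.append("FIPS 140-2 compliance mode disabled")
    return findings


def modify_command(cfg):
    """CLI line that would reproduce cfg (comma-separated protocol list is assumed)."""
    protos = ",".join(p for p in ALL_PROTOCOLS if p in cfg.supported)
    fips = "true" if cfg.is_fips_enabled else "false"
    return f"security config modify -supported-protocol {protos} -is-fips-enabled {fips}"


if __name__ == "__main__":
    legacy = SecurityConfig({"TLSv1", "TLSv1.1", "TLSv1.2"})  # constructed pre-9.8 state
    print(audit(legacy))
    hardened = legacy.modify(is_fips_enabled=True)
    relaxed = hardened.modify(is_fips_enabled=False)           # TLSv1 stays disabled
    print(modify_command(hardened), audit(relaxed), sep="\n")
```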
If the firewall is enabled, the firewall policy for the logical interface (LIF) to be used for web services must be set up to allow HTTP or HTTPS access.
If you use HTTPS for web service access, SSL for the cluster or storage virtual machine (SVM) that offers the web service must also be enabled, and you must provide a digital certificate for the cluster or SVM.
In MetroCluster configurations, the setting changes you make for the web protocol engine on a cluster are not replicated on the partner cluster.