110 NetApp AltaVault Cloud Integrated Storage Administration Guide
Beta Draft
Configuring AltaVault appliances for FIPS-compliant cryptography Configuring AltaVault appliances for FIPS-compliant cryptography
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
Configuring any other ciphers displays a warning message and the system will not be FIPS compliant.
Note: The default ciphers for SSH are aes128-cbc, aes192-cbc, and aes256-cbc. These ciphers are FIPS compliant.
You can configure SSH ciphers with the following command:
amnesiac (config) # ssh server allowed-ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-
ctr,aes192-ctr,aes256-ctr
amnesiac (config) # write memory
To verify your SSH settings, enter the following command:
amnesiac (config) # show ssh server allowed-ciphers
SSH server allowed ciphers:
---------------------------
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
To verify that SSH is running in FIPS mode, look for entries similar to the following in the syslog when a user
logs in:
Mar 18 15:00:30 amnesiac sshd: FIPS_mode_set(1)
Mar 18 15:00:30 amnesiac sshd[14594]: FIPS mode initialized
Telnet server
Telnet functionality is not FIPS compliant. Enabling this feature triggers a configuration warning in FIPS mode.
Telnet must be disabled. If Telnet is enabled, an error message appears if you try to enable FIPS mode. If FIPS mode
is enabled, the system prevents you from enabling Telnet and provides an error message.
To disable this feature, use the following commands:
amnesiac (config) # no telnet-server enable
amnesiac (config) # no telnet-server permit-admin
amnesiac (config) # write memory
To verify your settings, enter the following command:
amnesiac (config) # show telnet-server
Telnet server enabled: no
Web proxy
Web proxy functionality for licensing is not FIPS compliant.
To Next Page
Loading...
