Problem:
How to remediate a NetApp SAN so that it complies with PCI security requirements (insecure TLS versions, the 3DES cipher, and an SSH host key that is too small).
Solution:
To remediate insecure TLS versions, open the NetApp CLI, switch to advanced privilege, and enable FIPS-compliant mode on the SSL interface (the change takes effect after each node is rebooted, which the following steps cover):
set -privilege advanced
security config modify -interface SSL -is-fips-enabled true
Connect to NetApp OnCommand Manager
Check the cluster status
Fail over to the secondary node (monitor the iSCSI connections while doing so)
Reboot the primary node
Wait for the primary node to return
Fail back
To remediate the insecure 3DES cipher, remove it from the SSH cipher list of the vserver:
security ssh remove -vserver <Enter vserver name> -ciphers 3des-cbc
To remediate an SSH host key that is too small, generate a new 4096-bit RSA host key on every node from the system shell:
cluster2::*> systemshell -node * -command "sudo ssh-keygen -b 4096 -t rsa -f /var/etc/ssh_host_rsa_key"
  (system node systemshell)
Node: cluster2-01
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/etc/ssh_host_rsa_key.
Your public key has been saved in /var/etc/ssh_host_rsa_key.pub.
Then disable the DSA host keys by moving the key pair aside on every node:
::*> systemshell -node * -command "sudo mv /var/etc/ssh/ssh_host_dsa_key /var/etc/ssh/ssh_host_dsa_key.old"
::*> systemshell -node * -command "sudo mv /var/etc/ssh/ssh_host_dsa_key.pub /var/etc/ssh/ssh_host_dsa_key_pub.old"
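A way to verify the two SSH remediations above (3DES removed, DSA host key gone, RSA host key large enough) from a workstation before the PCI scanner runs, as an added example that is not NetApp's code and not part of the original page. It parses the standard ssh-keyscan output format ("host keytype base64blob") and reads the key size straight out of the SSH wire-format public key, then checks a cipher list such as the one "security ssh show" reports. The node name cluster2-01 comes from the page; the 2048-bit minimum is an assumed threshold (the page regenerates at 4096), and the sample keys are constructed dummy numbers of the right size, not real key material.

```python
import base64
import struct

# Ciphers a PCI scan flags; 3des-cbc is the one the page removes.
WEAK_SSH_CIPHERS = {"3des-cbc"}
# Assumed minimum RSA host-key size; the page regenerates the key at 4096 bits.
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_host_key(line):
    """Parse one ssh-keyscan line ('host keytype base64blob') into (host, keytype, bits).

    The size is taken from the RSA modulus n or the DSA prime p inside the blob.
    """
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    name, off = _read_string(blob, 0)
    if name.decode() != keytype:
        raise ValueError(f"blob type {name!r} does not match {keytype}")
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, not needed here
        n, off = _read_string(blob, off)       # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-dss":
        p, off = _read_string(blob, off)       # DSA prime p
        bits = int.from_bytes(p, "big").bit_length()
    else:
        bits = None                            # ed25519 / ecdsa: size fixed by type
    return host, keytype, bits


def host_key_findings(line):
    """Return a list of findings for one host-key line (empty when compliant)."""
    host, keytype, bits = parse_host_key(line)
    findings = []
    if keytype == "ssh-dss":
        findings.append(f"{host}: DSA host key still offered")
    elif keytype == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append(f"{host}: RSA host key is only {bits} bits")
    return findings


def cipher_findings(ciphers):
    """Return the weak ciphers present in a cipher list (e.g. from 'security ssh show')."""
    return sorted(c for c in ciphers if c in WEAK_SSH_CIPHERS)


def audit(keyscan_lines, ciphers):
    """Combine both checks; an empty list means the SSH findings are remediated."""
    findings = []
    for line in keyscan_lines:
        findings.extend(host_key_findings(line))
    findings.extend(f"weak cipher enabled: {c}" for c in cipher_findings(ciphers))
    return findings


# --- constructed sample input (dummy keys, not real key material) ---

def _wire_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """Encode an integer as an SSH mpint (leading 0x00 when the top bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _wire_string(b)


def make_keyscan_line(host, keytype, bits):
    """Build an ssh-keyscan-style line carrying a dummy key of exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1                  # placeholder number, not a real modulus/prime
    if keytype == "ssh-rsa":
        blob = _wire_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    elif keytype == "ssh-dss":
        blob = _wire_string(b"ssh-dss") + _mpint(n) + _mpint(3) + _mpint(5) + _mpint(7)
    else:
        raise ValueError("unsupported key type for the constructed sample")
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


BEFORE_KEYS = [make_keyscan_line("cluster2-01", "ssh-rsa", 1024),
               make_keyscan_line("cluster2-01", "ssh-dss", 1024)]
BEFORE_CIPHERS = ["aes256-ctr", "aes128-ctr", "3des-cbc"]
AFTER_KEYS = [make_keyscan_line("cluster2-01", "ssh-rsa", 4096)]
AFTER_CIPHERS = ["aes256-ctr", "aes128-ctr"]

if __name__ == "__main__":
    print("before:", audit(BEFORE_KEYS, BEFORE_CIPHERS))
    print("after: ", audit(AFTER_KEYS, AFTER_CIPHERS))
```

Against a real cluster, feed audit() the lines from "ssh-keyscan -t rsa,dss <management LIF>" (one line per key type the node still offers; a DSA line disappearing is itself the evidence that the rename worked) and the cipher list from "security ssh show" for the vserver. Run it once before the change to confirm it reproduces the scanner's findings, then again after the reboot and fail-back.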