Hi *,
During this year I ran twice into an ONTAP hardening issue which was related to SnapMirror failures.
For internal hardening projects, I created the following Ansible workbook.
---
- hosts: all
  gather_facts: no
  vars_prompt:
    - name: password
      private: yes
  vars:
    # shared connection parameters, merged into each task via the YAML anchor
    login: &login
      username: ansible #"{{ username }}"
      password: "{{ password }}"
      hostname: "{{ inventory_hostname }}"
      https: yes
      validate_certs: false
  tasks:
    - name: Modify SSH algorithms at cluster level
      delegate_to: localhost
      netapp.ontap.na_ontap_security_ssh:
        # left empty so the change applies cluster-wide (see task name)
        vserver:
        ciphers: ["aes256-ctr","aes192-ctr","aes128-ctr","aes128-gcm","aes256-gcm"]
        key_exchange_algorithms: ["diffie-hellman-group-exchange-sha256","ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521","curve25519-sha256"]
        mac_algorithms: ["hmac-sha2-256","hmac-sha2-512","hmac-sha2-256-etm","hmac-sha2-512-etm","umac-64","umac-128","umac-64-etm","umac-128-etm"]
        max_authentication_retry_count: 6
        <<: *login
    - name: Modify SSL Security Config
      delegate_to: localhost
      netapp.ontap.na_ontap_security_config:
        #name: ssl
        is_fips_enabled: false
        # keep TLS_PSK_WITH_AES_256_GCM_SHA384: cluster peering and SnapMirror depend on it
        supported_cipher_suites: ["TLS_PSK_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_DSS_WITH_AES_128_GCM_SHA256","TLS_DHE_DSS_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
        #supported_ciphers: 'ALL:!LOW:!aNULL:!EXP:!eNULL:!3DES:!RC4:!SHA1'
        supported_protocols: ['TLSv1.2']
        <<: *login
# src https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_security_ssh_module.html
# src https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_security_config_module.html
I was asked to remove TLS_PSK_WITH_AES_256_GCM_SHA384.
This was a terrible idea. Removing TLS_PSK_WITH_AES_256_GCM_SHA384 causes SnapMirror to stop working and prevents new cluster peerings from being created.
Peering errors looked like:
yourcluster::> cluster peer create -peer-addrs x.x.x.x,x.x.x.y -applications snapmirror -ipspace snapspace -address-family ipv4
Notice: Use a generated passphrase or choose a passphrase of 8 or more characters. To ensure the authenticity of the peering
relationship, use a phrase or sequence of characters that would be hard to guess.
Enter the passphrase:
Confirm the passphrase:
Error: command failed: Using peer-address x.x.x.x: An introductory RPC to the peer address "x.x.x.x" failed to connect: RPC:
Remote system error [from mgwd on node "nodeA" (VSID: -1) to xcintro at x.x.x.x ]. Verify that the peer
address is correct, and then try the operation again.
yourcluster::>
There is a NetApp Knowledge Base article regarding this issue: https://kb.netapp.com/onprem/ontap/metrocluster/Connectivity_to_peer_cluster_is_broken_with_missing_PSK_Cipher
Please be careful about removing TLS_PSK_WITH_AES_256_GCM_SHA384 from your ONTAP SSL cipher list.
And please also keep in mind that the hardening change for the SSL config only takes effect after a takeover/giveback.
The current version of my hardening workbook can be found in my GitHub repo.
Cheers
Eric
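As an added example, not part of Eric's post or playbook: a small Python pre-flight check to run over the cipher list before the na_ontap_security_config task is applied. It reports an error when the PSK suite that cluster peering needs has been dropped, and warns about suites a hardening review usually removes. The required-suite set and the weak-suite patterns are my assumptions, not anything ONTAP or the Ansible module provides.

```python
"""Pre-flight check for an ONTAP SSL cipher-suite hardening profile (constructed example)."""
import re

# Assumption based on the post and the linked KB: the peering intro RPC
# needs this PSK suite, so a hardening profile must never drop it.
PEERING_REQUIRED_SUITES = {"TLS_PSK_WITH_AES_256_GCM_SHA384"}

# Suite name patterns a hardening review usually asks to remove (assumed list).
WEAK_SUITE_PATTERNS = [
    (re.compile(r"_RC4_"), "RC4 stream cipher"),
    (re.compile(r"_3DES_"), "3DES"),
    (re.compile(r"_CBC_"), "CBC mode"),
    (re.compile(r"_SHA$"), "SHA-1 MAC"),
    (re.compile(r"_NULL_|_anon_|_EXPORT"), "NULL/anonymous/export suite"),
]

def check_ssl_profile(cipher_suites, protocols):
    """Return a list of (severity, message) findings; an empty list means OK."""
    findings = []
    for required in sorted(PEERING_REQUIRED_SUITES - set(cipher_suites)):
        findings.append(("error", f"{required} missing: cluster peering and SnapMirror will fail"))
    for suite in cipher_suites:
        for pattern, why in WEAK_SUITE_PATTERNS:
            if pattern.search(suite):
                findings.append(("warning", f"{suite}: {why}"))
    if not protocols:
        findings.append(("error", "no TLS protocol enabled"))
    for proto in protocols:
        if proto not in ("TLSv1.2", "TLSv1.3"):
            findings.append(("warning", f"{proto}: legacy protocol enabled"))
    return findings

# Sample input: the suites and protocols exactly as in the playbook above.
PLAYBOOK_SUITES = [
    "TLS_PSK_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
PLAYBOOK_PROTOCOLS = ["TLSv1.2"]

if __name__ == "__main__":
    # The posted list passes; the same list with the PSK suite removed is rejected.
    stripped = [s for s in PLAYBOOK_SUITES if "_PSK_" not in s]
    print("as posted:", check_ssl_profile(PLAYBOOK_SUITES, PLAYBOOK_PROTOCOLS) or "OK")
    print("PSK removed:", check_ssl_profile(stripped, PLAYBOOK_PROTOCOLS))
```

Running this in CI against the variables the playbook will apply catches the broken-peering case before any takeover/giveback makes the change live.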