Before configuring OneFS for FIPS compliance mode, ensure that you understand the feature impacts.
Before enabling FIPS compliance mode:
Note: The output of this command states only whether FIPS mode is enabled; it does not confirm whether any FIPS parameters have been changed since the mode was enabled. An administrator may re-enable FIPS mode, without disabling FIPS mode, to return all parameters to the FIPS configuration. Conversely, an administrator may re-disable FIPS mode, without ever enabling FIPS mode, to apply OneFS system defaults if a FIPS parameter was changed manually.
Also consider the following information:
FIPS compliance mode is enabled on a PowerScale cluster through the isi security settings CLI option or through the security/settings API endpoint. After FIPS compliance mode is applied, it can be reverted later, if required. Reverting returns the cluster to its original state, as it was before FIPS compliance mode was enabled.
Note: Before proceeding with enabling FIPS compliance mode, review this section in its entirety to understand all the implications of enabling FIPS. Further, complete all prerequisites previously described. As recommended with any significant IT infrastructure update, before updating a production cluster, test the update on a lab PowerScale cluster that mimics the production environment, workflow, and workload. Consider updating the production cluster only after a successful lab implementation.
To enable FIPS compliance mode on a PowerScale cluster:
A password hash update is required for FIPS compliance. Typically, UID 0 applies only to the root account.
Note: Updating the password hash also implicitly disables the NTLM support for SMB access that is used when shares are accessed through IP. Additionally, Linux variants, even when Active Directory joined, default to using NTLM authentication. Ensure all clients are migrated to Kerberos authentication or another FIPS-compliant authentication method before running these commands.
To update the password hash, run the following commands:
isi auth file modify System --password-hash-type=SHA512
isi auth local modify System --password-hash-type=SHA512
After updating the password hash, update any UID 0 login password. The password value may be the same, but the update applies the new hash. For example, to update the root password, run the following command:
isi auth users change-password root
isi security settings modify --fips-mode-enabled=true
PowerScale# isi security settings view
FIPS Mode Enabled: Yes
USB Ports Disabled: No
Restricted shell Enabled: No
Alternatively, the FIPS compliance mode may also be checked in the PowerScale API by a user who has the ISI_PRIV_CLUSTER privilege and ISI_PRIV_LOGIN_PAPI.
For information, see Appendix A: SSH key exchange, ciphers, algorithms, and tags.
After the FIPS compliance mode is enabled on a PowerScale cluster, it may also be disabled.
Note: Before proceeding with disabling FIPS compliance, consider the troubleshooting options outlined in Troubleshooting. Further, FIPS mode can be re-enabled, without disabling FIPS mode, to return all parameters to the FIPS configuration.
Note: After disabling FIPS compliance mode, before exiting the SSH session, SSH access must be updated. Otherwise, SSH access may not be available at the next login. Complete all the following steps in a single SSH session without exiting.
To disable FIPS compliance mode:
isi security settings modify --fips-mode-enabled=false
PowerScale# isi security settings view
FIPS Mode Enabled: No
USB Ports Disabled: No
Restricted shell Enabled: No
Alternatively, the FIPS compliance mode may also be checked in the PowerScale API by a user who has the ISI_PRIV_CLUSTER privilege and ISI_PRIV_LOGIN_PAPI.
The OneFS audit log retains FIPS mode updates if configuration auditing is enabled. In addition to the audit log, you can view the FIPS compliance mode logs in /ifs/.ifsvar/security_config.log, which logs security configuration changes.
A user who has the ISI_PRIV_CLUSTER privilege and ISI_PRIV_LOGIN_PAPI can also check the FIPS compliance mode status by using the OneFS API.
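The following added example (not part of the Dell documentation) shows one way to script the status check after an enable or disable: it parses the isi security settings view output format shown above and compares the FIPS flag with the state the change record expects. The function names get_setting and check_fips and the embedded sample are assumptions made for illustration. As the earlier note states, a match confirms only the mode flag, not that individual FIPS parameters are unchanged.

```shell
#!/bin/sh
# Added example: compare the FIPS flag reported by
# `isi security settings view` with the expected state.

# Constructed sample, following the output format shown on this page.
SAMPLE_VIEW='FIPS Mode Enabled: Yes
USB Ports Disabled: No
Restricted shell Enabled: No'

# get_setting NAME (hypothetical helper): reads view output on stdin and
# prints the value of NAME in lowercase, or nothing if the field is absent.
get_setting() {
    awk -F':' -v want="$1" '
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(key) == tolower(want)) { print tolower(val); exit }
        }'
}

# check_fips EXPECTED (yes|no): reads view output on stdin.
# Returns 0 = matches, 1 = mismatch, 2 = field missing or unparseable.
check_fips() {
    actual=$(get_setting "FIPS Mode Enabled")
    case "$actual" in
        yes|no) ;;
        *) echo "FIPS Mode Enabled field not found" >&2; return 2 ;;
    esac
    if [ "$actual" = "$1" ]; then
        echo "OK: FIPS mode is '$actual' as expected"
        return 0
    fi
    echo "MISMATCH: expected '$1', cluster reports '$actual'" >&2
    return 1
}

# On a cluster: isi security settings view | check_fips yes
printf '%s\n' "$SAMPLE_VIEW" | check_fips yes
```

A return code of 2 (field not found) should be treated as a failed check rather than as "disabled", so that a change in output format does not silently pass.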
PowerScale clusters running OneFS 9.4.0.0 with FIPS mode enabled may upgrade to OneFS 9.5.0.0 or later. After upgrading to OneFS Release 9.5.0.0 or later and committing the upgrade, re-enable FIPS mode. Disabling FIPS mode before upgrading is not required.