NetAppDocs / ontap

https://docs.netapp.com/us-en/ontap/

Add warning that ONTAP version 9.11.1RC1, FIPS 140-2 compliance management mode no longer uses FIPS 140-2 validated software module #516

Closed tulledge closed 2 years ago

tulledge commented 2 years ago

Page: Configure network security using federal information processing standards (FIPS)

Add this text:

Due to a change in ONTAP version 9.11.1RC1, FIPS 140-2 compliance management mode no longer uses a FIPS 140-2 validated software module.

ONTAP 9.11.1RC1 upgraded the OpenSSL version used for management and control plane connections for HTTPS. This version of OpenSSL (OpenSSL 3.x FIPS Provider) has not yet completed the FIPS 140-2 Cryptographic Module Validation Program (CMVP) validation process.

When FIPS compliance mode is enabled, encryption algorithms used for HTTPS connections are identical to the OpenSSL Project OpenSSL 3.x FIPS Provider algorithms that were issued in Cryptographic Algorithm Validation Program (CAVP) certificate A1938. This change only affects ONTAP systems configured in FIPS compliance mode.

This issue will be fixed once the upgraded OpenSSL module present in ONTAP 9.11.1RC1 completes FIPS 140-2 validation with NIST. If your environment requires that the ONTAP cluster management control plane run with a FIPS 140-2 CMVP validated module, then it is recommended to not upgrade to 9.11.1RC1.

This does not affect NetApp encryption at rest technologies like NSE, NVE, and NAE, as those features use a different cryptographic module than the one provided by OpenSSL in ONTAP.

For more details, see this KB article: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Upgrading_to_ONTAP_9.11.1RC1_results_in_FIPS_140-2_compliance_management_configuration_that_is_not_validated

netapp-ahibbard commented 2 years ago

@tulledge - Thanks for sharing this. I've updated this on the pages you've flagged here as well as in the other two issues (#515 #514).

netapp-ahibbard commented 2 years ago

BURT 1480857