Test integration

This test procedure requires test scripts available from NetApp. The output files resulting from executing the test scripts need to be sent back to NetApp for verification.

Load the test scripts into NetApp ONTAP

  1. Open a command window and log in remotely to the NetApp ONTAP Cluster Management.

  2. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  3. Enter Systemshell. Provide the password when prompted.

    mycluster::*> systemshell -node mycluster-01
      (system node systemshell)
    diag@127.0.0.1's password:
    
    Warning:  The system shell provides access to low-level
    diagnostic tools that can cause irreparable damage to
    the system if not used properly.  Use this environment
    only when directed to do so by support personnel.
    
    mycluster-01%
  4. Use scp to copy the test script files from a server of your choice into the Systemshell of the NetApp ONTAP node. Provide the password when prompted.

    mycluster-01% scp root@10.194.148.52:/root/Downloads/kmip_before_reboot_test.sh kmip_before_reboot_test.sh
    root@10.194.148.52's password:
    kmip_before_reboot_test.sh                                                            100% 7346   731.0KB/s   00:00
    SSH terminating : scp.c : main : 690,errs = 0.
    
    mycluster-01% scp root@10.194.148.52:/root/Downloads/kmip_post_reboot_test.sh kmip_post_reboot_test.sh
    root@10.194.148.52's password:
    kmip_post_reboot_test.sh                                                              100% 6047     3.6MB/s   00:00
    SSH terminating : scp.c : main : 690,errs = 0.
  5. Verify the test script files are in the current directory.

    mycluster-01% ls
    kmip_before_reboot_test.sh      kmip_post_reboot_test.sh

Execute the kmip_before_reboot_test.sh test script

  1. Open a command window and log in remotely to the NetApp ONTAP Cluster Management.

  2. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  3. Enter Systemshell. Provide the password when prompted.

    mycluster::*> systemshell -node mycluster-01
      (system node systemshell)
    diag@127.0.0.1's password:
    
    Warning:  The system shell provides access to low-level
    diagnostic tools that can cause irreparable damage to
    the system if not used properly.  Use this environment
    only when directed to do so by support personnel.
    
    mycluster-01%
  4. Execute the kmip_before_reboot_test.sh test script and redirect the output to file before_reboot_output_1.txt. KeyControl presents itself as a single entity even though it may be composed of multiple nodes (two in this test case). Therefore, answer no to the prompt "Please enter whether this is a clustered key-server config (yes or no):" shown below.

    mycluster-01% bash kmip_before_reboot_test.sh > before_reboot_output_1.txt
    Please enter key server name: KeyControl
    Please enter key server version: 10.2
    Please enter whether this is a clustered key-server config (yes or no): no
    Sleeping for 10 seconds before checking if aggregate was created...
    Sleeping for 10 seconds before checking if vserver was created...
  5. Exit Systemshell.

    mycluster-01% exit
  6. Reboot the node. Wait 10 minutes before logging back into the cluster.

    mycluster::*> reboot -node mycluster-01
      (system node reboot)
    
    Warning: Are you sure you want to reboot node "mycluster-01"? {y|n}: y
    
    
    Connection to xxx.xxx.xxx.xxx closed.

Execute the kmip_post_reboot_test.sh test script

  1. Open a command window and log in remotely to the NetApp ONTAP Cluster Management.

  2. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  3. Enter Systemshell. Provide the password when prompted.

    mycluster::*> systemshell -node mycluster-01
      (system node systemshell)
    diag@127.0.0.1's password:
    
    Warning:  The system shell provides access to low-level
    diagnostic tools that can cause irreparable damage to
    the system if not used properly.  Use this environment
    only when directed to do so by support personnel.
    
    mycluster-01%
  4. Execute the kmip_post_reboot_test.sh test script and redirect the output to file post_reboot_output_1.txt.

    mycluster-01% bash kmip_post_reboot_test.sh > post_reboot_output_1.txt
    Please enter key server name: KeyControl
    Please enter key server version: 10.2
    Please enter whether this is a clustered key-server config (yes or no): no
  5. Exit Systemshell.

    mycluster-01% exit

Enable FIPS mode

  1. Open a command window and log in remotely to the NetApp ONTAP Cluster Management.

  2. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  3. Enable FIPS mode.

    mycluster::*> security config modify -interface SSL -is-fips-enabled true
    
    Warning: This command will enable FIPS compliance and can potentially cause some non-compliant components to fail.
             MetroCluster and Vserver DR require FIPS to be enabled on both sites in order to be compatible. An SNMP users
             or SNMP traphosts that are non-compliant to FIPS will be deleted automatically. An SNMPv1 user, SNMPv2c user
             or SNMPv3 user (with none or MD5 as authentication protocol or none or DES as encryption protocol or both) is
             non-compliant to FIPS. An SNMPv1 traphost or SNMPv3 traphost (configured with an SNMPv3 user non-compliant to
             FIPS) is non-compliant to FIPS.
    Do you want to continue? {y|n}: y
  4. Reboot all nodes in the cluster. Wait 10 minutes before logging back into the cluster.

    mycluster::*> reboot -node *
      (system node reboot)
    
    Warning: Are you sure you want to reboot node "mycluster-01"? {y|n}: Y
    1 entry was acted on.
    
    
    Connection to 10.194.148.113 closed.
  5. Log back into the NetApp ONTAP Cluster Management.

  6. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  7. Verify FIPS mode is enabled.

    mycluster::*> security config show
    Cluster    Supported
    FIPS Mode  Protocols Supported Cipher Suites
    ---------- --------- ----------------------------------------------------------
    true       TLSv1.3,  TLS_RSA_WITH_AES_128_CCM, TLS_RSA_WITH_AES_128_CCM_8,
               TLSv1.2   TLS_RSA_WITH_AES_128_GCM_SHA256,
                         TLS_RSA_WITH_AES_128_CBC_SHA,
                         TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CCM,
    
     ...
    
                         TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
                         TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
                         TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
                         TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384

Execute the before and post test scripts a second time

  1. Open a command window and log in remotely to the NetApp ONTAP Cluster Management.

  2. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  3. Enter Systemshell. Provide the password when prompted.

    mycluster::*> systemshell -node mycluster-01
      (system node systemshell)
    diag@127.0.0.1's password:
    
    Warning:  The system shell provides access to low-level
    diagnostic tools that can cause irreparable damage to
    the system if not used properly.  Use this environment
    only when directed to do so by support personnel.
    
    mycluster-01%
  4. Execute the kmip_before_reboot_test.sh test script and redirect the output to file before_reboot_output_2.txt.

    mycluster-01% bash kmip_before_reboot_test.sh > before_reboot_output_2.txt
    Please enter key server name: KeyControl
    Please enter key server version: 10.2
    Please enter whether this is a clustered key-server config (yes or no): no
    Sleeping for 10 seconds before checking if aggregate was created...
    Sleeping for 10 seconds before checking if vserver was created...
  5. Exit Systemshell.

    mycluster-01% exit
  6. Reboot the node. Wait 10 minutes before logging back into the cluster.

    mycluster::*> reboot -node mycluster-01
      (system node reboot)
    
    Warning: Are you sure you want to reboot node "mycluster-01"? {y|n}: y
    
    
    Connection to xxx.xxx.xxx.xxx closed.
  7. Log back into the NetApp ONTAP Cluster Management.

  8. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  9. Enter Systemshell. Provide the password when prompted.

    mycluster::*> systemshell -node mycluster-01
      (system node systemshell)
    diag@127.0.0.1's password:
    
    Warning:  The system shell provides access to low-level
    diagnostic tools that can cause irreparable damage to
    the system if not used properly.  Use this environment
    only when directed to do so by support personnel.
    
    mycluster-01%
  10. Execute the kmip_post_reboot_test.sh test script and redirect the output to file post_reboot_output_2.txt.

    mycluster-01% bash kmip_post_reboot_test.sh > post_reboot_output_2.txt
    Please enter key server name: KeyControl
    Please enter key server version: 10.2
    Please enter whether this is a clustered key-server config (yes or no): no
  11. Use scp to copy the test script output files to a server of your choice. Provide the password when prompted.

    mycluster-01% scp before_reboot_output_1.txt root@xxx.xxx.xxx.xxx:/root/Downloads/before_reboot_output_1.txt
    root@10.194.148.52's password:
    before_reboot_output_1.txt                                                            100%   11KB 856.1KB/s   00:00
    SSH terminating : scp.c : main : 690,errs = 0.
    
    mycluster-01% scp before_reboot_output_2.txt root@xxx.xxx.xxx.xxx:/root/Downloads/before_reboot_output_2.txt
    root@10.194.148.52's password:
    before_reboot_output_2.txt                                                            100%   11KB  10.8MB/s   00:00
    SSH terminating : scp.c : main : 690,errs = 0.
    
    mycluster-01% scp post_reboot_output_1.txt root@xxx.xxx.xxx.xxx:/root/Downloads/post_reboot_output_1.txt
    root@10.194.148.52's password:
    post_reboot_output_1.txt                                                              100%   10KB 585.4KB/s   00:00
    SSH terminating : scp.c : main : 690,errs = 0.
    
    mycluster-01% scp post_reboot_output_2.txt root@xxx.xxx.xxx.xxx:/root/Downloads/post_reboot_output_2.txt
    root@10.194.148.52's password:
    post_reboot_output_2.txt                                                              100%   10KB   9.6MB/s   00:00
    SSH terminating : scp.c : main : 690,errs = 0.
  12. Send these output files to NetApp for verification.

Verify FIPS mode is unchanged after reboot

  1. Exit Systemshell.

    mycluster-01% exit
  2. Disable FIPS mode.

    mycluster::*> security config modify -interface SSL -is-fips-enabled false
  3. Reboot all nodes in the cluster.

    mycluster::*> reboot -node *
      (system node reboot)
    
    Warning: Are you sure you want to reboot node "mycluster-01"? {y|n}: Y
    1 entry was acted on.
    
    
    Connection to 10.194.148.113 closed.
  4. Log back into the NetApp ONTAP Cluster Management.

  5. Set diagnostics.

    mycluster::> set diag
    
    Warning: These diagnostic commands are for use by NetApp personnel only.
    Do you want to continue? {y|n}: y
    
    mycluster::*>
  6. Verify FIPS mode is disabled on the cluster.

    mycluster::*> security config show
    Cluster    Supported
    FIPS Mode  Protocols Supported Cipher Suites
    ---------- --------- ----------------------------------------------------------
    false      TLSv1.3,  TLS_RSA_WITH_AES_128_CCM, TLS_RSA_WITH_AES_128_CCM_8,
               TLSv1.2   TLS_RSA_WITH_AES_128_GCM_SHA256,
                         TLS_RSA_WITH_AES_128_CBC_SHA,
                         TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CCM,
    
     ...
    
                         TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
                         TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
                         TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                         TLS_CHACHA20_POLY1305_SHA256
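
The two "security config show" checks in this procedure (after enabling FIPS mode and after disabling it) can be scripted against a saved capture of the CLI output. The following is an added example, not part of the NetApp test scripts or of this guide; the function names and sample captures are constructed, and the list of algorithms treated as non-approved is an assumption.

```bash
#!/usr/bin/env bash
# Added example: validate a saved capture of `security config show`.
# Function names and sample captures are constructed for illustration.

# Abbreviated captures modelled on the output shown in the procedure.
sample_fips_on='Cluster    Supported
FIPS Mode  Protocols Supported Cipher Suites
---------- --------- ----------------------------------------------------------
true       TLSv1.3,  TLS_RSA_WITH_AES_128_CCM, TLS_RSA_WITH_AES_128_CCM_8,
           TLSv1.2   TLS_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384'
sample_fips_off='Cluster    Supported
FIPS Mode  Protocols Supported Cipher Suites
---------- --------- ----------------------------------------------------------
false      TLSv1.3,  TLS_RSA_WITH_AES_128_CCM, TLS_RSA_WITH_AES_128_CCM_8,
           TLSv1.2   TLS_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                     TLS_CHACHA20_POLY1305_SHA256'

# Print the "FIPS Mode" value: first field of the first row after the dashed rule.
fips_mode() {
  awk 'seen && NF { print $1; exit } /^ *-+ +-+ +-+/ { seen = 1 }'
}

# Print one cipher suite per line (protocol names such as "TLSv1.3," are skipped).
cipher_suites() {
  tr -s ' ,' '\n\n' | grep -E '^TLS_[A-Z0-9_]+$'
}

# check_capture <expected true|false> <capture text>; returns 0 on pass, 1 on fail.
check_capture() {
  expected=$1; capture=$2
  mode=$(printf '%s\n' "$capture" | fips_mode)
  if [ "$mode" != "$expected" ]; then
    echo "FAIL: FIPS mode is '${mode:-unparsed}', expected '$expected'"; return 1
  fi
  # Assumption: suites built on these algorithms are treated as not FIPS-approved.
  bad=$(printf '%s\n' "$capture" | cipher_suites | grep -E 'CHACHA20|RC4|MD5' || true)
  if [ "$expected" = true ] && [ -n "$bad" ]; then
    echo "FAIL: FIPS mode is true but non-approved suites are offered:"; echo "$bad"; return 1
  fi
  echo "OK: FIPS mode is $mode, $(printf '%s\n' "$capture" | cipher_suites | wc -l | tr -d ' ') suites listed"
  return 0
}

check_capture true  "$sample_fips_on"
check_capture false "$sample_fips_off"
```

To check a real capture, pass the saved text as the second argument, for example check_capture true "$(cat capture.txt)", where capture.txt is a hypothetical file name.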