# na_ontap_security_config module


hexed trout
#

When attempting to use the na_ontap_security_config module to configure SSL on a new cluster, the task shows changed every time (i.e. non-idempotency). Here is our task:

- name: Modify SSL security config
  netapp.ontap.na_ontap_security_config:
    <<: *login
    name: ssl
    is_fips_enabled: true
    supported_protocols: "{{ supported_protocols }}"
    supported_cipher_suites: "{{ supported_cipher_suites }}"

I see in the module documentation for the supported_cipher_suites parameter the following verbiage: "To achieve idempotency all similar cipher_suites must be set."

Can you tell us exactly what that means? We're defining the cipher_suites that we are using based on the NetApp security hardening guide: https://www.netapp.com/media/10674-tr4569.pdf

Module docs: https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_security_config_module.html#parameter-supported_cipher_suites

crude gust
#

Looking into this.

#

Can you send me what is being passed in to supported_protocols and supported_cipher_suites?

hexed trout
#
supported_protocols: ['TLSv1.2','TLSv1.3']
#

The supported_cipher_suites is a massive list, so I'll have to attach it as a file.

crude gust
#

Thank you, we'll try reproducing this in an hour and get back to you.

I have a pretty good idea what's going on but need to confirm.

hexed trout
#

Awesome. Eager to see what you find!

crude gust
#

OK, so here's the issue, and we're looking to see if there's a better way to handle this.

ONTAP will auto-add additional suites you did not specify. Let's say you added
x, y, z
After we run this, ONTAP will auto-add some more:
x, y, z, a
because a is required for your supported protocols.

So the next time you run the playbook, we see you want x, y, z but your system has x, y, z, a, so we remove a. Then ONTAP adds it back automatically as it is required, and rinse and repeat.

I'm checking to see if there is a way for us to let you know what suites are missing that ONTAP is adding automatically. (That's what that message originally was about.)

bleak anchor
# hexed trout

In this case ONTAP is adding the 2 cipher suites below automatically:

  1. TLS_AES_128_GCM_SHA256
  2. TLS_AES_256_GCM_SHA384
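
The reconcile-then-re-add loop described in the two posts above, as an added example that is not code from this thread or from the netapp.ontap collection. It models the module as a set comparison between the playbook's cipher list and the cluster's current list, and models ONTAP as adding back the suites the enabled protocols need. The "required by protocol" table is an assumption made for this example (only the two TLSv1.3 suites named above are taken from the thread), and the sample cipher list is constructed. The example also shows the fix the thread points at: computing the suites missing from the playbook list and adding them, after which the second run reports no change.

```python
# Added example: a model of the idempotency loop, not the module's real code.
from typing import Dict, FrozenSet, Iterable, List

# Assumed mapping for illustration only; the TLSv1.3 entries are the two
# suites named in the thread, the TLSv1.2 entry is a placeholder.
AUTO_ADDED_BY_PROTOCOL: Dict[str, FrozenSet[str]] = {
    "TLSv1.3": frozenset({"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}),
    "TLSv1.2": frozenset(),
}


def required_suites(protocols: Iterable[str]) -> FrozenSet[str]:
    """Suites the cluster adds on its own for the given protocols."""
    result: FrozenSet[str] = frozenset()
    for proto in protocols:
        result |= AUTO_ADDED_BY_PROTOCOL.get(proto, frozenset())
    return result


def ontap_apply(requested: Iterable[str], protocols: Iterable[str]) -> FrozenSet[str]:
    """Cluster side: store the requested list, then add back anything required."""
    return frozenset(requested) | required_suites(protocols)


def run_playbook(desired: Iterable[str], protocols: Iterable[str], runs: int = 3) -> List[bool]:
    """Module side, repeated `runs` times.

    Reports changed whenever the desired set differs from what the cluster
    currently has, then pushes the desired set (which ONTAP extends again).
    Returns the changed flag of each run.
    """
    desired_set = frozenset(desired)
    proto_list = list(protocols)
    current: FrozenSet[str] = frozenset()  # constructed start: nothing configured yet
    changed_flags: List[bool] = []
    for _ in range(runs):
        changed = desired_set != current
        if changed:
            current = ontap_apply(desired_set, proto_list)
        changed_flags.append(changed)
    return changed_flags


def missing_from_playbook(desired: Iterable[str], protocols: Iterable[str]) -> FrozenSet[str]:
    """Suites to add to the playbook list so it matches what the cluster will end up with."""
    return required_suites(protocols) - frozenset(desired)


if __name__ == "__main__":
    protocols = ["TLSv1.2", "TLSv1.3"]
    # Constructed sample: a hardening list that omits the TLSv1.3 suites.
    playbook_list = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    ]
    print("changed per run (flapping):", run_playbook(playbook_list, protocols))
    extra = missing_from_playbook(playbook_list, protocols)
    print("add to playbook:", sorted(extra))
    print("changed per run (stable):", run_playbook(playbook_list + sorted(extra), protocols))
```

With the two suites missing, every run reports changed; once they are in the playbook list the first run configures the cluster and later runs report no change, which is what "all similar cipher_suites must be set" in the module docs amounts to.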
bleak anchor
#

We've got story 6825 open for this!