Management support for TLS communications on VNX2 systems
Management communication into and out of the storage system is encrypted using SSL. As part of this process, the client and the storage system negotiate an SSL protocol to use. By default, the storage system supports the TLS 1.0, TLS 1.1 and TLS 1.2 protocols for communication. The storage system includes an administrative setting to change the TLS mode on the system.
Setting the TLS mode as TLSv1.0 means that the storage system will support communication using the TLS 1.0, TLS 1.1 and TLS 1.2 protocols.
Setting the TLS mode as TLSv1.1 means that the storage system will only support communication using the TLS 1.1 and TLS 1.2 protocols, and TLS 1.0 will not be considered a valid protocol.
Setting the TLS mode as TLSv1.2 means that the storage system will only support communication using the TLS 1.2 protocol, while TLS 1.0 and TLS 1.1 will not be considered valid protocols.
NOTE: Changing the TLS mode to a higher level (from TLSv1.0 to TLSv1.1 or from TLSv1.0 to TLSv1.2) may impact existing client applications which are not compatible with the TLS 1.1 or TLS 1.2 protocols. In this case, TLS 1.0 support should remain enabled and the TLS mode should not be changed to a higher level.
The following functionality will not work in TLSv1.1 and TLSv1.2 mode:
Domain management containing a VNX/VNX2 Control Station (version 8.1.21.256 and earlier)
Navisphere CLI (version 7.33.x.x.x and earlier) cannot connect to Management Server. Replication Manager, RPA, ViPR SRM, AppSync, and ESA integrated with Navisphere CLI (version 7.33.x.x.x and earlier) also cannot connect to Management Server.
If TLS 1.0 is disabled in the network environment (for example, a switch blocks TLS 1.0 packets), the following functions will be impacted:
Unisphere Service Manager cannot receive software, drive firmware, and language pack upgrade notifications
ESRS IP Client
ESRS Device Client on Control Station and Storage Processors
Managing TLS mode on the storage system
On a Unified VNX2 or a Gateway VNX2, run the following commands on the Control Station as the root user to manage the TLS mode:
/nas/bin/nas_tls -set TLSv1.0 Sets TLS protocol 1.0 as the lowest supported version.
/nas/bin/nas_tls -set TLSv1.1 Sets TLS protocol 1.1 as the lowest supported version.
/nas/bin/nas_tls -set TLSv1.2 Sets TLS protocol 1.2 as the lowest supported version.
/nas/bin/nas_tls -info Lists the current TLS protocol settings.
On a Block-only VNX2, run the following naviseccli commands using an account with the Administrator or Security Administrator role:
naviseccli -h <sp_ip> security -tls -set TLSv1.0 Sets TLS protocol 1.0 as the lowest supported version.
naviseccli -h <sp_ip> security -tls -set TLSv1.1 Sets TLS protocol 1.1 as the lowest supported version.
naviseccli -h <sp_ip> security -tls -set TLSv1.2 Sets TLS protocol 1.2 as the lowest supported version.
naviseccli -h <sp_ip> security -tls -get Lists the current TLS protocol settings.
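To confirm that a mode change took effect, the management port can be probed from a client with one handshake per protocol version and the result compared with the mode descriptions above. The following script is an added example, not part of the original article or the vendor tooling; the host, port and expected mode are supplied by the operator, and the function names are illustrative.

```python
import socket
import ssl
import sys

# Mode -> protocol versions this article says the storage system accepts in that mode.
MODE_ACCEPTS = {
    "TLSv1.0": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "TLSv1.1": {"TLSv1.1", "TLSv1.2"},
    "TLSv1.2": {"TLSv1.2"},
}
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, name, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version; True if it completes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # testing protocol support only, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    # Let the local OpenSSL offer TLS 1.0/1.1; a client build that has those
    # versions compiled out will still report False for them.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def audit(mode, observed):
    """Compare probe results {version: accepted} with what `mode` should allow."""
    findings = []
    for name in sorted(VERSIONS):
        should = name in MODE_ACCEPTS[mode]
        if observed[name] and not should:
            findings.append(f"{name} accepted but mode {mode} should refuse it")
        elif should and not observed[name]:
            findings.append(f"{name} refused but mode {mode} should accept it")
    return findings

if __name__ == "__main__":
    # Usage: script.py <host> <port> <expected mode, e.g. TLSv1.2>
    host, port, mode = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    results = {name: probe(host, port, name) for name in VERSIONS}
    for line in audit(mode, results) or [f"matches mode {mode}: {results}"]:
        print(line)
```

A version reported as refused when the mode should accept it can also mean the port was unreachable from the probing client, so check connectivity before treating it as a configuration fault.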
For more information about these commands, please refer to VNX Command Line Interface Reference for File and VNX Command Line Interface Reference for Block.