Hello @TMADOCTHOMAS,
The article suggests testing the security changes on a nonproduction system that has console access. This way, in the event of losing access, you will still have a method to reverse the changes or perform further recovery. You will want to collaborate with the security team on the exact time when they are making the changes so you can perform the changes concurrently and avoid having to perform recovery scenarios.
Below is the snippet from page 21 of TR-4569: Security Hardening Guide for NetApp ONTAP 9 that explains the changes and testing in further detail:
"Enabling FIPS 140-2 compliance has effects on other systems and communications internal and external to ONTAP 9. NetApp highly recommends testing these settings on a nonproduction system that has console access.
Note: If SSH is used to administer ONTAP 9, then you must use an OpenSSH 5.7 or later client. SSH clients must negotiate with the Elliptic Curve Digital Signature Algorithm (ECDSA) public key algorithm for the connection to be successful.
TLS security can be further hardened by only enabling TLS 1.2 and using Perfect Forward Secrecy (PFS)-capable cipher suites. PFS is a method of key exchange that, when used in combination with encryption protocols like TLS 1.2, helps prevent an attacker from decrypting all network sessions between a client and server. To enable only TLS 1.2 and PFS-capable ciphers suites, use the security config modify command from the advanced privilege level as shown in the following example.
Note: Before changing the SSL interface configuration, it is important to remember that the client must support the ciphers mentioned (DHE, ECDHE) when connecting to ONTAP. Otherwise, the connection is not allowed."
Regards,
Team NetApp
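The quoted guidance tells you to confirm client support (OpenSSH 5.7+ with ECDSA, TLS clients that can negotiate DHE/ECDHE under TLS 1.2) before and after the change. The script below is an added example for the admin workstation side of that test; it is not from TR-4569 or the NetApp reply above, and it does not run the ONTAP commands themselves. It assumes the cluster management address is passed in a hypothetical ONTAP_HOST variable and that the workstation's own openssl and ssh binaries are the ones that will later be used to administer ONTAP. The version, cipher-name and handshake-output helpers work offline; the live probe runs only when ONTAP_HOST is set.

```shell
#!/bin/sh
# Added example (not from TR-4569 or the post above): client-side checks to run on
# the admin workstation before and after enabling TLS 1.2-only / PFS ciphers on ONTAP.
# Assumptions: cluster management address in ONTAP_HOST (hypothetical variable);
# openssl and ssh are the workstation's own binaries.

# 1. OpenSSH 5.7 or later is required for the ECDSA key exchange ONTAP insists on.
#    Takes an "ssh -V" banner such as "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2"
#    and returns 0 when the version is >= 5.7, 1 otherwise (or if unrecognised).
openssh_at_least_5_7() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  major=${ver%% *}
  minor=${ver#* }
  [ "$major" -gt 5 ] && return 0
  [ "$major" -eq 5 ] && [ "$minor" -ge 7 ] && return 0
  return 1
}

# 2. Whether an OpenSSL cipher-suite name uses ephemeral (EC)DH key exchange, i.e.
#    provides forward secrecy. Static-RSA suites such as AES256-GCM-SHA384 do not and
#    will be refused once the hardened profile is in place.
pfs_cipher_suite() {
  case "$1" in
    ECDHE-*|DHE-*) return 0 ;;
    *) return 1 ;;
  esac
}

# 3. Extract "<proto> <suite>" from the "New, <proto>, Cipher is <suite>" line that
#    openssl s_client prints (read from stdin). A failed handshake prints
#    "New, (NONE), Cipher is (NONE)", which becomes "NONE NONE"; so does no match.
negotiated() {
  r=$(sed -n 's/^New, (*\([^,)]*\))*, Cipher is (*\([^)]*\))*$/\1 \2/p' | head -n 1)
  printf '%s\n' "${r:-NONE NONE}"
}

# 4. Live probe of the cluster management LIF: TLS 1.0 and 1.1 must be refused, and
#    a TLS 1.2 handshake restricted to ECDHE/DHE must succeed with a PFS suite.
#    Down-level probes use @SECLEVEL=0 so that an OpenSSL 3 client does not refuse
#    TLS 1.0/1.1 on its own; a refusal then reflects the server, not the client.
probe_tls() {
  host=$1
  for flag in -tls1 -tls1_1 -tls1_2; do
    if [ "$flag" = -tls1_2 ]; then ciphers='ECDHE:DHE'; else ciphers='ALL:@SECLEVEL=0'; fi
    out=$(openssl s_client -connect "$host:443" $flag -cipher "$ciphers" </dev/null 2>&1 || true)
    set -- $(printf '%s\n' "$out" | negotiated)
    proto=$1; suite=$2
    err=$(printf '%s\n' "$out" | grep -i -e alert -e error -e failure | head -n 1)
    case "$flag:$proto" in
      -tls1_2:TLSv1.2)
        if pfs_cipher_suite "$suite"; then echo "PASS $flag negotiated $suite"
        else echo "FAIL $flag negotiated non-PFS suite $suite"; fi ;;
      -tls1_2:*) echo "FAIL $flag handshake failed: ${err:-no detail}" ;;
      *:NONE)    echo "PASS $flag refused: ${err:-no detail}" ;;
      *)         echo "FAIL $flag still accepted ($proto $suite)" ;;
    esac
  done
}

# 5. SSH client: version banner and ECDSA support ("ssh -Q key" exists from 6.3 on).
check_ssh_client() {
  banner=$(ssh -V 2>&1)
  if openssh_at_least_5_7 "$banner"; then echo "PASS ssh client: $banner"
  else echo "FAIL ssh client older than 5.7 or unrecognised: $banner"; fi
  if ssh -Q key 2>/dev/null | grep -q '^ecdsa-sha2-'; then
    echo "PASS ssh client offers ECDSA key algorithms"
  else
    echo "WARN could not confirm ECDSA support via 'ssh -Q key'"
  fi
}

# Run the live checks only when a target is given; the helpers above work offline.
if [ -n "${ONTAP_HOST:-}" ]; then
  command -v ssh >/dev/null 2>&1 && check_ssh_client
  command -v openssl >/dev/null 2>&1 && probe_tls "$ONTAP_HOST"
fi
```

Run it as `ONTAP_HOST=<cluster-mgmt address> sh check_ontap_tls.sh` (file name is arbitrary) once before the security team applies the change, to confirm the workstation can already negotiate TLS 1.2 with an ECDHE/DHE suite, and again afterwards, when the -tls1 and -tls1_1 lines should flip to "refused". The ONTAP side (`set -privilege advanced`, then `security config modify -interface SSL ...` and `security config show` to confirm) is the part the TR's own example covers; parameter names differ between ONTAP releases, so check `security config modify ?` on the target version before relying on any particular flag.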