IBM Storage Scale deployments and NIST compliance

Starting with IBM Storage Scale 4.1, to improve security during cluster-to-cluster communication, IBM Storage Scale generates cluster keys in a longer format that is NIST SP800-131A compliant. These keys are used when one IBM Storage Scale cluster communicates with other clusters; for example, when an IBM Storage Scale client instance accesses a file system that is managed by a server cluster.

Before IBM Storage Scale 4.1, the IBM Storage Scale keys were not SP800-131A NIST compliant. To allow interoperability between clusters that were upgraded from IBM Storage Scale 3.5 to IBM Storage Scale 4.1, IBM Storage Scale defines a NIST compliance mode that controls whether compliance is validated. Unless NIST compliance is enabled on a cluster, IBM Storage Scale does not require the clusters that communicate with it to use an SP800-131A NIST-compliant key.

Verify whether a cluster has NIST compliance enabled

If you have instances that were upgraded from IBM Storage Scale 3.5 to IBM Storage Scale 4.1, or instances that were deployed with IBM Storage Scale 4.1 (from the IBM Storage Scale pattern 1.2.1.0 or later), you can verify whether NIST compliance is enabled for the instance in two ways:
  • On an IBM Storage Scale Server instance, run Get Cluster Status. For the steps to run this operation, see Get Cluster Status.
  • On an IBM Storage Scale Client instance, run Show Client Status. For the steps to run this operation, see Show Client Status.
Look for the nistCompliance status, which shows one of the following:
  • nistCompliance off: the cluster key might or might not be in SP800-131A format. Compliance verification is not enabled.
  • nistCompliance SP800-131A: the cluster key is in SP800-131A format. Compliance validation during cluster-to-cluster communication is enabled.

Enable NIST compliance on IBM Storage Scale 4.1 clusters

If NIST compliance is disabled for a cluster, consider enabling it to improve security during cluster-to-cluster communication.

To enable NIST compliance, the current cluster and all clusters that are authenticated with the current cluster must use a key in the SP800-131A format.

Important: Before you run the following IBM Storage Scale commands on IBM Storage Scale pattern V1.2.15.0 or later, see Running IBM Storage Scale commands.
To turn on compliance, use SSH to connect to the main server (for a server cluster) or the client virtual machine (for a client cluster) and run:
/usr/lpp/mmfs/bin/mmchconfig nistCompliance=SP800-131A
If all clusters that are communicating with this cluster have the key in SP800-131A format, the call succeeds and you see this message:
# /usr/lpp/mmfs/bin/mmchconfig nistCompliance=SP800-131A
mmchconfig: Command successfully completed
mmchconfig: Propagating the cluster configuration data to all
  affected nodes.  This is an asynchronous process.
If the current cluster, or any cluster that is communicating with the current cluster, uses a key that is not SP800-131A compliant, you see an error message that refers to those clusters:
# /usr/lpp/mmfs/bin/mmchconfig nistCompliance=SP800-131A
mmchconfig: The authentication files associated with cluster gpfs.Web_Application-was.11429564982338 are not NIST SP800-131A compliant.
mmchconfig: Command failed. Examine previous error messages to determine cause.
If you see the preceding error, regenerate the keys on the clusters that the message names, and then try again to enable NIST compliance.
To regenerate the keys:
  • For a server cluster, go to the Operations page on the Instance Console and run these commands:
    1. Run Manage Keys > Change server GPFS Key. This command regenerates the cluster keys in the long format, SP800-131A compliant.
    2. Run Manage Keys > Commit server GPFS Key. This commits the key that was generated by the Change Server GPFS Key operation. Clients will no longer be able to access this IBM Storage Scale cluster remotely unless they run the Reconnect to server operation to exchange keys with the server again.
    Note: For an IBM Storage Scale active-active topology, the cluster key can be changed from the primary instance.
  • For a client cluster, go to the Operations page on the Instance Console if you are using the IBM Storage Scale Client Policy, or go to the IBM Storage Scale Client Operations script if you are using IBM Storage Scale script packages. Run the Generate new GPFS key for Client Cluster operation. This operation generates a client key that uses the SP800-131A long format.
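The status check and the mmchconfig failure handling described above, as an added example that is not part of this page or of IBM Storage Scale itself: the script parses the nistCompliance status line and extracts the cluster names from the mmchconfig error, so an operator knows which clusters still need their keys regenerated. It assumes mmlsconfig is used to read the status (the page uses Get Cluster Status), and the sample outputs are constructed to match the message formats shown above.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-flight helpers for enabling nistCompliance.
# Sample outputs are constructed, not captured from a real cluster.

# Exit status: 0 when nistCompliance is SP800-131A, 1 when it is off,
# 2 when the status line cannot be parsed.
# Input on stdin: output of "/usr/lpp/mmfs/bin/mmlsconfig nistCompliance"
# (assumed format "nistCompliance <value>", as shown by Get Cluster Status).
nist_mode() {
    mode=$(awk '$1 == "nistCompliance" { print $2; exit }')
    case "$mode" in
        SP800-131A) return 0 ;;
        off)        return 1 ;;
        *)          return 2 ;;
    esac
}

# Print, one per line, every cluster that mmchconfig reported as non-compliant.
# Input on stdin: output of "mmchconfig nistCompliance=SP800-131A" (stderr merged).
noncompliant_clusters() {
    sed -n 's/^mmchconfig: The authentication files associated with cluster \([^ ]*\) are not NIST SP800-131A compliant\.$/\1/p'
}

# Constructed samples matching the messages quoted on this page.
SAMPLE_STATUS='nistCompliance off'
SAMPLE_FAILURE='mmchconfig: The authentication files associated with cluster gpfs.Web_Application-was.11429564982338 are not NIST SP800-131A compliant.
mmchconfig: Command failed. Examine previous error messages to determine cause.'

# For live use, feed the real commands instead of the samples, for example:
#   /usr/lpp/mmfs/bin/mmlsconfig nistCompliance | nist_mode
#   /usr/lpp/mmfs/bin/mmchconfig nistCompliance=SP800-131A 2>&1 | noncompliant_clusters
if printf '%s\n' "$SAMPLE_STATUS" | nist_mode; then
    echo "nistCompliance is already SP800-131A; nothing to do"
else
    printf '%s\n' "$SAMPLE_FAILURE" | noncompliant_clusters | while read -r c; do
        echo "regenerate the keys on cluster $c, then rerun mmchconfig"
    done
fi
```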