Updating a GPFS cluster to `nistCompliance` SP800-131A

Learn how to generate FIPS compliant authentication keys for GPFS.

About this task

A cluster upgraded from GPFS version below 4.1 may have the nistCompliance set to off and may be operating with keys which are not NIST SP800-131A-compliant. When enabling FIPS at GPFS level this becomes an issue and the following warning might be generated:

[root@node0101 ~]# mmchconfig FIPS1402mode=yes
mmchconfig: Attention: The authentication keys for cluster gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com (this cluster)
   may not be FIPS140-2 compliant. Use mmauth genkey {new | commit} to replace
   the keys as described in the 'Updating a cluster to nistCompliance SP800-131A'
   section of the documentation.

Follow these steps to make the system compliant with NIST SP800-131A:

Procedure

Verify that GPFS service is running and GPFS nodes are up:
```
mmgetstate -aLv
```
To generate a new key, from a node in the cluster which is running version 4.1 or later, issue:
```
mmauth genkey new
```
To commit the new key generated in previous step, issue:
```
mmauth genkey commit
```
Set the release to LATEST:
```
mmchconfig release=LATEST
```
Set the nistCompliance value:
```
mmchconfig nistCompliance=SP800-131A
```

Updating a GPFS cluster to nistCompliance SP800-131A

About this task

Procedure

Updating a GPFS cluster to `nistCompliance` SP800-131A