Updating a GPFS cluster to nistCompliance SP800-131A

Learn how to generate FIPS compliant authentication keys for GPFS.

About this task

A cluster upgraded from GPFS version below 4.1 may have the nistCompliance set to off and may be operating with keys which are not NIST SP800-131A-compliant. When enabling FIPS at GPFS level this becomes an issue and the following warning might be generated:
[root@node0101 ~]# mmchconfig FIPS1402mode=yes
mmchconfig: Attention: The authentication keys for cluster gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com (this cluster)
   may not be FIPS140-2 compliant. Use mmauth genkey {new | commit} to replace
   the keys as described in the 'Updating a cluster to nistCompliance SP800-131A'
   section of the documentation.

Follow these steps to make the system compliant with NIST SP800-131A:


  1. Verify that GPFS service is running and GPFS nodes are up:
    mmgetstate -aLv
  2. To generate a new key, from a node in the cluster which is running version 4.1 or later, issue:
    mmauth genkey new
  3. To commit the new key generated in previous step, issue:
    mmauth genkey commit
  4. Set the release to LATEST:
    mmchconfig release=LATEST
  5. Set the nistCompliance value:
    mmchconfig nistCompliance=SP800-131A