NIST compliance

The nistCompliance configuration variable allows the system administrator to restrict the set of available algorithms and key lengths to a subset of those approved by NIST.

About this task

The nistCompliance variable applies to security transport (tscomm security, key retrieval) only, not to encryption, which always uses NIST-compliant mechanisms.

For the valid values for nistCompliance, see mmchconfig command.

The nistCompliance configuration variable has been introduced on version 4.1. Clusters created prior to that release operate with the equivalent of that variable being set to off. Similarly, clusters created on prior versions and which are migrated to 4.1 will have nistCompliance set to off.

Remote Mounts and version 3.5 clusters

A cluster created on version 4.1 or higher, and operating with nistCompliance set to SP800-131A, will be unable to remote-mount a file system from a version 3.5 cluster, since the 4.1 cluster will not accept the key from the latter, which is not NIST SP800-131A-compliant. To allow the version 4.1 cluster to remote-mount the version 3.5 cluster, issue the

mmchconfig nistCompliance=off

command on the version 4.1 cluster, before the mmremotecluster add command can be issued. The key exchange will work even if the version 4.1 cluster already has a NIST-compliant key.

Updating a cluster to nistCompliance SP800-131A

A cluster upgraded from prior versions may have the nistCompliance set to off and may be operating with keys which are not NIST SP800-131A-compliant. To upgrade the cluster to operate in NIST SP800-131A mode, the following procedure should be followed:

From a node in the cluster which is running version 4.1 or later, issue:

mmauth genkey new
mmauth genkey commit

If remote clusters are present, follow the procedure described in the Changing security keys with remote access section (under Accessing a remote GPFS file system) to update the key on the remote clusters.

Once all nodes in the cluster are running at least version 4.1, run the following command from one of the nodes in the cluster:

mmchconfig release=LATEST

From one of the nodes in the cluster, run the following command:

mmchconfig nistCompliance=SP800-131A

For clusters at the version 5.1 level or higher, setting nistCompliance to off is not allowed. The nistCompliance value must be set to SP800-131A. The existing clusters that are running with nistCompliance value set to off must be changed to SP800-131A before migrating the cluster to the version 5.1 level.

If you want to set the nistCompliance value to off or continue to upgrade the version 5.1 level or higher with nistCompliance value set to off, use the option --accept-no-compliance-to-nist-standards. For more information, see Completing the upgrade to a new level of IBM Storage Scale.

Note: It is not recommended to use the --accept-no-compliance-to-nist-standards option and this option might not be available in the subsequent releases.