Isilon: OneFS: How to enable support for TLSv1.2 for WebGUI OneFS 7.x and 8.x

Starting with OneFS 7.2.x and later versions, OpenSSL was upgraded to version 1.0.1 which supports TLSv1.2.

How to enable TLSv1.2 on OneFS 7.2.x and later:  

1. SSH into a node that is part of the system zone:

Make a backup copy of the /etc/mcp/templates/webui_httpd.conf file. For example, run a command similar to the following where /ifs/data/ is the directory to which the file should be copied:   

# cp /etc/mcp/templates/webui_httpd.conf /ifs/data/webui_httpd.conf.bak

2. Edit the /etc/mcp/templates/webui_httpd.conf file. Open the file for editing with any editor. For example:   

# vi /etc/mcp/templates/webui_httpd.conf  <-- or use # nano /etc/mcp/templates/webui_httpd.conf

3. To enable TLSv1.2 locate the following line in the webui_httpd.conf file:   

SSLProtocol -all +TLSv1 -SSLv3 -SSLv2

Edit the above line to the following line:

If you disable any other protocol suit, remove the (+) and add the (-) in front of it.

4. After making the wanted changes, save and close the /etc/mcp/templates/webui_httpd.conf file
5. Run the following command to copy the edited file to the /ifs/data directory:   

# cp /etc/mcp/templates/webui_httpd.conf /ifs/data/webui_httpd.conf

6. Run the following command to copy the edited file to the /etc/mcp/templates directory on all nodes:   

# isi_for_array 'cp /ifs/data/webui_httpd.conf /etc/mcp/templates/webui_httpd.conf'

7. Run the following command to push the change out to all nodes in the cluster:   

• • • For OneFS version 7.2.x and 8.0.0.x:   

# isi_for_array '/etc/mcp/scripts/webui.py'

• • • For OneFS version 8.0.1.x and 8.1.x:   

# isi_for_array '/etc/mcp/scripts/httpd.py webui'

8. Verify that "+TLSv1.2" appears in the webui_httpd.conf file on all nodes by running the following command:

9. By default, OneFS uses the highest protocol suit to negotiate. To double-check if TLSv1.2 is being negotiated, run command: