External key management
You can configure Element software to use a third-party KMIP-compliant key management service (KMS) to
manage storage cluster encryption keys. When you enable this feature, the storage cluster's cluster-wide drive
access password encryption key is managed by a KMS that you specify.
Element can use the following key management services:
• Gemalto SafeNet KeySecure
• SafeNet AT KeySecure
• HyTrust KeyControl
• Vormetric Data Security Manager
• IBM Security Key Lifecycle Manager
For more information on configuring External Key Management, see Getting started with External Key
Management in the SolidFire and Element Documentation Center.
Multi-factor authentication
Multi-factor authentication (MFA) enables you to require users to present multiple types of evidence to
authenticate with the NetApp Element web UI or storage node UI upon login. You can configure Element to
accept only multi-factor authentication for logins, integrating with your existing user management system and
identity provider.
You can configure Element to integrate with an existing SAML 2.0 identity provider, which can enforce multiple
authentication schemes, such as password and text message, password and email message, or other
methods.
You can pair multi-factor authentication with common SAML 2.0 compatible identity providers (IdPs), such as
Microsoft Active Directory Federation Services (ADFS) and Shibboleth.
To configure MFA, see Enabling multi-factor authentication in the SolidFire and Element Documentation
Center.
FIPS 140-2 for HTTPS and data at rest encryption
NetApp SolidFire storage clusters and NetApp HCI systems support encryption that complies with the Federal
Information Processing Standard (FIPS) 140-2 requirements for cryptographic modules. You can enable FIPS
140-2 compliance on your NetApp HCI or SolidFire cluster for both HTTPS communications and drive
encryption.
When you enable FIPS 140-2 operating mode on your cluster, the cluster activates the NetApp Cryptographic
Security Module (NCSM) and leverages FIPS 140-2 Level 1 certified encryption for all communication via
HTTPS to the NetApp Element UI and API. You use the EnableFeature Element API with the fips
parameter to enable FIPS 140-2 HTTPS encryption. On storage clusters with FIPS-compatible hardware, you
can also enable FIPS drive encryption for data at rest using the EnableFeature Element API with the
FipsDrives parameter.
For more information about preparing a new storage cluster for FIPS 140-2 encryption, see Creating a cluster
supporting FIPS drives.
For more information about enabling FIPS 140-2 on an existing, prepared cluster, see The EnableFeature
Element API.