
How to Install TLS/SSL Certificates in NetApp ONTAP

HTTPS is the standard method for internet communications that transmit sensitive data. The TLS protocol is the backbone of HTTPS, encrypting connections so transmitted information can’t be intercepted or modified.

HTTPS should also be used with local web applications that transmit sensitive data. This includes NetApp servers, since external applications and users need to authenticate, authorize and transfer data with the NetApp ONTAP operating system. This requires a digital certificate of type “server” to be installed at the cluster or storage virtual machine (SVM) level.

When a NetApp cluster or SVM is created, a self-signed server certificate is automatically created and installed to enable SSL server authentication. However, installing a certificate signed by a trusted Certificate Authority (CA) is highly recommended for stronger security.

This blog post explains how to install a CA-signed certificate and configure your cluster or SVM to use it. (NetApp can help you request a CA-signed certificate.)

Installing TLS Certificates on an ONTAP Cluster or SVM

Note that the example commands below are at the SVM level but can easily be applied at the cluster level. In addition, they are for “server” certificates but can also be used to install “client-ca” certificates for secure ONTAP communications with external application servers.

Also note that the term “SSL” is still commonly used even though the SSL protocol has long been deprecated in favor of its successor, the TLS protocol.

Before getting started, make sure you have the certificate and its private key on hand. Remember that it is vital to keep all private keys secure: a compromised private key is a serious security risk, and the certificate it belongs to must be promptly revoked and replaced.

To install a certificate and configure your cluster or SVM to use it, take the following steps:

1. SSH into the cluster’s CLI and run the following command:

security certificate install -vserver <svm_name> -type server

2. When prompted, paste the certificate (public key) and press ENTER; then paste the private key and press ENTER again. Be sure to include all the text of each PEM block, including its “-----BEGIN ...-----” and “-----END ...-----” lines (for the certificate, “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”).

3. Next, to find the new certificate, display information about server certificates on the cluster or SVM:

security certificate show -vserver <svm_name> -type server

The output should look like the following, which shows a self-signed certificate:

Vserver    Serial Number   Certificate Name                       Type
---------- --------------- -------------------------------------- ------------
dpi_svm    <cert_serial_num>
                           dpi_svm_1625F0D07A496E63               server
    Certificate Authority: dpi_svm
          Expiration Date: Wed Jul 28 14:27:01 2021

4. You’ll need the serial number, common name and CA properties from the certificate. If you need to display more information for a specific certificate, run the following command:

security certificate show -serial <cert_serial_number> -instance

5. Now you can use this information to modify the SSL auth parameter of the cluster or SVM so it uses the certificate you installed:

security ssl modify -vserver <svm_name> -server-enabled true -serial <cert_serial_number> -commonname <cert_common_name> -ca <cert_certificate_authority>

6. When prompted, you can continue to install root or intermediate certificates if required by your certificate chain. If you’re unsure about this process or your chain, refer to your Certificate Authority.

7. In most cases, input “n” to finish installing the certificate. However, if you are warned about a self-signed certificate but that is what you intend to use, input “y” to continue.

8. To verify that the certificate is associated with the cluster or SVM’s server auth parameter, run this command:

security ssl show -vserver <svm_name> -instance

The output’s “SSL Server Authentication Enabled” value should be “true”, and the expected certificate’s serial number should be displayed:

Vserver: dpi_svm
                   Server Certificate Issuing CA: dpi_svm
                Server Certificate Serial Number: <cert_serial_num>
                  Server Certificate Common Name: dpi_svm
               SSL Server Authentication Enabled: true

Certificate installation and SSL server auth configuration are now complete, and the cluster or SVM supports network communication as a server via HTTPS.
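The steps above assume you already know the certificate’s serial number, common name and issuing CA, and that the private key you paste really belongs to the certificate. The following script is an added example (not from this post and not a NetApp tool) that performs those checks on an admin workstation with OpenSSL before step 1, and also shows how to confirm, after step 8, that the SVM is serving the certificate you installed. It generates a self-signed test key pair so it runs offline; the file names, the `dpi_svm` common name and the `served_serial` helper are assumptions, and in practice `CERT` and `KEY` point at the CA-signed certificate and its private key.

```shell
#!/bin/sh
# Pre-install checks for a PEM certificate and private key before pasting them
# into "security certificate install". Added example, not Netwrix or NetApp code.
# Assumption: a throwaway self-signed pair is generated here so the script runs
# offline; replace CERT/KEY with the CA-signed certificate and its private key.

WORK=$(mktemp -d)
CERT="$WORK/server.pem"     # constructed test certificate
KEY="$WORK/server-key.pem"  # constructed matching private key

# Constructed test material (self-signed, CN=dpi_svm); a real CA-signed
# certificate replaces this in practice.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=dpi_svm" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1

# 1. A PEM block must be pasted whole: first line BEGIN, last line END.
pem_complete() {
    first=$(head -n 1 "$1"); last=$(tail -n 1 "$1")
    case "$first" in "-----BEGIN "*) ;; *) return 1 ;; esac
    case "$last"  in "-----END "*)   ;; *) return 1 ;; esac
}

# 2. The properties "security ssl modify" asks for: serial, common name, issuer.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/^.*CN=//; s/,.*$//'
}
cert_issuer() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
cert_expiry() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# 3. The private key must belong to the certificate: compare public-key digests
#    derived from each side rather than trusting file names.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 4. Do not install a certificate that has already expired.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# 5. Post-install check (assumed helper, needs network access to the SVM, so it
#    is defined but not called here): the serial the SVM presents on port 443
#    should equal the serial shown by "security ssl show".
served_serial() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -serial | sed 's/^serial=//'
}

# Run the offline checks and print the values needed for "security ssl modify".
pem_complete "$CERT" && pem_complete "$KEY" \
    && key_matches_cert "$CERT" "$KEY" && cert_not_expired "$CERT" \
    && printf 'serial=%s cn=%s issuer=%s expires=%s\n' \
        "$(cert_serial "$CERT")" "$(cert_cn "$CERT")" \
        "$(cert_issuer "$CERT")" "$(cert_expiry "$CERT")"
```

The printed serial is the uppercase hex form that ONTAP also displays, so it can be compared directly against the `security certificate show` output; `key_matches_cert` catches the common mistake of pasting a key from a different CSR, which ONTAP would otherwise accept only to fail the TLS handshake later.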

How Can Netwrix Help?

Netwrix StealthAUDIT ships with a root certificate store that includes many well-known and trusted Certificate Authorities, which simplifies the communication process once a corresponding CA-signed server certificate has been installed on NetApp clusters and SVMs in the network.

Moreover, Netwrix StealthAUDIT will enable you to:

  • Identify vulnerabilities that attackers could use to compromise your IT systems and get to your data.
  • Spot additional security gaps by quickly and efficiently assessing system patch levels.
  • Enforce security and operational policies through baseline configuration analysis.
  • Audit and govern privileged accounts.
  • Prove compliance more easily with prebuilt reports and complete system transparency.

Senior Director of Product Management at Netwrix. Farrah is responsible for building and delivering on the roadmap of Netwrix products and solutions related to Data Security and Audit & Compliance. Farrah has over 10 years of experience working with enterprise scale data security solutions, joining Netwrix from Stealthbits Technologies where she served as the Technical Product Manager and QC Manager. Farrah has a BS in Industrial Engineering from Rutgers University.