Using self-signed Certificate & private key for WFA PERL Commands to connect to a NetApp cDOT system

by Extraordinary Contributor on ‎2014-05-19 11:44 PM

Hello Everyone,

This document explains how to use a self-signed certificate and private key for connecting a WFA Perl command to a NetApp clustered Data ONTAP (cDOT) system, so that the cluster credentials do not have to be saved in the WFA database. The same certificate can be used for more than one cluster.

Get your self-signed certificate on your WFA server:

1. Download OpenSSL for Windows. Take the 64-bit build, as WFA only runs on x64 machines: http://slproweb.com/products/Win32OpenSSL.html (the direct download at the time of writing was http://slproweb.com/download/Win64OpenSSL-1_0_1g.exe).

That installer may also need the Microsoft Visual C++ redistributable it depends on: http://www.microsoft.com/en-us/download/details.aspx?id=15336

2. Get your certificate and private key:

You can use openssl to create a self-signed certificate and a private key. Encrypting the private key with a passphrase is optional. The commands below open an interactive prompt for details such as Country Name, Locality Name, Organisation and Common Name. Remember the Common Name you provide: ONTAP maps a client certificate to a user account by its CN, so it must match the user name you later give to security login create. I'm using sinhaa for this document.

Without private key encryption:

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.key -out cert.crt -days 365

With encryption using a passphrase:

openssl req -x509 -newkey rsa:2048 -keyout key.key -out cert.crt -days 365

The only difference is the -nodes option ("no DES"), which writes the key to disk unencrypted. Either way, key.key is now the credential that replaces the stored password: anyone who can read it can authenticate to every cluster where the certificate is installed. Keep it readable only by the account the WFA service runs as, and prefer the encrypted form if the passphrase can be supplied at run time.

Keep the certificate and key somewhere on the WFA server, say C:\.

See the openssl documentation (man openssl, in particular the req page) to learn more about creating certificates.

3. Get your cluster Vserver (the admin SVM, which carries the cluster's name) ready to accept your certificate by installing it as a trusted client CA. This is a one-time activity per cluster.

f3270-xxxx::> security certificate install -type client-ca -vserver f3270-xxxx

[When prompted, paste the entire contents of cert.crt, including the BEGIN CERTIFICATE and END CERTIFICATE lines.]

Because the certificate is self-signed, it is its own CA: the cluster will trust any client certificate signed with key.key, whatever CN it carries. That is another reason to protect the key file.

4. Create a login with authentication method cert:

f3270-xxxx::> security login create -user-or-group-name sinhaa -application ontapi -authmethod cert -role admin -vserver f3270-xxxx

The Common Name used when creating the certificate must be used for -user-or-group-name; that is how ONTAP maps the presented certificate to this account. The example grants the admin role. If the workflow only needs a subset of ONTAPI calls, a custom role limited to those commands reduces what a stolen key can do.

5. Enable SSL client authentication on the Vserver:

f3270-xxxx::> security ssl modify -vserver f3270-xxxx -client-enabled true

Your cluster is now ready for authentication with your self-signed certificate.

6. Copy the attached file WFAUtil.pm into the WFA Perl library directory:

WFA 2.2: <WFA_installation_dir>/WFA/Perl64/lib

WFA 2.1 and below: <WFA_installation_dir>/WFA/perl/

You can keep the original WFAUtil.pm or replace it. The attached WFAUtil.pm is the same as the shipped one with an added method, connect_cert, that connects using the certificate and private key. That's all.

7. Now it's all set. Write the command that connects to cDOT as in the example below. It connects to the cluster, fetches the ONTAP version and prints it. The important part is the connection mechanism, which is the certificate rather than the saved credentials.

====

use strict;
use warnings;
use Getopt::Long;
use NaServer;
use WFAUtil;

# Cluster name or management IP, passed by WFA as the command parameter DestinationCluster.
my $DestinationCluster;

GetOptions(
    "DestinationCluster=s" => \$DestinationCluster
) or die "Illegal command parameters\n";

die "DestinationCluster is required\n" unless defined $DestinationCluster;

my $wfa_util = WFAUtil->new();

$wfa_util->sendLog('INFO', "Connecting to the cluster: $DestinationCluster");

# connect_cert() is the method added in the attached WFAUtil.pm: it returns an
# NaServer session authenticated with the client certificate and private key
# instead of credentials saved in the WFA database.
my $server = $wfa_util->connect_cert($DestinationCluster, "c:\\mycert.crt", "c:\\mykey.key");

# For an encrypted private key, pass the passphrase as the fourth argument:
# my $server = $wfa_util->connect_cert($DestinationCluster, "c:\\mycert.crt", "c:\\mykey.key", "My_password");

$wfa_util->sendLog('INFO', 'invoking Command..');

# system-get-version is an ordinary ONTAPI call. If the certificate login was
# refused, the result element carries status "failed" and a reason instead of data.
my $out = $server->system_get_version();
if ($out->results_status() eq 'failed') {
    die "system-get-version failed: " . $out->results_reason() . "\n";
}

# The result is an NaElement; read the child by name rather than as a hash key.
my $ver = $out->child_get_string('version');

$wfa_util->sendLog('INFO', "VERSION :$ver");

====

You can take the certificate and private key paths as command parameters. For simplicity I've hard-coded the paths here.
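Since the attached WFAUtil.pm is not reproduced on this page, here is an added example, not the author's attachment and not WFA's shipped code, of what a connect_cert helper looks like when written directly against the NetApp Manageability SDK NaServer API that WFA bundles (set_style('CERTIFICATE'), set_client_cert_and_key, set_ca_certs and set_server_cert_verification are NMSDK 5.x calls). It also takes the certificate and key paths as command parameters, as suggested above, and adds the check the page does not mention: verifying the cluster's own certificate so the key is not presented to a spoofed management LIF. The parameter names, the optional CaFile parameter and the ONTAPI version 1.20 are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not the attached WFAUtil.pm: a stand-alone connect_cert()
# built on the NMSDK NaServer API. NaServer/NaElement method names are NMSDK
# calls; parameter names, paths and ONTAPI version 1.20 are placeholders.
use strict;
use warnings;
use Getopt::Long;
use NaServer;
use NaElement;

# Some NaServer setters report a problem by returning a failed "results"
# NaElement rather than dying; turn that into an error so a bad path or
# passphrase is not silently ignored. Plain return values pass through.
sub check_sdk {
    my ($r, $what) = @_;
    if (ref $r && $r->can('results_status') && $r->results_status() eq 'failed') {
        die "$what failed: " . $r->results_reason() . "\n";
    }
    return $r;
}

# Open an HTTPS ONTAPI session authenticated by a client certificate.
#   host     cluster management LIF or name
#   cert     PEM certificate whose CN equals the ONTAP user name with a cert login
#   key      PEM private key for that certificate
#   key_pass passphrase if the key was generated without -nodes, else undef
#   ca_file  PEM file used to verify the cluster's server certificate (optional)
sub connect_cert {
    my (%a) = @_;
    for my $need (qw(host cert key)) {
        die "$need is required\n" unless defined $a{$need};
    }
    -r $a{cert} or die "cannot read certificate $a{cert}\n";
    -r $a{key}  or die "cannot read private key $a{key}\n";

    # ONTAPI 1.20 is assumed here (Data ONTAP 8.2); use the version of your release.
    my $s = NaServer->new($a{host}, 1, 20);
    check_sdk($s->set_server_type('FILER'),    'set_server_type');
    check_sdk($s->set_transport_type('HTTPS'), 'set_transport_type');  # cert auth needs TLS
    check_sdk($s->set_port(443),               'set_port');
    check_sdk($s->set_style('CERTIFICATE'),    'set_style');           # not LOGIN (user/password)
    check_sdk($s->set_client_cert_and_key($a{cert}, $a{key}, $a{key_pass}),
              'set_client_cert_and_key');

    if (defined $a{ca_file}) {
        # Verify the cluster's certificate against a CA we trust, so the
        # client key is only ever presented to the real cluster.
        check_sdk($s->set_ca_certs($a{ca_file}),       'set_ca_certs');
        check_sdk($s->set_server_cert_verification(1), 'set_server_cert_verification');
    } else {
        # Without a CA file the server is not verified: the client still
        # authenticates, but the session could be intercepted.
        warn "no CaFile given: the cluster's server certificate will not be verified\n";
        check_sdk($s->set_server_cert_verification(0), 'set_server_cert_verification');
    }
    return $s;
}

# Run one ONTAPI call and return the version string, dying on an API failure
# (which is what a refused certificate login looks like from the client side).
sub ontap_version {
    my ($s) = @_;
    my $out = $s->invoke('system-get-version');
    die "system-get-version failed: " . $out->results_reason() . "\n"
        if $out->results_status() eq 'failed';
    return $out->child_get_string('version');
}

# Parameter names mirror a WFA command; here every path comes from the command line.
my %opt;
GetOptions(
    'DestinationCluster=s' => \$opt{host},
    'CertFile=s'           => \$opt{cert},
    'KeyFile=s'            => \$opt{key},
    'KeyPassword=s'        => \$opt{key_pass},
    'CaFile=s'             => \$opt{ca_file},
) or die "Illegal command parameters\n";

my $server = connect_cert(%opt);
print "ONTAP version on $opt{host}: ", ontap_version($server), "\n";
```

Invoke it as `perl connect_cert.pl -DestinationCluster f3270-xxxx -CertFile c:\mycert.crt -KeyFile c:\mykey.key -CaFile c:\cluster-ca.pem`, adding `-KeyPassword` for an encrypted key. The CA file is the PEM of the cluster's server certificate (or the CA that issued it); omitting it makes the helper fall back to an unverified server, which it logs rather than hides.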

PS: Thanks to Ram Kiran who helped me a lot to get this done.

Comments
adaikkap Former NetApp Employee

Nice work sinhaa and Ram Kiran.

Any specific reason why this is only for PERL and no PowerShell ?
