Using self-signed Certificate & private key for WFA PERL Commands to connect to a NetApp cDOT system

by Extraordinary Contributor on ‎2014-05-19 11:44 PM

Hello Everyone,

The following document explains how to use a self signed certificate and a private key mechanism for connecting WFA perl command to a NetApp clustered DataONTAP system. So its not required to save the cluster credentials in WFA DB. You can use the same certificate for more than one cluster.

Get your Self signed Certificate on your WFA server:

1. Download OpenSSL for windows. Take 64-bit version as WFA only works on x-64 machines. Download it from here:

Perhaps you may even need this:

2. Get your Certificate and Private key:

You can use openssl to create a self signed certificate and a private key. The private key can be encrypted using a password, but that is optional. The below commands open an interactive session for you to provide details like Country Name, Locality Name, Organisation, Common Name. Remember the common name you have provided . I'm taking sinhaa for this document.

Without Private key Encryption:

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.key -out cert.crt -days 365

With Encryption using a password:

openssl req -x509 -newkey rsa:2048 -keyout key.key -out cert.crt -days 365

only change is -nodes option.

Keep your certificates as let's say C:\\

Do 'man openssl' to learn more about creating certificates. Or Google.

2. Get your cluster vserver (Cserver) ready to accept your certificate. Install the certificate into your cDOT cluster. Its a one-time only activity.

f3270-xxxx::> certificate install -type client-ca -vserver f3270-xxxx

[Copy the entire contents of the certificate cert.crt and paste it.]

3. Create a login with authentication cert

f3270-xxxx::> security login create -user-or-group-name sinhaa -application ontapi -authmethod cert -role admin -vserver f3270-xxxx

Remember that common name used in the certificate creation should be used for -user-or-group-name

3. Have ssl client authentication enabled.

f3270-xxxx::> ssl modify -vserver f3270-xxxx -client-enabled true

Your cluster is ready to for Authentication using your self signed certificate.

4. Copy the attached file and paste it at:

WFA2.2: <WFA_installation_dir>/WFA/Perl64/lib

You can keep the original one if you want or replace it. The attached is similar with an added mechanism to connect using certificate and private key. That's all

WFA2.1 and below:


5. Now it's all set. Have the command to connect to cDOT like below example. The below command connects to the cDOT cluster and fetches the ONTAP version and prints it. The important thing is mechanism to connect which is certificate and not the Saved credentials.


use strict;

use Getopt::Long;

use NaServer;

use WFAUtil;

my $DestinationCluster;


    "DestinationCluster=s"   => \$DestinationCluster

) or die 'Illegal command parameters\n';

my $wfa_util = WFAUtil->new();

$wfa_util->sendLog('INFO', "Connecting to the cluster: $DestinationCluster" );

my $server= $wfa_util->connect_cert($DestinationCluster, "c:\\mycert.crt", "c:\\mykey.key");

# or my $server= $wfa_util->connect_cert($DestinationCluster, "c:\\mycert.crt", "c:\\mykey.key", "My_password"); for an encrypted private key.

$wfa_util->sendLog('INFO','invoking Command..');

my $out = $server->system_get_version();

my $ver = $out->{'version'};

$wfa_util->sendLog('INFO', "VERSION :$ver");


You can take Certificate and Private key path as Command parameters. For simplicity I've hard-coded the paths.

PS: Thanks to Ram Kiran who helped me a lot to get this done.