<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Using NMSDK with Certificate Based Authentication against cluster mode in Software Development Kit (SDK) and API Discussions</title>
    <link>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/146996#M2867</link>
    <description>&lt;P&gt;I followed these directions to implement certificate-based authentication of NMSDK to Cluster Mode and was partially successful:&lt;/P&gt;
&lt;PRE&gt;Steps :

    Create a self-signed certificate using openssl commands. When asked for common name, please use "admin". Else you may not get access to many APIs.

               Example :

    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout yourKeyFileName.key -out yourCertName.pem  

               It will look something like this : ( cat yourCertName.pem)

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

    Install the certificate in your filer (running Clustered Data ONTAP 8.2 )

command :

    security certificate install -type client-ca -vserver yourAdminVserver  

You will get a prompt saying : Please enter Certificate: Press &amp;lt;Enter&amp;gt; when done

Paste the certificate created in the above step (including the Begin and End lines) and press enter.

    Two important things :
        Check if client authentication is enabled in the cluster.

&amp;gt; security ssl show -vserver yourAdminVserver

Vserver: yourAdminVserver
   Server Certificate Issuing CA: yourAdminVserver.cert
   Server Certificate Serial Number: 50C8AB18
   Server Certificate Common Name: yourAdminVserver.cert
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: true

    If it is disabled then enable using this option :

    security ssl modify -vserver yourAdminVserver -client-enabled true

    You should create a security login with the client name that you have mentioned in the certificate.

    security login create -username admin -application ontapi -authmethod cert -role admin -vserver yourAdminVserver  

    Now you are ready to call APIs by providing the certificate and key file.

Example 1 : Run the python apitest using CBA - this file can be found in your NMSDK5.1 bundle in the folder :  netapp-manageability-sdk-5.2/src/sample/Data_ONTAP/Python

    python apitest.py -C ~/yourCertName.pem -K ~/yourKeyFileName.key &amp;lt;IP.XXX.XXX.XXX&amp;gt; system-get-version  

                      Example 2 : Run the apitest.exe found in netapp-manageability-sdk-5.2\bin\ntexe -C cert.pem -K keyFile.key &amp;lt;IP.XXX.XXX.XXX&amp;gt; volume-get-iter&lt;/PRE&gt;
&lt;P&gt;The issue that I am now having is that I can ONLY get this to work with a self-signed certificate, but it will not work with a CA-signed certificate. Unfortunately the only error message I get from the connection attempts is: "failed: in Zapi::invoke failed to connect SSL (errno=13001)". The clusters that I am connecting to have the CA root certs already installed. I am using Perl to query the ONTAP API.&lt;/P&gt;
&lt;P&gt;So far all I can find on the Support Site or the Community is documentation related to using self-signed certificates. Please advise as to what steps I can take to further troubleshoot this issue and what pieces of the puzzle I may be missing.&lt;/P&gt;
&lt;P&gt;Thank you for your attention to this matter,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Scott Lindley&lt;/P&gt;</description>
    <pubDate>Wed, 04 Jun 2025 12:45:13 GMT</pubDate>
    <dc:creator>SCOTT_LINDLEY</dc:creator>
    <dc:date>2025-06-04T12:45:13Z</dc:date>
    <item>
      <title>Using NMSDK with Certificate Based Authentication against cluster mode</title>
      <link>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/146996#M2867</link>
      <description>&lt;P&gt;I followed these directions to implement certificate-based authentication of NMSDK to Cluster Mode and was partially successful:&lt;/P&gt;
&lt;PRE&gt;Steps :

    Create a self-signed certificate using openssl commands. When asked for common name, please use "admin". Else you may not get access to many APIs.

               Example :

    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout yourKeyFileName.key -out yourCertName.pem  

               It will look something like this : ( cat yourCertName.pem)

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

    Install the certificate in your filer (running Clustered Data ONTAP 8.2 )

command :

    security certificate install -type client-ca -vserver yourAdminVserver  

You will get a prompt saying : Please enter Certificate: Press &amp;lt;Enter&amp;gt; when done

Paste the certificate created in the above step (including the Begin and End lines) and press enter.

    Two important things :
        Check if client authentication is enabled in the cluster.

&amp;gt; security ssl show -vserver yourAdminVserver

Vserver: yourAdminVserver
   Server Certificate Issuing CA: yourAdminVserver.cert
   Server Certificate Serial Number: 50C8AB18
   Server Certificate Common Name: yourAdminVserver.cert
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: true

    If it is disabled then enable using this option :

    security ssl modify -vserver yourAdminVserver -client-enabled true

    You should create a security login with the client name that you have mentioned in the certificate.

    security login create -username admin -application ontapi -authmethod cert -role admin -vserver yourAdminVserver  

    Now you are ready to call APIs by providing the certificate and key file.

Example 1 : Run the python apitest using CBA - this file can be found in your NMSDK5.1 bundle in the folder :  netapp-manageability-sdk-5.2/src/sample/Data_ONTAP/Python

    python apitest.py -C ~/yourCertName.pem -K ~/yourKeyFileName.key &amp;lt;IP.XXX.XXX.XXX&amp;gt; system-get-version  

                      Example 2 : Run the apitest.exe found in netapp-manageability-sdk-5.2\bin\ntexe -C cert.pem -K keyFile.key &amp;lt;IP.XXX.XXX.XXX&amp;gt; volume-get-iter&lt;/PRE&gt;
&lt;P&gt;The issue that I am now having is that I can ONLY get this to work with a self-signed certificate, but it will not work with a CA-signed certificate. Unfortunately the only error message I get from the connection attempts is: "failed: in Zapi::invoke failed to connect SSL (errno=13001)". The clusters that I am connecting to have the CA root certs already installed. I am using Perl to query the ONTAP API.&lt;/P&gt;
&lt;P&gt;So far all I can find on the Support Site or the Community is documentation related to using self-signed certificates. Please advise as to what steps I can take to further troubleshoot this issue and what pieces of the puzzle I may be missing.&lt;/P&gt;
&lt;P&gt;Thank you for your attention to this matter,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Scott Lindley&lt;/P&gt;</description>
      <pubDate>Wed, 04 Jun 2025 12:45:13 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/146996#M2867</guid>
      <dc:creator>SCOTT_LINDLEY</dc:creator>
      <dc:date>2025-06-04T12:45:13Z</dc:date>
    </item>
    <item>
      <title>Re: Using NMSDK with Certificate Based Authentication against cluster mode</title>
      <link>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/147543#M2902</link>
      <description>&lt;P&gt;Hey Scott&lt;/P&gt;
&lt;P&gt;Check if HTTPS and TLS are enabled on the cluster.&lt;/P&gt;</description>
      <pubDate>Fri, 29 Mar 2019 13:29:57 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/147543#M2902</guid>
      <dc:creator>gaurav_verma</dc:creator>
      <dc:date>2019-03-29T13:29:57Z</dc:date>
    </item>
    <item>
      <title>Re: Using NMSDK with Certificate Based Authentication against cluster mode</title>
      <link>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/147603#M2904</link>
      <description>&lt;P&gt;They are both enabled. TLS is enabled for the "full monty": TLSv1.2, TLSv1.1, TLSv1&lt;/P&gt;</description>
      <pubDate>Mon, 01 Apr 2019 15:59:22 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Using-NMSDK-with-Certificate-Based-Authentication-against-cluster-mode/m-p/147603#M2904</guid>
      <dc:creator>SCOTT_LINDLEY</dc:creator>
      <dc:date>2019-04-01T15:59:22Z</dc:date>
    </item>
  </channel>
</rss>

