topic Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2 in Software Development Kit (SDK) and API Discussions

Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

amarumoto — Thu, 16 Jan 2014 20:37:34 GMT

Hello all, I am attempting to use the 5.1 NM SDK via Perl to automate some processes against a cluster mode 8.2 vServer. Based on the SDK documentation for the "NaServer::set_style" method my options for authentication against the filer are LOGIN, HOSTS, or CERTIFICATE. Since this is cluster mode and there is no longer a /etc/hosts.equiv file that means all I can use are LOGIN and CERTIFICATE. If I choose LOGIN I can access all of the functions of the API and everything works perfectly, however I don't really want to have to embed a username and password inside of a script.

I followed the article below to get CERTIFICATE authentication setup. I can tell that the CERTIFICATE authentication is working because I can use the API 'system-get-version' object to retrieve the version and other attributes from the vServer. However if I attempt to use any of the volume related APIs such as 'volume-get-iter' or 'volume-clone-get' I receive a failed results status from the NaServer::invoke_elem method with a reason of 'not authorized for that command'. It appears that there may only be a limited set of API functionality when using CERTIFICATE authentication over LOGIN.

Has anyone had success using CERTIFICATE authetication against an 8.2 cluster mode vServer? any insight would be appreciated! thanks!

https://communities.netapp.com/community/interfaces_and_tools/developer/blog/2013/07/30/using-sdk-with-certificate-based-authentication-cba

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

aashray — Tue, 18 Feb 2014 10:11:55 GMT

Hi,

You can access all APIs and have no limit on access if you use CBA as the "admin" user.

Basically while creating the certificate give the common-name as : admin

Then using "security login create" command create a user with username "admin" , application as "ontapi" and authmethod as "cert".

This should make it work.

I have also updated the article at : https://communities.netapp.com/community/interfaces_and_tools/developer/blog/2013/07/30/using-sdk-with-certificate-based-authentication-cba

Thanks for pointing this out.

Hope I helped.

Please let me know.

Best Regards

Aashray Arora

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

amarumoto — Tue, 18 Feb 2014 22:53:48 GMT

Thank you very much for the reply, this pointed me in the right direction.......I had originally created my certificate/vServer login with a common name unique to our environment. Then I recreated the certificate/vServer login with a common name of 'admin' but I still had the same error message as before. So I recreated the certificate/vServer login again with a common name of 'vsadmin' an then everything was working correctly, I had full API functionality,

Thanks Again!

Drew

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

richard5 — Wed, 19 Feb 2014 01:52:03 GMT

If I create a new user ("limteduser") with specific RBAC access, e.g. snap list but not delete, can I generate a self-signed certificate with the common name as "limiteduser"?

Granting cluster-wide roles is not popular with customers.

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

aashray — Wed, 19 Feb 2014 10:00:31 GMT

Great. Anytime. Thanks for your response, it will help me document CBA usage better.

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

amarumoto — Wed, 19 Feb 2014 15:45:54 GMT

I think you should be able to use a custom role that contains whatever access you like but in my experience it is the name of the user and the common name in the certificate (both should be the same) that were critical. Like you I initially created a user account name that made sense to me, like 'automation' and then created a certificate with common name of 'automation'. The CBA seemed work but with very limited functionality. It wasn't until I used the username of 'vsadmin' that I had complete success. My 'vsadmin' user is assigned the 'vsadmin' role, but I just tested changing the role the 'vsadmin-readonly' and the CBA still works but obviously with read only permissions. So I would try using either 'admin' or 'vsdamin' as your username and certificate common name and assign the user your custom role and I think you should be good.......good luck!

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

SMRUTIMANDAL — Tue, 04 Nov 2014 11:06:34 GMT

Hi,

The link above is not working. Can you please provide a fresh link.

Thanks.

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

pmbidara — Fri, 14 Nov 2014 08:37:35 GMT

Hi ,

Pasting the contents from the link here....

Greetings,

There have been a lot of questions on how Certificate Based Authentication (CBA) can be used with NMSDK to connect to the filer. CBA for NMSDK is supported if you are on Clustered Data ONTAP 8.2. This means your scripts need not have the username/password to call the APIs on the filer.

Here I will show you how you can use a self signed client certificate to login to your filer.

Steps :

Create a self-signed certificate using openssl commands. When asked for common name, please use "admin". Else you may not get access to many APIs.

Example :

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout yourKeyFileName.key -out yourCertName.pem

It will look something like this : ( cat yourCertName.pem)

-----BEGIN CERTIFICATE-----

MIICwjCCAiugAwIBAgIJAJpgINzlWl06MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV

BAYTAklOMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX

aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMMB2Fhc2hyYXkxITAfBgkqhkiG9w0BCQEW

EmFhc2hyYXlAbmV0YXBwLmNvbTAeFw0xMzA3MzAxNjQ2NDRaFw0xNDA3MzAxNjQ2

NDRaMHoxCzAJBgNVBAYTAklOMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK

DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMMB2Fhc2hyYXkxITAf

BgkqhkiG9w0BCQEWEmFhc2hyYXlAbmV0YXBwLmNvbTCBnzANBgkqhkiG9w0BAQEF

AAOBjQAwgYkCgYEAv8jid3ADQH/HQ05iZ6Tk0NF2cY9iiEna71PVKjM1L8GGkyWJ

kGioW2j1qoHO4kJEXUOMoX7YREOKLYbBQW5nx6rrg8Z3iFvP09YJnByonUIuN9QZ

96OHQ+ws9u6wNgM2LTJbcbOUUdJuOQNgaQ4XhzLDa6g0jEzyDBHbC05m2XUCAwEA

AaNQME4wHQYDVR0OBBYEFDdavnhJnCUHDJXgZEAovxcoYAsxMB8GA1UdIwQYMBaA

FDdavnhJnCUHDJXgZEAovxcoYAsxMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF

BQADgYEAdnD5BzSlV2SiZJbOjzmhkYraNwG3WauDYlnzo8K0v6BFhxKEC/abjUaa

Ic/mBXEE8JqnLN7uqQf1wZtqIU60eNexMMdg+tstYe5O0Fnu27ss9HsmDD51A9LZ

kT5+XIfG21EYJMnFa1LwWTtmkla66GNhVEzzJKUtOXD23H6SyNc=

-----END CERTIFICATE-----

Install the certificate in your filer (running Clustered Data ONTAP 8.2 )

command :

security certificate install -type client-ca -vserver yourAdminVserver

You will get a prompt saying : Please enter Certificate: Press <Enter> when done

Paste the certificate created in the above step (including the Begin and End lines) and press enter.

Two important things :
- Check if client authentication is enabled inthe cluster.

> security ssl show -vserver yourAdminVserver

Vserver: yourAdminVserver

Server Certificate Issuing CA: yourAdminVserver.cert

Server Certificate Serial Number: 50C8AB18

Server Certificate Common Name: yourAdminVserver.cert

SSL Server Authentication Enabled: true

SSL Client Authentication Enabled: true

If it is disabled then enable using this option :

security ssl modify –vserver yourAdminVserver -client-enabled true

You should create a securitylogin with the client name that you have mentioned in the certificate.

security login create -username admin -application ontapi -authmethod cert -role admin -vserver yourAdminVserver

Now you are ready to call APIs by providing the certificate and key file.

Example 1 : Run the python apitest using CBA - this file can be found in your NMSDK5.1 bundle in the folder : netapp-manageability-sdk-5.2/src/sample/Data_ONTAP/Python

python apitest.py -C ~/yourCertName.pem -K ~/yourKeyFileName.key <IP.XXX.XXX.XXX> system-get-version

Example 2 : Run the apitest.exe found in netapp-manageability-sdk-5.2\bin\nt

exe -C cert.pem -K keyFile.key <IP.XXX.XXX.XXX> volume-get-iterHope it worked well. Feel free to ask me any questions you might have.

Hope it worked well.

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

SMRUTIMANDAL — Thu, 27 Nov 2014 17:30:47 GMT

Thanks. The issue is resolved.

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

yannb — Thu, 19 May 2016 17:35:56 GMT

It seems like if I try to use a different user, it doesn't work. I get a "Not authorized for that command (13003)" error.

Now, if I assign a password to that user, it works, even if I keep authenticating with a certificate, without putting that password anywhere in my script.

Is that expecetd?

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

yannb — Thu, 19 May 2016 17:43:56 GMT

By the way, this is working find with 8.3.2

The problems show with 8.2.1

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

yannb — Thu, 19 May 2016 18:02:24 GMT

See BUG 801316 (Fixed in 8.2.2)

Re: Using 5.1 NM SDK with Certificate based authentication against cluster mode 8.2

arminwiesel_fts — Wed, 10 Jan 2018 08:41:44 GMT

Thanks, this helped me very much.

Still I had to dig out the parameters I needed in my own script out of the apitest.pl and got it working like this with my simulator:

my $Cluster = new NaServer('192.168.0.22',1,7);
$Cluster->set_transport_type('HTTPS');
$Cluster->set_style('CERTIFICATE');
$Cluster->set_client_cert_and_key('/cf.d/yourCertName.pem','/cf.d/yourKeyFileName.key');
$Cluster->set_server_cert_verification(0);
$Cluster->set_server_type('FILER');
$Cluster->set_port(443);