Active IQ Unified Manager Discussions

Running netapp harvest on Port 80

parkea2

I need to run netapp-harvest for a while on port 80 for a reason of policy madness!! So let's not get into that, please!!

I edited netapp-harvest.conf and set this:

 

#====== Polled host setup defaults ============================================
host_type         = FILER
host_port         = 80
host_enabled      = 1
template          = default
data_update_freq  = 60
ntap_autosupport  = 0

 

Then I enabled httpd.admin.enable on the target FILER. I tested this with OnCommand and accessed it OK on port 80, though OnCommand did warn me about not being secure.

I then stopped and started netapp-manager.

 

The logs showed that it was not working:

 

[2016-09-14 15:03:06] [WARNING] [main] system-info update failed; will try again in 10 seconds.
[2016-09-14 15:03:16] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Server returned HTTP Error:
[2016-09-14 15:03:16] [WARNING] [main] system-info update failed; will try again in 10 seconds.

 

What did I miss changing? Or does it need SSL only?

FYI, I tested on 443 and all works fine, but I get Security Nessus failures due to no TLS 1.2 support on ONTAP 8.2.4/P3 7-Mode; only TLS 1.0 or possibly TLS 1.1, I believe.

Also, using http.admin.access host=x.x.x.x did not stop the Nessus scanner seeing that the FILER cannot talk TLS 1.2.


yannb

From what I see, Harvest enforces HTTPS; you will have to modify "netapp-worker" around

 

 

my $out = $s->set_transport_type('HTTPS');

 

To override this

 

 @madden, thoughts? 🙂

madden

Hi @yannb @parkea2

 

Yes, Harvest forces HTTPS. Even if some older Data ONTAP versions have vulnerabilities it would be better than cleartext. But, if you must, to get HTTP support on port 80 the easiest would be to modify line 733 of netapp-worker (assuming Harvest v1.2.2) from:

 

my $out = $s->set_transport_type('HTTPS');

to 

my $out = $s->set_transport_type('HTTPS') unless ($connection{'host_port'} eq '80');

This change would use HTTPS unless the port is 80, in which case the default HTTP would be used.

 

Cheers,
Chris Madden

Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)


parkea2

Hi Chris

 

Thanks for the solution. I needed to tweak it slightly as the default in NaServer.pm was HTTPS.

So:

my $out = $s->set_transport_type('HTTP') unless ($connection{'host_port'} eq '443');

 

I fully get TLS 1.0 / 1.1 is better than clear text. However, the above tweak allows me to do some testing while I negotiate with the jobsworths!!

 

Yes, in my strange world:

No encryption passes the security scan while < TLS 1.2 fails.

 

Rgds Andy
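
An added example, not part of the original thread or of Harvest: a small audit that lists which pollers in a netapp-harvest.conf would send their API login over cleartext HTTP once the tweak above (HTTP unless the port is 443) is in place. The `[default]` and per-poller section layout, the skipped `global` section, the poller names and the addresses are constructed assumptions.

```python
import configparser

# Constructed sample in the style of netapp-harvest.conf (section names are assumed).
SAMPLE_CONF = """
[default]
host_type         = FILER
host_port         = 443
host_enabled      = 1

[filer-a]
hostname          = 192.0.2.10

[filer-b]
hostname          = 192.0.2.11
host_port         = 80

[filer-c]
hostname          = 192.0.2.12
host_port         = 8080
host_enabled      = 0
"""

def patched_transport(port):
    """Rule from the tweak in this thread: HTTP unless the port is '443'."""
    return "HTTPS" if port == "443" else "HTTP"

def audit(conf_text, skip=("global",)):
    """Return (poller, hostname, port, transport, enabled) per poller section."""
    cp = configparser.ConfigParser(default_section="default",
                                   comment_prefixes=("#",), interpolation=None)
    cp.read_string(conf_text)
    rows = []
    for name in cp.sections():      # the default section itself is not listed
        if name in skip:            # assumed non-poller section
            continue
        sec = cp[name]              # lookups fall back to [default] values
        port = sec.get("host_port", "443").strip()
        enabled = sec.get("host_enabled", "1").strip() == "1"
        rows.append((name, sec.get("hostname", name), port,
                     patched_transport(port), enabled))
    return rows

def cleartext_pollers(conf_text):
    """Enabled pollers whose login would cross the network unencrypted."""
    return [r[0] for r in audit(conf_text) if r[3] == "HTTP" and r[4]]

if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print("%-10s %-14s port=%-5s %-5s enabled=%s" % row)
    print("cleartext:", cleartext_pollers(SAMPLE_CONF))
```

Note that under this rule any port other than 443 falls back to HTTP, so a poller on a non-standard HTTPS port would also be flagged.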

madden

@parkea2

 

Great to hear you got it working.  I saw this in the 5.5 docs:

 

[Image: https-sdk.png]

 

I then tested in my lab (which has 5.4) and it worked as I posted. But after your response I checked the actual NaServer.pm files and indeed the default changed from HTTP to HTTPS between 5.4 and 5.5, making the doc snippet above incorrect. I will open a bug for this.

 

Cheers,
Chris Madden
