E-Series disable HTTP

gfz-marco · ‎2020-02-04

Hello

Is it possible to disable HTTP on E-Series Systems?

We have different models that we access through https, so an open http port may pose a security issue that we want to avoid.

Ontapforrum · ‎2020-02-04

Hi,

By default, E-Series uses https for internal web services so it is safe.

I am not an E-Series person but in general we call http/https connections as 'Web services' atleast in ONTAP and I believe also in E-Series (Santricity). In general we use these for API purposes for monitoring and/or managing purposes.

According to this PDF:4736
There are two implementations of Web Services; one is embedded on the controller, and one is a separate proxy that can be installed on Linux or Windows.

1) For the embedded Web Services implementation, the port on the controller cannot be changed; it defaults to port 8443 for secure connections.

https://<controller>:<port>/devmgr/ (This is https and cannot be changed, hence you need not worry)

2) For the Proxy Web services (Win/Linux), you can choose between http or https:

http[s]://<server>:<port>/devmgr/

The file that controls this 'proxy' port for proxy-server is this: wsconfig.xml file
located at: C:\Program Files\NetApp\SANtricity Web Services Proxy

For more info:
https://www.netapp.com/us/media/tr-4736.pdf

Thanks!

gfz-marco · ‎2020-02-05

So is the open http port 80 just forwarding requests to https port 443/8443 ?

A quick nmap scan shows all three ports (80,443,8443) as open...

Ontapforrum · ‎2020-02-05

I think you are correct. It does say security is minimal for proxy implementations.

Take a look here, https://www.netapp.com/us/media/tr-4736.pdf
Comparison of Embedded and Proxy Implementations : Page-7 | section 3.1

It says:
1) Proxy = security is minimal
Reason: Developers can get started with the API quickly and easily.
Can you change ?: If desired, you can configure the proxy with the same security profile as the embedded version.

2) Embedded = Security is High
Reason: Security settings are high because the API runs directly on the controllers.

Interesting - I guess embedded is when you access the single E-SERIES storage system directly. With proxy I guess you can manage multiple E-SERIES systems.

Highlight for me is : Document says - If desired, you can configure the proxy with the same security profile as the embedded version. So it is indicating about hardening the proxy security, but it does not discusses it further.

My suggestion will be:

1) Give this a try:

Open this file wsconfig.xml file:
I guess these are the default ports for https & http, comment out the http line there:

save,close & restart service.

Try if you can access it via http, Run the nmap again to scan for ports.

2) If you can still see http/8080 ports , open a ticket with NetApp and to find out 'how to make the proxy secure/https.'