ONTAP Discussions

Fabric Pool on remote cluster

kombayn
2,083 Views

Hello

I've got one cluster with AFFs and a remote cluster with FAS and SATA disks. I've created an Object Store Server and a bucket on the FAS system and I'm trying to add it as a cloud tier on the AFF cluster, but it keeps showing me the error: "Cannot verify availability of the object store from node * Reason: Cannot verify the certificate given by the object store server. It is possible that the certificate has not been installed on the cluster." I've installed the certificate of the vserver holding the object store server on the AFF cluster, but the error is still the same - does the object store server have a separate certificate? Where can I find it? I've got intercluster connectivity tested and working. I've created a separate intercluster LIF in the subnet created for S3 traffic as well.

1 ACCEPTED SOLUTION

elementx
1,934 Views

> I think certificate validation is not required as this is the "internal" object store and traffic does not pass the internet - please, correct me if I'm wrong.

Certificate validation is always required if you want to make sure it's a valid certificate.

Page 27 tells you how to reject the option to validate from the client (https://www.netapp.com/pdf.html?item=/media/17239-tr-4598.pdf).

1. Launch ONTAP System Manager.
2. Click STORAGE.
3. Click Tiers.
4. Click Add Cloud Tier.
5. Select an object store provider.
6. Complete the text fields as required for your object store provider.
7. Click the Object Store Certificate button to turn it off.

But if you install the CA cert of the CA used to issue & sign the TLS cert of FAS S3 on your S3 client (AFF), then it will be validated, so you won't need that step. Or you could paste the FAS S3 TLS certificate alone when adding the Object Store, but without the CA loaded on the AFF there's no way to know if it was signed by a valid CA.

Also see `-is-certificate-validation-enabled false`, that is also in the PDF.

If you use valid certs, create calendar reminders to renew all certs in question, or issue them with a long duration.

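Added example (not from the thread, and not NetApp's own tooling): a small openssl script that shows the distinction the accepted answer draws between pasting the object store's TLS certificate alone and installing the certificate of the CA that issued it. Every certificate here is generated locally in a temp directory; "s3.fas.example" is an assumed hostname and "Demo Internal CA" / "Some Other CA" are assumed CA names. The same `verify_leaf` and `issuer_of` checks can be run against the chain a real FAS S3 LIF presents (captured with `openssl s_client -connect <s3-lif>:443 -showcerts </dev/null`) to find out which CA certificate the AFF side is missing before touching the validation setting.

```bash
#!/bin/sh
# Demo: a client can only validate a server certificate when it trusts the
# CA that issued it. All material below is constructed locally for the demo;
# "s3.fas.example", "Demo Internal CA" and "Some Other CA" are assumed names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private CA, standing in for whatever CA issued the FAS S3 SVM's cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The object store server's certificate, issued and signed by that CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=s3.fas.example" \
    -keyout "$WORK/s3.key" -out "$WORK/s3.csr" >/dev/null 2>&1
openssl x509 -req -days 825 -in "$WORK/s3.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/s3.pem" >/dev/null 2>&1

# 3. An unrelated CA: a client that trusts the wrong issuer (or none at all).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Some Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# issuer_of LEAF: print the issuer DN of a certificate. That DN names the CA
# whose certificate must be present on the client (here, the AFF cluster).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# verify_leaf CAFILE LEAF: "ok" if LEAF chains to a CA in CAFILE, else "fail".
# -no-CApath keeps the OS trust store out of the picture, so the outcome
# depends only on the CA file given, as it would on a storage cluster that
# carries no public trust store.
verify_leaf() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "S3 cert issuer:           $(issuer_of "$WORK/s3.pem")"
echo "verify with issuing CA:   $(verify_leaf "$WORK/ca.pem" "$WORK/s3.pem")"
echo "verify with unrelated CA: $(verify_leaf "$WORK/other.pem" "$WORK/s3.pem")"
```

The "unrelated CA" case is the situation the original poster hit: the AFF held a certificate, just not the one that had signed what the FAS S3 server presents. On ONTAP the client-side fix is to install that issuer's certificate with `security certificate install -type server-ca`; the `-is-certificate-validation-enabled false` route from the thread simply skips this check, which is the trade-off the later replies discuss.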

5 REPLIES

chamfer
1,993 Views

Hi @kombayn ,

  • Can you advise which version of ONTAP you are using on both clusters?
  • Do you require Object store certificate validation? If not, this should be able to be disabled.

The certificate that you need to put on your AFF system (w/ Fabric Pool) needs to be the SSL certificate that you have installed on the FAS' SVM that is hosting the S3 buckets.

Run the command "security ssl show -vserver <S3_SVM> -instance" on your FAS (ONTAP S3 Server) to show you the SSL certificate that is installed on the HTTPS interface for that SVM.

kombayn
1,940 Views

Hi @chamfer 

Thanks for your suggestions.

We are running 9.12.1P8 on both clusters.

I think certificate validation is not required as this is the "internal" object store and traffic does not pass the internet - please, correct me if I'm wrong.

My security ssl output on FAS looks like this:

```
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
Timeout for OCSP Queries: 10s
Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
Use a NONCE within OCSP Queries: true
```

Your suggestion is to disable Server Authentication?

chamfer
1,768 Views

Hi @kombayn,

You really need to take a risk-based approach and understand the risk that you have around the requirement for SSL Server Authentication, understanding that this is best practice.

If the S3 Object Store is internal and the risk of it being replaced with another S3 Object Store that also has the same S3 credentials is low/near impossible (this would have to be an accident or insider threat), I would then disable Server Authentication.

If there is no risk appetite then you should get the certificates from the Object Store onto the Array performing Fabric Pool.

kombayn
1,745 Views

Thanks a lot for your explanations. I wasn't able to fix the problem with the certificate, but I attached the cloud tier without certificate validation and (thanks to your explanations) I know it will be safe in my environment.
