ONTAP Discussions

SSL for SVMs

KarelBP
3,900 Views

Hello everyone,

Would somebody please know the answer to this:

 

When issuing security ssl show, I see the value Server Enabled as true for the cluster, a CIFS SVM (only used for LDAP authentication to the cluster, a setup suggested by NetApp technicians) and an FC SVM. The FC SVM doesn't have any IP interface, so I think it's completely invalid there. The CIFS SVM is accessible over HTTPS, but I don't think we use it for anything.

 

So what is this for? Do the SVMs need to have a certificate and SSL enabled at all?

 

Thanks,

Karel

 

1 ACCEPTED SOLUTION

Mjizzini
3,817 Views

This command displays the configuration of encrypted HTTP (SSL) for Vservers in the cluster. Depending on the requirements of the individual node's or cluster's web services (displayed by the vserver services web show command), this encryption might or might not be used. If the Vserver does not have a certificate associated with it, SSL will not be available.

 


5 REPLIES

AlainTansi
3,828 Views

SSL is the recommended authentication method for ONTAP cluster mode.

If you are accessing an SVM for management purposes or data access, etc., authentication is required.

That is why by default the SSL service "Server Enabled" is true for all SVMs.

For any users or application to access data on the CIFS or FC SVM, they need to authenticate.

For logging in to the cluster as an admin or user you need to authenticate and that is done through the cluster(admin) SVM.

In your case, the CIFS SVM is used for LDAP authentication, which is correct, and the SSL service needs to be enabled.

 

So yes, the SVMs need certs (they can be the default self-signed or third-party CA-signed ones) and the SSL service enabled.

 

Hope that answers your question 🙂

KarelBP
3,790 Views

Hi,

Thanks for your explanation, but I'm a bit lost here. Probably more than a bit.

 

We don't authenticate directly to the SVM; we have no need for it. The cluster management page, which existed and was accessible before we created the SVM from the GUI, is on a different IP address, and that's the only service we ever want to talk to. Therefore I don't see why this SVM should even have a certificate and publish its web service on the network, when all I need it for is to talk to the domain controllers as a client, not as a server.

 

Thanks,

Karel

 


KarelBP
3,789 Views

Hi,

Thanks. When you write "depending on the requirements", that's the part where I cannot tell what exactly the requirements are. I know for sure I'd like to turn off everything we don't necessarily need and limit the number of findings in the vulnerability scanner. This is a 2-node cluster which only serves disks over Fibre Channel, needs Active Directory authentication for the management GUI or SSH console, and should have the REST API accessible to be able to read out events. Nothing else.

 

Thank you,

Karel

Sig
3,643 Views

"Depending on requirements" is the correct terminology to use... unfortunately.

You need a valid SSL cluster-level cert to establish OCUM/ActiveIQ UM connectivity. Probably the same for SC/VSC/Grafana...

I have seen environments with cluster-level SSL certs and no SVM-level SSL certs, running fine with no issues.

When NetApp introduces SVM System Manager GUI access, you'll probably need valid SSL certs for the SVM.

I recently had to add a valid SSL cert to the SVM because Varonis FPolicy required it.

I usually replace the SSL cert at deployment time with a longer-expiring one (3650 days) to avoid having to deal with it again before the system is replaced/headswapped/etc. (See them here: security certificate show -type server)

Sounds to me like you have no need for the SVM-level SSL cert. Basic operations have no need for it in my experience.
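As an added example (my own code, not from this thread or from NetApp), here is a small Python check for the situation Karel describes: it joins what an operator has already collected about per-SVM SSL state, IP LIFs and server certificates, and reports which SVMs actually expose an HTTPS endpoint (and so need a decent certificate) versus those where "Server Enabled" is true but nothing can reach it, such as the FC SVM. The record layout and all sample values are assumptions I constructed, not real cluster output.

```python
from datetime import date

# Constructed sample rows (not real cluster output); the field names are my own
# assumption, loosely modelled on the columns of "security ssl show",
# "network interface show" and "security certificate show -type server".
SSL_ROWS = [
    {"vserver": "cluster1", "server_enabled": True},
    {"vserver": "svm_cifs", "server_enabled": True},
    {"vserver": "svm_fc", "server_enabled": True},
]
LIF_ROWS = [  # only an SVM with an IP LIF can be reached over HTTPS at all
    {"vserver": "cluster1", "lif": "cluster_mgmt", "address": "192.0.2.10"},
    {"vserver": "svm_cifs", "lif": "cifs_lif1", "address": "192.0.2.20"},
]
CERT_ROWS = [  # a server cert whose CA equals its common name is self-signed
    {"vserver": "cluster1", "common_name": "cluster1", "ca": "cluster1", "expiry": date(2032, 1, 1)},
    {"vserver": "svm_cifs", "common_name": "svm_cifs", "ca": "svm_cifs", "expiry": date(2022, 1, 1)},
    {"vserver": "svm_fc", "common_name": "svm_fc", "ca": "svm_fc", "expiry": date(2032, 1, 1)},
]


def classify_svms(ssl_rows, lif_rows, cert_rows, today):
    """Map each vserver to a state plus self_signed/expired flags.
    ssl-off: server SSL disabled.  no-ip-lif: Server Enabled is true but no
    client can reach the SVM (the FC SVM case).  no-cert: reachable but no
    server certificate, so SSL is not actually available.  https-exposed:
    reachable with a cert, i.e. the endpoint a vulnerability scanner will see.
    """
    svms_with_lif = {lif["vserver"] for lif in lif_rows}
    certs_by_svm = {c["vserver"]: c for c in cert_rows}
    report = {}
    for row in ssl_rows:
        svm, cert = row["vserver"], certs_by_svm.get(row["vserver"])
        if not row["server_enabled"]:
            state = "ssl-off"
        elif svm not in svms_with_lif:
            state = "no-ip-lif"
        elif cert is None:
            state = "no-cert"
        else:
            state = "https-exposed"
        report[svm] = {
            "state": state,
            "self_signed": cert is not None and cert["ca"] == cert["common_name"],
            "expired": cert is not None and cert["expiry"] < today,
        }
    return report


def audit_sample():
    """Run the check over the constructed rows as of today."""
    return classify_svms(SSL_ROWS, LIF_ROWS, CERT_ROWS, date.today())
```

Only the "https-exposed" entries are worth spending certificate effort on; a "no-ip-lif" SVM can have its server SSL left alone or disabled without anything noticing.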

 
