When issuing security ssl show, I see the value Server Enabled as true for the cluster, a CIFS SVM (only used for LDAP authentication to the cluster, a setup suggested by NetApp technicians) and an FC SVM. The FC SVM doesn't have any IP interface, so I think it's completely invalid. The CIFS SVM is accessible on HTTPS, but I don't think we use it for anything.
So what is this for? Do the SVMs need to have a certificate and SSL enabled at all?
This command displays the configuration of encrypted HTTP (SSL) for Vservers in the cluster. Depending on the requirements of the individual node's or cluster's web services (displayed by the vserver services web show command), this encryption might or might not be used. If the Vserver does not have a certificate associated with it, SSL will not be available.
Thanks. When you write "depending on the requirements", that's the part where I cannot tell what exactly the requirements are. I know for sure I'd like to turn off everything we don't necessarily need and limit the number of findings in the vulnerability scanner. This is a 2-node cluster which only serves disks over Fibre Channel, needs authentication with Active Directory to the management GUI or SSH console, and it should have the REST API accessible to be able to read out events. Nothing else.
"depending on requirements" is the correct terminology to use...unfortunately.
You need a valid SSL cluster-level cert to establish OCUM/ActiveIQ UM connectivity. Probably the same for SC/VSC/Grafana.
I have seen environments with cluster-level SSL certs and no SVM-level SSL certs, running fine with no issues.
When NetApp introduces SVM System Manager GUI access, you'll probably need valid SSL certs for the SVM.
I recently had to add a valid SSL cert to the SVM because Varonis FPolicy required it.
I usually replace the SSL cert at deployment time with a longer-expiring one (3650 days) to avoid having to deal with it again before the system is replaced/headswapped/etc. (See them with: security certificate show -type server.)
Sounds to me like you have no need for the SVM-level SSL cert. Basic operations have no need for it in my experience.
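To make the advice above concrete (SVM-level server SSL only needs to be on where something actually serves HTTPS, and whatever cert is there should not be about to expire), here is an added audit script that is not part of the thread or of any NetApp tool. The two listings it parses are constructed samples that only approximate the column layout of security ssl show and security certificate show -type server; the real output has more columns, so the two parsers must be adjusted to what your cluster prints. The vserver names (cluster1, svm_cifs, svm_fc), the 90-day threshold and the "today" date are assumptions. The remediation command it suggests, security ssl modify -vserver <name> -server-enabled false, is the standard ONTAP command for turning off server-side SSL on a vserver.

```python
"""Audit which ONTAP vservers have server-side SSL enabled and whether their
server certificates are close to expiry.

Added example, not from the forum thread. SSL_SHOW and CERT_SHOW are
constructed samples that only approximate the real CLI column layout.
"""
from datetime import date

# Constructed sample resembling `security ssl show` (columns approximated).
SSL_SHOW = """\
Vserver          Server Enabled  Client Enabled
---------------- --------------- ---------------
cluster1         true            false
svm_cifs         true            false
svm_fc           true            false
"""

# Constructed sample resembling `security certificate show -type server`.
# Common names are assumed to contain no whitespace so a plain split works.
CERT_SHOW = """\
Vserver   Common Name  Type    Expiration
--------- ------------ ------- ----------
cluster1  cluster1     server  2034-01-15
svm_cifs  svm_cifs     server  2025-03-01
"""


def parse_table(text):
    """Return the data rows of a columnar listing, each split on whitespace.

    Lines consisting only of dashes are the column underline and are skipped;
    the first remaining line is the header and is dropped.
    """
    rows = [line.split() for line in text.splitlines()
            if line.strip() and set(line.strip()) - {"-", " "}]
    return rows[1:]


def parse_ssl_show(text):
    """Map vserver -> True when its 'Server Enabled' column reads true."""
    return {row[0]: row[1] == "true" for row in parse_table(text)}


def parse_cert_show(text):
    """Map vserver -> expiration date of its server-type certificate."""
    certs = {}
    for vserver, _common_name, cert_type, expiration in parse_table(text):
        if cert_type == "server":
            certs[vserver] = date.fromisoformat(expiration)
    return certs


def audit(ssl_text, cert_text, needed, today, min_days=90):
    """Return {vserver: [issue codes]}, codes in this order:
    'disable'  - server SSL is on for a vserver that should not serve HTTPS
    'no-cert'  - server SSL is on but no server certificate exists, so HTTPS
                 cannot actually be established on that vserver
    'expiring' - the server certificate expires within min_days
    """
    server_on = parse_ssl_show(ssl_text)
    certs = parse_cert_show(cert_text)
    findings = {}
    for vserver, enabled in server_on.items():
        issues = []
        if enabled and vserver not in needed:
            issues.append("disable")
        if enabled and vserver not in certs:
            issues.append("no-cert")
        if vserver in certs and (certs[vserver] - today).days < min_days:
            issues.append("expiring")
        findings[vserver] = issues
    return findings


def remediation(findings):
    """Suggest an ONTAP CLI command per finding; renewal is only suggested
    where the vserver is meant to keep serving HTTPS."""
    cmds = []
    for vserver, issues in findings.items():
        if "disable" in issues:
            cmds.append(f"security ssl modify -vserver {vserver} -server-enabled false")
        elif "expiring" in issues:
            cmds.append(f"security certificate show -vserver {vserver} -type server")
    return cmds


if __name__ == "__main__":
    # Assumption: only the cluster admin vserver answers HTTPS (GUI/REST).
    result = audit(SSL_SHOW, CERT_SHOW, needed={"cluster1"}, today=date(2025, 1, 1))
    for vserver, issues in result.items():
        print(f"{vserver:10} {', '.join(issues) or 'ok'}")
    for cmd in remediation(result):
        print("  ->", cmd)
```

With the sample data the cluster vserver comes back clean, svm_cifs is flagged both for serving HTTPS it does not need and for a certificate that expires in 59 days, and svm_fc is flagged as having SSL enabled with no server certificate at all, which matches the thread's point that an FC-only SVM gains nothing from it. The long-lived replacement certificate mentioned above is created with security certificate create and its -expire-days parameter (assumed here; confirm against your ONTAP version's man page).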
thanks for your explanation, but I'm a bit lost here. Probably more than a bit.
We don't authenticate directly to the SVM; we have no need for it. The cluster management page, which existed and was accessible before we created the SVM from the GUI, is on a different IP address, and that's the only service we ever want to talk to. Therefore I don't see why this SVM should even have a certificate and publish its web service into the network, when all I need it for is to talk to the domain controllers as a client, not as a server.