Software Development Kit (SDK) and API Discussions

Using NMSDK with Certificate Based Authentication against cluster mode

SCOTT_LINDLEY
2,268 Views

I followed these directions to implement certificate-based authentication of NMSDK to Cluster Mode and was partially successful:

 

Steps :

    Create a self-signed certificate using openssl commands. When asked for common name, please use "admin". Else you may not get access to many APIs.

               Example :

    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout yourKeyFileName.key -out yourCertName.pem  

               It will look something like this : ( cat yourCertName.pem)

-----BEGIN CERTIFICATE-----
MIICwjCCAiugAwIBAgIJAJpgINzlWl06MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
BAYTAklOMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMMB2Fhc2hyYXkxITAfBgkqhkiG9w0BCQEW
EmFhc2hyYXlAbmV0YXBwLmNvbTAeFw0xMzA3MzAxNjQ2NDRaFw0xNDA3MzAxNjQ2
NDRaMHoxCzAJBgNVBAYTAklOMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK
DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMMB2Fhc2hyYXkxITAf
BgkqhkiG9w0BCQEWEmFhc2hyYXlAbmV0YXBwLmNvbTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAv8jid3ADQH/HQ05iZ6Tk0NF2cY9iiEna71PVKjM1L8GGkyWJ
kGioW2j1qoHO4kJEXUOMoX7YREOKLYbBQW5nx6rrg8Z3iFvP09YJnByonUIuN9QZ
96OHQ+ws9u6wNgM2LTJbcbOUUdJuOQNgaQ4XhzLDa6g0jEzyDBHbC05m2XUCAwEA
AaNQME4wHQYDVR0OBBYEFDdavnhJnCUHDJXgZEAovxcoYAsxMB8GA1UdIwQYMBaA
FDdavnhJnCUHDJXgZEAovxcoYAsxMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAdnD5BzSlV2SiZJbOjzmhkYraNwG3WauDYlnzo8K0v6BFhxKEC/abjUaa
Ic/mBXEE8JqnLN7uqQf1wZtqIU60eNexMMdg+tstYe5O0Fnu27ss9HsmDD51A9LZ
kT5+XIfG21EYJMnFa1LwWTtmkla66GNhVEzzJKUtOXD23H6SyNc=
-----END CERTIFICATE-----

    Install the certificate in your filer (running Clustered Data ONTAP 8.2 )

command :

    security certificate install -type client-ca -vserver yourAdminVserver  

You will get a prompt saying : Please enter Certificate: Press <Enter> when done

Paste the certificate created in the above step (including the Begin and End lines) and press enter.

    Two important things :
        Check if client authentication is enabled inthe cluster.

> security ssl show -vserver yourAdminVserver

Vserver: yourAdminVserver
   Server Certificate Issuing CA: yourAdminVserver.cert
   Server Certificate Serial Number: 50C8AB18
   Server Certificate Common Name: yourAdminVserver.cert
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: true

                              If it is disabled then enable using this option :

                                         security ssl modify –vserver yourAdminVserver -client-enabled true

    You should create a securitylogin with the client name that you have mentioned in the certificate.

    security login create -username admin -application ontapi -authmethod cert -role admin -vserver yourAdminVserver  

    Now you are ready to call APIs by providing the certificate and key file.

Example 1 : Run the python apitest using CBA - this file can be found in your NMSDK5.1 bundle in the folder :  netapp-manageability-sdk-5.2/src/sample/Data_ONTAP/Python

    python apitest.py -C ~/yourCertName.pem -K ~/yourKeyFileName.key <IP.XXX.XXX.XXX> system-get-version  

                      Example 2 : Run the apitest.exe found in netapp-manageability-sdk-5.2\bin\ntexe -C cert.pem -K keyFile.key <IP.XXX.XXX.XXX> volume-get-iter

The issue that I am now having is that I can ONLY get this to work with a self-signed certificate, but it will not work with a CA-signed certificate. Unfortunately the only error message I get from the connection attemps are: "failed: in Zapi::invoke failed to connect SSL (errno=13001)". The clusters that I am connecting to have the CA root certs already installed. I am using Perl to query the OnTAP API.

 

So far all I can find on the Support Site or the Community is documentation related to using self-signed certificates. Please advise as to what steps I can take to further troubleshoot this issue and what pieces of the puzzle I may be missing.

 

Thank you for your attention to this matter,

    Scott Lindley

2 REPLIES 2

gaurav_verma
2,135 Views

Hey Scott

 

Check if HTTPs and TLS is enabled on cluster. 

SCOTT_LINDLEY
2,020 Views

They are both enabled. TLS is enabled for the "full monte": TLSv1.2, TLSv1.1, TLSv1

Public