Software Development Kit (SDK) and API Discussions

Using NMSDK with Certificate Based Authentication against cluster mode

I followed these directions to implement certificate-based authentication of NMSDK to Cluster Mode and was partially successful:


Steps:

Create a self-signed certificate using openssl commands. When asked for common name, please use "admin". Else you may not get access to many APIs.

Example:

    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout yourKeyFileName.key -out yourCertName.pem

It will look something like this: (cat yourCertName.pem)


Install the certificate in your filer (running Clustered Data ONTAP 8.2).

Command:

    security certificate install -type client-ca -vserver yourAdminVserver

You will get a prompt saying: Please enter Certificate: Press <Enter> when done

Paste the certificate created in the above step (including the Begin and End lines) and press enter.

Two important things:

Check if client authentication is enabled in the cluster.

> security ssl show -vserver yourAdminVserver

Vserver: yourAdminVserver
   Server Certificate Issuing CA: yourAdminVserver.cert
   Server Certificate Serial Number: 50C8AB18
   Server Certificate Common Name: yourAdminVserver.cert
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: true

If it is disabled then enable using this option:

    security ssl modify -vserver yourAdminVserver -client-enabled true

You should create a security login with the client name that you have mentioned in the certificate.

    security login create -username admin -application ontapi -authmethod cert -role admin -vserver yourAdminVserver

Now you are ready to call APIs by providing the certificate and key file.

Example 1: Run the python apitest using CBA - this file can be found in your NMSDK5.1 bundle in the folder: netapp-manageability-sdk-5.2/src/sample/Data_ONTAP/Python

    python apitest.py -C ~/yourCertName.pem -K ~/yourKeyFileName.key <IP.XXX.XXX.XXX> system-get-version

Example 2: Run the apitest.exe found in netapp-manageability-sdk-5.2\bin\ntexe -C cert.pem -K keyFile.key <IP.XXX.XXX.XXX> volume-get-iter

The issue that I am now having is that I can ONLY get this to work with a self-signed certificate, but it will not work with a CA-signed certificate. Unfortunately the only error message I get from the connection attempts is: "failed: in Zapi::invoke failed to connect SSL (errno=13001)". The clusters that I am connecting to have the CA root certs already installed. I am using Perl to query the ONTAP API.


So far all I can find on the Support Site or the Community is documentation related to using self-signed certificates. Please advise as to what steps I can take to further troubleshoot this issue and what pieces of the puzzle I may be missing.


Thank you for your attention to this matter,

    Scott Lindley


Re: Using NMSDK with Certificate Based Authentication against cluster mode

Hey Scott


Check if HTTPS and TLS are enabled on the cluster.

Re: Using NMSDK with Certificate Based Authentication against cluster mode

They are both enabled. TLS is enabled for the "full monte": TLSv1.2, TLSv1.1, TLSv1
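
An added example, not from the posts above or from the NMSDK: a local pre-flight script for a CA-signed client certificate, checking that it chains to the CA file, that its common name equals the `security login` user name, that the key file belongs to it, and that it has not expired. It assumes the CA file is the one installed on the cluster as `client-ca`; the function names, file names and the throwaway demo CA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: local pre-flight checks for a CA-signed client certificate.
# The demo CA and all file names are constructed; nothing contacts a cluster.

# Client certificate ($2) chains to the CA file ($1) and allows TLS client use.
chain_ok() { openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the subject common name of a certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

# Private key ($1) and certificate ($2) carry the same public key.
key_matches() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run every check: preflight CA.pem CLIENT.pem CLIENT.key LOGIN_NAME
preflight() {
  rc=0
  chain_ok "$1" "$2"           || { echo "FAIL: $2 does not chain to $1"; rc=1; }
  [ "$(cert_cn "$2")" = "$4" ] || { echo "FAIL: certificate CN is not '$4'"; rc=1; }
  key_matches "$3" "$2"        || { echo "FAIL: key does not match certificate"; rc=1; }
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "FAIL: expired"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $2 passes local checks"
  return "$rc"
}

# Constructed sample input: throwaway CA plus a client certificate with CN=admin.
make_demo() {
  d=$1
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -nodes -newkey rsa:2048 -subj "/CN=admin" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null
}

# With four arguments check real files, otherwise run against the demo files.
if [ "$#" -eq 4 ]; then
  preflight "$@"
else
  demo=$(mktemp -d) && make_demo "$demo" &&
    preflight "$demo/ca.pem" "$demo/client.pem" "$demo/client.key" admin
fi
```

A pass here only rules out local certificate problems; it says nothing about what is installed or enabled on the cluster side.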
