Software Development Kit (SDK) and API Discussions

Using NMSDK with Certificate Based Authentication against cluster mode

SCOTT_LINDLEY

I followed these directions to implement certificate-based authentication of NMSDK to Cluster Mode and was partially successful:

Steps :

    Create a self-signed certificate using openssl commands. When asked for common name, please use "admin". Else you may not get access to many APIs.

    Example :

        openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout yourKeyFileName.key -out yourCertName.pem

    It will look something like this : ( cat yourCertName.pem)

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

    Install the certificate in your filer (running Clustered Data ONTAP 8.2 )

command :

    security certificate install -type client-ca -vserver yourAdminVserver  

You will get a prompt saying : Please enter Certificate: Press <Enter> when done

Paste the certificate created in the above step (including the Begin and End lines) and press enter.

    Two important things :
        Check if client authentication is enabled in the cluster.

> security ssl show -vserver yourAdminVserver

Vserver: yourAdminVserver
   Server Certificate Issuing CA: yourAdminVserver.cert
   Server Certificate Serial Number: 50C8AB18
   Server Certificate Common Name: yourAdminVserver.cert
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: true

    If it is disabled then enable using this option :

        security ssl modify -vserver yourAdminVserver -client-enabled true

    You should create a security login with the client name that you have mentioned in the certificate.

    security login create -username admin -application ontapi -authmethod cert -role admin -vserver yourAdminVserver  

    Now you are ready to call APIs by providing the certificate and key file.

Example 1 : Run the python apitest using CBA - this file can be found in your NMSDK5.1 bundle in the folder :  netapp-manageability-sdk-5.2/src/sample/Data_ONTAP/Python

    python apitest.py -C ~/yourCertName.pem -K ~/yourKeyFileName.key <IP.XXX.XXX.XXX> system-get-version  

Example 2 : Run the apitest.exe found in netapp-manageability-sdk-5.2\bin\nt :

    apitest.exe -C cert.pem -K keyFile.key <IP.XXX.XXX.XXX> volume-get-iter

The issue that I am now having is that I can ONLY get this to work with a self-signed certificate, but it will not work with a CA-signed certificate. Unfortunately the only error message I get from the connection attempts is: "failed: in Zapi::invoke failed to connect SSL (errno=13001)". The clusters that I am connecting to have the CA root certs already installed. I am using Perl to query the ONTAP API.

So far all I can find on the Support Site or the Community is documentation related to using self-signed certificates. Please advise as to what steps I can take to further troubleshoot this issue and what pieces of the puzzle I may be missing.

Thank you for your attention to this matter,

    Scott Lindley

2 REPLIES

gaurav_verma

Hey Scott

 

Check if HTTPS and TLS are enabled on the cluster.

They are both enabled. TLS is enabled for the "full monty": TLSv1.2, TLSv1.1, TLSv1
