Tech ONTAP Blogs

ONTAP Tools for VMware 10.5 (Part 1 of 3): Hardening Your VMware Private Cloud

ChanceBingen
NetApp

Introduction:

We’re excited to announce the latest release of NetApp ONTAP tools for VMware vSphere, designed to simplify and secure storage operations for VMware vSphere and Cloud Foundation. This update brings new features that enhance security, resilience, automation, and manageability for modern enterprise environments.


In this first blog, we will unpack what’s new in security with strict certificate validation and enhancements to ONTAP tools’ own certificates.


New Certificate Features in This Release


1. Certificate Validation for ONTAP and vCenter

With both state and non-state actors attempting to gain access to your vital data every single day, security is more important than ever. This release introduces certificate validation for both ONTAP and vCenter: ONTAP tools (sometimes referred to as OTV, not to be confused with Overlay Transport Virtualization) now verifies the server certificate presented in every TLS handshake it initiates, so its connections are not merely encrypted but made to an authenticated peer. Without that check, anyone able to position themselves on the management network path could present a certificate of their own and intercept or alter the traffic; validating it helps safeguard your data and virtual infrastructure from unauthorized access.


Now, before we get started, I have to give a fair warning here. The default self-signed certificates that ONTAP ships with won't pass this validation, because they lack the Subject Alternative Name entries described under Platform Requirement below. You can generate stronger self-signed certificates using ONTAP's CLI if you want, or, better, use your enterprise CA and issue CA-signed certificates like we should all be doing anyway.


So, before we take a deeper dive into certificate validation, I want to address the elephant in the room. If you maintain a sandbox lab, a home lab using simulators, or another reduced-security environment, there is a process by which you CAN disable certificate validation. So, no, you don't strictly need to set up a certificate authority and/or reissue all of your certificates, provided you are comfortable with the reduced security posture that comes with it: connections are still encrypted, but ONTAP tools will accept whatever certificate the peer presents. Also note that if you are upgrading from a previous release and the upgrade detects onboarded ONTAP systems whose certificates fail validation, it will give you the option to either disable certificate validation right away or cancel the upgrade.


To disable certificate validation, simply complete these steps:


  1. Log in to the maintenance console as the “maint” user and select Application Configuration (option 1).

  2. Select “Change Cert Validation Flag”

  3. Note whether the flag is changing from false (disabled) to true (enabled) or the reverse, and enter y or n as appropriate. In this example, I am re-enabling it.

  4. Wait for the services to restart. This may take quite a while. Time to grab a nice cup of coffee or make some tea.


2. Manager UI & RPUI Enhancements:

  1. Users can add or modify certificates for ONTAP storage backends and vCenter servers via UI or manual upload. Simply select the “Modify storage backend” option from the ONTAP tools “Storage backends” menu.

  2. The UI now shows certificate expiry warnings and allows certificate replacement.

  3. Certificate statuses (expired/expiring soon) are visible in the Storage backends listing views in both the ONTAP tools Manager UI and the vCenter UI.

3. API Changes:

  1. New and updated APIs support certificate onboarding, validation, truststore updates, and secure TLS handshakes.
  2. Certificates are stored securely and tracked in the ONTAP tools database itself instead of being handled separately.


4. Platform Requirement:

  1. Onboarding storage backends requires that the ONTAP server certificate contain valid Common Name (CN) and Subject Alternative Name (SAN) entries. I recommend that your SAN be the IP address that reverse-resolves via ONTAP tools' DNS server to the FQDN in the common name. Keep in mind how TLS clients match identities: an IP-type SAN is what gets matched when the backend is onboarded by IP address, a DNS-type SAN when it is onboarded by hostname, and the CN on its own is not sufficient. As I mentioned previously, if you try to upgrade to version 10.5 and have onboarded systems with self-signed certificates lacking SAN entries, you will be presented with an option during the upgrade to either disable certificate validation or cancel the upgrade.
  2. Remember, certificate validation can be toggled via the maintenance console as shown above. Note that the maintenance console is not accessible via SSH; you must use the VM console in vSphere.
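
To make those matching rules concrete, here is an added example (an illustration written for this post, not code from ONTAP tools or NetApp) of the identity check a TLS client applies to a storage-backend certificate, following the RFC 6125 / RFC 2818 rules and the SAN-required policy described above. The certificate fields, the cluster name and addresses, the reverse-DNS table and the function names are all constructed for the example.

```python
"""Identity check for a storage-backend certificate (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CertIdentity:
    """Identity fields of a server certificate (constructed for this example)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)   # DNS-type SAN entries
    san_ip: List[str] = field(default_factory=list)    # IP-type SAN entries


# Constructed stand-in for the PTR records served by the DNS server that
# ONTAP tools is configured to use. Names and addresses are hypothetical.
REVERSE_DNS: Dict[str, str] = {"192.0.2.10": "cluster1.example.com"}


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 matching: case-insensitive, and a single '*'
    is allowed only as the entire leftmost label and never spans a dot, so
    '*.example.com' matches 'c1.example.com' but not 'a.b.example.com' or
    'example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_backend_identity(cert: CertIdentity, target: str,
                           reverse_dns: Dict[str, str] = REVERSE_DNS) -> Tuple[str, str]:
    """Return ("ok" | "warn" | "fail", reason) for a connection to `target`,
    the address typed into the storage-backend onboarding form.

    Policy: some SAN entry must match the target; the CN on its own is never
    accepted, which is why a default self-signed certificate with no SAN
    fails even when its CN is correct. For an IP-literal target the IP SAN
    must match, and the recommendation that the IP reverse-resolve to the
    CN's FQDN is reported as a warning when it does not hold.
    """
    if is_ip_literal(target):
        target_ip = ipaddress.ip_address(target)
        if not any(ipaddress.ip_address(ip) == target_ip for ip in cert.san_ip):
            return "fail", "connected by IP but no IP-type SAN matches %s" % target
        ptr = reverse_dns.get(target, "").lower().rstrip(".")
        if ptr != cert.common_name.lower().rstrip("."):
            return "warn", "IP SAN matches, but %s does not reverse-resolve to CN %s" % (
                target, cert.common_name)
        return "ok", "IP SAN matches and reverse DNS agrees with the CN"

    if any(dns_name_matches(name, target) for name in cert.san_dns):
        return "ok", "DNS-type SAN matches %s" % target
    if cert.san_dns or cert.san_ip:
        return "fail", "certificate has SAN entries but none matches %s" % target
    if dns_name_matches(cert.common_name, target):
        return "fail", "only the CN matches %s; a SAN entry is required" % target
    return "fail", "neither SAN nor CN matches %s" % target


# Constructed certificates: what a default self-signed ONTAP certificate looks
# like to the check (CN only), versus a CA-issued one carrying SAN entries.
DEFAULT_SELF_SIGNED = CertIdentity(common_name="cluster1.example.com")
CA_ISSUED = CertIdentity(common_name="cluster1.example.com",
                         san_dns=["cluster1.example.com", "*.example.com"],
                         san_ip=["192.0.2.10"])

if __name__ == "__main__":
    for cert, target in [(DEFAULT_SELF_SIGNED, "cluster1.example.com"),
                         (CA_ISSUED, "cluster1.example.com"),
                         (CA_ISSUED, "node2.example.com"),
                         (CA_ISSUED, "192.0.2.10"),
                         (CA_ISSUED, "192.0.2.11")]:
        print(target, *check_backend_identity(cert, target))
```

Run it and the default self-signed case fails even though its CN is exactly the name you connected to, which is the situation the upgrade check flags; the CA-issued certificate passes by exact name, by wildcard and by IP address, the last only because the IP reverse-resolves to the FQDN in the CN.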


5. Extended Certificate Expiry

  1. Certificates for both the ONTAP tools UI/API Gateway and Storage Replication Adapter (SRA) services now have a 1-year expiry (previously 10 years); a shorter lifetime limits how long a compromised key remains usable.
  2. Auto-renewal mechanisms rotate these certificates before they expire, so the shorter lifetime adds no maintenance overhead and does not disrupt workflows, simplifying lifecycle management and compliance.

Conclusion:

ONTAP Tools for VMware 10.5 brings stronger certificate validation, easier management, and streamlined certificate lifecycles with auto-renewal—making your VMware private cloud more secure and easier to maintain.


Ready to get started?

You can download ONTAP tools here: https://mysupport.netapp.com/site/products/all/details/otv10/downloads-tab

And if you are new to ONTAP tools 10, be sure to check out my installation cheat sheet here: https://docs.netapp.com/us-en/ontap-apps-dbs/vmware/vmware-vvols-checklist.html
