3.3 - Certificate-Based API Access

Information

When using the NetApp Manageability SDK to access the ONTAP API, you must use certificate-based authentication instead of user ID and password authentication.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

A self-signed certificate can be generated and installed on ONTAP as follows:
1. Using OpenSSL, generate a self-signed certificate and private key by running the following command (the shell continuation prompt is omitted; the lines after the command are its output):

openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout test.key -out test.pem \
    -subj "/C=US/ST=NC/L=RTP/O=NetApp/CN=cert_user"
Generating a 2048 bit RSA private key
..............+++
..........................+++
writing new private key to 'test.key'

This command generates a public certificate named test.pem and a private key named test.key (the file given to -keyout). Because -nodes writes the private key unencrypted, restrict the key file's permissions to its owner.
The common name, CN, corresponds to the ONTAP user ID that is created in step 3.

2. Install the contents of the public certificate, in Privacy Enhanced Mail (PEM) format, in ONTAP by running the following command and pasting the certificate's contents when prompted:

security certificate install -type client-ca -vserver ontap9-tme-8040
Please enter Certificate: Press <Enter> when done

3. Enable client certificate access over SSL on the SVM and create the API user (the user name must match the certificate's CN):

security ssl modify -vserver ontap9-tme-8040 -client-enabled true
security login create -user-or-group-name cert_user -application ontapi -authmethod cert -role admin -vserver ontap9-tme-8040
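The following shell script is an added example, not part of the NetApp technical report or the benchmark text. It carries out step 1 with the same openssl flags, then adds the checks a practitioner would want before pasting the certificate into ONTAP: the CN really matches the login name that step 3 will create, the certificate is not about to expire (ONTAP API access fails silently once it does), and the unencrypted private key is owner-readable only. It assumes the openssl CLI is on PATH; the vserver name and the output directory are caller-supplied placeholders, and the ONTAP commands it prints are the ones from steps 2 and 3.

```shell
#!/bin/sh
# Added example (not from the NetApp TR or the benchmark): generate and vet the
# client certificate before installing it on ONTAP. Assumes the openssl CLI.
set -eu

# Generate a self-signed client certificate whose CN is the ONTAP login name.
# Arguments: <ontap_user> <output_dir> [days]   (prints the .pem path)
gen_client_cert() {
    user=$1; dir=$2; days=${3:-1095}
    key="$dir/$user.key"; pem="$dir/$user.pem"
    # umask 077 so the unencrypted (-nodes) private key is never created
    # world-readable; chmod 600 afterwards for good measure.
    (umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$pem" \
        -subj "/C=US/ST=NC/L=RTP/O=NetApp/CN=$user" 2>/dev/null)
    chmod 600 "$key"
    printf '%s\n' "$pem"
}

# Print the CN from a PEM certificate's subject.
# RFC 2253 output looks like: subject=CN=cert_user,O=NetApp,L=RTP,ST=NC,C=US
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^.*CN=\([^,]*\).*/\1/p'
}

# Verify a certificate is usable for the ONTAP account it will be bound to:
# the CN must equal the user name and the certificate must stay valid for at
# least min_seconds (default 30 days) so renewal is caught before access breaks.
# Arguments: <pem_file> <ontap_user> [min_seconds]
check_cert_user() {
    pem=$1; user=$2; min_seconds=${3:-2592000}
    cn=$(cert_cn "$pem")
    if [ "$cn" != "$user" ]; then
        echo "CN '$cn' does not match ONTAP user '$user'" >&2
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$min_seconds" >/dev/null; then
        echo "certificate expires within $min_seconds seconds" >&2
        return 1
    fi
    return 0
}

# Print the ONTAP commands from steps 2 and 3 for this user and vserver.
# The benchmark uses -role admin; pass a narrower role if one fits the API user.
# Arguments: <ontap_user> <vserver> [role]
ontap_commands() {
    user=$1; vserver=$2; role=${3:-admin}
    printf 'security certificate install -type client-ca -vserver %s\n' "$vserver"
    printf 'security ssl modify -vserver %s -client-enabled true\n' "$vserver"
    printf 'security login create -user-or-group-name %s -application ontapi -authmethod cert -role %s -vserver %s\n' \
        "$user" "$role" "$vserver"
}

# Usage: ./cert_user.sh <ontap_user> <vserver> [output_dir]
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
    pem=$(gen_client_cert "$1" "${3:-.}")
    check_cert_user "$pem" "$1"
    echo "Paste the contents of $pem when ONTAP prompts for the certificate:"
    ontap_commands "$1" "$2"
fi
```

Run it as `./cert_user.sh cert_user ontap9-tme-8040 /secure/dir`; it refuses to print the ONTAP commands if the CN and user name disagree, which is the mismatch that otherwise surfaces only as an opaque authentication failure from the SDK.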

See Also

https://www.netapp.com/us/media/tr-4569.pdf