How to configure communication between ONTAP and Service Processor (SP) or BMC with Certificate Authority (CA) signed certificates
This KB article is linked to the Interactive Workflow ONTAP SSL certificate resolution guide.
Applies to
- ONTAP 9.5+
- SP / BMC
- NOT supported on the AFF-A700s platform
Description
- ONTAP 9.5 and later include Feature Request 1172908, which adds support for secure communication with the Service Processor (SP) or BMC using Certificate Authority (CA) signed certificates.
- Before running the system service-processor api-service enable-installed-certificates process, the following three certificate types must be installed:
- Root-CA certificate
- Server certificate
- Client certificate
Considerations
- As a general best practice, run a recommended ONTAP release together with current Service Processor or BMC firmware.
- Preferably, install a version of ONTAP that includes the fix for Bug ID 1328457, which validates the CA certificate chain when the SP API service is configured.
- This process is non-disruptive to serving data within the ONTAP cluster.
- The SP API service uses port 50000 by default. It can be modified to use another port if desired.
- The SP API provides internal communication within the cluster.
- If the SP API port is queried for certificates after this process is complete, the same certificate will be returned for each SP/BMC in the cluster.
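As an added example that is not part of this KB article or of ONTAP's own code, the following Go program builds a throwaway Root-CA, server and client certificate and runs the kind of pre-flight chain check described above before such a set would be installed. It assumes the SP API expects the serverAuth extended key usage on the server certificate and clientAuth on the client certificate; that role mapping is an assumption for the example, not something the article states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway certificate for cn (constructed test data). A CA is
// self-signed; a leaf is signed by parentKey and limited to the EKUs in eku.
func issue(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if isCA { // Root-CA: self-signed and permitted to sign the server and client certificates
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckSPCertSet is a pre-flight check for the three certificate types the
// article lists: the server and client certificates must each chain to the
// Root-CA that will be installed with them, and each must carry the EKU for
// its role (assumed here to be serverAuth and clientAuth respectively).
func CheckSPCertSet(root, server, client *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	for _, l := range []struct {
		name string
		cert *x509.Certificate
		eku  x509.ExtKeyUsage
	}{{"server", server, x509.ExtKeyUsageServerAuth}, {"client", client, x509.ExtKeyUsageClientAuth}} {
		_, err := l.cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{l.eku}})
		if err != nil {
			return fmt.Errorf("%s certificate rejected: %w", l.name, err)
		}
	}
	return nil // every leaf validates against the Root-CA with the expected role
}
```

A set signed by a different CA, or a client certificate installed in the server slot, is rejected before anything is enabled, which is the failure the article's Bug ID fix is described as catching on the ONTAP side.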