Skip to main content
NetApp Knowledge Base

What is the authentication process for SnapDiff?

  1. Last updated
  2. Save as PDF
Views:
2
Visibility:
Public
Votes:
0
Category:
snapdiff
Specialty:
dp
Last Updated:

Applies to

  • ONTAP
  • SnapDiff

Answer

  • NetApp SnapDiff backups use standard user-level username and password authentication for an HTTP or HTTPS connection to the ONTAP storage system, or it can use REST APIs for Snapdiff v3 operations, which are enabled via web access configuration on the ONTAP system itself
  • The specific user requires appropriate permissions within ONTAP to access SnapDiff functionality, and the connection should use TLS/HTTPS for in-flight data encryption
  • To authorize and use SnapDiff v3 API on a NetApp ONTAP system, you need to follow a few key steps involving user creation, role assignment, and enabling the necessary services. Here's a step-by-step guide:
  •  Create a Role with SnapDiff Permissions
  • You need to create a custom role that allows access to SnapDiff and related commands:

::>security login role create -vserver <SVM_NAME> -role snapdiff_role -cmddirname "snapdiff" -access all
::>security login role create -vserver <SVM_NAME> -role snapdiff_role -cmddirname "license" -access all

  • Create a User for SnapDiff Access
  • Create a user that will authenticate via HTTP (REST API):

::>security login create -vserver <SVM_NAME> -user-or-group-name snapdiff_user -application http -authentication-method ::>password -role snapdiff_role

  • Replace <SVM_NAME> with your Storage Virtual Machine name
  • You’ll be prompted to set a password for snapdiff_user
  • Enable HTTP/HTTPS Access
  • Ensure that HTTP or HTTPS is enabled on the SVM:

::>system services web show

  • If not enabled, you can enable it:

::>system services web modify -name http -enabled true
::>system services web modify -name ssl -enabled true

  • Also, make sure a valid SSL certificate is installed and bound to the SVM
  • Verify LIF and Service Policy
  • Ensure that the logical interface (LIF) used for SnapDiff has a service policy that includes:

data-nfs
management- https

  • You can check and modify service policies using:

::>network interface service-policy show

  • Use the SnapDiff v3 API
  • Once the user is created and services are enabled, you can authenticate using basic HTTP authentication:

Endpoint: https://<cluster_or_svm>/api/snapdiff/
Auth: Basic Auth with snapdiff_user and password
Headers:

  • http isn’t fully supported. Syntax highlighting is based on Shell

Authorization: Basic <base64_encoded_credentials>
Content-Type: application/json

  • You can test it using curl or Postman:

curl -u snapdiff_user:password -k https://<cluster_or_svm>/api/snapdiff/volumes

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  • SnapDiff v3 API with Basic Authentication works by sending a Base64-encoded string containing the username and password in the HTTP request header. Here's how it functions step-by-step:

  • Credentials Format:
  • Combine the username and password with a colon (:):

snapdiff_user:your_password

  • Base64 Encoding:

Encode the string above using Base64. For example:
snapdiff_user:your_password → c25hcGRpZmZfdXNlcjp5b3VyX3Bhc3N3b3Jk
 

  • Include the encoded string in the HTTP request header:
  • Security Considerations
  • Always use HTTPS to encrypt the credentials during transmission.
  • Avoid hardcoding credentials in scripts or storing them in plaintext
  • Consider using OAuth 2.0 or certificate-based authentication if available and supported in your environment for better security


---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  • SnapDiff v3 API with Certificate-Based Authentication in NetApp ONTAP enhances security by replacing password-based login with client certificates
  • Instead of sending a username and password, the client presents a digital certificate during the SSL handshake. ONTAP verifies this certificate against its trusted certificate authorities (CAs) and grants access if the certificate matches a configured user
  • Here's how it works and how to set it up:
  • Steps to Set Up Certificate-Based Authentication
  • Generate a Client Certificate
  • Use OpenSSL to create a certificate and private key:

openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \
-keyout test.key -out test.pem \
-subj "/C=IN/ST=KA/L=Bangalore/O=YourOrg/CN=cert_user"
test.pem: Public certificate
test.key: Private key
CN=cert_user: Must match the ONTAP user ID

  • Install the Certificate in ONTAP

::> security certificate install -type client-ca -vserver <SVM_NAME>

  • Paste the contents of test.pem when prompted.
  • Enable SSL and Create the User

::> security ssl modify -vserver <SVM_NAME> -client-enabled true

security login create -vserver <SVM_NAME> \
-user-or-group-name cert_user \
-application http \
-authmethod cert \
-role snapdiff_role

  • Make sure snapDiff_role has access to SnapDiff APIs
  • Make API Calls Using the Certificate
  • Use curl or any REST client that supports client certificates:

curl -k --cert ./test.pem --key ./test.key \
-X GET " https://<cluster_or_svm>/api/snapdiff/volumes"

-k: Skips certificate verification (use only in testing)
--cert and --key: Provide the client certificate and key

  • Important Notes
  • You can use CA-signed certificates for production environments 1
  • Certificate authentication is supported for http, ontapi, and rest applications 2
  • Ensure the SVM has a valid SSL certificate installed and HTTPS is enabled.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  • Snapdiff V3 authentication with OAuth 2.0 is an industry-standard protocol for authorization. In ONTAP, it enables REST API clients (like backup applications using SnapDiff v3) to authenticate using access tokens issued by a trusted authorization server (e.g., Azure AD, Auth0, Keycloak)
  • Steps to Set Up OAuth 2.0 for SnapDiff v3
  • Prepare Your Authorization Server
  • Choose an OAuth 2.0-compliant provider (e.g., Microsoft Entra ID, Auth0, ADFS, Keycloak)
  • Ensure it supports JWT (JSON Web Tokens) and exposes a JWKS URI (JSON Web Key Set)
  • Install the Authorization Server’s Root CA Certificate
  • This allows ONTAP to trust tokens signed by your provider
  • CLI Example:

security certificate install -type server-ca

  • Paste the certificate content when prompted
  • Define the Authorization Server in ONTAP
  • CLI Example:

security oauth2 client create \
-config-name my_oauth_config \
-provider-jwks-uri https://<auth_server>/jwks \
-application http \
-issuer https://<auth_server>/issuer

  • This tells ONTAP how to validate tokens from your provider
  • Create REST Roles and Map Them to Token Claims
  • Define roles in ONTAP that match scopes or group claims in the token
  • You can use self-contained scopes or external group mappings (e.g., AD groups)

::>security login rest-role create -role snapdiff_role -cmddirname "snapdiff" -access all

  • Your backup application or script must:
  • Authenticate with the OAuth provider
  • Request a token with the correct scope
  • Include the token in API requests:

Additional Information

additionalInformation_text
NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.