How to configure communication between ONTAP and Service Processor (SP) or BMC with Certificate Authority (CA) signed certificates
Applies to
- ONTAP 9.5+
- SP / BMC
- NOT supported on the AFF-A700s platform
Description
- ONTAP 9.5 and later includes Feature Request 1172908, which adds support for securing communication between ONTAP and the Service Processor (SP) or BMC with Certificate Authority (CA) signed certificates instead of the default self-signed ones.
- Before the system service-processor api-service enable-installed-certificates command can be used, the following three certificates must be installed on the cluster:
- Root-CA certificate
- Server certificate
- Client certificate
Considerations
- Overall best practice is to run an ONTAP recommended release together with current Service Processor or BMC firmware.
- Preferably install an ONTAP version that includes the fix for Bug ID 1328457. With that fix, ONTAP validates the CA certificate chain when the SP API service is configured, so a server or client certificate that does not chain to the installed root CA is rejected at configuration time rather than accepted silently.
- This process is non-disruptive to serving data within the ONTAP cluster.
- The SP API service listens on TCP port 50000 by default. It can be modified to use another port if desired; any check that connects to the service must use the configured port.
- The SP API carries internal communication within the cluster, between ONTAP and the SP or BMC of each node; it is not a data-serving interface.
- If the SP API port is queried for its certificate after this process is complete, every SP/BMC in the cluster returns the same certificate, because the installed server certificate is cluster-wide rather than per node.
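The following script is an added example written for this page; it is not part of the NetApp KB and not an ONTAP tool. It runs as POSIX shell on an administrator workstation with OpenSSL installed, not in clustershell, and brackets the procedure above on both sides: before anything is installed it checks that the root CA really is a CA and that the server and client certificates chain to it and are usable for their roles (the same chain validation that the Bug ID 1328457 fix performs on the ONTAP side once the SP API service is configured), and after enable-installed-certificates has been run it connects to the SP API port of each node and confirms that every node presents the same certificate. The file names root-ca.pem, sp-server.pem and sp-client.pem, the node addresses, and the security certificate install -type pairings listed in the comment block are assumptions made for illustration, not values taken from this page.

```shell
#!/bin/sh
# Added example, not from the NetApp KB. Workstation-side checks around the
# SP API certificate procedure. Assumes OpenSSL is installed locally.
#
# Clustershell sequence this script brackets (run on the cluster, not here;
# the -type pairings are assumed, confirm them against the full procedure):
#   security certificate install -vserver <cluster_vserver> -type server-ca   # root CA
#   security certificate install -vserver <cluster_vserver> -type server      # server cert + key
#   security certificate install -vserver <cluster_vserver> -type client      # client cert + key
#   system service-processor api-service enable-installed-certificates
#
# File names and the port are placeholders; override them in the environment.
ROOT_CA=${ROOT_CA:-root-ca.pem}
SERVER_CERT=${SERVER_CERT:-sp-server.pem}
CLIENT_CERT=${CLIENT_CERT:-sp-client.pem}
SP_API_PORT=${SP_API_PORT:-50000}   # ONTAP default; change if api-service was modified

# is_ca <cert.pem>: the root must carry basicConstraints CA:TRUE, otherwise
# nothing signed by it will verify.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# verify_chain <root-ca.pem> <leaf.pem> <sslserver|sslclient>: the leaf must
# chain to the given root and be acceptable for its TLS role. This mirrors the
# chain validation newer ONTAP releases perform at configuration time, but
# running it here surfaces a bad chain before any certificate is installed.
verify_chain() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight: run every pre-install check; returns non-zero on the first failure.
preflight() {
    is_ca "$ROOT_CA" \
        || { echo "$ROOT_CA is not a CA certificate" >&2; return 1; }
    verify_chain "$ROOT_CA" "$SERVER_CERT" sslserver \
        || { echo "$SERVER_CERT does not chain to $ROOT_CA (or is not usable as a server cert)" >&2; return 1; }
    verify_chain "$ROOT_CA" "$CLIENT_CERT" sslclient \
        || { echo "$CLIENT_CERT does not chain to $ROOT_CA (or is not usable as a client cert)" >&2; return 1; }
    return 0
}

# fingerprint_of <cert.pem>: SHA-256 fingerprint of a local PEM certificate.
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# remote_fingerprint <host> <port>: SHA-256 fingerprint of the leaf certificate
# presented on the SP API port of one node (TLS handshake only, no API call).
remote_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# check_nodes <node-ip> [<node-ip> ...]: after enable-installed-certificates,
# every node must present the installed server certificate, and therefore the
# same fingerprint; any node that differs or cannot be reached fails the check.
check_nodes() {
    expected=$(fingerprint_of "$SERVER_CERT")
    for host in "$@"; do
        got=$(remote_fingerprint "$host" "$SP_API_PORT") || {
            echo "$host:$SP_API_PORT: no certificate returned" >&2; return 1; }
        if [ "$got" != "$expected" ]; then
            echo "$host:$SP_API_PORT presents $got, expected $expected" >&2
            return 1
        fi
    done
    return 0
}
```

Run preflight before the security certificate install commands and check_nodes with the node management addresses after enable-installed-certificates; if check_nodes reports a node that presents a different fingerprint, the cluster-wide certificate has not been picked up there and the SP API service state on that node should be examined before trusting the setup.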