Skip to main content
NetApp Knowledge Base

What are the requirements around setting custom SSL certificates in Element Software?

Views:
950
Visibility:
Public
Votes:
1
Category:
element-software
Specialty:
solidfire
Last Updated:

Applies to

  • Element Software versions 12.2 and above
  • Element Management Node (mNode)

Answer

By default, Element Software and its associated management node (mNode) are packaged with certificates meeting the requirements below as of version 12.2.

Certificate Requirements
  • A unique SSL certificate made for the storage cluster
  •  The cert commonName field must be the cluster name or short name from the FQDN
  • The Subject Alternative Name must contain the FQDN of the MVIP 
  • It can not contain additional FQDN's of other systems.
    • nslookup [MVIP] must return the FQDN 
    • nslookup  [FQDN]must return the MVIP
  • PEM encoding (x509)
  • ExtendedKeyUsage (EKU) is set (x509v3)
  • Certificate length of 2048 bits or more (this is a requirement for using for Multifactor Authentication (MFA))

The default certificates are self-signed. Custom certificates (for example, certificates signed by a third party Certificate Authority (CA)) can be installed on Element storage clusters and their accompanying mNodes provided they meet the above requirements.

Environmental Requirement

Ensure that the certificate being installed is allowed by any firewalls in the network path.

To check the certificate policy's URL to be allowed/added to the firewall's exception list:

  • in a web broswer, review the certificate in the Cluster UI
  • click on the lock icon in web browser and select Certificate > Certification Path > Organization's certificate
  • in the window that pops up, select Details > Certificate Policy
  • The URL for this certificate policy should be at the bottom -- this URL needs to be allowed by the firewall
  • Enable FW rule on port http (80) from all storage node's MIP to the CA server
Setting the Custom Certificate

Once obtained, custom certificates can be then be set via various API-driven methods on both the Element cluster and mNode. See, for instance:

Additional Information

Troubleshooting

If any of the above requirements are not in place, the SetSSLCertificate (Element) or SetNodeSSLCertificate (mNode) API will fail with an error message. See, for instance:

Related Topics

For information on using MFA with Element Software, see Where is the Element Multi-factor Authentication guide located?

For information on using FIPS with Element Software, see Enabling FIPS 140-2 for HTTPS on your cluster.

For information on Ciphers in the context of SSL on Element, see the 'TLS and SSL' section of the guide linked from Where is the HCI Hardening guide located?

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.