- ONTAP 9
- Clustered Data ONTAP 8.3
- Data ONTAP 8 7-mode
- Transport HTTPS
When ONTAP sends an AutoSupport message via HTTPS, it acts as an HTTPS client.
- The basic steps that occur when an HTTPS client establishes an encrypted channel with a server are outlined below.
The major components are:
- Client is the system that initiates the communication and requires an encrypted channel. In this case, the AutoSupport subsystem on the Data ONTAP storage controller is the client.
- Server is the system that provides services over the encrypted channel. In this case, it is the NetApp AutoSupport server, reached at one of the following URLs.
AutoSupport Server URL:
- Support URL for HTTP/S PUT
- Support URL for HTTP/HTTPS
- URL used for AutoSupport OnDemand requests
- Server Keystore, which resides on the server, holds the CA-signed server certificate and the matching private key. Only the public certificate ever leaves the server; the private key does not.
- The server certificate contains the server's public key and is signed by a Certificate Authority (CA). The server presents it together with the certificates of the intermediate CA(s) that link it to a root CA (the certificate chain).
- TrustStore, which resides on the client, contains the certificates (public keys) of all of the CAs the client trusts.
In Data ONTAP, the cacert.pem file is that TrustStore: it holds the certificates of the CAs trusted by the AutoSupport HTTPS client and is consulted during certificate validation.
Here is how the encrypted channel is established:
- The HTTPS client connects to the server and requests an encrypted communication channel.
- The server responds with its CA-signed certificate, which contains the server's public key, along with the certificates of the CA(s) that signed it.
- The client builds the chain from the server certificate up to a CA and then verifies that this CA is present in its TrustStore. In Data ONTAP there is a setting that bypasses this step; with validation bypassed the client no longer authenticates the server and will accept any certificate, including one presented by an attacker in the path, so it should be used only for troubleshooting.
a) If the CA is trusted, the handshake continues with step #4.
b) If the CA is not trusted, the client rejects the certificate and terminates the connection; the AutoSupport message is not sent.
- The client and server complete the key exchange (typically Diffie-Hellman, DH) and the encrypted handshake, deriving the session keys for the negotiated cipher suite.
- Once the handshake is complete, the AutoSupport message is sent over the encrypted channel between client and server.
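To make the TrustStore check in step #3 concrete, here is an added example that is not NetApp code and not how ONTAP implements the check internally. It builds a root CA, an intermediate CA and a server certificate with the openssl CLI, then runs the client-side validation three ways: the root is in the TrustStore (accepted), the TrustStore holds only an unrelated CA (rejected), and the server omits the intermediate certificate (rejected because no chain can be built). The CA names, the host name support.example.test and the temporary work directory are made-up assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not NetApp's code: model the TrustStore check (step #3)
# with the openssl CLI. CA names, host name and work directory are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a private key and a CSR. $1=common name $2=key out $3=csr out
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Issue a certificate from a CSR. $1=csr $2=issuer cert $3=issuer key $4=ext file $5=out
sign_csr() {
    openssl x509 -req -days 365 -sha256 -in "$1" -CA "$2" -CAkey "$3" \
        -CAcreateserial -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Self-sign a CA certificate. $1=csr $2=key $3=ext file $4=out
self_sign() {
    openssl x509 -req -days 365 -sha256 -in "$1" -signkey "$2" \
        -extfile "$3" -out "$4" >/dev/null 2>&1
}

# Build root CA -> intermediate CA -> server leaf, plus an unrelated root CA.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:support.example.test\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

    # Root CA: its certificate is what the client keeps in its TrustStore (cacert.pem).
    new_csr "Example Root CA" "$WORK/root.key" "$WORK/root.csr"
    self_sign "$WORK/root.csr" "$WORK/root.key" "$WORK/ca.ext" "$WORK/root.pem"

    # Intermediate CA, signed by the root.
    new_csr "Example Intermediate CA" "$WORK/int.key" "$WORK/int.csr"
    sign_csr "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext" "$WORK/int.pem"

    # Server certificate, signed by the intermediate. The server keystore holds
    # server.key and server.pem; the server sends server.pem plus int.pem to the client.
    new_csr "support.example.test" "$WORK/server.key" "$WORK/server.csr"
    sign_csr "$WORK/server.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/server.pem"

    # An unrelated root, standing in for a TrustStore that does not contain our root.
    new_csr "Unrelated Root CA" "$WORK/other.key" "$WORK/other.csr"
    self_sign "$WORK/other.csr" "$WORK/other.key" "$WORK/ca.ext" "$WORK/other.pem"
}

ensure_chain() { [ -f "$WORK/other.pem" ] || make_chain; }

# The client-side check: does the presented leaf chain up to a CA in the TrustStore?
# $1=TrustStore file (the cacert.pem equivalent) $2=leaf $3=chain bundle sent by the server
validate_chain() {
    ensure_chain
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Step #3a: root is in the TrustStore -> accepted (exit status 0).
trusted_check()   { validate_chain "$WORK/root.pem"  "$WORK/server.pem" "$WORK/int.pem"; }
# Step #3b: TrustStore holds only an unrelated CA -> rejected (non-zero exit status).
untrusted_check() { validate_chain "$WORK/other.pem" "$WORK/server.pem" "$WORK/int.pem"; }
# Server did not send the intermediate -> no chain to a trusted root -> rejected.
missing_chain_check() {
    ensure_chain
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

report() {
    for c in trusted_check untrusted_check missing_chain_check; do
        if "$c"; then echo "$c: certificate accepted"; else echo "$c: certificate rejected"; fi
    done
}
report
```

Here `openssl verify` plays the part of the AutoSupport client consulting cacert.pem: `-CAfile` is the TrustStore, and the `-untrusted` bundle is what the server sends alongside its own certificate. The bypass setting mentioned in step #3 corresponds to never calling `validate_chain` at all, after which anything the server presents is accepted. Note that `openssl verify` only checks the chain and signatures; a real HTTPS client additionally checks that the name in the certificate matches the server it is contacting.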
- To learn more about AutoSupport, see TR-4444: ONTAP AutoSupport and AutoSupport On Demand Configuration Guide
- ONTAP AutoSupport using HTTPS fails validation when the Certificate is removed
- ONTAP AutoSupport messages fail using HTTPS: error setting certificate verify locations
- ONTAP AutoSupport messages fail using HTTPS: SSL certificate problem