Overview
If the NetApp self-signed SSL certificate expires, third-party systems and services that integrate with NetApp over port 443 (HTTPS) may stop working or fail to connect, including but not limited to:
- FPolicy
- Antivirus systems
- System management platforms
In China this mostly affects integration with third-party monitoring systems. The following is a very common case: an expired certificate prevents the cluster from being added to Unified Manager, at which point the certificate has to be renewed.
Renewal procedure
Different ONTAP versions are renewed in different ways; the main methods are listed below.
ONTAP 9 CLI (versions before 9.10)
This should be the scenario most people currently run into: the operation cannot be done from the WebUI, so you need to SSH into the CLI to renew the certificate. The following is a record of the procedure from an actual production environment.
First look at the current certificates, focusing on the server certificate of the admin SVM (if you are not sure which SVM that is, run network interface show and see which SVM the cluster management LIF belongs to). In this environment the cluster is named aff.
aff::> security certificate show -type server
Vserver    Serial Number   Certificate Name                       Type
---------- --------------- -------------------------------------- ------------
NFS_A300   167D41C62C822732
                           NFS_A300_167D41C62C822732              server
    Certificate Authority: NFS_A300
          Expiration Date: Mon May 09 09:29:20 2022
SVM_CIFS   1623CABBD606D398
                           SVM_CIFS_1623CABBD606D398              server
    Certificate Authority: SVM_CIFS
          Expiration Date: Wed Jul 21 22:26:41 2021
SVM_VMware 05393577695463  SVM_VMware_05393577695463              server
    Certificate Authority: SVM_VMware
          Expiration Date: Fri Aug 04 10:11:23 2017
SVM_VMware_SAS
           151D583707BC9723
                           SVM_VMware_SAS_151D583707BC9723        server
    Certificate Authority: SVM_VMware_SAS
          Expiration Date: Tue Mar 19 22:20:42 2019
aff        53567C81FC423   aff_53567C81FC423                      server
    Certificate Authority: aff
          Expiration Date: Sat Jun 17 00:32:19 2017
5 entries were displayed.
Alternatively, add a few more -fields parameters to get a one-row-per-certificate view of the current state:
aff::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver        common-name    serial           ca             type   subtype cert-name                       expiration
-------------- -------------- ---------------- -------------- ------ ------- ------------------------------- ------------------------
NFS_A300       NFS_A300       167D41C62C822732 NFS_A300       server -       NFS_A300_167D41C62C822732       Mon May 09 09:29:20 2022
SVM_CIFS       SVM_CIFS       1623CABBD606D398 SVM_CIFS       server -       SVM_CIFS_1623CABBD606D398       Wed Jul 21 22:26:41 2021
SVM_VMware     SVM_VMware     05393577695463   SVM_VMware     server -       SVM_VMware_05393577695463       Fri Aug 04 10:11:23 2017
SVM_VMware_SAS SVM_VMware_SAS 151D583707BC9723 SVM_VMware_SAS server -       SVM_VMware_SAS_151D583707BC9723 Tue Mar 19 22:20:42 2019
aff            aff            53567C81FC423    aff            server -       aff_53567C81FC423               Sat Jun 17 00:32:19 2017
5 entries were displayed.
Key step 1: create a new certificate
common-name: the name of the new certificate; use a name different from the existing certificate so the two are easy to tell apart
expire-days: a longer validity period is recommended; 10 years in this example
aff::> security certificate create -common-name aff_new -type server -size 2048 -expire-days 3650 -protocol SSL -hash-function SHA256 -vserver aff
The certificate's generated name for reference: aff_new
The newly created certificate aff_new now shows up, valid until 2034:
aff::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver        common-name    serial           ca             type   subtype cert-name                       expiration
-------------- -------------- ---------------- -------------- ------ ------- ------------------------------- ------------------------
NFS_A300       NFS_A300       167D41C62C822732 NFS_A300       server -       NFS_A300_167D41C62C822732       Mon May 09 09:29:20 2022
SVM_CIFS       SVM_CIFS       1623CABBD606D398 SVM_CIFS       server -       SVM_CIFS_1623CABBD606D398       Wed Jul 21 22:26:41 2021
SVM_VMware     SVM_VMware     05393577695463   SVM_VMware     server -       SVM_VMware_05393577695463       Fri Aug 04 10:11:23 2017
SVM_VMware_SAS SVM_VMware_SAS 151D583707BC9723 SVM_VMware_SAS server -       SVM_VMware_SAS_151D583707BC9723 Tue Mar 19 22:20:42 2019
aff            aff            53567C81FC423    aff            server -       aff_53567C81FC423               Sat Jun 17 00:32:19 2017
aff            aff_new        17D25787A3DA1548 aff_new        server -       aff_new                         Mon May 22 14:04:08 2034
6 entries were displayed.
Key step 2: enable the certificate
aff::> security ssl modify -server-enabled true -vserver aff -ca aff_new -serial 17D25787A3DA1548 -common-name aff_new
Warning: The certificate aff_new is a self-signed certificate, which offers no verification of identity by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
Do you want to continue? {y|n}: y
After the certificate was enabled, adding the cluster in OCUM was tested and worked normally.
ONTAP 9.10.1 and later
Starting with 9.10.1 the certificate can be renewed directly in the WebUI. Since I have not yet had the chance to work on a production environment newer than 9.10, refer to the following KB (the CLI method above will of course still work):
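The check in the first step is easy to automate so that an expiring SVM certificate is caught before OCUM or other HTTPS integrations start failing. The script below is an added example, not part of the original post: it parses the output of the -fields listing above (embedded here as a constructed sample, with a constructed "today") and reports every server certificate that has expired or will expire within a warning window.

```python
from datetime import datetime

# Constructed sample: the "security certificate show -fields ..." listing from
# this post after aff_new was created (5 of the 6 rows, whitespace-separated).
SAMPLE_LISTING = """\
vserver common-name serial ca type subtype cert-name expiration
-------- ----------- ---------------- -------- ------ ------- ------------------------- ------------------------
NFS_A300 NFS_A300 167D41C62C822732 NFS_A300 server - NFS_A300_167D41C62C822732 Mon May 09 09:29:20 2022
SVM_CIFS SVM_CIFS 1623CABBD606D398 SVM_CIFS server - SVM_CIFS_1623CABBD606D398 Wed Jul 21 22:26:41 2021
SVM_VMware SVM_VMware 05393577695463 SVM_VMware server - SVM_VMware_05393577695463 Fri Aug 04 10:11:23 2017
aff aff 53567C81FC423 aff server - aff_53567C81FC423 Sat Jun 17 00:32:19 2017
aff aff_new 17D25787A3DA1548 aff_new server - aff_new Mon May 22 14:04:08 2034
6 entries were displayed.
"""

FIELDS = ("vserver", "common_name", "serial", "ca", "type", "subtype", "cert_name")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ONTAP's expiration format, e.g. "Mon May 22 14:04:08 2034"
DEMO_NOW = datetime(2024, 5, 22)   # constructed "today" for the demo


def parse_cert_listing(text):
    """Return one dict per certificate row; header, rule and footer lines are skipped."""
    certs = []
    for line in text.splitlines():
        parts = line.replace('"', "").split()  # some versions quote the date field
        # a data row is the 7 plain fields plus the 5 tokens of the expiration timestamp
        if len(parts) != len(FIELDS) + 5:
            continue
        cert = dict(zip(FIELDS, parts[:len(FIELDS)]))
        cert["expiration"] = datetime.strptime(" ".join(parts[len(FIELDS):]), DATE_FMT)
        certs.append(cert)
    return certs


def days_until_expiry(cert, now):
    """Whole days until the certificate expires; negative once it has already expired."""
    return (cert["expiration"] - now).days


def certs_needing_renewal(certs, now, warn_days=90):
    """(vserver, cert-name, days_left) for every certificate that is expired or
    expires within warn_days, most urgent first."""
    due = [(c["vserver"], c["cert_name"], days_until_expiry(c, now))
           for c in certs if days_until_expiry(c, now) <= warn_days]
    return sorted(due, key=lambda row: row[2])


if __name__ == "__main__":
    for vserver, name, days in certs_needing_renewal(parse_cert_listing(SAMPLE_LISTING), DEMO_NOW):
        state = f"expired {-days} days ago" if days < 0 else f"expires in {days} days"
        print(f"{vserver:15} {name:35} {state}")
```

To use it on a real cluster, paste the listing captured over SSH into SAMPLE_LISTING (or read it from a file) and replace DEMO_NOW with datetime.now().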
https://kb.netapp.com/onprem/ontap/dm/System_Manager/How_to_renew_an_ONTAP_selfsigned_certificate_via_System_Manager
ONTAP 7-Mode environments
7-Mode is probably rarely encountered any more; refer to the following KB:
https://kb.netapp.com/Legacy/ONTAP/7Mode/How_to_renew_an_SSL_certificate_in_Data_ONTAP_7-Mode
Other
The above only covers renewing a simple self-signed SSL certificate. Renewing a certificate issued by a public CA or an internal CA server requires following the corresponding KB instead.