
How to use NMSDK with Certificate Based Authentication
This document explains how Certificate Based Authentication (CBA) can be used with NMSDK to connect to the vserver.
CBA for NMSDK (NetApp Manageability Software Development Kit) is supported as of Clustered Data ONTAP 8.2.
This means your scripts no longer need to supply a username/password to call the Perl APIs on the vserver.
The NetApp Manageability SDK provides resources to develop applications that monitor and manage NetApp storage systems. SDK Help
provides information about core APIs, which provide infrastructure to invoke Data ONTAP APIs, DataFabric Manager APIs for the
OnCommand Core Package, and Web services APIs for DataFabric Manager on a server.
Here I will explain how you can use a self-signed client certificate to log in to your admin vserver.

1. The following Perl packages need to be installed (as user root) on the Linux management server in order to access the Perl APIs:

[root@sbuxmng01 ~]$ yum install perl-libwww-perl
[root@sbuxmng01 ~]$ yum install perl-XML-Parser
[root@sbuxmng01 ~]$ yum install openssl-devel
[root@sbuxmng01 ~]$ yum install perl-Net-SSLeay

2. Log in to the management (Linux) server and create a self-signed certificate.


When asked for common name, please specify user "admin". Otherwise, you may not get access to many APIs.

[nlhsn1@sbocm01 ~]$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout sbuxmng01.key -out sbuxmng01.pem
Generating a 1024 bit RSA private key
........................................++++++
...................++++++
writing new private key to 'sbuxmng01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:Zuid Holland
Locality Name (eg, city) [Default City]:Den Haag
Organization Name (eg, company) [Default Company Ltd]:T-Systems
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:admin
Email Address []:

The certificate file will look something like this:

[nlhsn1@sbocm01 ~]$ cat sbuxmng01.pem
-----BEGIN CERTIFICATE-----
MIIChDCCAe2gAwIBAgIJAPtuOmgbETZFMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
...
-----END CERTIFICATE-----

3. Install the certificate in your admin vserver (running Clustered Data ONTAP 8.2 or later).

Paste the certificate created in the above step (including the BEGIN and END lines) and press enter.

[nlhsn1@sbocm01 ~]$ ssh admin@sbnlhsn101

sbnlhsn101::> security certificate install -type client-ca -vserver sbnlhsn101

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIChDCCAe2gAwIBAgIJALVQxCQyjgMmMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
...
-----END CERTIFICATE-----
<enter>
You should keep a copy of the CA-signed digital certificate for future reference.

4. Check if the certificate is installed:

sbnlhsn101::> security certificate show

Vserver    Serial Number    Common Name    Type
---------- ---------------- -------------- -----------
sbnlhsn101 B550C424328E0326 admin          client-ca
    Certificate Authority: admin
    Expiration Date: Wed Dec 02 09:04:08 2015
sbnlhsn101 FB6E3A681B113645 admin          client-ca
    Certificate Authority: admin
    Expiration Date: Wed Dec 02 11:54:25 2015
sbnlhsn101 546B1D6C         sbnlhsn101     server
    Certificate Authority: sbnlhsn101
    Expiration Date: Wed Nov 18 11:20:29 2015

5. Check if client authentication is enabled in the cluster.

sbnlhsn101::> security ssl show -vserver sbnlhsn101

Vserver: sbnlhsn101
Server Certificate Issuing CA: sbnlhsn101
Server Certificate Serial Number: 546B1D6C
Server Certificate Common Name: sbnlhsn101
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: false

6. If client authentication is disabled then enable it using the command:

sbnlhsn101::> security ssl modify -vserver sbnlhsn101 -client-enabled true

sbnlhsn101::> security ssl show -vserver sbnlhsn101
Vserver: sbnlhsn101
Server Certificate Issuing CA: sbnlhsn101
Server Certificate Serial Number: 546B1D6C
Server Certificate Common Name: sbnlhsn101
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: true

7. You should create a security login for the user name (i.e. admin) that you specified as the common name in the certificate:

sbnlhsn101::> security login create -username admin -application ontapi -authmethod cert -role admin -vserver sbnlhsn101
sbnlhsn101::> security login show -vserver sbnlhsn101
Vserver: sbnlhsn101
                                   Authentication                  Acct
User/Group Name  Application       Method           Role Name      Locked
---------------- ----------------- ---------------- -------------- ------
admin            console           password         admin          no
admin            http              password         admin          no
admin            ontapi            cert             admin
admin            ontapi            password         admin          no
admin            service-processor password         admin          no
admin            ssh               password         admin          no
admin            ssh               publickey        admin
autosupport      console           password         autosupport    yes
nlhsn1           ssh               publickey        admin          -

8. Now you are ready to call the APIs from the management server, providing the certificate and key file:

[nlhsn1@sbuxmng01 Perl]$ cd /home/nlhsn1/netapp-manageability-sdk-5.3/src/sample/Data_ONTAP/Perl
[nlhsn1@sbuxmng01 Perl]$ ./apitest.pl -C ~/sbuxmng01.pem -K ~/sbuxmng01.key sbnlhsn101 system-get-version
OUTPUT:
<results status="passed">
<build-timestamp>1403125873</build-timestamp>
<is-clustered>true</is-clustered>
<version>NetApp Release 8.3X16: Wed Jun 18 23:11:13 PDT 2014</version>
<version-tuple>
<system-version-tuple>
<generation>8</generation>
<major>3</major>
<minor>0</minor>
</system-version-tuple>
</version-tuple>
</results>
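The checks an operator wants before installing the certificate in step 3 and tying it to a login in step 7 (the common name must equal the ONTAP user name, the certificate must not be near expiry, and the private key must belong to the certificate) as an added POSIX shell example; it is not part of the original document and assumes only the openssl command-line tool, with the file names as placeholders.

```sh
#!/bin/sh
# Added example, not part of the original document: sanity checks for a client
# certificate/key pair before "security certificate install" (step 3) and
# "security login create ... -authmethod cert" (step 7).
# Assumes the openssl command-line tool; file names are placeholders.

# cert_cn CERT: print the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_login CERT LOGIN: succeed if the CN equals the ONTAP user name
# that the login entry will be created for.
cert_matches_login() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# cert_valid_for_days CERT DAYS: succeed if the certificate does not expire
# within DAYS days (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert CERT KEY: succeed if the public key embedded in CERT is the
# one derived from KEY (compares the PEM SubjectPublicKeyInfo of both).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Command-line use: ./check_client_cert.sh CERT KEY [LOGIN]  (LOGIN defaults to admin)
if [ "$#" -ge 2 ]; then
    cert=$1; key=$2; login=${3:-admin}
    cert_matches_login "$cert" "$login" \
        || { echo "CN '$(cert_cn "$cert")' does not match login '$login'" >&2; exit 1; }
    cert_valid_for_days "$cert" 30 \
        || { echo "$cert expires within 30 days" >&2; exit 1; }
    key_matches_cert "$cert" "$key" \
        || { echo "$key does not belong to $cert" >&2; exit 1; }
    echo "OK: $cert and $key can be used for ONTAP login '$login'"
fi
```

Run it against the pair created in step 2 (for example `./check_client_cert.sh sbuxmng01.pem sbuxmng01.key admin`); a CN mismatch here is the usual reason the `cert` login in step 7 is never matched.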

9. The following Perl script (getversion.pl) demonstrates how to get the Data ONTAP version of a system node using CBA:

#!/usr/bin/perl
require 5.6.1;
use lib '/home/nlhsn1/netapp-manageability-sdk-5.3/lib/perl/NetApp';
use strict;
use warnings;
use NaServer;
use NaElement;

# Client certificate and private key created in step 2 and installed in step 3.
my $cert = '/home/nlhsn1/sbuxmng01.pem';
my $key  = '/home/nlhsn1/sbuxmng01.key';

# Connect to the node; ONTAPI version 1.21.
my $s = new NaServer('sbnlhsn101-01', 1, 21);
$s->set_server_type('FILER');
$s->set_transport_type('HTTPS');
$s->set_port(443);
# Authenticate with the client certificate instead of a username/password.
$s->set_style('CERTIFICATE');
# Disable server certificate verification (the vserver uses a self-signed certificate).
$s->set_server_cert_verification(0);
$s->set_client_cert_and_key($cert, $key);

# Obtain the Data ONTAP version.
my $api = new NaElement('system-get-version');
my $xo  = $s->invoke_elem($api);
if ($xo->results_status() eq 'failed') {
    print "Error:\n";
    print $xo->sprintf();
    exit 1;
}
print "Received:\n";
print $xo->sprintf();

[nlhsn1@sbuxmng01 ~]$ ./getversion.pl
Received:
<results status="passed">
<build-timestamp>1403125873</build-timestamp>
<is-clustered>true</is-clustered>
<version>NetApp Release 8.3X16: Wed Jun 18 23:11:13 PDT 2014</version>
<version-tuple>
<system-version-tuple>
<generation>8</generation>
<major>3</major>
<minor>0</minor>
</system-version-tuple>
</version-tuple>
</results>
