Configuring StorageGRID certificates for ONTAP clients using FabricPool

You can use a script to generate a self-signed server certificate for S3 clients that perform strict hostname validation and do not support disabling strict hostname validation, such as ONTAP clients using FabricPool. In production environments, you should use a certificate that is signed by a known Certificate Authority (CA). Certificates signed by a CA can be rotated non-disruptively. They are also more secure because they provide better protection against man-in-the-middle attacks.

Before you begin

Steps

  1. Obtain the fully qualified domain name (FQDN) of each API Gateway Node.
  2. Log in to the primary Admin Node:
    1. Enter the following command: ssh admin@primary_Admin_Node_IP
    2. Enter the password listed in the Passwords.txt file.
  3. Configure StorageGRID with a new self-signed certificate:
    $ sudo make-certificate --domains wildcard-gateway-node-fqdn --type storage
    • For --domains, use wildcards to represent the fully qualified domain names of all API Gateway Nodes. For example, *.sgws.foo.com uses the * wildcard to represent gn1.sgws.foo.com and gn2.sgws.foo.com.
    • Set --type to storage to configure the certificate used by S3 and Swift storage clients.
    • By default, generated certificates are valid for one year (365 days) and must be recreated before they expire. You can use the --days argument to override the default validity period.
      Note: A certificate's validity period begins when make-certificate is run. You must ensure the S3 client is synchronized to the same time source as StorageGRID; otherwise, the client might reject the certificate.
    Example
    $ sudo make-certificate --domains *.s3.example.com --type storage --days 730
    The resulting output contains the public certificate needed by your S3 client.
  4. Select and copy the certificate.
    Include the BEGIN and the END tags in your selection.
  5. Log out of the command shell:
    $ exit
  6. Confirm the certificate was configured:
    1. Access the Grid Manager.
    2. Select Configuration > Server Certificates > Object Storage API Service Endpoints Server Certificate.
  7. Configure your S3 client to use the public certificate you copied. Include the BEGIN and END tags.
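The two checks a strict S3 client such as FabricPool applies to this certificate, wildcard coverage of every API Gateway Node FQDN and the validity window against the client's own clock, as an added example (a hypothetical helper, not StorageGRID or ONTAP code; the SAN entries, FQDNs and dates are constructed samples):

```python
"""Pre-flight audit of a StorageGRID storage certificate before handing it
to a strict-hostname-validation S3 client. Hypothetical helper; all
sample values below are constructed."""
from datetime import datetime, timedelta, timezone


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Strict wildcard matching: a leading '*' covers exactly one DNS label,
    so '*.sgws.foo.com' covers gn1.sgws.foo.com but not gn3.dc2.sgws.foo.com
    and not the bare sgws.foo.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, appear only once, and
    # leave at least two fixed labels ('*.com' is rejected).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_gateways(san_names, gateway_fqdns):
    """Return the gateway FQDNs that no SAN entry of the certificate covers."""
    return [h for h in gateway_fqdns
            if not any(hostname_matches(p, h) for p in san_names)]


def validity_state(not_before, not_after, client_now):
    """Mimic the client's time check. Validity starts when make-certificate
    runs, so a client clock behind StorageGRID sees 'not yet valid'."""
    if client_now < not_before:
        return "not yet valid"
    if client_now > not_after:
        return "expired"
    return "valid"


def audit(san_names, gateway_fqdns, not_before, not_after, client_now):
    """Collect every reason the client would reject the certificate."""
    problems = [f"{h}: no SAN entry matches" for h in
                uncovered_gateways(san_names, gateway_fqdns)]
    state = validity_state(not_before, not_after, client_now)
    if state != "valid":
        problems.append(f"certificate {state} at client time {client_now}")
    return problems


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    gateways = ["gn1.sgws.foo.com", "gn3.dc2.sgws.foo.com", "sgws.foo.com"]
    for line in audit(["*.sgws.foo.com"], gateways, issued,
                      issued + timedelta(days=730), issued - timedelta(minutes=3)):
        print(line)
```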