Enabling cluster peering encryption on an existing peer relationship

Beginning with ONTAP 9.6, cluster peering encryption is enabled by default on all newly created cluster peering relationships. Cluster peering encryption uses a pre-shared key (PSK) and Transport Layer Security (TLS) to secure cross-cluster peering communications. This adds a layer of security between the peered clusters.

About this task

Cluster peering encryption must be enabled manually for peering relationships created prior to upgrading to ONTAP 9.6. Cluster peering encryption is not available for clusters running ONTAP 9.5 or earlier. Therefore, both clusters in the peering relationship must be running ONTAP 9.6 in order to enable cluster peering encryption.

Procedure

  1. On the destination cluster, enable encryption for communications with the source cluster:
       cluster peer modify source_cluster -auth-status-admin use-authentication -encryption tls
  2. When prompted, enter a passphrase.
  3. On the data protection source cluster, enable encryption for communications with the data protection destination cluster:
       cluster peer modify data_protection_destination_cluster -auth-status-admin use-authentication -encryption tls
  4. When prompted, enter the same passphrase entered on the destination cluster.