Skip to main content
Setup and administration

Install and set up a Connector on premises

Contributors netapp-bcammett
PDFs

Install a Connector on premises and then log in and set it up to work with your BlueXP account.

Before you begin

You should review Connector limitations.

Step 1: Review host requirements

The Connector software must run on a host that meets specific operating system requirements, RAM requirements, port requirements, and so on. Ensure that your host meets these requirements before you install the Connector.

Dedicated host

The Connector is not supported on a host that is shared with other applications. The host must be a dedicated host.

Supported operating systems

  • Ubuntu 22.04 LTS

  • CentOS 7.6, 7.7, 7.8, and 7.9

  • Red Hat Enterprise Linux 7.6, 7.7, 7.8, and 7.9

    The host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access repositories to update required 3rd-party software during Connector installation.

    The Connector is supported on English-language versions of these operating systems.

Hypervisor

A bare metal or hosted hypervisor that is certified to run Ubuntu, CentOS, or Red Hat Enterprise Linux is required.

Red Hat Solution: Which hypervisors are certified to run Red Hat Enterprise Linux?

CPU

4 cores or 4 vCPUs

RAM

14 GB

Disk space in /opt

100 GiB of space must be available

Disk space in /var

20 GiB of space must be available

Docker Engine

Docker Engine is required on the host before you install the Connector.

Step 2: Set up networking

Set up your networking so the Connector can manage resources and processes within your hybrid cloud environment. For example, you need to ensure that connections are available to target networks and that outbound internet access is available.

Connections to target networks

A Connector requires a network connection to the location where you're planning to create and manage working environments. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.

Outbound internet access

The network location where you deploy the Connector must have an outbound internet connection to contact specific endpoints.

Endpoints contacted during manual installation

When you manually install the Connector on your own Linux host, the installer for the Connector requires access to the following URLs during the installation process:

  • https://support.netapp.com

  • https://mysupport.netapp.com

  • https://cloudmanager.cloud.netapp.com/tenancy

  • https://stream.cloudmanager.cloud.netapp.com

  • https://production-artifacts.cloudmanager.cloud.netapp.com

  • https://*.blob.core.windows.net

  • https://cloudmanagerinfraprod.azurecr.io

    The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.

Endpoints contacted from the Connector

The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment for day-to-day operations.

Note that the endpoints listed below are all CNAME entries.

Endpoints Purpose

AWS services (amazonaws.com):

  • CloudFormation

  • Elastic Compute Cloud (EC2)

  • Identity and Access Management (IAM)

  • Key Management Service (KMS)

  • Security Token Service (STS)

  • Simple Storage Service (S3)

To manage resources in AWS. The exact endpoint depends on the AWS region that you're using. Refer to AWS documentation for details

https://management.azure.com
https://login.microsoftonline.com
https://blob.core.windows.net
https://core.windows.net

To manage resources in Azure public regions.

https://management.chinacloudapi.cn
https://login.chinacloudapi.cn
https://blob.core.chinacloudapi.cn
https://core.chinacloudapi.cn

To manage resources in Azure China regions.

https://www.googleapis.com/compute/v1/
https://compute.googleapis.com/compute/v1
https://cloudresourcemanager.googleapis.com/v1/projects
https://www.googleapis.com/compute/beta
https://storage.googleapis.com/storage/v1
https://www.googleapis.com/storage/v1
https://iam.googleapis.com/v1
https://cloudkms.googleapis.com/v1
https://www.googleapis.com/deploymentmanager/v2/projects

To manage resources in Google Cloud.

https://support.netapp.com
https://mysupport.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.api.bluexp.netapp.com

https://api.bluexp.netapp.com

https://*.cloudmanager.cloud.netapp.com

https://cloudmanager.cloud.netapp.com

https://netapp-cloud-account.auth0.com

To provide SaaS features and services within BlueXP.

Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.

https://*.blob.core.windows.net

https://cloudmanagerinfraprod.azurecr.io

To upgrade the Connector and its Docker components.
Proxy server

If your organization requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation.

  • IP address

  • Credentials

  • HTTPS certificate

Note that BlueXP does not support transparent proxy servers.

Ports

There's no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  • HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.

  • SSH (22) is only needed if you need to connect to the host for troubleshooting.

  • Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.

Enable NTP

If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification

Step 3: Set up cloud permissions

If you want to use BlueXP services in AWS or Azure with an on-premises Connector, then you need to set up permissions in your cloud provider so that you can add the credentials to the Connector after you install it.

Tip Why not Google Cloud? When the Connector is installed on your premises, it can't manage your resources in Google Cloud. The Connector must be installed in Google Cloud to manage any resources that reside there.
AWS

When the Connector is installed on premises, you need to provide BlueXP with AWS permissions by adding access keys for an IAM user who has the required permissions.

You must use this authentication method if the Connector is installed on premises. You can't use an IAM role.

Steps

  1. Log in to the AWS console and navigate to the IAM service.

  2. Create a policy:

    1. Select Policies > Create policy.

    2. Select JSON and copy and paste the contents of the IAM policy for the Connector.

    3. Finish the remaining steps to create the policy.

      Depending on the BlueXP services that you're planning to use, you might need to create a second policy.

      For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Connector.

  3. Attach the policies to an IAM user.

  4. Ensure that the user has an access key that you can add to BlueXP after you install the Connector.

Result

You should now have access keys for an IAM user who has the required permissions. After you install the Connector, you'll need to associate these credentials with the Connector from BlueXP.

Azure

When the Connector is installed on premises, you need to provide BlueXP with Azure permissions by setting up a service principal in Microsoft Entra ID and obtaining the Azure credentials that BlueXP needs.

Create a Microsoft Entra application for role-based access control

  1. Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.

    For details, refer to Microsoft Azure Documentation: Required permissions

  2. From the Azure portal, open the Microsoft Entra ID service.

    Shows the Active Directory service in Microsoft Azure.

  3. In the menu, select App registrations.

  4. Select New registration.

  5. Specify details about the application:

    • Name: Enter a name for the application.

    • Account type: Select an account type (any will work with BlueXP).

    • Redirect URI: You can leave this field blank.

  6. Select Register.

    You've created the AD application and service principal.

Assign the application to a role

  1. Create a custom role:

    Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation

    1. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.

    2. Modify the JSON file by adding Azure subscription IDs to the assignable scope.

      You should add the ID for each Azure subscription from which users will create Cloud Volumes ONTAP systems.

      Example

      "AssignableScopes": [
"/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
"/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
"/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"

    3. Use the JSON file to create a custom role in Azure.

      The following steps describe how to create the role by using Bash in Azure Cloud Shell.

      • Start Azure Cloud Shell and choose the Bash environment.

      • Upload the JSON file.

        A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

      • Use the Azure CLI to create the custom role:

        az role definition create --role-definition Connector_Policy.json

        You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.

  2. Assign the application to the role:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Select Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the BlueXP Operator role and select Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Select Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here's an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application and select Select.

      • Select Next.

    6. Select Review + assign.

      The service principal now has the required Azure permissions to deploy the Connector.

      If you want to deploy Cloud Volumes ONTAP from multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. BlueXP enables you to select the subscription that you want to use when deploying Cloud Volumes ONTAP.

Add Windows Azure Service Management API permissions

  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Select API permissions > Add a permission.

  3. Under Microsoft APIs, select Azure Service Management.

    A screenshot of the Azure portal that shows the Azure Service Management API permissions.

  4. Select Access Azure Service Management as organization users and then select Add permissions.

    A screenshot of the Azure portal that shows adding the Azure Service Management APIs.

Get the application ID and directory ID for the application

  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Microsoft Entra IDy.

    When you add the Azure account to BlueXP, you need to provide the application (client) ID and the directory (tenant) ID for the application. BlueXP uses the IDs to programmatically sign in.

Create a client secret

  1. Open the Microsoft Entra ID service.

  2. Select App registrations and select your application.

  3. Select Certificates & secrets > New client secret.

  4. Provide a description of the secret and a duration.

  5. Select Add.

  6. Copy the value of the client secret.

    A screenshot of the Azure portal that shows a client secret for the Microsoft Entra service principal.

    You now have a client secret that BlueXP can use it to authenticate with Microsoft Entra ID.

Result

Your service principal is now setup and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. After you install the Connector, you'll need to associate these credentials with the Connector from BlueXP.

Step 4: Install the Connector

Download and install the Connector software on an existing Linux host on premises.

Before you begin

You should have the following:

  • Root privileges to install the Connector.

  • Details about a proxy server, if a proxy is required for internet access from the Connector.

    You have the option to configure a proxy server after installation but doing so requires restarting the Connector.

    Note that BlueXP does not support transparent proxy servers.

  • A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.

About this task

The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Connector automatically updates itself if a new version is available.

Steps

  1. Verify that docker is enabled and running.

    sudo systemctl enable docker && sudo systemctl start docker

  2. If the http_proxy or https_proxy system variables are set on the host, remove them:

    unset http_proxy
unset https_proxy

    If you don't remove these system variables, the installation will fail.

  3. Download the Connector software from the NetApp Support Site, and then copy it to the Linux host.

    You should download the "online" Connector installer that's meant for use in your network or in the cloud. A separate "offline" installer is available for the Connector, but it's only supported with private mode deployments.

  4. Assign permissions to run the script.

    chmod +x BlueXP-Connector-Cloud-<version>

    Where <version> is the version of the Connector that you downloaded.

  5. Run the installation script.

     ./BlueXP-Connector-Cloud-<version> --proxy <HTTP or HTTPS proxy server> --cacert <path and file name of a CA-signed certificate>

    The --proxy and --cacert parameters are optional. If you have a proxy server, you will need to enter the parameters as shown. The installer doesn't prompt you to provide information about a proxy.

    Here's an example of the command using both optional parameters:

     ./BlueXP-Connector-Cloud-v3.9.38 --proxy https://user:password@10.0.0.30:8080/ --cacert /tmp/cacert/certificate.cer

    --proxy configures the Connector to use an HTTP or HTTPS proxy server using one of the following formats:

    • http://address:port

    • http://user-name:password@address:port

    • http://domain-name%92user-name:password@address:port

    • https://address:port

    • https://user-name:password@address:port

    • https://domain-name%92user-name:password@address:port

      Note the following:

      • The user can be a local user or domain user.

      • For a domain user, you must use the ASCII code for the \ as shown above.

      • BlueXP doesn't support passwords that include the @ character.

    --cacert specifies a CA-signed certificate to use for HTTPS access between the Connector and the proxy server. This parameter is required only if you specify an HTTPS proxy server or if the proxy is an intercepting proxy.

Result

The Connector is now installed. At the end of the installation, the Connector service (occm) restarts twice if you specified a proxy server.

Step 5: Set up the Connector

Sign up or log in and then set up the Connector to work with your BlueXP account.

Steps

  1. Open a web browser and enter the following URL:

    https://ipaddress

    ipaddress can be localhost, a private IP address, or a public IP address, depending on the configuration of the host. For example, if the Connector is in the public cloud without a public IP address, you must enter a private IP address from a host that has a connection to the Connector host.

  2. Sign up or log in.

  3. After you log in, set up BlueXP:

    1. Specify the BlueXP account to associate with the Connector.

    2. Enter a name for the system.

    3. Under Are you running in a secured environment? keep restricted mode disabled.

      You should keep restricted mode disabled because these steps describe how to use BlueXP in standard mode. (In addition, restricted mode isn't supported when the Connector is installed on premises.)

    4. Select Let's start.

Result

BlueXP is now set up with the Connector that you just installed.

Step 6: Provide permissions to BlueXP

After you install and set up the Connector, add your cloud credentials so that BlueXP has the required permissions to perform actions in AWS or Azure.

AWS
Before you begin

If you just created these credentials in AWS, it might take a few minutes until they are available for use. Wait a few minutes before you add the credentials to BlueXP.

Steps

  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > Connector.

    2. Define Credentials: Enter an AWS access key and secret key.

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

BlueXP now has the permissions that it needs to perform actions in AWS on your behalf.

You can now go to the BlueXP console to start using the Connector with BlueXP.

Azure
Before you begin

If you just created these credentials in Azure, it might take a few minutes until they are available for use. Wait a few minutes before you add the credentials to BlueXP.

Steps

  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > Connector.

    2. Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:

      • Application (client) ID

      • Directory (tenant) ID

      • Client Secret

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

BlueXP now has the permissions that it needs to perform actions in Azure on your behalf. You can now go to the BlueXP console to start using the Connector with BlueXP.