NetApp Backup and Recovery

Set up security certificates for StorageGRID and ONTAP in NetApp Backup and Recovery

Contributors netapp-mwallis

Create a security certificate to enable communication between NetApp Backup and Recovery and StorageGRID or ONTAP.

Create a security certificate for StorageGRID

If the communication between the NetApp Backup and Recovery containers and StorageGRID should verify the StorageGRID certificate, complete the following steps.

The CN and Subject Alternative Name of the generated certificate must match the name you entered in NetApp Backup and Recovery when you activated the backup.

Steps
  1. Follow the steps in the StorageGRID documentation to create the StorageGRID certificate.

  2. Update StorageGRID with the certificate if you have not already done so.

  3. Log in to the Console agent as a root user. Run:

    sudo su
  4. Get the NetApp Backup and Recovery (Cloud Backup Service) Docker volume. Run:

    docker volume ls | grep cbs

    Output example:

    local service-manager-2_cloudmanager_cbs_volume
    Note The volume name differs among Standard, Private, and Restricted deployment modes. This example uses Standard mode. Refer to NetApp Console deployment modes.
  5. Find the mount point of the NetApp Backup and Recovery volume. Run:

    docker volume inspect service-manager-2_cloudmanager_cbs_volume | grep Mountpoint

    Output example:

    "Mountpoint": "/var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data"
    Note The mount point differs among Standard, Private, and Restricted deployment modes. This example shows a Standard cloud deployment. Refer to NetApp Console deployment modes.
  6. Change to the MountPoint directory. Run:

    cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  7. If StorageGRID's certificate is signed by the root CA and an intermediate CA, then append the pem files of both into one file named sgws.crt in the current location. Do not add the leaf certificate to this file.

Steps for cloudmanager_cbs container

You'll need to enable the StorageGRID Server certificate verification in NetApp Backup and Recovery (Cloud Backup Service).

  1. Change directories to the Docker volume obtained in earlier steps.

    cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  2. Change directories to the config directory.

    cd cbs_config
  3. Create and save a configuration file as shown below with one of the following names based on your deployment environment:

    • production-customer.json Used for Standard mode and Restricted mode deployments.

    • darksite-customer.json Used for Private mode deployments.

      Configuration file

      {
        "protocols": {
          "sgws": {
            "certificates": {
              "reject-unauthorized": true,
              "ca-bundle": "/config/sgws.crt"
            }
          }
        }
      }
  4. Exit the container. Run:

    exit
  5. Restart cloudmanager_cbs. Run:

    docker restart cloudmanager_cbs

Steps for cloudmanager_cbs_catalog container

Next, you'll need to enable the StorageGRID Server certificate verification for the Cataloging Service.

  1. Change directories to the Docker volume:

    cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  2. Change directories to the catalog config directory. Run:

    cd cbs_catalog_config
  3. Create a config file as shown below with one of the following names based on your deployment environment:

    • production-customer.json Used for Standard mode and Restricted mode deployments.

    • darksite-customer.json Used for Private mode deployments.

      Catalog configuration file

      {
        "protocols": {
          "sgws": {
            "certificates": {
              "reject-unauthorized": true,
              "ca-bundle": "/config/sgws.crt"
            }
          }
        }
      }
  4. Restart the catalog. Run:

    docker restart cloudmanager_cbs_catalog

Update the Console agent certificate with the StorageGRID certificate based on the agent operating system

Ubuntu

  1. Copy the SGWS certificate to /usr/local/share/ca-certificates. Here is an example:

    cp /config/sgws.crt /usr/local/share/ca-certificates/

    where sgws.crt is the root CA certificate.

  2. Update the host certificates with the StorageGRID certificate. Run:

    sudo update-ca-certificates

Red Hat Enterprise Linux

  1. Copy the SGWS certificate to /etc/pki/ca-trust/source/anchors/.

    cp /config/sgws.crt /etc/pki/ca-trust/source/anchors/

    where sgws.crt is the root CA certificate.

  2. Update the host certificates with the StorageGRID certificate.

    update-ca-trust extract
  3. Update the ca-bundle.crt

    cd /etc/pki/tls/certs/
    openssl x509 -in ca-bundle.crt -text -noout
  4. To check whether the certificates are present, run the following command:

    openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep subject | head

Create a security certificate for ONTAP

If the communication between the NetApp Backup and Recovery containers and ONTAP should validate the ONTAP certificate, then complete the following steps.

NetApp Backup and Recovery uses the Cluster Management IP to connect to ONTAP. Enter the IP address of the cluster in the Subject Alternative Names of the certificate. Do this when you generate the CSR in the System Manager UI.

Use the System Manager documentation to create a new CA certificate for ONTAP.

Steps
  1. Log in to the Console agent as root. Run:

    sudo su
  2. Get the NetApp Backup and Recovery Docker volume. Run:

    docker volume ls | grep cbs

    Output example:

    local service-manager-2_cloudmanager_cbs_volume
    Note The volume name differs among Standard, Private, and Restricted deployment modes. This example shows a Standard cloud deployment. Refer to NetApp Console deployment modes.
  3. Obtain the mount point of the volume. Run:

    docker volume inspect service-manager-2_cloudmanager_cbs_volume | grep Mountpoint

    Output example:

    "Mountpoint": "/var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data"
    Note The mount point differs among Standard, Private, and Restricted deployment modes. This example shows a Standard cloud deployment. Refer to NetApp Console deployment modes.
  4. Change to the mountpoint directory. Run:

    cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  5. Complete one of the following steps:

    • If the ONTAP certificate is signed by the root CA and an intermediate CA, then append the pem files of both into one file named ontap.crt in the current location.

    • If the ONTAP certificate is signed by a single CA, then rename the pem file as ontap.crt and copy it in the current location. Do not add the leaf certificate to this file.
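The two bundle steps above (sgws.crt for StorageGRID, ontap.crt for ONTAP) share the same two pitfalls: a leaf certificate slipping into the CA bundle, and a server certificate whose SAN does not carry the name or cluster-management IP that NetApp Backup and Recovery connects to. The script below is an added example, not code from this page or from NetApp. It assumes only the openssl command line; the root, intermediate and leaf certificates it checks are generated locally (the names sgws.example.internal and 192.0.2.10 are constructed), so it runs offline. On a Console agent you would point build_ca_bundle and verify_server_cert at the PEM files exported from StorageGRID or ONTAP instead of the demo chain.

```shell
#!/bin/sh
# Added example, not from the NetApp page.
#  build_ca_bundle    concatenates CA PEM files and refuses any non-CA cert
#  verify_server_cert checks that the bundle validates the server's leaf
#                     and that the leaf's SAN carries the expected name
#  make_demo_chain    constructs a root -> intermediate -> leaf chain (demo only)
set -e

# build_ca_bundle OUT PEM...  -> writes OUT; returns 1 if any input is not CA:TRUE
build_ca_bundle() {
  out=$1; shift
  : > "$out"
  for pem in "$@"; do
    if ! openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
      echo "refusing $pem: not a CA certificate (leaf certs do not belong in the bundle)" >&2
      return 1
    fi
    cat "$pem" >> "$out"
  done
  return 0
}

# verify_server_cert BUNDLE LEAF NAME -> 0 only if the chain validates and the SAN lists NAME
verify_server_cert() {
  bundle=$1; leaf=$2; name=$3
  result=$(openssl verify -CAfile "$bundle" "$leaf" 2>&1) || true
  case $result in
    *": OK"*) ;;
    *) echo "chain check failed: $result" >&2; return 1 ;;
  esac
  if ! openssl x509 -in "$leaf" -noout -text 2>/dev/null \
       | grep -A1 'Subject Alternative Name' | grep -qF -- "$name"; then
    echo "SAN of $leaf does not contain $name" >&2
    return 1
  fi
  return 0
}

# make_demo_chain DIR SAN: constructed chain; SAN is an openssl SAN entry such as DNS:... or IP:...
make_demo_chain() {
  dir=$1; san=$2
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$san" > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_demo_chain "$WORK/sg"    "DNS:sgws.example.internal"   # constructed StorageGRID name
make_demo_chain "$WORK/ontap" "IP:192.0.2.10"               # constructed cluster-management IP
# root + intermediate only, as the page describes; the leaf stays out
build_ca_bundle "$WORK/sgws.crt"  "$WORK/sg/root.pem"    "$WORK/sg/int.pem"
build_ca_bundle "$WORK/ontap.crt" "$WORK/ontap/root.pem" "$WORK/ontap/int.pem"
verify_server_cert "$WORK/sgws.crt"  "$WORK/sg/leaf.pem"    "sgws.example.internal" && echo "StorageGRID chain and SAN OK"
verify_server_cert "$WORK/ontap.crt" "$WORK/ontap/leaf.pem" "192.0.2.10" && echo "ONTAP chain and SAN OK"
```

verify_server_cert checks the printed result of openssl verify rather than only its exit code, because older OpenSSL releases returned 0 even when verification failed. With a real export, run it against the leaf certificate the server presents and the name or IP you entered in NetApp Backup and Recovery before enabling reject-unauthorized, so a mismatch shows up here rather than as failed backups after the restart.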

Steps for cloudmanager_cbs container

Next, enable the ONTAP Server certificate verification in NetApp Backup and Recovery (Cloud Backup Service).

  1. Change directories to the Docker volume obtained in earlier steps.

    cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  2. Change to the config directory. Run:

    cd cbs_config
  3. Create a configuration file as shown below with one of the following names based on your deployment environment:

    • production-customer.json Used for Standard mode and Restricted mode deployments.

    • darksite-customer.json Used for Private mode deployments.

      Configuration file

      {
        "ontap": {
          "certificates": {
            "reject-unauthorized": true,
            "ca-bundle": "/config/ontap.crt"
          }
        }
      }
  4. Exit the container. Run:

    exit
  5. Restart NetApp Backup and Recovery. Run:

    docker restart cloudmanager_cbs

Steps for cloudmanager_cbs_catalog container

Enable the ONTAP Server certificate verification for the Cataloging Service.

  1. Change directories to the Docker volume. Run:

    cd /var/lib/docker/volumes/service-manager-2_cloudmanager_cbs_volume/_data
  2. Change directories to the catalog config directory. Run:

    cd cbs_catalog_config
  3. Create a configuration file as shown below with one of the following names based on your deployment environment:

    • production-customer.json Used for Standard mode and Restricted mode deployments.

    • darksite-customer.json Used for Private mode deployments.

      Configuration file

      {
        "ontap": {
          "certificates": {
            "reject-unauthorized": true,
            "ca-bundle": "/config/ontap.crt"
          }
        }
      }
  4. Restart NetApp Backup and Recovery. Run:

    docker restart cloudmanager_cbs_catalog

Create a certificate for both ONTAP and StorageGRID

If you need to enable the certificate for both ONTAP and StorageGRID, then the configuration file looks like this:

Configuration file for both ONTAP and StorageGRID

{
  "protocols": {
    "sgws": {
      "certificates": {
        "reject-unauthorized": true,
        "ca-bundle": "/config/sgws.crt"
      }
    }
  },
  "ontap": {
    "certificates": {
      "reject-unauthorized": true,
      "ca-bundle": "/config/ontap.crt"
    }
  }
}
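The combined file above has an easy-to-miss asymmetry: "sgws" sits under "protocols" while "ontap" sits at the top level, and "reject-unauthorized" must be the JSON boolean true. The script below is an added example, not code from this page or from NetApp: it writes the file under the mode-specific name the page lists and validates its shape before the container restart. It assumes that the volume's _data directory is what the containers see as /config (the page places sgws.crt in _data and the config refers to /config/sgws.crt); the demo volume layout and the placeholder certificate text in demo() are constructed, not a real certificate.

```python
"""Added example (not NetApp's code): write and validate the certificate
verification config described on this page."""
import json
import os
import re
import tempfile

# File name per deployment mode, as listed on the page.
CONFIG_NAME = {
    "standard": "production-customer.json",
    "restricted": "production-customer.json",
    "private": "darksite-customer.json",
}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def cert_block(bundle_path):
    """Per-service fragment from the page: strict verification against a CA bundle."""
    return {"certificates": {"reject-unauthorized": True, "ca-bundle": bundle_path}}


def build_config(sgws_bundle=None, ontap_bundle=None):
    """Combined file as on the page: sgws under "protocols", ontap at the top level."""
    cfg = {}
    if sgws_bundle:
        cfg["protocols"] = {"sgws": cert_block(sgws_bundle)}
    if ontap_bundle:
        cfg["ontap"] = cert_block(ontap_bundle)
    return cfg


def config_path(config_dir, mode):
    return os.path.join(config_dir, CONFIG_NAME[mode.lower()])


def write_config(config_dir, mode, cfg):
    path = config_path(config_dir, mode)
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)
    return path


def count_pem_certs(path):
    with open(path) as fh:
        return len(PEM_CERT.findall(fh.read()))


def validate_config(cfg, volume_dir, container_prefix="/config/"):
    """Return a list of problems (empty means the file is usable).

    Checks the nesting the page shows, that reject-unauthorized is the JSON
    boolean true, and that each ca-bundle resolves to a PEM file holding at
    least one certificate in volume_dir (assumed to be the host side of the
    container's /config)."""
    problems = []
    sections = {}
    if "protocols" in cfg and "sgws" in cfg["protocols"]:
        sections["sgws"] = cfg["protocols"]["sgws"]
    if "sgws" in cfg:
        problems.append('"sgws" must be nested under "protocols"')
    if "ontap" in cfg:
        sections["ontap"] = cfg["ontap"]
    if "protocols" in cfg and "ontap" in cfg["protocols"]:
        problems.append('"ontap" belongs at the top level, not under "protocols"')
    if not sections:
        problems.append("no sgws or ontap section: certificate verification stays disabled")
    for name, section in sections.items():
        certs = section.get("certificates", {})
        if certs.get("reject-unauthorized") is not True:
            problems.append(f"{name}: reject-unauthorized must be the boolean true")
        bundle = certs.get("ca-bundle", "")
        if not bundle.startswith(container_prefix):
            problems.append(f"{name}: ca-bundle must be a path under {container_prefix}")
            continue
        host_path = os.path.join(volume_dir, bundle[len(container_prefix):])
        if not os.path.isfile(host_path):
            problems.append(f"{name}: {host_path} not found in the volume")
        elif count_pem_certs(host_path) == 0:
            problems.append(f"{name}: {host_path} holds no PEM certificate")
    return problems


def demo():
    """Constructed volume: sgws.crt present (placeholder text, not a real cert), ontap.crt missing."""
    volume = tempfile.mkdtemp()
    os.makedirs(os.path.join(volume, "cbs_config"))
    with open(os.path.join(volume, "sgws.crt"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholder\n-----END CERTIFICATE-----\n")
    good = build_config(sgws_bundle="/config/sgws.crt")
    path = write_config(os.path.join(volume, "cbs_config"), "standard", good)
    # Two mistakes: sgws not under "protocols", and "true" as a string; plus a missing bundle.
    bad = {"sgws": cert_block("/config/sgws.crt"),
           "ontap": {"certificates": {"reject-unauthorized": "true", "ca-bundle": "/config/ontap.crt"}}}
    with open(path) as fh:
        written = json.load(fh)
    return {"path": path, "written": written,
            "good_problems": validate_config(good, volume),
            "bad_problems": validate_config(bad, volume)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run validate_config against the volume's _data directory on the agent before the docker restart; an empty list means the nesting, the boolean and the bundle file are all in place for the container to pick up.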