ONTAP MetroCluster

Set up the ONTAP Mediator for a MetroCluster IP configuration

Contributors netapp-aoife netapp-martyh netapp-pcarriga netapp-folivia netapp-thomi netapp-sarajane thrisun

You must configure the ONTAP Mediator on the ONTAP node to use it in a MetroCluster IP configuration.

Before you begin
  • ONTAP Mediator must have been successfully installed on a network location that can be reached by both MetroCluster sites.

  • You must have the IP address of the host running ONTAP Mediator.

  • You must have the username and password for ONTAP Mediator.

  • All nodes of the MetroCluster IP configuration must be online.

Caution Beginning with ONTAP 9.12.1, you can enable the MetroCluster automatic forced switchover feature in a MetroCluster IP configuration. This feature is an extension of the Mediator-assisted unplanned switchover. Before you enable this feature, review the Risks and limitations of using MetroCluster automatic forced switchover.
About this task
  • This task enables automatic unplanned switchover by default.

  • You can perform this task on the ONTAP interface of any node in the MetroCluster IP configuration.

  • Beginning with ONTAP 9.18.1 and ONTAP Mediator 1.11, a single ONTAP Mediator instance configured with iSCSI can manage up to ten MetroCluster configurations simultaneously. In ONTAP 9.17.1 and ONTAP Mediator 1.10 and earlier, an ONTAP Mediator configured with iSCSI can support up to five MetroCluster configurations simultaneously.

  • Beginning with ONTAP 9.19.1 and ONTAP Mediator 1.12, you can install ONTAP Mediator with support for iSCSI and HTTPS, or HTTPS only. If you installed ONTAP Mediator for HTTPS only, you can't configure a Mediator with iSCSI.

  • If you don't specify the -type parameter in the metrocluster configuration-settings mediator add command, the default iSCSI protocol is used.

  • If you configure ONTAP Mediator with HTTPS, a single ONTAP Mediator instance can only monitor one MetroCluster IP configuration. Monitoring multiple MetroCluster IP configurations simultaneously is not supported when ONTAP Mediator is configured with HTTPS.

  • If you need ONTAP Mediator configured with HTTPS to monitor multiple MetroCluster IP configurations, you must configure separate ONTAP Mediator instances for each MetroCluster IP configuration. You must carefully evaluate the requirements for your MetroCluster IP environment before you choose to configure ONTAP Mediator with HTTPS for MetroCluster IP.

  • If you want to use a single ONTAP Mediator instance to monitor more than one MetroCluster IP configuration, you should configure ONTAP Mediator using iSCSI instead of HTTPS.

Configure an ONTAP Mediator with HTTPS

Beginning with ONTAP 9.19.1 and ONTAP Mediator 1.12, you can configure an ONTAP Mediator that uses HTTPS for communication in a MetroCluster IP configuration.

Steps
  1. Locate the ONTAP Mediator CA certificates from the ONTAP Mediator Linux VM/host software installation location:

    [root@ontap-mediator ~] cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config

    You should see output similar to the following example:

    1-ontap-mediator.rules  intermediate.crt   make_self_signed_certs.sh      ontap_mediator_server_chain.crt  ontap_mediator.user_config.yaml  root_ca.crt
    config_migration        intermediate.key   netapp_sudoers                 ontap_mediator_server.crt        openssl_ca.cnf                   root_ca.key
    config.pyc              intermediate.srl   ontap_mediator.config.yaml     ontap_mediator_server.csr        openssl_intermediate.cnf
    __init__.pyc            logging.conf.yaml  ontap_mediator.constants.yaml  ontap_mediator_server.key        openssl_server.cnf
  2. Display the contents of the root CA certificate:

    [root@ontap-mediator ~] cat root_ca.crt

    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
  3. Display the contents of the intermediate CA certificate:

    [root@ontap-mediator ~] cat intermediate.crt

    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
  4. Install the root and intermediate CA certificates on site A:

    1. Install the root CA certificate:

      security certificate install -type server-ca -vserver <vserver_name>

      Enter the root_ca.crt when prompted, as shown in the following example:

      cluster_A::*> security certificate install -type server-ca -vserver cluster_A
      
      Enter certificate: Press <Enter> when done
      
      -----BEGIN CERTIFICATE-----
      <certificate_value>
      -----END CERTIFICATE-----
      
      You should keep a copy of the CA-signed digital certificate for future
      reference.
      
      The installed certificate's CA and serial number for reference:
      CA: ONTAP Mediator CA
      serial: <serial_value>
      
      The certificate's generated name for reference: ONTAPMediatorCA
      
      cluster_A::*>
  5. Install the intermediate CA certificate:

    security certificate install -type server-ca -vserver <vserver_name>

    Enter the intermediate.crt when prompted, as shown in the following example:

    cluster_A::*> security certificate install -type server-ca -vserver cluster_A
    
    Enter certificate: Press <Enter> when done
    
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    
    You should keep a copy of the CA-signed digital certificate for future
    reference.
    
    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: <serial_value>
    
    The certificate's generated name for reference: ONTAPMediatorCA
    
    cluster_A::*>
  6. Repeat the previous step to install the root and intermediate CA certificates on site B.

  7. View the self-signed CA certificates installed using the generated name of the certificates:

    security certificate show -common-name <common_name>

    You should see output similar to the following example:

    security certificate show -common-name ONTAPMediatorCA
    Vserver    Serial Number      Certificate Name                     Type
    ---------- ---------------    ------------------------------------ ------------
    cluster_A  <serial_value>     ONTAPMediatorCA                      server-ca
        Certificate Authority: ONTAP Mediator CA
              Expiration Date: Thu Nov 28 05:26:07 2030
    
    cluster_A  <serial_value>    ONTAPMediatorCA                       server-ca
        Certificate Authority: ONTAP Mediator CA
              Expiration Date: Thu Nov 28 05:26:07 2030
    
    2 entries were displayed.
  8. Add ONTAP Mediator to ONTAP. The steps depend on whether you want to use an IPv4 or IPv6 address.

    Note
    • You must be running ONTAP 9.18.1 or later and ONTAP Mediator 1.11 or later to use IPv6.

    • If you enable IPv6 on a cluster, you cannot disable it later.

    1. If you want to use IPv6, complete the following steps:

      To use IPv4, skip to the IPv4 step.

      1. Run the following command on both clusters:

        network options ipv6 modify -enabled true

      2. Configure the node-mgmt IP address with IPv6 addresses on all four nodes.

      3. Add the ONTAP Mediator:

        metrocluster configuration-settings mediator add -mediator-address <mediator_host_ipv6_ip_address> -type https-mediator

        Note Enter the Mediator admin username and password when prompted.
    2. If you want to use IPv4, complete the following step:

      1. Add the ONTAP Mediator:

        metrocluster configuration-settings mediator add -mediator-address <mediator_host_ip_address> -type https-mediator

        Note Enter the Mediator admin username and password when prompted.
  9. Verify the connection status and the ONTAP Mediator type:

    metrocluster configuration-settings mediator show

    You should see output similar to the following example:

    cluster_A::*> metrocluster configuration-settings mediator show
            Mediator IP     Port    Type              Node                    Configuration Connection
                                                                              Status        Status
            --------------- ------- ----------------- ----------------------- ------------- -----------
            10.101.101.101
                            31784   https-mediator    cluster1_node_01        true          true
                                                      cluster1_node_02        true          true
                                                      cluster2_node_01        true          true
                                                      cluster2_node_02        true          true
    1. Verify that the automatic switchover feature is enabled:

      metrocluster show

    2. Verify that the Mediator is now running.

      1. Show the Mediator virtual disks:

        storage disk show -container-type mediator

         cluster_A::> storage disk show -container-type mediator
                                Usable           Disk    Container   Container
         Disk                   Size Shelf Bay Type    Type        Name      Owner
         ---------------- ---------- ----- --- ------- ----------- --------- --------
         NET-1.5                   -     -   - VMDISK  mediator    -         node_A_2
         NET-1.6                   -     -   - VMDISK  mediator    -         node_B_1
         NET-1.7                   -     -   - VMDISK  mediator    -         node_B_2
         NET-1.8                   -     -   - VMDISK  mediator    -         node_A_1
      2. Verify the state of the automatic unplanned switchover (AUSO) failure domain:

        metrocluster show

        Note The following example output applies to ONTAP 9.13.1 and later. For ONTAP 9.12.1 and earlier, the AUSO failure domain state should be auso-on-cluster-disaster.
        cluster_A::> metrocluster show
        Cluster                   Entry Name          State
        ------------------------- ------------------- -----------
        Local: cluster_A          Configuration state configured
                                  Mode                normal
                                  AUSO Failure Domain auso-on-dr-group-disaster
        Remote: cluster_B         Configuration state configured
                                  Mode                normal
                                  AUSO Failure Domain auso-on-dr-group-disaster
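
The HTTPS procedure above installs root_ca.crt and intermediate.crt as server-ca certificates on both clusters, so it is worth confirming on the Mediator host that the files form the expected chain before the clusters trust them. The following shell function is an added example, not NetApp code; it assumes openssl is installed on the host and that ontap_mediator_server.crt (a file name from the listing in step 1) is the certificate the Mediator serves.

```shell
#!/bin/sh
# Added example, not NetApp code: check the Mediator CA files before pasting
# them into `security certificate install -type server-ca`.

# cert_serial FILE: print the serial in hex, to compare with the "serial:"
# value ONTAP echoes after the install.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# verify_mediator_chain DIR [MIN_DAYS]
# DIR holds the .crt files from the listing on this page; MIN_DAYS (assumed
# default 30) is the minimum remaining validity.
# Returns 0 if every check passes, 1 on a failed check, 2 on a missing file.
verify_mediator_chain() {
    dir=$1
    secs=$(( ${2:-30} * 86400 ))
    root=$dir/root_ca.crt
    inter=$dir/intermediate.crt
    server=$dir/ontap_mediator_server.crt

    for f in "$root" "$inter" "$server"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
        # Only certificates leave the host; a key block here is a mistake.
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "FAIL: $f contains a private key" >&2; return 1
        fi
    done

    # The root must be self-signed and verify against itself.
    openssl verify -CAfile "$root" "$root" >/dev/null 2>&1 ||
        { echo "FAIL: root_ca.crt is not a self-signed CA" >&2; return 1; }
    # The intermediate must be issued by that root.
    openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1 ||
        { echo "FAIL: intermediate.crt does not chain to root_ca.crt" >&2; return 1; }
    # The server certificate (assumed to be the one the Mediator serves)
    # must chain to the root through the intermediate.
    openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1 ||
        { echo "FAIL: server certificate does not chain to the CAs" >&2; return 1; }

    for f in "$root" "$inter" "$server"; do
        # -checkend exits non-zero if the certificate expires within $secs.
        openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null ||
            { echo "FAIL: $f expires within the validity window" >&2; return 1; }
        echo "OK $(basename "$f") serial=$(cert_serial "$f")"
    done
}
```

Run it as `verify_mediator_chain /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config` and compare the printed serials with the `serial:` value ONTAP prints after each install.
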
Configure an ONTAP Mediator with iSCSI
Steps
  1. Add ONTAP Mediator to ONTAP. The steps depend on whether you want to use an IPv4 or IPv6 address.

    Note
    • You must be running ONTAP 9.18.1 or later and ONTAP Mediator 1.11 or later to use IPv6.

    • If you enable IPv6 on a cluster, you cannot disable it later.

    1. If you want to use IPv6, complete the following steps:

      To use IPv4, skip to the IPv4 step.

      1. Run the following command on both clusters:

        network options ipv6 modify -enabled true

      2. Configure the node-mgmt IP address with IPv6 addresses on all four nodes.

      3. Add the ONTAP Mediator:

        metrocluster configuration-settings mediator add -mediator-address <mediator_host_ipv6_ip_address> -type iscsi-mediator

        Note Enter the Mediator admin username and password when prompted.
    2. If you want to use IPv4, complete the following step:

      1. Add the ONTAP Mediator:

        metrocluster configuration-settings mediator add -mediator-address <mediator_host_ip_address> -type iscsi-mediator

        Note Enter the Mediator admin username and password when prompted.
    3. Verify that the automatic switchover feature is enabled:

      metrocluster show

    4. Verify that the Mediator is now running.

      1. Show the Mediator virtual disks:

        storage disk show -container-type mediator

         cluster_A::> storage disk show -container-type mediator
                                Usable           Disk    Container   Container
         Disk                   Size Shelf Bay Type    Type        Name      Owner
         ---------------- ---------- ----- --- ------- ----------- --------- --------
         NET-1.5                   -     -   - VMDISK  mediator    -         node_A_2
         NET-1.6                   -     -   - VMDISK  mediator    -         node_B_1
         NET-1.7                   -     -   - VMDISK  mediator    -         node_B_2
         NET-1.8                   -     -   - VMDISK  mediator    -         node_A_1
      2. Set the privilege mode to advanced:

        set advanced

         cluster_A::> set advanced
      3. Display the initiators labelled as mediator:

        storage iscsi-initiator show -label mediator

         cluster_A::*> storage iscsi-initiator show -label mediator
           (storage iscsi-initiator show)
                                                                                Status
         Node Type Label    Target Portal      Target Name                      Admin/Op
         ---- ---- -------- ------------------ -------------------------------- --------
         node_A_1
              mailbox
                   mediator 1.1.1.1       iqn.2012-05.local:mailbox.target.6616cd3f-9ef1-11e9-aada-00a098ccf5d8:a05e1ffb-9ef1-11e9-8f68-00a098cbca9e:1 up/up
         node_A_2
              mailbox
                   mediator 1.1.1.1       iqn.2012-05.local:mailbox.target.6616cd3f-9ef1-11e9-aada-00a098ccf5d8:a05e1ffb-9ef1-11e9-8f68-00a098cbca9e:1 up/up
      4. Verify the state of the automatic unplanned switchover (AUSO) failure domain:

        metrocluster show

        Note The following example output applies to ONTAP 9.13.1 and later. For ONTAP 9.12.1 and earlier, the AUSO failure domain state should be auso-on-cluster-disaster.
        cluster_A::> metrocluster show
        Cluster                   Entry Name          State
        ------------------------- ------------------- -----------
        Local: cluster_A          Configuration state configured
                                  Mode                normal
                                  AUSO Failure Domain auso-on-dr-group-disaster
        Remote: cluster_B         Configuration state configured
                                  Mode                normal
                                  AUSO Failure Domain auso-on-dr-group-disaster
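
The verification steps in both procedures can be scripted against captured CLI output. The following shell functions are an added example, not NetApp code; they read the output of `metrocluster configuration-settings mediator show` and `metrocluster show` on stdin, and the default of four node rows is an assumption taken from the example output in the HTTPS procedure.

```shell
#!/bin/sh
# Added example, not NetApp code. Both functions read captured ONTAP CLI
# output on stdin and return 0 only if the state matches this page.

# check_mediator_status TYPE [NODES]: every node row must show "true" for
# Configuration Status and Connection Status. NODES defaults to 4, an
# assumption taken from the four-node example on this page.
check_mediator_status() {
    awk -v want="$1" -v expect="${2:-4}" '
        NF >= 3 && $NF ~ /^(true|false)$/ && $(NF-1) ~ /^(true|false)$/ {
            if (NF == 5) mtype = $2   # only the first node row has Port and Type
            nodes++
            if ($(NF-1) != "true" || $NF != "true") {
                printf "FAIL %s config=%s connection=%s\n", $(NF-2), $(NF-1), $NF
                bad++
            }
        }
        END {
            if (mtype != want) { printf "FAIL type=%s, expected %s\n", mtype, want; bad++ }
            if (nodes != expect) { printf "FAIL %d node rows, expected %d\n", nodes, expect; bad++ }
            exit (bad > 0)
        }'
}

# check_auso [STATE]: Local and Remote must both report STATE. The default is
# the ONTAP 9.13.1+ value; pass auso-on-cluster-disaster for 9.12.1 and earlier.
check_auso() {
    awk -v want="${1:-auso-on-dr-group-disaster}" '
        /AUSO Failure Domain/ { seen++; if ($NF != want) { print "FAIL " $0; bad++ } }
        END {
            if (seen != 2) { print "FAIL expected Local and Remote AUSO rows"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the mediator show example output from this page.
sample_mediator_show() {
    cat <<'EOF'
Mediator IP     Port    Type              Node                    Configuration Connection
                                                                  Status        Status
--------------- ------- ----------------- ----------------------- ------------- -----------
10.101.101.101
                31784   https-mediator    cluster1_node_01        true          true
                                          cluster1_node_02        true          true
                                          cluster2_node_01        true          true
                                          cluster2_node_02        true          true
EOF
}
sample_mediator_show | check_mediator_status https-mediator && echo "mediator status OK"
```
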