Skip to main content
SAN hosts and cloud clients

NVMe-oF host configuration for SUSE Linux Enterprise Server 15 SP6 with ONTAP

Contributors netapp-pcarriga

NVMe over Fabrics (NVMe-oF), including NVMe over Fibre Channel (NVMe/FC) and other transports, is supported for SUSE Linux Enterprise Server 15 SP6 with Asymmetric Namespace Access (ANA). In NVMe-oF environments, ANA is the equivalent of ALUA multipathing in iSCSI and FCP environments and is implemented with in-kernel NVMe multipath.

The following support is available for the NVMe-oF host configuration for SUSE Linux Enterprise Server 15 SP6 with ONTAP:

  • Running NVMe and SCSI traffic on the same co-existent host. For example, you can configure dm-multipath for SCSI mpath devices for SCSI LUNs and use NVMe multipath to configure NVMe-oF namespace devices on the host.

  • Support for NVMe over TCP (NVMe/TCP) and NVMe/FC. This gives the NetApp plug-in in the native nvme-cli package the capability to display the ONTAP details for both NVMe/FC and NVMe/TCP namespaces.

For additional details on supported configurations, see the NetApp Interoperability Matrix Tool.

Features

  • Support for NVMe secure, in-band authentication

  • Support for persistent discovery controllers (PDCs) using a unique discovery NQN

  • TLS 1.3 encryption support for NVMe/TCP

Known limitations

  • SAN booting using the NVMe-oF protocol is currently not supported.

  • NetApp sanlun host utility support isn't available for NVMe-oF on a SUSE Linux Enterprise Server 15 SP6 host. Instead, you can rely on the NetApp plug-in included in the native nvme-cli package for all NVMe-oF transports.

Configure NVMe/FC

You can configure NVMe/FC with Broadcom/Emulex FC or Marvell/Qlogic FC adapters for a SUSE Linux Enterprise Server 15 SP6 with ONTAP configuration.

Broadcom/Emulex

Configure NVMe/FC for a Broadcom/Emulex FC adapter.

Steps
  1. Verify that you are using the recommended adapter model:

    cat /sys/class/scsi_host/host*/modelname
    Example output
    LPe32002 M2
    LPe32002-M2
  2. Verify the adapter model description:

    cat /sys/class/scsi_host/host*/modeldesc
    Example output
    Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter
    Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter
  3. Verify that you are using the recommended Emulex host bus adapter (HBA) firmware versions:

    cat /sys/class/scsi_host/host*/fwrev
    Example output
    14.2.673.40, sli-4:2:c
    14.2.673.40, sli-4:2:c
  4. Verify that you are using the recommended LPFC driver version:

    cat /sys/module/lpfc/version
    Example output
    0:14.4.0.1
  5. Verify that you can view your initiator ports:

    cat /sys/class/fc_host/host*/port_name
    Example output
    0x10000090fae0ec88
    0x10000090fae0ec89
  6. Verify that your initiator ports are online:

    cat /sys/class/fc_host/host*/port_state
    Example output
    Online
    Online
  7. Verify that the NVMe/FC initiator ports are enabled and that the target ports are visible:

    cat /sys/class/scsi_host/host*/nvme_info

    In the following example, one initiator port is enabled and connected with two target LIFs.

    Show example output
    NVME Initiator Enabled
    XRI Dist lpfc0 Total 6144 IO 5894 ELS 250
    NVME LPORT lpfc0 WWPN x10000090fae0ec88 WWNN x20000090fae0ec88 DID x0a1300 ONLINE
    NVME RPORT WWPN x2070d039ea359e4a WWNN x206bd039ea359e4a DID x0a0a05 TARGET DISCSRVC
    ONLINE
    NVME Statistics
    LS: Xmt 00000003ba Cmpl 00000003ba Abort 00000000
    LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000
    Total FCP Cmpl 0000000014e3dfb8 Issue 0000000014e308db OutIO ffffffffffff2923
     abort 00000845 noxri 00000000 nondlp 00000063 qdepth 00000000 wqerr 00000003 err 00000000
    FCP CMPL: xb 00000847 Err 00027f33
    NVME Initiator Enabled
    XRI Dist lpfc1 Total 6144 IO 5894 ELS 250
    NVME LPORT lpfc1 WWPN x10000090fae0ec89 WWNN x20000090fae0ec89 DID x0a1200 ONLINE
    NVME RPORT WWPN x2071d039ea359e4a WWNN x206bd039ea359e4a DID x0a0305 TARGET DISCSRVC
    ONLINE
    NVME Statistics
    LS: Xmt 00000003ba Cmpl 00000003ba Abort 00000000
    LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000
    Total FCP Cmpl 0000000014e39f78 Issue 0000000014e2b832 OutIO ffffffffffff18ba
     abort 0000082d noxri 00000000 nondlp 00000028 qdepth 00000000 wqerr 00000007 err 00000000
    FCP CMPL: xb 0000082d Err 000283bb
Marvell/QLogic

The native inbox qla2xxx driver included in the SUSE Linux Enterprise Server 15 SP6 kernel has the latest fixes. These fixes are essential for ONTAP support.

Configure NVMe/FC for a Marvell/QLogic adapter.

Steps
  1. Verify that you are running the supported adapter driver and firmware versions:

    cat /sys/class/fc_host/host*/symbolic_name
    Example output
    QLE2742 FW:v9.14.01 DVR: v10.02.09.200-k
    QLE2742 FW:v9.14.01 DVR: v10.02.09.200-k
  2. Verify that the ql2xnvmeenable parameter is set to 1:

    cat /sys/module/qla2xxx/parameters/ql2xnvmeenable

    The expected value is 1.

Enable 1MB I/O size (Optional)

ONTAP reports an MDTS (Max Data Transfer Size) of 8 in the Identify Controller data. This means the maximum I/O request size can be up to 1MB. To issue I/O requests of size 1 MB for a Broadcom NVMe/FC host, you should increase the lpfc value of the lpfc_sg_seg_cnt parameter to 256 from the default value of 64.

Note These steps don't apply to Qlogic NVMe/FC hosts.
Steps
  1. Set the lpfc_sg_seg_cnt parameter to 256:

    cat /etc/modprobe.d/lpfc.conf
    options lpfc lpfc_sg_seg_cnt=256
  2. Run the dracut -f command, and reboot the host.

  3. Verify that the expected value of lpfc_sg_seg_cnt is 256:

    cat /sys/module/lpfc/parameters/lpfc_sg_seg_cnt

Verify NVMe services

Beginning with SUSE Linux Enterprise Server 15 SP6, the nvmefc-boot-connections.service and nvmf-autoconnect.service boot services included in the NVMe/FC nvme-cli package are automatically enabled to start during the system boot. After the system boot completes, you should verify that the boot services have been enabled.

Steps
  1. Verify that nvmf-autoconnect.service is enabled:

    # systemctl status nvmf-autoconnect.service

    Show example output
    nvmf-autoconnect.service - Connect NVMe-oF subsystems automatically during boot
      Loaded: loaded (/usr/lib/systemd/system/nvmf-autoconnect.service; enabled; vendor preset: disabled)
      Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago
    Process: 2108 ExecStartPre=/sbin/modprobe nvme-fabrics (code=exited, status=0/SUCCESS)
    Process: 2114 ExecStart=/usr/sbin/nvme connect-all (code=exited, status=0/SUCCESS)
    Main PID: 2114 (code=exited, status=0/SUCCESS)
    
    systemd[1]: Starting Connect NVMe-oF subsystems automatically during boot...
    nvme[2114]: traddr=nn-0x201700a098fd4ca6:pn-0x201800a098fd4ca6 is already connected
    systemd[1]: nvmf-autoconnect.service: Deactivated successfully.
    systemd[1]: Finished Connect NVMe-oF subsystems automatically during boot.
  2. Verify that nvmefc-boot-connections.service is enabled:

    # systemctl status nvmefc-boot-connections.service

    Show example output
    nvmefc-boot-connections.service - Auto-connect to subsystems on FC-NVME devices found during boot
       Loaded: loaded (/usr/lib/systemd/system/nvmefc-boot-connections.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago
     Main PID: 1647 (code=exited, status=0/SUCCESS)
    
    systemd[1]: Starting Auto-connect to subsystems on FC-NVME devices found during boot...
    systemd[1]: nvmefc-boot-connections.service: Succeeded.
    systemd[1]: Finished Auto-connect to subsystems on FC-NVME devices found during boot.

Configure NVMe/TCP

NVMe/TCP doesn't have an auto-connect functionality. Instead, you can discover the NVMe/TCP subsystems and namespaces by performing the NVMe/TCP connect or connect-all operations manually.

Steps
  1. Verify that the initiator port can fetch the discovery log page data across the supported NVMe/TCP LIFs:

    nvme discover -t tcp -w <host-traddr> -a <traddr>
    Show example output
    Discovery Log Number of Records 8, Generation counter 18
    =====Discovery Log Entry 0======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 4
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.211.67
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 1======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 2
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.111.67
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 2======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 3
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.211.66
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 3======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 1
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.111.66
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 4======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 4
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.211.67
    eflags: none
    sectype: none
    =====Discovery Log Entry 5======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 2
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.111.67
    eflags: none
    sectype: none
    =====Discovery Log Entry 6======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 3
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.211.66
    eflags: none
    sectype: none
    =====Discovery Log Entry 7======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 1
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.111.66
    eflags: none
    sectype: none
  2. Verify that all other NVMe/TCP initiator-target LIF combinations can successfully fetch discovery log page data:

    nvme discover -t tcp -w <host-traddr> -a <traddr>
    Example output
    #nvme discover -t tcp -w 192.168.111.79 -a 192.168.111.66
    #nvme discover -t tcp -w 192.168.111.79 -a 192.168.111.67
    #nvme discover -t tcp -w 192.168.211.79 -a 192.168.211.66
    #nvme discover -t tcp -w 192.168.211.79 -a 192.168.211.67
  3. Run the nvme connect-all command across all the supported NVMe/TCP initiator-target LIFs across the nodes:

    nvme connect-all -t tcp -w <host-traddr> -a <traddr>
    Example output
    # nvme connect-all -t tcp -w 192.168.111.79 -a 192.168.111.66
    # nvme connect-all -t tcp -w 192.168.111.79 -a 192.168.111.67
    # nvme connect-all -t tcp -w 192.168.211.79 -a 192.168.211.66
    # nvme connect-all -t tcp -w 192.168.211.79 -a 192.168.211.67
    Note Beginning with SUSE Linux Enterprise Server 15 SP6, the default setting for the NVMe/TCP ctrl-loss-tmo timeout is turned off. This means there is no limit on the number of retries (indefinite retry), and you don't need to manually configure a specific ctrl-loss-tmo timeout duration when using the nvme connect or nvme connect-all commands (option -l). Additonally, the NVMe/TCP controllers don't experience timeouts in the event of a path failure and remain connected indefinitely.

Validate NVMe-oF

Use the following procedure to validate NVMe-oF for a SUSE Linux Enterprise Server 15 SP6 with ONTAP configuration.

Steps
  1. Verify that in-kernel NVMe multipath is enabled:

    cat /sys/module/nvme_core/parameters/multipath

    The expected value is "Y".

  2. Verify that the host has the correct controller model for the ONTAP NVMe namespaces:

    cat /sys/class/nvme-subsystem/nvme-subsys*/model
    Example output
    NetApp ONTAP Controller
    NetApp ONTAP Controller
  3. Verify the NVMe I/O policy for the respective ONTAP NVMe I/O controller:

    cat /sys/class/nvme-subsystem/nvme-subsys*/iopolicy
    Example output
    round-robin
    round-robin
  4. Verify that the ONTAP namespaces are visible to the host:

    nvme list -v
    Show example output
    Subsystem        Subsystem-NQN                                                                         Controllers
    ---------------- ------------------------------------------------------------------------------------- ---------------------
    nvme-subsys0     nqn.1992- 08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhcha p  nvme0, nvme1, nvme2, nvme3
    
    Device   SN                   MN                                       FR       TxPort Asdress        Subsystem    Namespaces
    -------- -------------------- ---------------------------------------- -------- ---------------------------------------------
    nvme0    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.111.66,trsvcid=4420,host_traddr=192.168.111.79 nvme-subsys0 nvme0n1
    nvme1    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.111.67,trsvcid=4420,host_traddr=192.168.111.79 nvme-subsys0 nvme0n1
    nvme2    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.211.66,trsvcid=4420,host_traddr=192.168.211.79 nvme-subsys0 nvme0n1
    nvme3    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.211.67,trsvcid=4420,host_traddr=192.168.211.79 nvme-subsys0 nvme0n1
    Device        Generic     NSID       Usage                 Format         Controllers
    ------------ ------------ ---------- -------------------------------------------------------------
    /dev/nvme0n1 /dev/ng0n1   0x1     1.07  GB /   1.07  GB    4 KiB +  0 B   nvme0, nvme1, nvme2, nvme3
  5. Verify that the controller state of each path is live and has the correct ANA status:

    nvme list-subsys /dev/<subsystem_name>
    NVMe/FC
    nvme list-subsys /dev/nvme2n1
    Show example output
    nvme-subsys2 - NQN=nqn.1992-
    08.com.netapp:sn.06303c519d8411eea468d039ea36a106:subs
    ystem.nvme
     hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-
    0056-5410-8048-c6c04f425633
     iopolicy=round-robin
    \
    +- nvme4 fc traddr=nn-0x208fd039ea359e4a:pn-0x210dd039ea359e4a,host_traddr=nn-0x2000f4c7aa0cd7ab:pn-0x2100f4c7aa0cd7ab live optimized
    +- nvme6 fc traddr=nn-0x208fd039ea359e4a:pn-0x210ad039ea359e4a,host_traddr=nn-0x2000f4c7aa0cd7aa:pn-0x2100f4c7aa0cd7aa live optimized
    NVMe/TCP
    nvme list-subsys
    Show example output
    nvme-subsys1 - NQN=nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
     hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33
     iopolicy=round-robin
    \
    +- nvme4 tcp traddr=192.168.111.66,trsvcid=4420,host_traddr=192.168.111.79,src_addr=192.168.111.79 live
    +- nvme3 tcp traddr=192.168.211.66,trsvcid=4420,host_traddr=192.168.211.79,src_addr=192.168.111.79 live
    +- nvme2 tcp traddr=192.168.111.67,trsvcid=4420,host_traddr=192.168.111.79,src_addr=192.168.111.79 live
    +- nvme1 tcp traddr=192.168.211.67,trsvcid=4420,host_traddr=192.168.211.79,src_addr=192.168.111.79 live
  6. Verify that the NetApp plug-in displays the correct values for each ONTAP namespace device:

    Column
    nvme netapp ontapdevices -o column
    Example output
    Device           Vserver    Namespace Path                       NSID UUID                                   Size
    ---------------- ---------- ------------------------------------ ------------------------------------------- --------
    /dev/nvme0n1     vs_192     /vol/fcnvme_vol_1_1_0/fcnvme_ns      1    c6586535-da8a-40fa-8c20-759ea0d69d33   20GB
    JSON
    nvme netapp ontapdevices -o json
    Show example output
    {
    "ONTAPdevices":[
    {
    "Device":"/dev/nvme0n1",
    "Vserver":"vs_192",
    "Namespace_Path":"/vol/fcnvme_vol_1_1_0/fcnvme_ns",
    "NSID":1,
    "UUID":"c6586535-da8a-40fa-8c20-759ea0d69d33",
    "Size":"20GB",
    "LBA_Data_Size":4096,
    "Namespace_Size":262144
    }
    ]
    }

Create a persistent discovery controller

Beginning with ONTAP 9.11.1, you can create a persistent discovery controller (PDC) for a SUSE Linux Enterprise Server 15 SP6 host. A PDC is required to automatically detect an NVMe subsystem add or remove operation and changes to the discovery log page data.

Steps
  1. Verify that the discovery log page data is available and can be retrieved through the initiator port and target LIF combination:

    nvme discover -t <trtype> -w <host-traddr> -a <traddr>
    Show example output
    Discovery Log Number of Records 8, Generation counter 18
    =====Discovery Log Entry 0======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 4
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.211.67
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 1======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 2
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.111.67
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 2======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 3
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.211.66
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 3======
    trtype: tcp
    adrfam: ipv4
    subtype: current discovery subsystem
    treq: not specified
    portid: 1
    trsvcid: 8009
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
    traddr: 192.168.111.66
    eflags: explicit discovery connections, duplicate discovery information
    sectype: none
    =====Discovery Log Entry 4======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 4
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.211.67
    eflags: none
    sectype: none
    =====Discovery Log Entry 5======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 2
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.111.67
    eflags: none
    sectype: none
    =====Discovery Log Entry 6======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 3
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.211.66
    eflags: none
    sectype: none
    =====Discovery Log Entry 7======
    trtype: tcp
    adrfam: ipv4
    subtype: nvme subsystem
    treq: not specified
    portid: 1
    trsvcid: 4420
    subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
    traddr: 192.168.111.66
    eflags: none
    sectype: none
  2. Create a PDC for the discovery subsystem:

    nvme discover -t <trtype> -w <host-traddr> -a <traddr> -p
    Example output
    nvme discover -t tcp -w 192.168.111.79 -a 192.168.111.666 -p
  3. From the ONTAP controller, verify that the PDC has been created:

    vserver nvme show-discovery-controller -instance -vserver <vserver_name>
    Show example output
    vserver nvme show-discovery-controller -instance -vserver vs_nvme79
    Vserver Name: vs_CLIENT116 Controller ID: 00C0h
    Discovery Subsystem NQN: nqn.1992-
    08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery Logical Interface UUID: d23cbb0a-c0a6-11ec-9731-d039ea165abc Logical Interface:
    CLIENT116_lif_4a_1
    Node: A400-14-124
    Host NQN: nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc
    Transport Protocol: nvme-tcp
    Initiator Transport Address: 192.168.1.16
    Host Identifier: 59de25be738348f08a79df4bce9573f3 Admin Queue Depth: 32
    Header Digest Enabled: false Data Digest Enabled: false
    Vserver UUID: 48391d66-c0a6-11ec-aaa5-d039ea165514

Set up secure in-band authentication

Beginning with ONTAP 9.12.1, secure in-band authentication is supported over NVMe/TCP and NVMe/FC between a SUSE Linux Enterprise Server 15 SP6 host and an ONTAP controller.

To set up secure authentication, each host or controller must be associated with a DH-HMAC-CHAP key, which is a combination of the NQN of the NVMe host or controller and an authentication secret configured by the administrator. To authenticate its peer, an NVMe host or controller must recognize the key associated with the peer.

You can set up secure in-band authentication using the CLI or a config JSON file. If you need to specify different dhchap keys for different subsystems, you must use a config JSON file.

CLI

Set up secure in-band authentication using the CLI.

Steps
  1. Obtain the host NQN:

    cat /etc/nvme/hostnqn
  2. Generate the dhchap key for the SUSE Linux Enterprise Server 15 SP6 host.

    The following output describes the gen-dhchap-key command paramters:

    nvme gen-dhchap-key -s optional_secret -l key_length {32|48|64} -m HMAC_function {0|1|2|3} -n host_nqn
    •	-s secret key in hexadecimal characters to be used to initialize the host key
    •	-l length of the resulting key in bytes
    •	-m HMAC function to use for key transformation
    0 = none, 1- SHA-256, 2 = SHA-384, 3=SHA-512
    •	-n host NQN to use for key transformation

    In the following example, a random dhchap key with HMAC set to 3 (SHA-512) is generated.

    # nvme gen-dhchap-key -m 3 -n nqn.2014-08.org.nvmexpress:uuid:d3ca725a- ac8d-4d88-b46a-174ac235139b
    DHHC-1:03:J2UJQfj9f0pLnpF/ASDJRTyILKJRr5CougGpGdQSysPrLu6RW1fGl5VSjbeDF1n1DEh3nVBe19nQ/LxreSBeH/bx/pU=:
  3. On the ONTAP controller, add the host and specify both dhchap keys:

    vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function {sha-256|sha-512} -dhchap-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit}
  4. A host supports two types of authentication methods, unidirectional and bidirectional. On the host, connect to the ONTAP controller and specify dhchap keys based on the chosen authentication method:

    nvme connect -t tcp -w <host-traddr> -a <tr-addr> -n <host_nqn> -S <authentication_host_secret> -C <authentication_controller_secret>
  5. Validate the nvme connect authentication command by verifying the host and controller dhchap keys:

    1. Verify the host dhchap keys:

      cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_secret
      Show example output for a unidirectional configuration
      # cat /sys/class/nvme-subsystem/nvme-subsys1/nvme*/dhchap_secret
      DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
      DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
      DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
      DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
    2. Verify the controller dhchap keys:

      cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_ctrl_secret
      Show example output for a bidirectional configuration
      # cat /sys/class/nvme-subsystem/nvme-subsys6/nvme*/dhchap_ctrl_secret
      DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
      DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
      DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
      DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
JSON file

When multiple NVMe subsystems are available on the ONTAP controller configuration, you can use the /etc/nvme/config.json file with the nvme connect-all command.

To generate the JSON file, you can use the -o option. See the NVMe connect-all manual pages for more syntax options.

Steps
  1. Configure the JSON file:

    Show example output
    # cat /etc/nvme/config.json
    [
     {
        "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc",
        "hostid":"3ae10b42-21af-48ce-a40b-cfb5bad81839",
        "dhchap_key":"DHHC-1:03:Cu3ZZfIz1WMlqZFnCMqpAgn/T6EVOcIFHez215U+Pow8jTgBF2UbNk3DK4wfk2EptWpna1rpwG5CndpOgxpRxh9m41w=:"
     },
     {
        "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc",
        "subsystems":[
            {
                "nqn":"nqn.1992-08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIENT116",
                "ports":[
                   {
                        "transport":"tcp",
                        "traddr":" 192.168.111.66 ",
                        "host_traddr":" 192.168.111.79",
                        "trsvcid":"4420",
                        "dhchap_ctrl_key":"DHHC-
    1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
                   },
                   {
                        "transport":"tcp",
                        "traddr":" 192.168.111.66 ",
                        "host_traddr":" 192.168.111.79",
                        "trsvcid":"4420",
                        "dhchap_ctrl_key":"DHHC-
    1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
                   },
                   {
                        "transport":"tcp",
                       "traddr":" 192.168.111.66 ",
                        "host_traddr":" 192.168.111.79",
                        "trsvcid":"4420",
                        "dhchap_ctrl_key":"DHHC-
    1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
                   },
                   {
                        "transport":"tcp",
                        "traddr":" 192.168.111.66 ",
                        "host_traddr":" 192.168.111.79",
                        "trsvcid":"4420",
                        "dhchap_ctrl_key":"DHHC-
    1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
                   }
               ]
           }
       ]
     }
    ]

    +

    Note In the preceding example, dhchap_key corresponds to dhchap_secret and dhchap_ctrl_key corresponds to dhchap_ctrl_secret.
  2. Connect to the ONTAP controller using the config JSON file:

    # nvme connect-all -J /etc/nvme/config.json
    Show example output
    traddr=192.168.111.66 is already connected
    traddr=192.168.211.66 is already connected
    traddr=192.168.111.66 is already connected
    traddr=192.168.211.66 is already connected
    traddr=192.168.111.66 is already connected
    traddr=192.168.211.66 is already connected
    traddr=192.168.111.67 is already connected
    traddr=192.168.211.67 is already connected
    traddr=192.168.111.67 is already connected
    traddr=192.168.211.67 is already connected
    traddr=192.168.111.67 is already connected
    traddr=192.168.111.67 is already connected
  3. Verify that the dhchap secrets have been enabled for the respective controllers for each subsystem:

    1. Verify the host dhchap keys:

      # cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_secret
      Example output
      DHHC-1:01:NunEWY7AZlXqxITGheByarwZdQvU4ebZg9HOjIr6nOHEkxJg:
    2. Verify the controller dhchap keys:

      # cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_ctrl_secret
      Example output
      DHHC-
      1:03:2YJinsxa2v3+m8qqCiTnmgBZoH6mIT6G/6f0aGO8viVZB4VLNLH4z8CvK7pVYxN6S5fOAtaU3DNi12rieRMfdbg3704=:

Configure Transport Layer Security

Transport Layer Security (TLS) provides secure end-to-end encryption for NVMe connections between NVMe-oF hosts and an ONTAP array. Beginning with ONTAP 9.16.1, you can configure TLS 1.3 using the CLI and a configured pre-shared key (PSK).

About this task

You perform the steps in this procedure on the SUSE Linux Enterprise Server 15 SP6 host, except where it specifies that you perform a step on the ONTAP controller.

Steps
  1. Check that you have the following ktls-utils, openssl, and libopenssl packages installed on the host:

    1. rpm -qa | grep ktls

      Example output
      ktls-utils-0.10+12.gc3923f7-150600.1.2.x86_64
    2. rpm -qa | grep ssl

      Example output
      openssl-3-3.1.4-150600.5.7.1.x86_64
      libopenssl1_1-1.1.1w-150600.5.3.1.x86_64
      libopenssl3-3.1.4-150600.5.7.1.x86_64
  2. Verify that you have the correct setup for /etc/tlshd.conf:

    # cat /etc/tlshd.conf
    Show example output
    [debug]
    loglevel=0
    tls=0
    nl=0
    [authenticate]
    keyrings=.nvme
    [authenticate.client]
    #x509.truststore= <pathname>
    #x509.certificate= <pathname>
    #x509.private_key= <pathname>
    [authenticate.server]
    #x509.truststore= <pathname>
    #x509.certificate= <pathname>
    #x509.private_key= <pathname>
  3. Enable tlshd to start at system boot:

    # systemctl enable tlshd
  4. Verify that the tlshd daemon is running:

    # systemctl status tlshd
    Show example output
    tlshd.service - Handshake service for kernel TLS consumers
       Loaded: loaded (/usr/lib/systemd/system/tlshd.service; enabled; preset: disabled)
       Active: active (running) since Wed 2024-08-21 15:46:53 IST; 4h 57min ago
         Docs: man:tlshd(8)
    Main PID: 961 (tlshd)
       Tasks: 1
         CPU: 46ms
       CGroup: /system.slice/tlshd.service
           └─961 /usr/sbin/tlshd
    Aug 21 15:46:54 RX2530-M4-17-153 tlshd[961]: Built from ktls-utils 0.11-dev on Mar 21 2024 12:00:00
  5. Generate the TLS PSK by using the nvme gen-tls-key:

    1. # cat /etc/nvme/hostnqn

      Example output
      nqn.2014-08.org.nvmexpress:uuid:e58eca24-faff-11ea-8fee-3a68dd3b5c5f
    2. # nvme gen-tls-key --hmac=1 --identity=1 --subsysnqn=nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15

      Example output
      NVMeTLSkey-1:01:dNcby017axByCko8GivzOO9zGlgHDXJCN6KLzvYoA+NpT1uD:
  6. On the ONTAP controller, add the TLS PSK to the ONTAP subsystem:

    # nvme subsystem host add -vserver sles15_tls -subsystem sles15 -host-nqn nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc -tls-configured-psk NVMeTLSkey-1:01:dNcby017axByCko8GivzOO9zGlgHDXJCN6KLzvYoA+NpT1uD:
  7. Insert the TLS PSK into the host kernel keyring:

    # nvme check-tls-key --identity=1 --subsysnqn=nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bf --keydata=NVMeTLSkey-1:01:dNcby017axByCko8GivzOO9zGlgHDXJCN6KLzvYoA+NpT1uD: --insert
    Example output
    Inserted TLS key 22152a7e
    Note The PSK shows as "NVMe1R01" because it uses "identity v1" from the TLS handshake algorithm. Identity v1 is the only version that ONTAP supports.
  8. Verify that the TLS PSK is inserted correctly:

    # cat /proc/keys | grep NVMe
    Example output
    22152a7e I--Q---     1 perm 3b010000     0     0 psk       NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15 UoP9dEfvuCUzzpS0DYxnshKDapZYmvA0/RJJ8JAqmAo=: 32
  9. Connect to the ONTAP subsystem using the inserted TLS PSK:

    1. # nvme connect -t tcp -w 20.20.10.80 -a 20.20.10.14 -n nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15 --tls_key=0x22152a7e --tls

      Example output
      connecting to device: nvme0
    2. # nvme list-subsys

      Example output
      nvme-subsys0 - NQN=nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15
                     hostnqn=nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc
                     iopolicy=round-robin
      \
       +- nvme0 tcp traddr=20.20.10.14,trsvcid=4420,host_traddr=20.20.10.80,src_addr=20.20.10.80 live
  10. Add the target, and verify the TLS connection to the specified ONTAP subsystem:

    # nvme subsystem controller show -vserver sles15_tls -subsystem sles15 -instance

    Show example output
      (vserver nvme subsystem controller show)
                           Vserver Name: sles15_tls
                              Subsystem: sles15
                          Controller ID: 0040h
                      Logical Interface: sles15t_e1a_1
                                   Node: A900-17-174
                               Host NQN: nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc
                     Transport Protocol: nvme-tcp
            Initiator Transport Address: 20.20.10.80
                        Host Identifier: ffa0c815e28b4bb18d4c7c6d5e610bfc
                   Number of I/O Queues: 4
                       I/O Queue Depths: 128, 128, 128, 128
                      Admin Queue Depth: 32
                  Max I/O Size in Bytes: 1048576
              Keep-Alive Timeout (msec): 5000
                           Vserver UUID: 1d59a6b2-416b-11ef-9ed5-d039ea50acb3
                         Subsystem UUID: 9b81e3c5-5037-11ef-8a90-d039ea50ac83
                 Logical Interface UUID: 8185dcac-5035-11ef-8abb-d039ea50acb3
                  Header Digest Enabled: false
                    Data Digest Enabled: false
           Authentication Hash Function: -
    Authentication Diffie-Hellman Group: -
                    Authentication Mode: none
           Transport Service Identifier: 4420
                           TLS Key Type: configured
                       TLS PSK Identity: NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15 UoP9dEfvuCUzzpS0DYxnshKDapZYmvA0/RJJ8JAqmAo=
                             TLS Cipher: TLS-AES-128-GCM-SHA256

Known issues

There are no known issues for the SUSE Linux Enterprise Server 15 SP6 with ONTAP release.