Skip to main content

Secure an ONTAP Select deployment

Contributors netapp-cgoff dmp-netapp netapp-pcarriga

There are several related tasks you can perform as part of securing an ONTAP Select deployment.

Change the Deploy administrator password

You can change the password for the Deploy virtual machine administrator account as needed using the web user interface.

Steps
  1. Sign in to the Deploy utility web user interface using the administrator account.

  2. Click the figure icon at the top right of the page and select Change Password.

  3. Provide the current and new password as prompted and click Submit.

Add a management server account

You can add a management server account to the Deploy credential store database.

Before you begin

You should be familiar with the types of credentials and how they are used by ONTAP Select Deploy.

Steps
  1. Sign in to the Deploy utility web user interface using the administrator account.

  2. Click the Administration tab at the top of the page.

  3. Click Management Servers and then click Add vCenter.

  4. Enter the following information and click Add.

    In this field … Do the following …

    Name/IP Address

    Provide the domain name or IP address of the vCenter server.

    Username

    Enter the account user name to access vCenter.

    Password

    Enter the password for the associated user name.

  5. After the new management server is added, you can optionally click Options and select one of the following:

    • Update credentials

    • Verify credentials

    • Remove management server

Configure MFA

Beginning with ONTAP Select 9.13.1, multifactor authentication (MFA) is supported for the ONTAP Select Deploy administrator account:

ONTAP Select Deploy CLI MFA login using YubiKey PIV or FIDO2 authentication

YubiKey PIV

Configure the YubiKey PIN and generate or import the Remote Support Agent (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) private key and certificate with the steps in TR-4647: Multifactor authentication in ONTAP.

  • For Windows: The YubiKey PIV Client configuration for Windows section of the technical report.

  • For MacOS: The YubiKey PIV client configuration For MAC OS and Linux section of the technical report.

FIDO2

If you choose to opt for YubiKey FIDO2 authentication, configure the YubiKey FIDO2 PIN using the YubiKey Manager and generate the FIDO2 key with a PuTTY-CAC (Common Access Card) for Windows or ssh-keygen for MacOS. The steps to do this are in the technical report TR-4647: Multifactor authentication in ONTAP.

  • For Windows: The YubiKey FIDO2 client configuration for Windows section of the technical report.

  • For MacOS: The YubiKey FIDO2 client configuration For Mac OS and Linux section of the technical report.

Obtain the YubiKey PIV or FIDO2 public key

Obtaining the public key depends on whether you're a Windows or MacOS client, and if you are using PIV or FIDO2.

For Windows:
  • Export the PIV public key using the Copy to Clipboard feature under SSH → Certificate as described in the section Configuring the Windows PuTTY-CAC SSH Client for YubiKey PIV Authentication on page 16 of TR-4647.

  • Export the FIDO2 public key using the Copy to Clipboard feature under SSH → Certificate as described in the section Configuring the Windows PuTTY-CAC SSH Client for YubiKey FIDO2 Authentication on page 30 of TR-4647.

For MacOS:
  • The PIV public key should be exported using the ssh-keygen -e command as described in the section Configure the Mac OS or Linux SSH Client for YubiKey PIV authentication on page 24 of TR-4647.

  • The FIDO2 public key is in the id_ecdsa_sk.pub file or id_edd519_sk.pub file, depending on whether you use ECDSA or EDD519, as described in the section Configure the MAC OS or Linux SSH client for YubiKey FIDO2 authentication on page 39 of TR-4647.

Configure the public key in ONTAP Select Deploy

SSH is used by the administrator account for the public key authentication method. The command used is the same whether the authentication method is the standard SSH public key authentication or YubiKey PIV or FIDO2 authentication.

For hardware-based SSH MFA, the authentication factors in addition to the public key configured on ONTAP Select Deploy are as follows:

  • The PIV or FIDO2 PIN

  • Possession of the YubiKey hardware device. For FIDO2, this is confirmed by physically touching the YubiKey during the authentication process.

Before you begin

Set the PIV or FIDO2 public key which is configured for the YubiKey. The ONTAP Select Deploy CLI command security publickey add -key is the same for PIV or FIDO2 and the public key string is different.

The public key is obtained from:

  • The Copy to Clipboard function for PuTTY-CAC for PIV and FIDO2 (Windows)

  • Exporting the public key in an SSH compatible format using the ssh-keygen -e command for PIV

  • The public key file located in the ~/.ssh/id_***_sk.pub file for FIDO2 (MacOS)

Steps
  1. Find the generated key in the .ssh/id_***.pub file.

  2. Add the generated key to ONTAP Select Deploy using the security publickey add -key <key> command.

    (ONTAPdeploy) security publickey add -key "ssh-rsa <key> user@netapp.com"
  3. Enable MFA Authentication with the security multifactor authentication enable command.

    (ONTAPdeploy) security multifactor authentication enable
    MFA enabled Successfully

Log in to ONTAP Select Deploy using YubiKey PIV Authentication over SSH

You can log in to ONTAP Select Deploy using YubiKey PIV Authentication over SSH.

Steps
  1. After the YubiKey token, the SSH client, and ONTAP Select Deploy are configured, you can use MFA YubiKey PIV authentication over SSH.

  2. Log in to ONTAP Select Deploy. If you are using the Windows PuTTY-CAC SSH client, a dialog will pop-up prompting you to enter your YubiKey PIN.

  3. Log in from your device with the YubiKey connected.

Example output
login as: admin
Authenticating with public key "<public_key>"
Further authentication required
<admin>'s password:

NetApp ONTAP Select Deploy Utility.
Copyright (C) NetApp Inc.
All rights reserved.

Version: NetApp Release 9.13.1 Build:6811765 08-17-2023 03:08:09

(ONTAPdeploy)

ONTAP Select Deploy CLI MFA login using ssh-keygen

The ssh-keygen command is a tool for creating new authentication key pairs for SSH. The key pairs are used for automating logins, single sign-on, and for authenticating hosts.

The ssh-keygen command supports several public key algorithms for authentication keys.

  • The algorithm is selected with the -t option

  • The key size is selected with the -b option

Example output
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
ssh-keygen -t ecdsa
Steps
  1. Find the generated key in the .ssh/id_***.pub file.

  2. Add the generated key to ONTAP Select Deploy using the security publickey add -key <key> command.

    (ONTAPdeploy) security publickey add -key "ssh-rsa <key> user@netapp.com"
  3. Enable MFA Authentication with the security multifactor authentication enable command.

    (ONTAPdeploy) security multifactor authentication enable
    MFA enabled Successfully
  4. Log in to the ONTAP Select Deploy system after enabling MFA. You should receive an output similar to the following example.

    [<user ID> ~]$ ssh <admin>
    Authenticated with partial success.
    <admin>'s password:
    
    NetApp ONTAP Select Deploy Utility.
    Copyright (C) NetApp Inc.
    All rights reserved.
    
    Version: NetApp Release 9.13.1 Build:6811765 08-17-2023 03:08:09
    
    (ONTAPdeploy)

Migrate from MFA to single-factor authentication

MFA can be disabled for the Deploy administrator account using the following methods:

  • If you can log in to the Deploy CLI as an administrator using Secure Shell (SSH), disable MFA by running the security multifactor authentication disable command from the Deploy CLI.

    (ONTAPdeploy) security multifactor authentication disable
    MFA disabled Successfully
  • If you cannot log in to the Deploy CLI as an administrator using SSH:

    1. Connect to the Deploy virtual machine (VM) video console through vCenter or vSphere.

    2. Log in to the Deploy CLI using the administrator account.

    3. Run the security multifactor authentication disable command.

      Debian GNU/Linux 11 <user ID> tty1
      
      <hostname> login: admin
      Password:
      
      NetApp ONTAP Select Deploy Utility.
      Copyright (C) NetApp Inc.
      All rights reserved.
      
      Version: NetApp Release 9.13.1 Build:6811765 08-17-2023 03:08:09
      
      (ONTAPdeploy) security multifactor authentication disable
      MFA disabled successfully
      
      (ONTAPdeploy)
  • The administrator can delete the public key with:
    security publickey delete -key