Skip to main content

Worksheets for administrator authentication and RBAC configuration

Contributors netapp-mwallis netapp-thomi netapp-aoife netapp-forry netapp-aherbin netapp-ahibbard

Before creating login accounts and setting up role-based access control (RBAC), you should gather information for each item in the configuration worksheets.

Create or modify login accounts

You provide these values with the security login create command when you enable login accounts to access a storage VM. You provide the same values with the security login modify command when you modify how an account accesses a storage VM.

Field

Description

Your value

-vserver

The name of the storage VM that the account accesses. The default value is the name of the admin storage VM for the cluster.

-user-or-group-name

The user name or group name of the account. Specifying a group name enables access to each user in the group. You can associate a user name or group name with multiple applications.

-application

The application that is used to access the storage VM:

  • http

  • ontapi

  • snmp

  • ssh

-authmethod

The method that is used to authenticate the account:

  • cert for SSL certificate authentication

  • domain for Active Directory authentication

  • nsswitch for LDAP or NIS authentication

  • password for user password authentication

  • publickey for public key authentication

  • community for SNMP community strings

  • usm for SNMP user security model

  • saml for Security Assertion Markup Language (SAML) authentication

-remote-switch-ipaddress

The IP address of the remote switch. The remote switch can be a cluster switch monitored by the cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by the MetroCluster health monitor (MCC-HM). This option is applicable only when the application is snmp and the authentication method is usm.

-role

The access control role that is assigned to the account:

  • For the cluster (the admin storage VM), the default value is admin.

  • For a data storage VM, the default value is vsadmin.

-comment

(Optional) Descriptive text for the account. You should enclose the text in double quotation marks (").

-is-ns-switch-group

Whether the account is an LDAP group account or NIS group account (yes or no).

-second-authentication-method

Second authentication method in case of multifactor authentication:

  • none if not using multifactor authentication, default value

  • publickey for public key authentication when the authmethod is password or nsswitch

  • password for user password authentication when the authmethod is public key

  • nsswitch for user password authentication when the authmethod is publickey

The order of authentication is always the public key followed by the password.

-is-ldap-fastbind

Beginning with ONTAP 9.11.1, when set to true, enables LDAP fast bind for nsswitch authentication; the default is false. To use LDAP fast bind, the -authentication-method value must be set to nsswitch. Learn about LDAP fastbind for nsswitch authentication.

Configure Cisco Duo security information

You provide these values with the security login duo create command when you enable Cisco Duo two-factor authentication with SSH logins for a storage VM.

Field

Description

Your value

-vserver

The storage VM (referred to as a vserver in the ONTAP CLI) to which the Duo authentication settings apply.

-integration-key

Your integration key, obtained when registering your SSH application with Duo.

-secret-key

Your secret key, obtained when registering your SSH application with Duo.

-api-host

The API hostname, obtained when registering your SSH application with Duo. For example:

api-<HOSTNAME>.duosecurity.com

-fail-mode

On service or configuration errors that prevent Duo authentication, fail safe (allow access) or secure (deny access). The default is safe, which means that Duo authentication is bypassed if it fails due to errors such as the Duo API server being inaccessible.

-http-proxy

Use the specified HTTP proxy. If the HTTP proxy requires authentication, include the credentials in the proxy URL. For example:

http-proxy=http://username:password@proxy.example.org:8080

-autopush

Either true or false. Default is false. If true, Duo automatically sends a push login request to the user's phone, reverting to a phone call if push is unavailable. Note that this effectively disables passcode authentication. If false, the user is prompted to choose an authentication method.

When configured with autopush = true, we recommend setting max-prompts = 1.

-max-prompts

If a user fails to authenticate with a second factor, Duo prompts the user to authenticate again. This option sets the maximum number of prompts that Duo displays before denying access. Must be 1, 2, or 3. The default value is 1.

For example, when max-prompts = 1, the user needs to successfully authenticate on the first prompt, whereas if max-prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again.

When configured with autopush = true, we recommend setting max-prompts = 1.

For the best experience, a user with only publickey authentication will always have max-prompts set to 1.

-enabled

Enable Duo two-factor authentication. Set to true by default. When enabled, Duo two-factor authentication is enforced during SSH login according to the configured parameters. When Duo is disabled (set to false), Duo authentication is ignored.

Define custom roles

You provide these values with the security login role create command when you define a custom role.

Field

Description

Your value

-vserver

(Optional) The name of the storage VM (referred to as a vserver in the ONTAP CLI) that is associated with the role.

-role

The name of the role.

-cmddirname

The command or command directory to which the role gives access. You should enclose command subdirectory names in double quotation marks ("). For example, "volume snapshot". You must enter DEFAULT to specify all command directories.

-access

(Optional) The access level for the role. For command directories:

  • none (the default value for custom roles) denies access to commands in the command directory

  • readonly grants access to the show commands in the command directory and its subdirectories

  • all grants access to all of the commands in the command directory and its subdirectories

For nonintrinsic commands (commands that do not end in create, modify, delete, or show):

  • none (the default value for custom roles) denies access to the command

  • readonly is not applicable

  • all grants access to the command

To grant or deny access to intrinsic commands, you must specify the command directory.

-query

(Optional) The query object that is used to filter the access level, which is specified in the form of a valid option for the command or for a command in the command directory. You should enclose the query object in double quotation marks ("). For example, if the command directory is volume, the query object "-aggr aggr0" would enable access for the aggr0 aggregate only.

Associate a public key with a user account

You provide these values with the security login publickey create command when you associate an SSH public key with a user account.

Field

Description

Your value

-vserver

(Optional) The name of the storage VM that the account accesses.

-username

The user name of the account. The default value, admin, which is the default name of the cluster administrator.

-index

The index number of the public key. The default value is 0 if the key is the first key that is created for the account; otherwise, the default value is one more than the highest existing index number for the account.

-publickey

The OpenSSH public key. You should enclose the key in double quotation marks (").

-role

The access control role that is assigned to the account.

-comment

(Optional) Descriptive text for the public key. You should enclose the text in double quotation marks (").

-x509-certificate

(Optional) Beginning with ONTAP 9.13.1, enables you to manage X.509 certificate association with the SSH public key.

When you associate an X.509 certificate with the SSH public key, ONTAP checks upon SSH login to see if this certificate is valid. If it has expired or been revoked, login is disallowed and the associated SSH public key is disabled. Possible values:

  • install: Install the specified PEM-encoded X.509 certificate and associate it with the SSH public key. Include the full text for the certificate you want to install.

  • modify: Update the existing PEM-encoded X.509 certificate with the specified certificate and associate it with the SSH public key. Include the full text for the new certificate.

  • delete: Remove the existing X.509 certificate association with the SSH public key.

Install a CA-signed server digital certificate

You provide these values with the security certificate generate-csr command when you generate a digital certificate signing request (CSR) for use in authenticating an storage VM as an SSL server.

Field

Description

Your value

-common-name

The name of the certificate, which is either a fully qualified domain name (FQDN) or a custom common name.

-size

The number of bits in the private key. The higher the value, the more secure the key. The default value is 2048. Possible values are 512, 1024, 1536, and 2048.

-country

The country of the storage VM, in a two-letter code. The default value is US. See the man pages for a list of codes.

-state

The state or province of the storage VM.

-locality

The locality of the storage VM.

-organization

The organization of the storage VM.

-unit

The unit in the organization of the storage VM.

-email-addr

The email address of the contact administrator for the storage VM.

-hash-function

The cryptographic hashing function for signing the certificate. The default value is SHA256. Possible values are SHA1, SHA256, and MD5.

You provide these values with the security certificate install command when you install a CA-signed digital certificate for use in authenticating the cluster or storage VM as an SSL server. Only the options that are relevant to account configuration are shown in the following table.

Field

Description

Your value

-vserver

The name of the storage VM on which the certificate is to be installed.

-type

The certificate type:

  • server for server certificates and intermediate certificates

  • client-ca for the public key certificate of the root CA of the SSL client

  • server-ca for the public key certificate of the root CA of the SSL server of which ONTAP is a client

  • client for a self-signed or CA-signed digital certificate and private key for ONTAP as an SSL client

Configure Active Directory domain controller access

You provide these values with the security login domain-tunnel create command when you have already configured a SMB server for a data storage VM and you want to configure the storage VM as a gateway or tunnel for Active Directory domain controller access to the cluster.

Field

Description

Your value

-vserver

The name of the storage VM for which the SMB server has been configured.

You provide these values with the vserver active-directory create command when you have not configured a SMB server and you want to create an storage VM computer account on the Active Directory domain.

Field

Description

Your value

-vserver

The name of the storage VM for which you want to create an Active Directory computer account.

-account-name

The NetBIOS name of the computer account.

-domain

The fully qualified domain name (FQDN).

-ou

The organizational unit in the domain. The default value is CN=Computers. ONTAP appends this value to the domain name to produce the Active Directory distinguished name.

Configure LDAP or NIS server access

You provide these values with the vserver services name-service ldap client create command when you create an LDAP client configuration for the storage VM.

Only the options that are relevant to account configuration are shown in the following table:

Field

Description

Your value

-vserver

The name of the storage VM for the client configuration.

-client-config

The name of the client configuration.

-ldap-servers

A comma-separated list of IP addresses and host names for the LDAP servers to which the client connects.

-schema

The schema that the client uses to make LDAP queries.

-use-start-tls

Whether the client uses Start TLS to encrypt communication with the LDAP server (true or false).

Note

Start TLS is supported for access to data storage VMs only. It is not supported for access to admin storage VMs.

You provide these values with the vserver services name-service ldap create command when you associate an LDAP client configuration with the storage VM.

Field

Description

Your value

-vserver

The name of the storage VM with which the client configuration is to be associated.

-client-config

The name of the client configuration.

-client-enabled

Whether the storage VM can use the LDAP client configuration (true or false).

You provide these values with the vserver services name-service nis-domain create command when you create an NIS domain configuration on an storage VM.

Field

Description

Your value

-vserver

The name of the storage VM on which the domain configuration is to be created.

-domain

The name of the domain.

-active

Whether the domain is active (true or false).

-servers

ONTAP 9.0, 9.1: A comma-separated list of IP addresses for the NIS servers that are used by the domain configuration.

-nis-servers

A comma-separated list of IP addresses and host names for the NIS servers that are used by the domain configuration.

You provide these values with the vserver services name-service ns-switch create command when you specify the look-up order for name service sources.

Field

Description

Your value

-vserver

The name of the storage VM on which the name service look-up order is to be configured.

-database

The name service database:

  • hosts for files and DNS name services

  • group for files, LDAP, and NIS name services

  • passwd for files, LDAP, and NIS name services

  • netgroup for files, LDAP, and NIS name services

  • namemap for files and LDAP name services

-sources

The order in which to look up name service sources (in a comma-separated list):

  • files

  • dns

  • ldap

  • nis

Configure SAML access

Beginning with ONTAP 9.3, you provide these values with the security saml-sp create command to configure SAML authentication.

Field

Description

Your value

-idp-uri

The FTP address or HTTP address of the Identity Provider (IdP) host from where the IdP metadata can be downloaded.

-sp-host

The host name or IP address of the SAML service provider host (ONTAP system). By default, the IP address of the cluster-management LIF is used.

-cert-ca and -cert-serial, or -cert-common-name

The server certificate details of the service provider host (ONTAP system). You can enter either the service provider's certificate issuing certification authority (CA) and the certificate's serial number, or the Server Certificate Common Name.

-verify-metadata-server

Whether the identity of the IdP metadata server must be validated (true or false). The best practice is to always set this value to true.