Configure important EMS events to forward notifications to a webhook application
You can configure ONTAP to forward important event notifications to a webhook application. The configuration steps needed depend on the level of security you choose.
Prepare to configure EMS event forwarding
There are several concepts and requirements you should consider before configuring ONTAP to forward event notifications to a webhook application.
Webhook application
You need a webhook application capable of receiving the ONTAP event notifications. A webhook is a user-defined callback routine that extends the capability of the remote application or server where it runs. Webhooks are called or activated by the client (in this case ONTAP) by sending an HTTP request to the destination URL. Specifically, ONTAP sends an HTTP POST request to the server hosting the webhook application along with the event notification details formatted in XML.
Security options
There are several security options available depending on how the Transport Layer Security (TLS) protocol is used. The option you choose determines the required ONTAP configuration.
TLS is a cryptographic protocol that is widely used on the internet. It provides privacy as well as data integrity and authentication using one or more public key certificates. The certificates are issued by trusted certificate authorities. |
- HTTP
-
You can use HTTP to transport the event notifications. With this configuration, the connection is not secure. The identities of the ONTAP client and webhook application are not verified. Further, the network traffic is not encrypted or protected. See Configure a webhook destination to use HTTP for the configuration details.
- HTTPS
-
For additional security, you can install a certificate at the server hosting the webhook routine. The HTTPS protocol is used by ONTAP to verify the identity of the webhook application server as well as by both parties to ensure the privacy and integrity of the network traffic. See Configure a webhook destination to use HTTPS for the configuration details.
- HTTPS with mutual authentication
-
You can further enhance the HTTPS security by installing a client certificate at the ONTAP system issuing the webbook requests. In addition to ONTAP verifying the identity of the webhook application server and protecting the network traffic, the webhook application verifies the identity of the ONTAP client. This two-way peer authentication is known as Mutual TLS. See Configure a webhook destination to use HTTPS with mutual authentication for the configuration details.
Configure a webhook destination to use HTTP
You can configure ONTAP to forward event notifications to a webhook application using HTTP. This is the least secure option but the simplest to set up.
-
Create a new destination
restapi-ems
to receive the events:event notification destination create -name restapi-ems -rest-api-url http://<webhook-application>
In the above command, you must use the HTTP scheme for the destination.
-
Create a notification linking the
important-events
filter with therestapi-ems
destination:event notification create -filter-name important-events -destinations restapi-ems
Configure a webhook destination to use HTTPS
You can configure ONTAP to forward event notifications to a webhook application using HTTPS. ONTAP uses the server certificate to confirm the identity of the webhook application as well as secure the network traffic.
-
Generate a private key and certificate for the webhook application server
-
Have the root certificate available to install in ONTAP
-
Install the appropriate server private key and certificates at the server hosting your webhook application. The specific configuration steps are dependent on the server.
-
Install the server root certificate in ONTAP:
security certificate install -type server-ca
The command will ask for the certificate.
-
Create the
restapi-ems
destination to receive the events:event notification destination create -name restapi-ems -rest-api-url https://<webhook-application>
In the above command, you must use the HTTPS scheme for the destination.
-
Create the notification that links the
important-events
filter with the newrestapi-ems
destination:event notification create -filter-name important-events -destinations restapi-ems
Configure a webhook destination to use HTTPS with mutual authentication
You can configure ONTAP to forward event notifications to a webhook application using HTTPS with mutual authentication. With this configuration there are two certificates. ONTAP uses the server certificate to confirm the identity of the webhook application and secure the network traffic. In addition, the application hosting the webhook uses the client certificate to confirm the identity of the ONTAP client.
You must do the following before configuring ONTAP:
-
Generate a private key and certificate for the webhook application server
-
Have the root certificate available to install in ONTAP
-
Generate a private key and certificate for the ONTAP client
-
Perform the first two steps in the task Configure a webhook destination to use HTTPS to install the server certificate so that ONTAP can verify the identity of the server.
-
Install the appropriate root and intermediate certificates at the webhook application to validate the client certificate.
-
Install the client certificate in ONTAP:
security certificate install -type client
The command will ask for the private key and certificate.
-
Create the
restapi-ems
destination to receive the events:event notification destination create -name restapi-ems -rest-api-url https://<webhook-application> -certificate-authority <issuer of the client certificate> -certificate-serial <serial of the client certificate>
In the above command, you must use the HTTPS scheme for destination.
-
Create the notification that links the
important-events
filter with the newrestapi-ems
destination:event notification create -filter-name important-events -destinations restapi-ems