Skip to main content

Post-installation configuration

Contributors netapp-sarajane netapp-thomi netapp-ahibbard

After the ONTAP Mediator service is installed and running, additional configuration tasks must be performed in the ONTAP storage system to use the Mediator features:

Configure ONTAP Mediator security policies

The ONTAP Mediator server supports several configurable security settings. The default values for all settings are provided in a low_space_threshold_mib: 10 read-only file:

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator.user_config.yaml

All values that are placed in the ontap_mediator.user_config.yaml will override the default values and be maintained across all ONTAP Mediator upgrades.

After you modify ontap_mediator.user_config.yaml, restart the ONTAP Mediator service:

systemctl restart ontap_mediator

Modify ONTAP Mediator attributes

The ONTAP Mediator attributes described in this section can be modified if required.

Note Other default values in the ontap_mediator.config.yaml should not be changed because modified values are not maintained during ONTAP Mediator upgrades.

You modify ONTAP Mediator attributes by copying the required variables to the ontap_mediator.user_config.yaml file to override the default settings.

Install third-party SSL certificates

If you need to replace the default self-signed certificates with third-party SSL certificates, modify certain attributes in the following files:

  • /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator.config.yaml

  • /opt/netapp/lib/ontap_mediator/uwsgi/ontap_mediator.ini

The variables in these files are used to control the certificate files used by the ONTAP Mediator service.

Note In ONTAP Mediator 1.8 and earlier, the CA certificate is ca.crt. Beginning with ONTAP Mediator 1.9, the required certificate is intermediate.crt.

The default variables listed in the following table are included in the /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator.config.yaml file.

Variable Path

cert_path

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator_server.crt

key_path

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator_server.key

ca_cert_path

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/intermediate.crt

ca_key_path

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/intermediate.key

ca_serial_path

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/intermediate.srl

cert_valid_days

1095

x509_passin_pwd

pass:ontap

  • cert_valid_days is used to set the expiration of client certificates. The maximum value is three years (1095 days).

  • x509_passin_pwd is the passphrase for the signed client certificate.

The default variables listed in the following table are included in the /opt/netapp/lib/ontap_mediator/uwsgi/ontap_mediator.ini file.

Variable Path

mediator_cert

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator_server.crt

mediator_key

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator_server.key

ca_cert_path

/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/intermediate.crt

If you modify these attributes, restart the ONTAP Mediator service to apply the changes. For detailed instructions on how to replace default certificates with third-party certificates, refer to Replace self-signed certificates with trusted third party certificates.

Password attack protection

The following settings provide protection against brute-force password guessing attacks.

To enable the feature, set a value for the window_seconds and the retry_limit.

Examples:

  • Provide a 5-minute window for guesses, and then reset the count to zero failures:

    authentication_lock_window_seconds: 300

  • Lock the account if five failures occur within the window timeframe:

    authentication_retry_limit: 5

  • Reduce the impact of brute-force password guessing attacks by setting a delay that occurs prior to rejecting each attempt, which slows the attacks.

    authentication_failure_delay_seconds: 5

    authentication_failure_delay_seconds: 0   # seconds (float) to delay failed auth attempts prior to response, 0 = no delay
    authentication_lock_window_seconds: null  # seconds (int) since the oldest failure before resetting the retry counter, null = no window
    authentication_retry_limit: null          # number of retries to allow before locking API access, null = unlimited

Password complexity rules

The following fields control the password complexity rules of the ONTAP Mediator API user account.

password_min_length: 8

password_max_length: 64

password_uppercase_chars: 0    # min. uppercase characters

password_lowercase_chars: 1    # min. lowercase character

password_special_chars: 1      # min. non-letter, non-digit

password_nonletter_chars: 2    # min. non-letter characters (digits, specials, anything)

Control of free space

There are settings that control the required free space on the /opt/netapp/lib/ontap_mediator disk.

If the space is lower than the set threshold, the service will issue a warning event.

low_space_threshold_mib: 10

Control of reserve log space

The RESERVE_LOG_SPACE is controlled by specific settings. By default, the ONTAP Mediator server installation creates a separate disk space for the logs. The installer creates a new fixed-size file with a total of 700MB of disk space to be used explicitly for Mediator logging.

To disable this feature and use the default disk space, perform the following steps:

  1. Change the value of RESERVE_LOG_SPACE from 1 to 0 in the following file:

    /opt/netapp/lib/ontap_mediator/tools/mediator_env

  2. Restart the Mediator:

    1. cat /opt/netapp/lib/ontap_mediator/tools/mediator_env | grep "RESERVE_LOG_SPACE"

      RESERVE_LOG_SPACE=0
    2. systemctl restart ontap_mediator

To re-enable the feature, change the value from 0 to 1 and restart the Mediator.

Note Toggling between disk spaces does not purge existing logs. All previous logs are backed up and then moved to the current disk space after toggling and restarting the Mediator.