Post-installation configuration
After the ONTAP Mediator service is installed and running, additional configuration tasks must be performed in the ONTAP storage system to use the Mediator features:
- To use the ONTAP Mediator service in a MetroCluster IP configuration, see Configuring the ONTAP Mediator service from a MetroCluster IP configuration.
- To use SnapMirror active sync, see Install ONTAP Mediator Service and confirm the ONTAP cluster configuration.
Configure ONTAP Mediator security policies
The ONTAP Mediator server supports several configurable security settings. The default values for all settings are provided in a read-only file:
/opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator.user_config.yaml
All values that are placed in the ontap_mediator.user_config.yaml will override the default values and be maintained across all ONTAP Mediator upgrades.
After you modify ontap_mediator.user_config.yaml, restart the ONTAP Mediator service:
systemctl restart ontap_mediator
Modify ONTAP Mediator attributes
The ONTAP Mediator attributes described in this section can be modified if required.
Other default values in the ontap_mediator.config.yaml should not be changed because modified values are not maintained during ONTAP Mediator upgrades.
You modify ONTAP Mediator attributes by copying the required variables to the ontap_mediator.user_config.yaml file to override the default settings.
Install third-party SSL certificates
If you need to replace the default self-signed certificates with third-party SSL certificates, modify certain attributes in the following files:
- /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator.config.yaml
- /opt/netapp/lib/ontap_mediator/uwsgi/ontap_mediator.ini
The variables in these files are used to control the certificate files used by the ONTAP Mediator service.
In ONTAP Mediator 1.8 and earlier, the CA certificate is ca.crt. Beginning with ONTAP Mediator 1.9, the required certificate is intermediate.crt.
The default variables listed in the following table are included in the /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/ontap_mediator.config.yaml file.
Variable | Path |
---|---|
- cert_valid_days is used to set the expiration of client certificates. The maximum value is three years (1095 days).
- x509_passin_pwd is the passphrase for the signed client certificate.
The default variables listed in the following table are included in the /opt/netapp/lib/ontap_mediator/uwsgi/ontap_mediator.ini file.
Variable | Path |
---|---|
If you modify these attributes, restart the ONTAP Mediator service to apply the changes. For detailed instructions on how to replace default certificates with third-party certificates, refer to Replace self-signed certificates with trusted third party certificates.
Password attack protection
The following settings provide protection against brute-force password guessing attacks.
To enable the feature, set a value for the window_seconds and the retry_limit.
Examples:
- Provide a 5-minute window for guesses, and then reset the count to zero failures:
  authentication_lock_window_seconds: 300
- Lock the account if five failures occur within the window timeframe:
  authentication_retry_limit: 5
- Reduce the impact of brute-force password guessing attacks by setting a delay that occurs prior to rejecting each attempt, which slows the attacks:
  authentication_failure_delay_seconds: 5

authentication_failure_delay_seconds: 0 # seconds (float) to delay failed auth attempts prior to response, 0 = no delay
authentication_lock_window_seconds: null # seconds (int) since the oldest failure before resetting the retry counter, null = no window
authentication_retry_limit: null # number of retries to allow before locking API access, null = unlimited
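The following audit is an added example, not NetApp code: it merges the three defaults listed above with the overrides in a user config file and reports whether brute-force protection is actually in effect. It assumes the override file uses flat `key: value` lines as shown on this page; the function names and the sample file content are constructed for illustration.

```python
import re

# Defaults as listed on this page for the brute-force protection settings.
DEFAULTS = {
    "authentication_failure_delay_seconds": 0,
    "authentication_lock_window_seconds": None,
    "authentication_retry_limit": None,
}

def parse_flat_yaml(text):
    """Parse flat 'key: value  # comment' lines (assumed layout, not a full YAML parser)."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        match = re.fullmatch(r"([A-Za-z_]\w*)\s*:\s*(.*)", line)
        if not match:
            continue
        key, raw = match.group(1), match.group(2).strip()
        if raw in ("", "null", "~"):
            values[key] = None
        else:
            try:
                values[key] = float(raw) if "." in raw else int(raw)
            except ValueError:
                values[key] = raw
    return values

def audit_lockout(user_config_text):
    """Return (effective settings, findings) with user overrides applied to DEFAULTS."""
    overrides = parse_flat_yaml(user_config_text)
    effective = {key: overrides.get(key, default) for key, default in DEFAULTS.items()}
    findings = []
    # The feature is enabled only when both the window and the retry limit have a value.
    if (effective["authentication_lock_window_seconds"] is None
            or effective["authentication_retry_limit"] is None):
        findings.append("lockout disabled: set both authentication_lock_window_seconds "
                        "and authentication_retry_limit")
    if not effective["authentication_failure_delay_seconds"]:
        findings.append("no delay on failed authentication attempts")
    return effective, findings

# Constructed sample override file: the retry limit is set but the window is not.
SAMPLE = """\
authentication_retry_limit: 5   # lock after five failures
authentication_failure_delay_seconds: 0
"""

if __name__ == "__main__":
    for finding in audit_lockout(SAMPLE)[1]:
        print("FINDING:", finding)
```
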
Password complexity rules
The following fields control the password complexity rules of the ONTAP Mediator API user account.
password_min_length: 8
password_max_length: 64
password_uppercase_chars: 0 # min. uppercase characters
password_lowercase_chars: 1 # min. lowercase character
password_special_chars: 1 # min. non-letter, non-digit
password_nonletter_chars: 2 # min. non-letter characters (digits, specials, anything)
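As an added example (not part of the ONTAP Mediator product), this checker applies the six fields above to a candidate password and returns the names of the fields it fails, which shows how a special character also counts toward password_nonletter_chars. The function name, the sample passwords, and the use of Python's character predicates to classify characters are assumptions.

```python
# Default values as listed on this page.
DEFAULT_RULES = {
    "password_min_length": 8,
    "password_max_length": 64,
    "password_uppercase_chars": 0,
    "password_lowercase_chars": 1,
    "password_special_chars": 1,
    "password_nonletter_chars": 2,
}

def violated_rules(candidate, rules=DEFAULT_RULES):
    """Return the names of the complexity fields that `candidate` fails."""
    # Assumption: character classes follow Python's str predicates; the
    # Mediator's own classification of non-ASCII characters may differ.
    counts = {
        "password_uppercase_chars": sum(c.isupper() for c in candidate),
        "password_lowercase_chars": sum(c.islower() for c in candidate),
        "password_special_chars": sum(not c.isalnum() for c in candidate),
        "password_nonletter_chars": sum(not c.isalpha() for c in candidate),
    }
    failed = []
    if len(candidate) < rules["password_min_length"]:
        failed.append("password_min_length")
    if len(candidate) > rules["password_max_length"]:
        failed.append("password_max_length")
    # Each counted class must reach the minimum configured for it.
    failed += [name for name, seen in counts.items() if seen < rules[name]]
    return failed

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("abcdef!1", "abcdefg!", "abcdefg1"):
        print(sample, "->", violated_rules(sample) or "meets the default rules")
```
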
Control of free space
There are settings that control the required free space on the /opt/netapp/lib/ontap_mediator disk.
If the space is lower than the set threshold, the service will issue a warning event.
low_space_threshold_mib: 10
Control of reserve log space
The RESERVE_LOG_SPACE is controlled by specific settings. By default, the ONTAP Mediator server installation creates a separate disk space for the logs. The installer creates a new fixed-size file with a total of 700MB of disk space to be used explicitly for Mediator logging.
To disable this feature and use the default disk space, perform the following steps:
- Change the value of RESERVE_LOG_SPACE from 1 to 0 in the following file:
  /opt/netapp/lib/ontap_mediator/tools/mediator_env
- Restart the Mediator:
  - cat /opt/netapp/lib/ontap_mediator/tools/mediator_env | grep "RESERVE_LOG_SPACE"
    RESERVE_LOG_SPACE=0
  - systemctl restart ontap_mediator
- To re-enable the feature, change the value from 0 to 1 and restart the Mediator.
Toggling between disk spaces does not purge existing logs. All previous logs are backed up and then moved to the current disk space after toggling and restarting the Mediator.