Enable or disable TLS for NFS clients in ONTAP

Contributors netapp-mwallis netapp-aaron-holt netapp-ahibbard

You can configure NFS over TLS to encrypt all data sent over the network between the NFS client and ONTAP, which improves the security of NFS connections. You can configure this on an existing storage VM enabled for NFS.

Note: NFS over TLS is available in ONTAP 9.15.1 as a public preview. As a preview offering, NFS over TLS is not supported for production workloads in ONTAP 9.15.1.

Enable TLS

You can enable TLS encryption for NFS clients to increase the security of data in transit.

Before you begin
  • Refer to the requirements for NFS over TLS before you begin.

  • Refer to the ONTAP manual pages for more information about the command in this procedure.

  • Learn more about the vserver nfs tls interface show command in the ONTAP command reference.

Steps
  1. Choose a storage VM and a logical interface (LIF) on which to enable TLS.

  2. Enable TLS for NFS connections on that storage VM and interface.

    vserver nfs tls interface enable -vserver <STORAGE_VM> -lif <LIF_NAME> -certificate-name <CERTIFICATE_NAME>

  3. Use the vserver nfs tls interface show command to view the results:

    vserver nfs tls interface show

Example

The following command enables NFS over TLS on the data1 LIF of the vs1 storage VM:

vserver nfs tls interface enable -vserver vs1 -lif data1 -certificate-name cert_vs1
vserver nfs tls interface show
               Logical
Vserver        Interface     Address         TLS Status TLS Certificate Name
-------------- ------------- --------------- ---------- -----------------------
vs1            data1         10.0.1.1        enabled    cert_vs1
vs2            data2         10.0.1.2        disabled   -
2 entries were displayed.

Disable TLS

You can disable TLS for NFS clients if you no longer need the enhanced security for data in transit.

Before you begin

Learn more about the vserver nfs tls interface disable command in the ONTAP command reference.

Steps
  1. Choose a storage VM and a logical interface (LIF) on which to disable TLS.

  2. Disable TLS for NFS connections on that storage VM and interface.

    vserver nfs tls interface disable -vserver <STORAGE_VM> -lif <LIF_NAME>

  3. Use the vserver nfs tls interface show command to view the results:

    vserver nfs tls interface show

Example

The following command disables NFS over TLS on the data1 LIF of the vs1 storage VM:

vserver nfs tls interface disable -vserver vs1 -lif data1
vserver nfs tls interface show
               Logical
Vserver        Interface     Address         TLS Status TLS Certificate Name
-------------- ------------- --------------- ---------- -----------------------
vs1            data1         10.0.1.1        disabled   -
vs2            data2         10.0.1.2        disabled   -
2 entries were displayed.

Edit a TLS configuration

You can change the settings of an existing NFS over TLS configuration. For example, you can use this procedure to update the TLS certificate.

Before you begin

Learn more about the vserver nfs tls interface modify command in the ONTAP command reference.

Steps
  1. Choose a storage VM and a logical interface (LIF) on which to modify the TLS configuration for NFS clients.

  2. Modify the configuration. If you specify a status of enable, you also need to specify the certificate-name parameter. Replace values in brackets <> with information from your environment:

    vserver nfs tls interface modify -vserver <STORAGE_VM> -lif <LIF_NAME> -status <STATUS> -certificate-name <CERTIFICATE_NAME>

  3. Use the vserver nfs tls interface show command to view the results:

    vserver nfs tls interface show

Example

The following command modifies the NFS over TLS configuration on the data2 LIF of the vs2 storage VM:

vserver nfs tls interface modify -vserver vs2 -lif data2 -status enable -certificate-name new_cert
vserver nfs tls interface show
               Logical
Vserver        Interface     Address         TLS Status TLS Certificate Name
-------------- ------------- --------------- ---------- -----------------------
vs1            data1         10.0.1.1        disabled   -
vs2            data2         10.0.1.2        enabled    new_cert
2 entries were displayed.
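
The last step of each procedure above checks the vserver nfs tls interface show table by eye. The following Python script is an added example, not NetApp code: it parses saved output of that command and reports every LIF that is expected to serve NFS over TLS but is disabled, missing from the table, or enabled without a certificate name. The function names, the set of required LIFs, and the assumption that each row fits on one line are illustrative.

```python
import re
# Table copied from the "Enable TLS" example on this page.
SAMPLE_OUTPUT = """\
               Logical
Vserver        Interface     Address         TLS Status TLS Certificate Name
-------------- ------------- --------------- ---------- -----------------------
vs1            data1         10.0.1.1        enabled    cert_vs1
vs2            data2         10.0.1.2        disabled   -
2 entries were displayed.
"""
FIELDS = ("vserver", "lif", "address", "status", "certificate")

def parse_tls_interfaces(text):
    """Return one dict per table row; raise if the table looks incomplete."""
    lines = text.splitlines()
    ruler = next((i for i, l in enumerate(lines) if re.fullmatch(r"-+(\s+-+){4}", l.strip())), None)
    if ruler is None:
        raise ValueError("column ruler not found")
    rows, declared = [], None
    for line in lines[ruler + 1:]:
        footer = re.match(r"(\d+) entr", line.strip())
        if footer:
            declared = int(footer.group(1))
            break
        parts = line.split()
        if not parts:
            continue
        # Assumption: every row fits on one line and no value contains spaces.
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    # Fail closed when the footer count disagrees with the rows parsed.
    if declared is not None and declared != len(rows):
        raise ValueError(f"footer says {declared} rows, parsed {len(rows)}")
    return rows

def audit(rows, required):
    """List (vserver, lif) pairs in `required` that are not protected by TLS."""
    seen = {(r["vserver"], r["lif"]): r for r in rows}
    findings = []
    for key in sorted(required):
        row = seen.get(key)
        if row is None:
            findings.append((key, "not listed"))
        elif row["status"] != "enabled":
            findings.append((key, "TLS " + row["status"]))
        elif row["certificate"] == "-":
            findings.append((key, "enabled without certificate"))
    return findings
```

For the table shown, audit(parse_tls_interfaces(SAMPLE_OUTPUT), {("vs1", "data1"), ("vs2", "data2")}) reports only vs2/data2, and a table whose row count does not match its footer is rejected rather than audited.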