Enable or disable TLS for NFS clients
Suggest changes
PDFs
You can improve the security of NFS connections by configuring NFS over TLS to encrypt all data sent over the network between the NFS client and ONTAP. This increases the security of NFS connections. You can configure this on an existing storage VM enabled for NFS.
|
NFS over TLS is available in ONTAP 9.15.1 as a public preview. As a preview offering, NFS over TLS is not supported for production workloads in ONTAP 9.15.1. |
Enable TLS
You can enable TLS encryption for NFS clients to increase security of data in transit.
-
Refer to the requirements for NFS over TLS before you begin.
-
Refer to the ONTAP manual pages for more information about the command in this procedure.
-
Choose a storage VM and a logical interface (LIF) on which to enable TLS.
-
Enable TLS for NFS connections on that storage VM and interface.
vserver nfs tls interface enable -vserver <STORAGE_VM> -lif <LIF_NAME> -certificate-name <CERTIFICATE_NAME> -
Use the
vserver nfs tls interface showcommand to view the results:vserver nfs tls interface show
The following command enables NFS over TLS on the data1 LIF of the vs1 storage VM:
vserver nfs tls interface enable -vserver vs1 -lif data1 -certificate-name cert_vs1vserver nfs tls interface showLogical Vserver Interface Address TLS Status TLS Certificate Name -------------- ------------- --------------- ---------- ----------------------- vs1 data1 10.0.1.1 enabled cert_vs1 vs2 data2 10.0.1.2 disabled - 2 entries were displayed.
Disable TLS
You can disable TLS for NFS clients if you no longer need the enhanced security for data in transit.
Refer to the ONTAP manual pages for more information about the command in this procedure.
-
Choose a storage VM and a logical interface (LIF) on which to disable TLS.
-
Disable TLS for NFS connections on that storage VM and interface.
vserver nfs tls interface disable -vserver <STORAGE_VM> -lif <LIF_NAME> -
Use the
vserver nfs tls interface showcommand to view the results:vserver nfs tls interface show
The following command disables NFS over TLS on the data1 LIF of the vs1 storage VM:
vserver nfs tls interface disable -vserver vs1 -lif data1vserver nfs tls interface showLogical Vserver Interface Address TLS Status TLS Certificate Name -------------- ------------- --------------- ---------- ----------------------- vs1 data1 10.0.1.1 disabled - vs2 data2 10.0.1.2 disabled - 2 entries were displayed.
Edit a TLS configuration
You can change the settings of an existing NFS over TLS configuration. For example, you can use this procedure to update the TLS certificate.
Refer to the ONTAP manual pages for more information about the command in this procedure.
-
Choose a storage VM and a logical interface (LIF) on which to modify the TLS configuration for NFS clients.
-
Modify the configuration. If you specify a
statusofenable, you also need to specify thecertificate-nameparameter. Replace values in brackets <> with information from your environment:vserver nfs tls interface modify -vserver <STORAGE_VM> -lif <LIF_NAME> -status <STATUS> -certificate-name <CERTIFICATE_NAME> -
Use the
vserver nfs tls interface showcommand to view the results:vserver nfs tls interface show
The following command modifies the NFS over TLS configuration on the data2 LIF of the vs2 storage VM:
vserver nfs tls interface modify -vserver vs2 -lif data2 -status enable -certificate-name new_certvserver nfs tls interface showLogical Vserver Interface Address TLS Status TLS Certificate Name -------------- ------------- --------------- ---------- ----------------------- vs1 data1 10.0.1.1 disabled - vs2 data2 10.0.1.2 enabled new_cert 2 entries were displayed.