Enable or disable TLS for NFS clients in ONTAP
You can improve the security of NFS connections by configuring NFS over TLS to encrypt all data sent over the network between the NFS client and ONTAP. This increases the security of NFS connections. You can configure this on an existing storage VM enabled for NFS.
NFS over TLS is available in ONTAP 9.15.1 as a public preview. As a preview offering, NFS over TLS is not supported for production workloads in ONTAP 9.15.1. |
Enable TLS
You can enable TLS encryption for NFS clients to increase security of data in transit.
-
Refer to the requirements for NFS over TLS before you begin.
-
Refer to the ONTAP manual pages for more information about the command in this procedure.
-
Learn more about the
vserver nfs tls interface show
command in the ONTAP command reference.
-
Choose a storage VM and a logical interface (LIF) on which to enable TLS.
-
Enable TLS for NFS connections on that storage VM and interface.
vserver nfs tls interface enable -vserver <STORAGE_VM> -lif <LIF_NAME> -certificate-name <CERTIFICATE_NAME>
-
Use the
vserver nfs tls interface show
command to view the results:vserver nfs tls interface show
The following command enables NFS over TLS on the data1
LIF of the vs1
storage VM:
vserver nfs tls interface enable -vserver vs1 -lif data1 -certificate-name cert_vs1
vserver nfs tls interface show
Logical Vserver Interface Address TLS Status TLS Certificate Name -------------- ------------- --------------- ---------- ----------------------- vs1 data1 10.0.1.1 enabled cert_vs1 vs2 data2 10.0.1.2 disabled - 2 entries were displayed.
Disable TLS
You can disable TLS for NFS clients if you no longer need the enhanced security for data in transit.
Learn more about the vserver nfs tls interface disable
command in the ONTAP command reference.
-
Choose a storage VM and a logical interface (LIF) on which to disable TLS.
-
Disable TLS for NFS connections on that storage VM and interface.
vserver nfs tls interface disable -vserver <STORAGE_VM> -lif <LIF_NAME>
-
Use the
vserver nfs tls interface show
command to view the results:vserver nfs tls interface show
The following command disables NFS over TLS on the data1
LIF of the vs1
storage VM:
vserver nfs tls interface disable -vserver vs1 -lif data1
vserver nfs tls interface show
Logical Vserver Interface Address TLS Status TLS Certificate Name -------------- ------------- --------------- ---------- ----------------------- vs1 data1 10.0.1.1 disabled - vs2 data2 10.0.1.2 disabled - 2 entries were displayed.
Edit a TLS configuration
You can change the settings of an existing NFS over TLS configuration. For example, you can use this procedure to update the TLS certificate.
Learn more about the vserver nfs tls interface modify
command in the ONTAP command reference.
-
Choose a storage VM and a logical interface (LIF) on which to modify the TLS configuration for NFS clients.
-
Modify the configuration. If you specify a
status
ofenable
, you also need to specify thecertificate-name
parameter. Replace values in brackets <> with information from your environment:vserver nfs tls interface modify -vserver <STORAGE_VM> -lif <LIF_NAME> -status <STATUS> -certificate-name <CERTIFICATE_NAME>
-
Use the
vserver nfs tls interface show
command to view the results:vserver nfs tls interface show
The following command modifies the NFS over TLS configuration on the data2
LIF of the vs2
storage VM:
vserver nfs tls interface modify -vserver vs2 -lif data2 -status enable -certificate-name new_cert
vserver nfs tls interface show
Logical Vserver Interface Address TLS Status TLS Certificate Name -------------- ------------- --------------- ---------- ----------------------- vs1 data1 10.0.1.1 disabled - vs2 data2 10.0.1.2 enabled new_cert 2 entries were displayed.