Overview of using TLS with NFS for strong security
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
![](https://docs.netapp.com/common/images/pdf-zip.png)
Collection of separate PDF docs
Creating your file...
TLS enables encrypted network communications with equivalent security to and less complexity than Kerberos and IPsec. As an administrator, you can enable, configure, and disable TLS for strong security with NFSv3 and NFSv4.x connections using System Manager, the ONTAP CLI, or the ONTAP REST API.
|
NFS over TLS is available in ONTAP 9.15.1 as a public preview. As a preview offering, NFS over TLS is not supported for production workloads in ONTAP 9.15.1. |
ONTAP uses TLS 1.3 for NFS over TLS connections.
Requirements
NFS over TLS requires X.509 certificates. You can either create an install a CA-signed server certificate on the ONTAP cluster, or you can install a certificate that the NFS service uses directly. Your certificates should meet the following guidelines:
-
Each certificate must be configured with the Fully Qualified Domain Name (FQDN) of the NFS server (the data LIF on which TLS will be enabled/configured) as a common name (CN).
-
Each certificate must be configured with the IP address or FQDN of the NFS server (or both) as the Subject Alternative Name (SAN). If both IP address and FQDN are configured, NFS clients can connect using either the IP address or FQDN.
-
You can install multiple NFS service certificates for the same LIF, but only one of them can be in use at a time as part of the NFS TLS configuration.