Skip to main content

Overview of using TLS with NFS for strong security

Contributors netapp-mwallis

TLS enables encrypted network communications with equivalent security to and less complexity than Kerberos and IPsec. As an administrator, you can enable, configure, and disable TLS for strong security with NFSv3 and NFSv4.x connections using System Manager, the ONTAP CLI, or the ONTAP REST API.

Note NFS over TLS is available in ONTAP 9.15.1 as a public preview. As a preview offering, NFS over TLS is not supported for production workloads in ONTAP 9.15.1.

ONTAP uses TLS 1.3 for NFS over TLS connections.

Requirements

NFS over TLS requires X.509 certificates. You can either create and install a CA-signed server certificate on the ONTAP cluster, or you can install a certificate that the NFS service uses directly. Your certificates should meet the following guidelines:

  • The common name (CN) of each certificate must be configured with the Fully Qualified Domain Name (FQDN) of the data LIF on which TLS will be enabled.

  • The Subject Alternative Name (SAN) of each certificate must be configured with the IP address of the data LIF on which TLS will be enabled. You can optionally configure the SAN with both the IP address and the FQDN of the data LIF. If both IP address and FQDN are configured, NFS clients can connect using either the IP address or FQDN.

  • You can install multiple NFS service certificates for the same LIF, but only one of them can be in use at a time as part of the NFS TLS configuration.