Set up TLS secure channel for NVMe/TCP
Beginning with ONTAP 9.16.1, you can configure TLS secure channel for NVMe/TCP connections. You can use System Manager or the ONTAP CLI to either add a new NVMe subsystem with TLS enabled, or enable TLS for an existing NVMe subsystem. ONTAP does not support TLS hardware offload.
Beginning with ONTAP 9.16.1, you can use System Manager to configure TLS for NVMe/TCP connections while creating or updating an NVMe subsystem, creating or cloning NVMe namespaces, or adding consistency groups with new NVMe namespaces.
- In System Manager, click Hosts > NVMe Subsystem and then click Add.
- Add the NVMe subsystem name, and select the storage VM and host operating system.
- Enter the Host NQN.
- Select Require Transport Layer Security (TLS) next to the Host NQN.
- Provide the pre-shared key (PSK).
- Click Save.
- To verify that TLS secure channel is enabled, select System Manager > Hosts > NVMe Subsystem > Grid > Peek view.
-
- Add an NVMe subsystem host that supports TLS secure channel. You can provide a pre-shared key (PSK) using the -tls-configured-psk argument:

    vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -tls-configured-psk <key_text>

- Verify that the NVMe subsystem host is configured for TLS secure channel. You can optionally use the -tls-key-type argument to display only the hosts that are using that key type:

    vserver nvme subsystem host show -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -tls-key-type {none|configured}

- Verify that the NVMe subsystem host controller is configured for TLS secure channel. You can optionally use any of the -tls-key-type, -tls-identity, or -tls-cipher arguments to display only the controllers that have those TLS attributes:

    vserver nvme subsystem controller show -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -tls-key-type {none|configured} -tls-identity <text> -tls-cipher {none|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384}
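The CLI steps above take the PSK as opaque key text, and a mistyped or truncated key only shows up later as a failed TLS handshake. The following Python helper is an added example, not NetApp code and not part of the ONTAP documentation. It assumes the `<key_text>` value uses the NVMe-oF TLS PSK interchange format ("NVMeTLSkey-1:<hmac>:<base64>:", where the base64 body carries the raw PSK followed by a little-endian CRC32 of it), which is the format produced by standard host tooling such as nvme-cli's `gen-tls-key`; the function names `encode_tls_psk`, `generate_tls_psk`, `decode_tls_psk` and `check_tls_psk` are this example's own. It generates a configured PSK from the OS CSPRNG and verifies one before you paste it into `-tls-configured-psk`, including the CRC32 check that catches copy errors, and it maps the HMAC identifier to the two cipher suites the `controller show` output can report.

```python
import base64
import binascii
import os
import re
import zlib

# PSK length by HMAC identifier in the NVMe TLS PSK interchange format
# (assumption: this is the format ONTAP accepts as <key_text>):
#   01 = HMAC-SHA-256, 32-byte PSK, pairs with TLS_AES_128_GCM_SHA256
#   02 = HMAC-SHA-384, 48-byte PSK, pairs with TLS_AES_256_GCM_SHA384
KEY_LEN_BY_HMAC = {1: 32, 2: 48}
CIPHER_BY_HMAC = {1: "TLS_AES_128_GCM_SHA256", 2: "TLS_AES_256_GCM_SHA384"}

# Interchange form: "NVMeTLSkey-1:<hmac hex>:<base64(psk || crc32le)>:"
_PSK_RE = re.compile(r"^NVMeTLSkey-1:(0[12]):([A-Za-z0-9+/=]+):$")


def encode_tls_psk(key: bytes, hmac_id: int) -> str:
    """Wrap raw PSK bytes in the interchange format; the appended
    little-endian CRC32 makes a mistyped or truncated key detectable."""
    expected = KEY_LEN_BY_HMAC.get(hmac_id)
    if expected is None:
        raise ValueError(f"unsupported HMAC identifier {hmac_id:#04x}")
    if len(key) != expected:
        raise ValueError(f"HMAC {hmac_id:02x} needs a {expected}-byte PSK, got {len(key)}")
    crc = zlib.crc32(key) & 0xFFFFFFFF
    body = base64.b64encode(key + crc.to_bytes(4, "little")).decode("ascii")
    return f"NVMeTLSkey-1:{hmac_id:02x}:{body}:"


def generate_tls_psk(hmac_id: int = 1) -> str:
    """Produce a fresh configured PSK from the OS CSPRNG (os.urandom)."""
    return encode_tls_psk(os.urandom(KEY_LEN_BY_HMAC[hmac_id]), hmac_id)


def decode_tls_psk(text: str) -> tuple[int, bytes]:
    """Parse and verify key text. Returns (hmac_id, raw_psk) or raises ValueError."""
    m = _PSK_RE.match(text.strip())
    if not m:
        raise ValueError("key text is not in NVMeTLSkey-1 interchange format")
    hmac_id = int(m.group(1), 16)
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 body is malformed: {exc}") from exc
    expected = KEY_LEN_BY_HMAC[hmac_id]
    if len(raw) != expected + 4:
        raise ValueError(f"decoded length {len(raw)} != {expected} PSK bytes + 4 CRC bytes")
    key, crc_field = raw[:expected], raw[expected:]
    if zlib.crc32(key) & 0xFFFFFFFF != int.from_bytes(crc_field, "little"):
        raise ValueError("CRC32 mismatch: key text was corrupted or mistyped")
    return hmac_id, key


def check_tls_psk(text: str) -> tuple[bool, str]:
    """Non-raising wrapper: (True, summary) or (False, reason)."""
    try:
        hmac_id, key = decode_tls_psk(text)
    except ValueError as exc:
        return False, str(exc)
    return True, (f"valid PSK: HMAC id {hmac_id:02x}, {len(key) * 8}-bit secret, "
                  f"expect tls-cipher {CIPHER_BY_HMAC[hmac_id]}")


if __name__ == "__main__":
    psk = generate_tls_psk(1)
    print(psk)                 # value to pass as <key_text> to -tls-configured-psk
    print(check_tls_psk(psk))
```

Run the script on the admin host to mint a key, paste the printed text into the `vserver nvme subsystem host add` command, and configure the same key on the NVMe/TCP initiator; the `tls-cipher` value reported by `vserver nvme subsystem controller show` should then match the suite the checker names for that HMAC identifier. Because the key text is the shared secret itself, generate it on a trusted host and keep it out of shell history and ticket systems.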