Skip to main content

Enable cluster peering encryption on an existing peer relationship

Contributors netapp-forry netapp-ahibbard netapp-pcarriga netapp-aherbin

Beginning with ONTAP 9.6, cluster peering encryption is enabled by default on all newly created cluster peering relationships. Cluster peering encryption uses a pre-shared key (PSK) and the Transport Security Layer (TLS) to secure cross-cluster peering communications. This adds an additional layer of security between the peered clusters.

About this task

If you are upgrading peered clusters to ONTAP 9.6 or later, and the peering relationship was created in ONTAP 9.5 or earlier, cluster peering encryption must be enabled manually after upgrading. Both clusters in the peering relationship must be running ONTAP 9.6 or later in order to enable cluster peering encryption.

Steps
  1. On the destination cluster, enable encryption for communications with the source cluster:

    cluster peer modify source_cluster -auth-status-admin use-authentication -encryption-protocol-proposed tls-psk

  2. When prompted enter a passphrase.

  3. On the data protection source cluster, enable encryption for communication with the data protection destination cluster:

    cluster peer modify data_protection_destination_cluster -auth-status-admin use-authentication -encryption-protocol-proposed tls-psk

  4. When prompted, enter the same passphrase entered on the destination cluster.