Skip to main content

Configure the ONTAP Mediator for SnapMirror active sync

Contributors netapp-sarajane netapp-aoife netapp-dbagwell netapp-lenida netapp-aaron-holt netapp-ranuk netapp-ahibbard

SnapMirror active sync uses peered clusters to protect your data in the event of a failover scenario. ONTAP Mediator is a key resource that enables business continuity by monitoring the health of each cluster. To configure SnapMirror active sync, you must first install ONTAP Mediator and verify that your primary and secondary clusters are configured properly.

ONTAP Mediator

ONTAP Mediator provides a persistent and fenced store for high availability (HA) metadata used by the ONTAP clusters in a SnapMirror active sync relationship. Additionally, ONTAP Mediator provides a synchronous node health query functionality to aid in quorum determination and serves as a ping proxy for controller liveliness detection.

Each cluster peer relationship can only be associated with a single ONTAP Mediator instance. HA Mediator instances aren't supported. When a cluster is in several peer relationships with other clusters, the following ONTAP Mediator options are available:

  • If SnapMirror active sync is configured on each relationship, each cluster peer relationship can have its own unique ONTAP Mediator instance.

  • The cluster can use the same ONTAP Mediator instance for all peer relationships.

For example, if cluster B has a peer relationship with cluster A, cluster C, and cluster D, all three cluster peer relationships can have a unique associated ONTAP Mediator instance when SnapMirror active sync is configured on each relationship. Alternatively, cluster B can use the same ONTAP Mediator instance for all three peer relationships. In this scenario, the same instance of ONTAP Mediator is listed three times for the cluster.

Beginning with ONTAP 9.17.1, you can configure ONTAP Cloud Mediator to monitor the health of your cluster in a SnapMirror active sync configuration, however, you cannot use both Mediators at the same time.

Important If you are using SnapMirror active sync and ONTAP Mediator or ONTAP Cloud Mediator with ONTAP 9.17.1, you should review the Known problems and limitations in the ONTAP Release Notes for important information about these configurations.
Prerequisites for ONTAP Mediator
  • ONTAP Mediator includes its own set of prerequisites. You must meet these prerequisites before installing ONTAP Mediator.

  • By default, the ONTAP Mediator provides service through TCP port 31784. You should make sure that port 31784 is open and available between the ONTAP clusters and the ONTAP Mediator.

Install ONTAP Mediator and confirm cluster configuration

Perform each of the following steps to install ONTAP Mediator and verify the cluster configuration. For each step, you should confirm that the specific configuration has been performed. Each step includes a link to the specific procedure that you need to follow.

Steps
  1. Install ONTAP Mediator before verifying that your source and destination clusters are configured correctly.

  2. Confirm that a cluster peering relationship exists between the clusters.

    Note The default IPspace is required by SnapMirror active sync for cluster peer relationships. A custom IPspace isn't supported.

Initialize ONTAP Mediator for SnapMirror active sync using self-signed certificates

Once you have installed ONTAP Mediator and confirmed you cluster configuration, you must initialize ONTAP Mediator for cluster monitoring. You can initialize ONTAP Mediator using System Manager or the ONTAP CLI.

System Manager

With System Manager, you can configure ONTAP Mediator for automated failover. You can also replace the self-signed SSL and CA with the third party validated SSL Certificate and CA if you have not already done so.

Important From ONTAP 9.14.1 through 9.8, SnapMirror active sync is referred to as SnapMirror Business Continuity (SM-BC).
ONTAP Mediator 1.9 and later
  1. Navigate to Protection > Overview > Mediator > Configure.

  2. Select Add, and enter the following ONTAP Mediator information:

    • IPv4 address

    • Username

    • Password

    • Certificate

  3. You can provide the Certificate input in two ways:

    • Option (a): Select Import to navigate to the intermediate.crt file and import it.

    • Option (b): Copy the content of the intermediate.crt file and paste it in the Certificate field.

      When all details are entered correctly, the provided certificate is installed on all the peer clusters.

      system manager mediator add

      When the certificate addition is complete, ONTAP Mediator is added to the ONTAP cluster.

      The following image demonstrates a successful ONTAP Mediator configuration:

      mediator add successful.

ONTAP Mediator 1.8 and earlier
  1. Navigate to Protection > Overview > Mediator > Configure.

  2. Select Add, and enter the following ONTAP Mediator information:

    • IPv4 address

    • Username

    • Password

    • Certificate

  3. You can provide the Certificate input in two ways:

    • Option (a): Select Import to navigate to the ca.crt file and import it.

    • Option (b): Copy the content of the ca.crt file and paste it in the Certificate field.

      When all details are entered correctly, the provided certificate is installed on all the peer clusters.

      system manager mediator add

      When the certificate addition is complete, ONTAP Mediator is added to the ONTAP cluster.

      The following image demonstrates a successful ONTAP Mediator configuration:

      mediator add successful.

CLI

You can initialize ONTAP Mediator from either the primary or secondary cluster using the ONTAP CLI. When you issue the mediator add command on one cluster, ONTAP Mediator is automatically added on the other cluster.

When using ONTAP Mediator to monitor a SnapMirror active sync relationship, ONTAP Mediator cannot be initialized in ONTAP without a valid self-signed or certificate authority (CA) certificate. You add a valid certificate to the certificate store for peered clusters. When using ONTAP Mediator to monitor MetroCluster IP systems, HTTPS isn't used after the initial configuration; therefore, certificates aren't required.

ONTAP Mediator 1.9 and later
  1. Find the ONTAP Mediator CA certificate from the ONTAP Mediator Linux VM/host software installation location cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config.

  2. Add a valid certificate authority to the certificate store on the peered cluster.

    Example:

    [root@ontap-mediator_config]# cat intermediate.crt
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
  3. Add the ONTAP Mediator CA certificate to an ONTAP cluster. When prompted, insert the CA certificate obtained from ONTAP Mediator. Repeat the steps on all of the peer clusters:

    security certificate install -type server-ca -vserver <vserver_name>

    Example:

    [root@ontap-mediator ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
    
    [root@ontap-mediator_config]# cat intermediate.crt
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    C1_test_cluster::*> security certificate install -type server-ca -vserver C1_test_cluster
    
    Please enter Certificate: Press when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    
    You should keep a copy of the CA-signed digital certificate for future reference.
    
    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: D86D8E4E87142XXX
    
    The certificate's generated name for reference: ONTAPMediatorCA
    
    C1_test_cluster::*>
  4. View the self-signed CA certificate installed using the generated name of the certificate:

    security certificate show -common-name <common_name>

    Example:

    C1_test_cluster::*> security certificate show -common-name ONTAPMediatorCA
    Vserver    Serial Number   Certificate Name                       Type
    ---------- --------------- -------------------------------------- ------------
    C1_test_cluster
               6BFD17DXXXXX7A71BB1F44D0326D2DEEXXXXX
                               ONTAPMediatorCA                        server-ca
        Certificate Authority: ONTAP Mediator CA
              Expiration Date: Thu Feb 15 14:35:25 2029
  5. Initialize ONTAP Mediator on one of the clusters. ONTAP Mediator is automatically added for the other cluster:

    snapmirror mediator add -mediator-address <ip_address> -peer-cluster <peer_cluster_name> -username user_name

    Example:

    C1_test_cluster::*> snapmirror mediator add -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -username mediatoradmin
    Notice: Enter the mediator password.
    
    Enter the password: ******
    Enter the password again: ******
  6. Optionally, check the job ID status job show -id to verify if the SnapMirror Mediator add command is successful.

    Example:

    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
    
    
    C1_test_cluster::*> snapmirror mediator add -peer-cluster C2_test_cluster -type on-prem -mediator-address 1.2.3.4 -username mediatoradmin
    
    Notice: Enter the mediator password.
    
    Enter the password:
    Enter the password again:
    
    Info: [Job: 87] 'mediator add' job queued
    
    C1_test_cluster::*> job show -id 87
                                Owning
    Job ID Name                 Vserver           Node           State
    ------ -------------------- ----------------- -------------- ----------
    87     mediator add         C1_test_cluster   C2_test        Running
    
    Description: Creating a mediator entry
    
    C1_test_cluster::*> job show -id 87
                                Owning
    Job ID Name                 Vserver           Node           State
    ------ -------------------- ----------------- -------------- ----------
    87     mediator add         C1_test_cluster   C2_test        Success
    
    Description: Creating a mediator entry
    
    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status Type
    ---------------- ---------------- ----------------- ------------- -------
    1.2.3.4          C2_test_cluster  connected         true          on-prem
    
    C1_test_cluster::*>
  7. Check the status of the ONTAP Mediator configuration:

    snapmirror mediator show

    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster   connected        true

    Quorum Status indicates whether the SnapMirror consistency group relationships are synchronized with ONTAP Mediator; a status of true indicates successful synchronization.

ONTAP Mediator 1.8 and earlier
  1. Find the ONTAP Mediator CA certificate from the ONTAP Mediator Linux VM/host software installation location cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config.

  2. Add a valid certificate authority to the certificate store on the peered cluster.

    Example:

    [root@ontap-mediator_config]# cat ca.crt
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
  3. Add the ONTAP Mediator CA certificate to an ONTAP cluster. When prompted, insert the CA certificate obtained from the ONTAP Mediator. Repeat the steps on all of the peer clusters:

    security certificate install -type server-ca -vserver <vserver_name>

    Example:

    [root@ontap-mediator ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
    
    [root@ontap-mediator_config]# cat ca.crt
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    C1_test_cluster::*> security certificate install -type server-ca -vserver C1_test_cluster
    
    Please enter Certificate: Press when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    
    You should keep a copy of the CA-signed digital certificate for future reference.
    
    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: D86D8E4E87142XXX
    
    The certificate's generated name for reference: ONTAPMediatorCA
    
    C1_test_cluster::*>
  4. View the self-signed CA certificate installed using the generated name of the certificate:

    security certificate show -common-name <common_name>

    Example:

    C1_test_cluster::*> security certificate show -common-name ONTAPMediatorCA
    Vserver    Serial Number   Certificate Name                       Type
    ---------- --------------- -------------------------------------- ------------
    C1_test_cluster
               6BFD17DXXXXX7A71BB1F44D0326D2DEEXXXXX
                               ONTAPMediatorCA                        server-ca
        Certificate Authority: ONTAP Mediator CA
              Expiration Date: Thu Feb 15 14:35:25 2029
  5. Initialize ONTAP Mediator on one of the clusters. ONTAP Mediator is automatically added for the other cluster:

    snapmirror mediator add -mediator-address <ip_address> -peer-cluster <peer_cluster_name> -username user_name

    Example:

    C1_test_cluster::*> snapmirror mediator add -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -username mediatoradmin
    Notice: Enter the mediator password.
    
    Enter the password: ******
    Enter the password again: ******
  6. Optionally, check the job ID status job show -id to verify if the SnapMirror Mediator add command is successful.

    Example:

    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
    
    
    C1_test_cluster::*> snapmirror mediator add -peer-cluster C2_test_cluster -type on-prem -mediator-address 1.2.3.4 -username mediatoradmin
    
    Notice: Enter the mediator password.
    
    Enter the password:
    Enter the password again:
    
    Info: [Job: 87] 'mediator add' job queued
    
    C1_test_cluster::*> job show -id 87
                                Owning
    Job ID Name                 Vserver           Node           State
    ------ -------------------- ----------------- -------------- ----------
    87     mediator add         C1_test_cluster   C2_test        Running
    
    Description: Creating a mediator entry
    
    C1_test_cluster::*> job show -id 87
                                Owning
    Job ID Name                 Vserver           Node           State
    ------ -------------------- ----------------- -------------- ----------
    87     mediator add         C1_test_cluster   C2_test        Success
    
    Description: Creating a mediator entry
    
    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status Type
    ---------------- ---------------- ----------------- ------------- -------
    1.2.3.4          C2_test_cluster  connected         true          on-prem
    
    C1_test_cluster::*>
  7. Check the status of the ONTAP Mediator configuration:

    snapmirror mediator show

    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster   connected        true

    Quorum Status indicates whether the SnapMirror consistency group relationships are synchronized with ONTAP Mediator; a status of true indicates successful synchronization.

Re-initialize ONTAP Mediator with third-party certificates

You might need to re-initialize ONTAP Mediator. There might be situations that require the re-initialization of ONTAP Mediator such as a change in the ONTAP Mediator IP address, certificate expiration, and so on.

The following procedure illustrates the re-initialization of ONTAP Mediator for a specific case when a self-signed certificate needs to be replaced by a third-party certificate.

About this task

You need to replace the SnapMirror active sync cluster's self-signed certificates with third-party certificates, remove the ONTAP Mediator configuration from ONTAP, and then add ONTAP Mediator.

System Manager

With System Manager, you need to remove the ONTAP Mediator version configured with the old self-signed certificate from the ONTAP cluster and re-configure the ONTAP cluster with the new third-party certificate.

Steps
  1. Select the menu options icon and select Remove to remove ONTAP Mediator.

    Note This step does not remove the self-signed server-ca from the ONTAP cluster. NetApp recommends navigating to the Certificate tab and removing it manually before performing the next step below to add a third-party certificate:

    system manager mediator remove

  2. Add ONTAP Mediator again with the correct certificate.

ONTAP Mediator is now configured with the new third-party self-signed certificate.

system manager mediator add

CLI

You can re-initialize ONTAP Mediator from either the primary or secondary cluster by using the ONTAP CLI to replace the self-signed certificate with the third-party certificate.

ONTAP Mediator 1.9 and later
  1. Remove the self-signed intermediate.crt installed earlier when you used self-signed certificates for all clusters. In the example below, there are two clusters:

    Example:

     C1_test_cluster::*> security certificate delete -vserver C1_test_cluster -common-name ONTAPMediatorCA
     2 entries were deleted.
    
     C2_test_cluster::*> security certificate delete -vserver C2_test_cluster -common-name ONTAPMediatorCA *
     2 entries were deleted.
  2. Remove the previously configured ONTAP Mediator from the SnapMirror active sync cluster using -force true:

    Example:

    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster   connected         true
    
    C1_test_cluster::*> snapmirror mediator remove -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -force true
    
    Warning: You are trying to remove the ONTAP Mediator configuration with force. If this configuration exists on the peer cluster, it could lead to failure of a SnapMirror failover operation. Check if this configuration
             exists on the peer cluster C2_test_cluster and remove it as well.
    Do you want to continue? {y|n}: y
    
    Info: [Job 136] 'mediator remove' job queued
    
    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
  3. Refer to the steps described in Replace self-signed certificates with trusted third-party certificates for instructions on how to obtain certificates from a subordinate CA, referred to as intermediate.crt.
    Replace self-signed certificates with trusted third-party certificates

    Note The intermediate.crt has certain properties that it derives from the request that need to be sent to the PKI authority, defined in the file /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/openssl_ca.cnf
  4. Add the new third-party ONTAP Mediator CA certificate intermediate.crt from the ONTAP Mediator Linux VM/host software installation location:

    Example:

    [root@ontap-mediator ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
    [root@ontap-mediator_config]# cat intermediate.crt
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
  5. Add the intermediate.crt file to the peered cluster. Repeat this step for all peer clusters:

    Example:

    C1_test_cluster::*> security certificate install -type server-ca -vserver C1_test_cluster
    
    Please enter Certificate: Press when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    
    You should keep a copy of the CA-signed digital certificate for future reference.
    
    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: D86D8E4E87142XXX
    
    The certificate's generated name for reference: ONTAPMediatorCA
    
    C1_test_cluster::*>
  6. Remove the previously configured ONTAP Mediator from the SnapMirror active sync cluster:

    Example:

    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true
    
    C1_test_cluster::*> snapmirror mediator remove -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster
    
    Info: [Job 86] 'mediator remove' job queued
    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
  7. Add ONTAP Mediator again:

    Example:

    C1_test_cluster::*> snapmirror mediator add -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -username mediatoradmin
    
    Notice: Enter the mediator password.
    
    Enter the password:
    Enter the password again:
    
    Info: [Job: 87] 'mediator add' job queued
    
    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true

    Quorum Status indicates whether the SnapMirror consistency group relationships are synchronized with the mediator; a status of true indicates successful synchronization.

ONTAP Mediator 1.8 and earlier
  1. Remove the self-signed ca.crt installed earlier when you used self-signed certificates for all clusters. In the example below, there are two clusters:

    Example:

     C1_test_cluster::*> security certificate delete -vserver C1_test_cluster -common-name ONTAPMediatorCA
     2 entries were deleted.
    
     C2_test_cluster::*> security certificate delete -vserver C2_test_cluster -common-name ONTAPMediatorCA *
     2 entries were deleted.
  2. Remove the previously configured ONTAP Mediator from the SnapMirror active sync cluster using -force true:

    Example:

    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster   connected         true
    
    C1_test_cluster::*> snapmirror mediator remove -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -force true
    
    Warning: You are trying to remove the ONTAP Mediator configuration with force. If this configuration exists on the peer cluster, it could lead to failure of a SnapMirror failover operation. Check if this configuration
             exists on the peer cluster C2_test_cluster and remove it as well.
    Do you want to continue? {y|n}: y
    
    Info: [Job 136] 'mediator remove' job queued
    
    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
  3. Refer to the steps described in Replace self-signed certificates with trusted third-party certificates for instructions on how to obtain certificates from a subordinate CA, referred to as ca.crt.
    Replace self-signed certificates with trusted third-party certificates

    Note The ca.crt has certain properties that it derives from the request that need to be sent to the PKI authority, defined in the file /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/openssl_ca.cnf
  4. Add the new third-party ONTAP Mediator CA certificate ca.crt from the ONTAP Mediator Linux VM/host software installation location:

    Example:

    [root@ontap-mediator ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
    [root@ontap-mediator_config]# cat ca.crt
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
  5. Add the intermediate.crt file to the peered cluster. Repeat this step for all peer clusters:

    Example:

    C1_test_cluster::*> security certificate install -type server-ca -vserver C1_test_cluster
    
    Please enter Certificate: Press when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----
    
    You should keep a copy of the CA-signed digital certificate for future reference.
    
    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: D86D8E4E87142XXX
    
    The certificate's generated name for reference: ONTAPMediatorCA
    
    C1_test_cluster::*>
  6. Remove the previously configured ONTAP Mediator from the SnapMirror active sync cluster:

    Example:

    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true
    
    C1_test_cluster::*> snapmirror mediator remove -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster
    
    Info: [Job 86] 'mediator remove' job queued
    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
  7. Add ONTAP Mediator again:

    Example:

    C1_test_cluster::*> snapmirror mediator add -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -username mediatoradmin
    
    Notice: Enter the mediator password.
    
    Enter the password:
    Enter the password again:
    
    Info: [Job: 87] 'mediator add' job queued
    
    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true

    Quorum Status indicates whether the SnapMirror consistency group relationships are synchronized with the mediator; a status of true indicates successful synchronization.