Configure the ONTAP Mediator and clusters for SnapMirror active sync
SnapMirror active sync utilizes peered clusters to ensure your data is available in the event of a failover scenario. The ONTAP Mediator is a key resource ensuring business continuity, monitoring the health of each cluster. To configure SnapMirror active sync, you must first install the ONTAP Mediator and ensure your primary and secondary clusters are configured properly.
Once you have installed the ONTAP Mediator and configured your clusters, you must initialize the ONTAP Mediator for use with SnapMirror active sync (see Initialize the ONTAP Mediator for SnapMirror active sync using self-signed certificates). You must then create, initialize, and map the consistency group for SnapMirror active sync.
ONTAP Mediator
The ONTAP Mediator provides a persistent and fenced store for high availability (HA) metadata used by the ONTAP clusters in a SnapMirror active sync relationship. Additionally, ONTAP Mediator provides a synchronous node health query functionality to aid in quorum determination and serves as a ping proxy for controller liveliness detection.
- The ONTAP Mediator includes its own set of prerequisites. You must meet these prerequisites before installing the mediator.
  For more information, see Prepare to install the ONTAP Mediator service.
- By default, the ONTAP Mediator provides service through TCP port 31784. You should make sure that port 31784 is open and available between the ONTAP clusters and the mediator.
Install the ONTAP Mediator and confirm cluster configuration
Proceed through each of the following steps. For each step, you should confirm that the specific configuration has been performed. Use the link included after each step to get more information as needed.
- Install the ONTAP Mediator service before you ensure that your source and destination clusters are configured properly.
- Confirm that a cluster peering relationship exists between the clusters.
  The default IPspace is required by SnapMirror active sync for cluster peer relationships. A custom IPspace is not supported.
- Confirm that the Storage VMs are created on each cluster.
- Confirm that a peer relationship exists between the Storage VMs on each cluster.
- Confirm that the volumes exist for your LUNs.
- Confirm that at least one SAN LIF is created on each node in the cluster.
- Confirm that the necessary LUNs are created and mapped to an igroup, which is used to map LUNs to the initiator on the application host.
- Rescan the application host to discover any new LUNs.
Initialize the ONTAP Mediator for SnapMirror active sync using self-signed certificates
Once you have installed the ONTAP Mediator and confirmed your cluster configuration, you must initialize the ONTAP Mediator for cluster monitoring. You can initialize the ONTAP Mediator using System Manager or the ONTAP CLI.
With System Manager, you can configure the ONTAP Mediator server for automated failover. You can also replace the self-signed SSL and CA with the third-party validated SSL certificate and CA if you have not already done so.
From ONTAP 9.8 through 9.14.1, SnapMirror active sync is referred to as SnapMirror Business Continuity (SM-BC).
- Navigate to Protection > Overview > Mediator > Configure.
- Select Add, and enter the following ONTAP Mediator server information:
  - IPv4 address
  - Username
  - Password
  - Certificate
- You can provide the Certificate input in two ways:
  - Option (a): Select Import to navigate to the .crt file and import it.
  - Option (b): Copy the content of the .crt file and paste in the Certificate field.
  When all details are entered correctly, the provided certificate is installed on all the peer clusters.
  When the certificate addition is complete, the ONTAP Mediator is added to the ONTAP cluster.
  [Image: a successful ONTAP Mediator configuration]
You can initialize the ONTAP Mediator from either the primary or secondary cluster using the ONTAP CLI. When you issue the mediator add command on one cluster, the ONTAP Mediator is automatically added on the other cluster.
When using Mediator to monitor a SnapMirror active sync relationship, Mediator cannot be initialized in ONTAP without a valid self-signed or certificate authority (CA) certificate. You add a valid certificate to the certificate store for peered clusters. When using Mediator to monitor MetroCluster IP systems, HTTPS is not used after the initial configuration; therefore, certificates are not required.
- Find the ONTAP Mediator CA certificate from the ONTAP Mediator Linux VM/host software installation location:
    cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
- Add a valid certificate authority to the certificate store on the peered cluster.
  Example
    [root@ontap-mediator server_config]# cat ca.crt
    -----BEGIN CERTIFICATE-----
    MIIFxTCCA62gAwIBAgIJANhtjk6HFCiOMA0GCSqGSIb3DQEBCwUAMHgxFTATBgNV
    BAoMDE5ldEFwcCwgSW5jLjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
    …
    p+jdg5bG61cxkuvbRm7ykFbih1b88/Sgu5XJg2KRhjdISF98I81N+Fo=
    -----END CERTIFICATE-----
- Add the ONTAP Mediator CA certificate to an ONTAP cluster. When prompted, insert the CA certificate obtained from the ONTAP Mediator. Repeat the steps on all of the peer clusters:
    security certificate install -type server-ca -vserver <vserver_name>
  Example
    [root@ontap-mediator ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
    [root@ontap-mediator server_config]# cat ca.crt
    -----BEGIN CERTIFICATE-----
    MIIFxTCCA62gAwIBAgIJANhtjk6HFCiOMA0GCSqGSIb3DQEBCwUAMHgxFTATBgNV
    BAoMDE5ldEFwcCwgSW5jLjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
    …
    p+jdg5bG61cxkuvbRm7ykFbih1b88/Sgu5XJg2KRhjdISF98I81N+Fo=
    -----END CERTIFICATE-----

    C1_test_cluster::*> security certificate install -type server-ca -vserver C1_test_cluster

    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    MIIFxTCCA62gAwIBAgIJANhtjk6HFCiOMA0GCSqGSIb3DQEBCwUAMHgxFTATBgNV
    BAoMDE5ldEFwcCwgSW5jLjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
    …
    p+jdg5bG61cxkuvbRm7ykFbih1b88/Sgu5XJg2KRhjdISF98I81N+Fo=
    -----END CERTIFICATE-----

    You should keep a copy of the CA-signed digital certificate for future reference.

    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: D86D8E4E87142XXX

    The certificate's generated name for reference: ONTAPMediatorCA

    C1_test_cluster::*>
- View the self-signed CA certificate installed using the generated name of the certificate:
    security certificate show -common-name <common_name>
  Example
    C1_test_cluster::*> security certificate show -common-name ONTAPMediatorCA
    Vserver    Serial Number   Certificate Name                       Type
    ---------- --------------- -------------------------------------- ------------
    C1_test_cluster
               6BFD17DXXXXX7A71BB1F44D0326D2DEEXXXXX
                               ONTAPMediatorCA                        server-ca
        Certificate Authority: ONTAP Mediator CA
              Expiration Date: Thu Feb 15 14:35:25 2029
- Initialize the ONTAP Mediator on one of the clusters. The ONTAP Mediator is automatically added for the other cluster:
    snapmirror mediator add -mediator-address <ip_address> -peer-cluster <peer_cluster_name> -username user_name
  Example
    C1_test_cluster::*> snapmirror mediator add -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -username mediatoradmin
    Notice: Enter the mediator password.

    Enter the password: ******
    Enter the password again: ******
- Check the status of the ONTAP Mediator configuration:
    snapmirror mediator show

    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true

  Quorum Status indicates whether the SnapMirror consistency group relationships are synchronized with the ONTAP Mediator; a status of true indicates successful synchronization.
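The Connection Status and Quorum Status columns above, together with the Expiration Date reported by security certificate show, are the values worth checking on a schedule. The following Python is an added example, not NetApp code: it parses captured CLI output and reports problems. The sample text is constructed from this page's examples, and the function names and the 30-day warning window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample output, modelled on the examples on this page.
MEDIATOR_SHOW = """\
Mediator Address Peer Cluster     Connection Status Quorum Status
---------------- ---------------- ----------------- -------------
1.2.3.4          C2_test_cluster  connected         true
"""
CERT_SHOW = """\
                ONTAPMediatorCA                        server-ca
    Certificate Authority: ONTAP Mediator CA
          Expiration Date: Thu Feb 15 14:35:25 2029
"""
SEP = re.compile(r"^\s*-+(\s+-+)+\s*$")  # the dashed line under the column headers

def parse_mediator_show(text):
    """Return one dict per table row; 'This table is currently empty.' yields []."""
    rows, in_body = [], False
    for line in text.splitlines():
        if SEP.match(line):
            in_body = True
        elif in_body and len(f := line.split()) == 4 and f[3] in ("true", "false"):
            addr, peer, conn, quorum = f
            rows.append({"address": addr, "peer": peer,
                         "connection": conn, "quorum": quorum == "true"})
    return rows

def cert_expiry(text):
    """Extract the Expiration Date field as a naive datetime, or None if absent."""
    m = re.search(r"Expiration Date:\s*(.+)", text)
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y") if m else None

def findings(mediator_text, cert_text, now, warn_days=30):
    """Return a list of problems; an empty list means the setup looks healthy."""
    rows = parse_mediator_show(mediator_text)
    out = [] if rows else ["no mediator configured"]
    for r in rows:
        if r["connection"] != "connected" or not r["quorum"]:
            out.append(f"{r['address']}: connection={r['connection']} quorum={r['quorum']}")
    exp = cert_expiry(cert_text)
    if exp is None:
        out.append("mediator CA certificate not found")
    elif exp - now < timedelta(days=warn_days):  # assumed warning window
        out.append(f"mediator CA certificate expires {exp:%Y-%m-%d}")
    return out

if __name__ == "__main__":
    print(findings(MEDIATOR_SHOW, CERT_SHOW, datetime.now()) or "healthy")
```

Run the check against output captured from each peer cluster, since the CA certificate is installed on every cluster separately.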
Re-initialize ONTAP Mediator with third-party certificates
You might need to re-initialize the ONTAP Mediator service in situations such as a change in the ONTAP Mediator IP address, certificate expiration, and more.
The following procedure illustrates the re-initialization of ONTAP Mediator for a specific case when a self-signed certificate needs to be replaced by a third-party certificate.
You need to replace the SM-BC cluster's self-signed certificates with third-party certificates, remove the ONTAP Mediator configuration from ONTAP, and then add the ONTAP Mediator.
With System Manager, you need to remove the ONTAP Mediator configured with the old self-signed certificate from the ONTAP cluster and re-configure the ONTAP cluster with the new third-party certificate.
- Select the menu options icon and select Remove to remove the ONTAP Mediator.
  This step does not remove the self-signed server-ca from the ONTAP cluster. NetApp recommends navigating to the Certificate tab and removing it manually before performing the next step below to add a third-party certificate.
- Add the ONTAP Mediator again with the correct certificate.
The ONTAP Mediator is now configured with the new third-party certificate.
You can re-initialize the ONTAP Mediator from either the primary or secondary cluster by using the ONTAP CLI to replace the self-signed certificate with the third-party certificate.
- Remove the self-signed ca.crt installed earlier when you used self-signed certificates for all clusters. In the example below, there are two clusters:
  Example
    C1_test_cluster::*> security certificate delete -vserver C1_test_cluster -common-name ONTAPMediatorCA
    2 entries were deleted.

    C2_test_cluster::*> security certificate delete -vserver C2_test_cluster -common-name ONTAPMediatorCA *
    2 entries were deleted.
- Remove the previously configured ONTAP Mediator from the SM-BC cluster using -force true:
  Example
    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true

    C1_test_cluster::*> snapmirror mediator remove -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -force true

    Warning: You are trying to remove the ONTAP Mediator configuration with force. If this configuration exists on the peer cluster, it could lead to failure of a SnapMirror failover operation. Check if this configuration exists on the peer cluster C2_test_cluster and remove it as well.
    Do you want to continue? {y|n}: y

    Info: [Job 136] 'mediator remove' job queued

    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
- Refer to the steps described in Replace self-signed certificates with trusted third-party certificates on how to obtain certificates from a subordinate CA, referred to as ca.crt.
  The ca.crt has certain properties that it derives from the request that needs to be sent to the PKI authority, defined in the file /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config/openssl_ca.cnf.
- Add the new third-party ONTAP Mediator CA certificate ca.crt from the ONTAP Mediator Linux VM/host software installation location:
  Example
    [root@ontap-mediator ~]# cd /opt/netapp/lib/ontap_mediator/ontap_mediator/server_config
    [root@ontap-mediator server_config]# cat ca.crt
    -----BEGIN CERTIFICATE-----
    MIIFxTCCA62gAwIBAgIJANhtjk6HFCiOMA0GCSqGSIb3DQEBCwUAMHgxFTATBgNV
    BAoMDE5ldEFwcCwgSW5jLjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
    …
    p+jdg5bG61cxkuvbRm7ykFbih1b88/Sgu5XJg2KRhjdISF98I81N+Fo=
    -----END CERTIFICATE-----
- Add the ca.crt file to the peered cluster. Repeat this step for all the peer clusters:
  Example
    C1_test_cluster::*> security certificate install -type server-ca -vserver C1_test_cluster

    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    MIIFxTCCA62gAwIBAgIJANhtjk6HFCiOMA0GCSqGSIb3DQEBCwUAMHgxFTATBgNV
    BAoMDE5ldEFwcCwgSW5jLjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
    …
    p+jdg5bG61cxkuvbRm7ykFbih1b88/Sgu5XJg2KRhjdISF98I81N+Fo=
    -----END CERTIFICATE-----

    You should keep a copy of the CA-signed digital certificate for future reference.

    The installed certificate's CA and serial number for reference:
    CA: ONTAP Mediator CA
    serial: D86D8E4E87142XXX

    The certificate's generated name for reference: ONTAPMediatorCA

    C1_test_cluster::*>
- Remove the previously configured ONTAP Mediator from the SnapMirror active sync cluster:
  Example
    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true

    C1_test_cluster::*> snapmirror mediator remove -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster

    Info: [Job 86] 'mediator remove' job queued

    C1_test_cluster::*> snapmirror mediator show
    This table is currently empty.
- Add the ONTAP Mediator again:
  Example
    C1_test_cluster::*> snapmirror mediator add -mediator-address 1.2.3.4 -peer-cluster C2_test_cluster -username mediatoradmin
    Notice: Enter the mediator password.

    Enter the password:
    Enter the password again:

    Info: [Job: 87] 'mediator add' job queued

    C1_test_cluster::*> snapmirror mediator show
    Mediator Address Peer Cluster     Connection Status Quorum Status
    ---------------- ---------------- ----------------- -------------
    1.2.3.4          C2_test_cluster  connected         true

  Quorum Status indicates whether the SnapMirror consistency group relationships are synchronized with the mediator; a status of true indicates successful synchronization.