Modify the SP API service configuration

Contributors

The SP API is a secure network API that enables ONTAP to communicate with the SP over the network. You can change the port used by the SP API service, renew the certificates the service uses for internal communication, or disable the service entirely. You need to modify the configuration only in rare situations.

About this task
  • The SP API service uses port 50000 by default.

    You can change the port value if, for example, you are in a network setting where port 50000 is used for communication by another networking application, or you want to differentiate between traffic from other applications and traffic generated by the SP API service.

  • The SSL and SSH certificates used by the SP API service are internal to the cluster and not distributed externally.

    In the unlikely event that the certificates are compromised, you can renew them.

  • The SP API service is enabled by default.

    You only need to disable the SP API service in rare situations, such as in a private LAN where the SP is not configured or used and you want to disable the service.

    If the SP API service is disabled, the API does not accept any incoming connections. In addition, functionality such as network-based SP firmware updates and network-based SP “down system” log collection becomes unavailable. The system switches to using the serial interface.

Steps
  1. Switch to the advanced privilege level by using the set -privilege advanced command.

  2. Modify the SP API service configuration:

    If you want to…​ Use the following command…​

    Change the port used by the SP API service

    system service-processor api-service modify with the -port {49152..65535} parameter

    Renew the SSL and SSH certificates used by the SP API service for internal communication

    • For ONTAP 9.5 or later use system service-processor api-service renew-internal-certificate

    • For ONTAP 9.4 and earlier use

    • system service-processor api-service renew-certificates

      If no parameter is specified, only the host certificates (including the client and server certificates) are renewed.

      If the -renew-all true parameter is specified, both the host certificates and the root CA certificate are renewed.

    comm

    Disable or reenable the SP API service

    system service-processor api-service modify with the -is-enabled {true|false} parameter

  3. Display the SP API service configuration by using the system service-processor api-service show command.