Security features

Contributors netapp-nsriram netapp-soumikd netapp-asubhas

SnapCenter employs strict security and authentication features to enable you to keep your data secure.

SnapCenter includes the following security features:

  • All communication to SnapCenter uses HTTP over SSL (HTTPS).

  • All credentials in SnapCenter are protected using Advanced Encryption Standard (AES) encryption.

  • SnapCenter uses security algorithms that are compliant with the Federal Information Processing Standard (FIPS).

  • SnapCenter supports using the authorized CA certificates provided by the customer.

  • SnapCenter 4.1.1 or later supports Transport Layer Security (TLS) 1.2 communication with ONTAP. You can also use TLS 1.2 communication between clients and servers.

  • SnapCenter supports a certain set of SSL Cipher suites to provide security across network communication.

    For more information, see How to configure supported SSL Cipher Suite.

  • SnapCenter is installed inside your company’s firewall to enable access to the SnapCenter Server and to enable communication between the SnapCenter Server and the plug-ins.

  • SnapCenter API and operation access uses tokens encrypted with AES encryption, which expire after 24 hours.

  • SnapCenter integrates with Windows Active Directory for login and role-based access control (RBAC) that govern access permissions.

  • IPsec is supported with SnapCenter on ONTAP for Windows and Linux host machines. Learn more.

  • SnapCenter PowerShell cmdlets are session secured.

  • After a default period of 15 minutes of inactivity, SnapCenter warns you that you will be logged out in 5 minutes. After 20 minutes of inactivity, SnapCenter logs you out, and you must log in again. You can modify the log out period.

  • Login is temporarily disabled after 5 or more incorrect login attempts.

  • Supports CA certificate authentication between SnapCenter Server and ONTAP. Learn more.

  • Integrity Verifier is added to the SnapCenter Server and the plug-ins and it validates all the shipped binaries during fresh installation and upgrade operations.

CA Certificate Overview

The SnapCenter Server installer enables the Centralized SSL Certificate Support during installation. To enhance the secured communication between the server and the plug-in, SnapCenter supports using the authorized CA certificates provided by the customer.

You should deploy CA certificates after installing the SnapCenter Server and the respective plug-ins. For more information, see Generate CA Certificate CSR file.

You can also deploy CA certificate for SnapCenter plug-in for VMware vSphere. For more information, see Create and import certificates.

Two-way SSL communication

Two-way SSL communication secures the mutual communication between SnapCenter Server and the plug-ins.

Certificate based authentication Overview

Certificate based authentication verifies the authenticity of respective users who try to access the SnapCenter plug-in host. User should export the SnapCenter Server certificate without private key and import it in the plug-in host trusted store. Certificate based authentication works only if the two-way SSL feature is enabled.

Multi-factor authentication (MFA)

MFA uses a third-party Identity Provider (IdP) via the Security Assertion Markup Language (SAML) to manage user sessions. This functionality enhances the authentication security by having an option to use multiple factors such as TOTP, biometrics, push notifications etc. along with the existing username & password. Also, it enables the customer to use their own user identity providers to get unified user login (SSO) across their portfolio.

MFA is applicable only for SnapCenter Server UI login. The logins are authenticated through the IdP Active Directory Federation Services (AD FS). You can configure various authentication factors at AD FS. SnapCenter is the service provider and you should configure SnapCenter as a relying party in AD FS. To enable MFA in SnapCenter, you will require the AD FS metadata.

For information to enable MFA, see Enable Multi-factor authentication.