本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。
準備配置ONTAP Cloud Mediator
貢獻者
建議變更
PDF
在你之前"配置ONTAP Cloud Mediator" ,您必須確保滿足先決條件。
防火牆需求
網域控制器上的防火牆設定必須允許 HTTPS 流量 `api.bluexp.netapp.com`來自兩個集群。
代理伺服器要求
如果您使用代理伺服器進行SnapMirror主動同步,請確保已建立代理伺服器並且您具有以下代理伺服器資訊:
-
HTTPS代理IP
-
連接埠
-
使用者名稱
-
密碼
延遲
BlueXP雲端伺服器和SnapMirror主動同步叢集對等點之間的建議 ping 延遲小於 200 毫秒。
根 CA 憑證
檢查集群的證書
ONTAP預先安裝了知名根 CA 證書,因此大多數情況下您無需安裝BlueXP伺服器的根 CA 憑證。在開始ONTAP Cloud Mediator 設定之前,您可以檢查叢集以驗證憑證是否存在:
範例:
C1_cluster% openssl s_client -showcerts -connect api.bluexp.netapp.com:443|egrep "s:|i:"
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 04
verify return:1
depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = *.azureedge.net
verify return:1
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=*.azureedge.net
i:/C=US/O=Microsoft Corporation/CN=Microsoft Azure RSA TLS Issuing CA 04
1 s:/C=US/O=Microsoft Corporation/CN=Microsoft Azure RSA TLS Issuing CA 04
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 <====
C1_cluster::> security certificate show -common-name DigiCert*
Vserver Serial Number Certificate Name Type
---------- --------------- -------------------------------------- ------------
C1_cluster 0CE7E0EXXXXX46FE8FE560FC1BFXXXXX DigiCertAssuredIDRootCA server-ca
Certificate Authority: DigiCert Assured ID Root CA
Expiration Date: Mon Nov 10 05:30:00 2031
C1_cluster 0B931C3XXXXX67EA6723BFC3AF9XXXXX DigiCertAssuredIDRootG2 server-ca
Certificate Authority: DigiCert Assured ID Root G2
Expiration Date: Fri Jan 15 17:30:00 2038
C1_cluster 0BA15AFXXXXXA0B54944AFCD24AXXXXX DigiCertAssuredIDRootG3 server-ca
Certificate Authority: DigiCert Assured ID Root G3
Expiration Date: Fri Jan 15 17:30:00 2038
C1_cluster 083BE05XXXXX46B1A1756AC9599XXXXX DigiCertGlobalRootCA server-ca
Certificate Authority: DigiCert Global Root CA
Expiration Date: Mon Nov 10 05:30:00 2031
C1_cluster 033AF1EXXXXXA9A0BB2864B11D0XXXXX DigiCertGlobalRootG2 server-ca
Certificate Authority: DigiCert Global Root G2
Expiration Date: Fri Jan 15 17:30:00 2038
C1_cluster 055556BXXXXXA43535C3A40FD5AXXXXX DigiCertGlobalRootG3 server-ca
Certificate Authority: DigiCert Global Root G3
Expiration Date: Fri Jan 15 17:30:00 2038
C1_cluster 02AC5C2XXXXX409B8F0B79F2AE4XXXXX DigiCertHighAssuranceEVRootCA server-ca
Certificate Authority: DigiCert High Assurance EV Root CA
Expiration Date: Mon Nov 10 05:30:00 2031
C1_cluster 059B1B5XXXXX2132E23907BDA77XXXXX DigiCertTrustedRootG4 server-ca
Certificate Authority: DigiCert Trusted Root G4
Expiration Date: Fri Jan 15 17:30:00 2038
檢查代理伺服器是否安裝了證書
如果您使用代理程式連接到BlueXP中的ONTAP Cloud Mediator 服務,請確保代理伺服器的根 CA 憑證已安裝在ONTAP中:
範例:
C1_cluster% openssl s_client -showcerts -proxy <ip:port> -connect api.bluexp.netapp.com:443 |egrep "s:|i:"
下載CA憑證:
如果需要,您可以從憑證授權單位的網站下載根 CA 憑證並將其安裝在叢集上。
範例:
C1_cluster::> security certificate install -type server-ca -vserver C1_cluster C2_cluster::> security certificate install -type server-ca -vserver C2_cluster