Integrate KeyControl with NetApp ONTAP
Install the KeyControl client bundle into NetApp ONTAP
- Open a command window and log in remotely to the NetApp ONTAP Cluster Management.
    % ssh admin@xxx.xxx.xxx.xxx
- Install the KeyControl Client Certificate into NetApp ONTAP.
  Paste the certificate section from the NetApp-ONTAP.pem file from section deploy-entrust-kc.adoc#create-client-cert-bundle when prompted. Paste the private key section when prompted.

    mycluster::> security certificate install -vserver mycluster -type client -subtype kmip-cert

    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    MIIEaDCCA1CgAwIBAgIEfhphJTANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJV
    . . .
    Ib/yNAFPx5aYqVv7b1RKCnTUYnhn/dyGPUuVQgrtQRKx6tQUbLhIHW/z8qMzJf/w
    hnQE/yaXuHl3ofbRJ9Q9IxtYz4jtdluEXQkVxUvu+weqYz6l+jl+7CeFvO2yhjSd
    bX8bICgNVFhPjoxY7/BLFCaBDhsnhYpO9Wr1uXh6TxbmnxSwYipZLzBGpnagl47V
    RMM5ZEqIjkwJh1CurTN5JuLFZPYV9zNNHKKEiQ==
    -----END CERTIFICATE-----

    Please enter Private Key: Press <Enter> when done
    -----BEGIN PRIVATE KEY-----
    MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCj7+BP2YfDiUiW
    . . .
    QiHLPgQodyWE0zO50+2c/vBopas2bCz8y/klWwm87Er8LAqP3PhFcGMe4+NlFB4V
    W0toY9yZQ6MI6mtMCtISGPnCOdpcKv8SF8Btf76PTlpUzzJ3qBbg+3XytojZ4udg
    T0ScRW+7m8qKuyJCbC7oLyEaeuMcU/A=
    -----END PRIVATE KEY-----

    Enter certificates of certification authorities (CA) which form the certificate chain of the client certificate. This starts with the issuing CA certificate of the client certificate and can range up to the root CA certificate.

    Do you want to continue entering root and/or intermediate certificates {y|n}: n

    You should keep a copy of the private key and the CA-signed digital certificate for future reference.

    The installed certificate's CA and serial number for reference:
    CA: HyTrust KeyControl Certificate Authority
    serial: 7E1A6125

    The certificate's generated name for reference: NetApp-ONTAP
- Note the certificate’s generated name above, e.g. NetApp-ONTAP. It will be needed in section Setup KeyControl as the external KMIP server.
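The bundle can be checked offline before it is pasted into the prompts. The following added example (not part of the original guide, and not Entrust or NetApp tooling) splits a PEM bundle into its certificate and private key sections and reads the certificate serial number, so it can be compared with the serial ONTAP reports after the install. The function names are hypothetical, and the sample bundle is constructed: it holds only the leading certificate headers with the serial shown above and a placeholder in place of key material.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def split_bundle(pem_text):
    """Return {label: [der_bytes, ...]} for every PEM block in the bundle."""
    sections = {}
    for label, body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        sections.setdefault(label, []).append(der)
    return sections

def read_header(buf, pos):
    """Read one DER tag/length header; return (tag, length, value offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos

def cert_serial(der):
    """Walk Certificate -> tbsCertificate -> [0] version -> serialNumber."""
    _, _, pos = read_header(der, 0)        # outer Certificate SEQUENCE
    _, _, pos = read_header(der, pos)      # tbsCertificate SEQUENCE
    tag, length, val = read_header(der, pos)
    if tag == 0xA0:                        # explicit version field, skip over it
        tag, length, val = read_header(der, val + length)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return format(int.from_bytes(der[val:val + length], "big"), "X")

def check_client_bundle(pem_text):
    """Require exactly one certificate and one private key; return the serial."""
    sections = split_bundle(pem_text)
    certs, keys = sections.get("CERTIFICATE", []), sections.get("PRIVATE KEY", [])
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"expected 1 certificate and 1 key, got {len(certs)} and {len(keys)}")
    return cert_serial(certs[0])

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
# Constructed sample: leading DER headers of a certificate carrying serial 7E1A6125,
# plus a placeholder instead of key material. A real bundle holds complete blocks.
CERT_HEAD = bytes.fromhex("30820468 30820350 a003020102 02047e1a6125")
SAMPLE = pem("CERTIFICATE", CERT_HEAD) + pem("PRIVATE KEY", b"constructed placeholder")
if __name__ == "__main__":
    print(check_client_bundle(SAMPLE))  # compare with the serial ONTAP echoes
```

A bundle whose key block carries a different PEM label, or that contains extra certificates, is rejected by `check_client_bundle` instead of being pasted into the wrong prompt.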
Setup KeyControl as the external KMIP server
- Open a command window and log in remotely to the NetApp ONTAP Cluster Management.
- Enable the external KMIP server.
  The argument of -client-cert is the certificate’s generated name from section Install the KeyControl client bundle into NetApp ONTAP: NetApp-ONTAP. The argument of -server-ca-certs is the certificate’s generated name from section Deploy NetApp Simulate ONTAP: INTEROP-ROOT-CA-CA.
  Note that the IP addresses of both nodes in the KeyControl cluster are given in -key-servers.

    mycluster::> security key-manager external enable -key-servers xx.xxx.xxx.xxx:5696,xx.xxx.xxx.xxx:5696 -client-cert NetApp-ONTAP -server-ca-certs INTEROP-ROOT-CA-CA
- Verify that external key management is configured.

    mycluster::> security key-manager external show-status

    Node  Vserver  Primary Key Server                                 Status
    ----  -------  -------------------------------------------------  ------------
    mycluster-01
          mycluster
                   xx.xxx.xxx.xxx:5696                                available
                   xx.xxx.xxx.xxx:5696                                available
    2 entries were displayed.