
The Secure Sockets Layer (SSL) protocol improves security by providing a digital certificate that authenticates storage systems and allows encrypted data to pass between the system and a browser.

SSL is built into all major browsers. Therefore, installing a digital certificate on the storage system enables the SSL capabilities between system and browser.

Unlike using FilerView to send the storage system password in plain text, using SSL and Secure FilerView improves security by encrypting the administrator’s password and all administrative communication when you manage your system from a browser.

Data ONTAP supports SSLv2 and SSLv3. You should use SSLv3 because it offers better security protections than previous SSL versions.

As a precautionary measure due to security vulnerability CVE-2009-3555, the SSL renegotiation feature is disabled in Data ONTAP.

Next topics

How to manage SSL on page 61

Setting up and starting SSL on page 62

Installing a certificate-authority-signed certificate on page 63

Testing certificates on page 63

Reinitializing SSL on page 64

Enabling or disabling SSL on page 64

Enabling or disabling SSLv2 or SSLv3 on page 65

How to manage SSL

SSL uses a certificate to provide a secure connection between the storage system and a Web browser.

If your storage system does not have SSL enabled, you can set up SecureAdmin to enable SSL and allow administrative requests over HTTPS to succeed.

SecureAdmin is set up automatically on storage systems shipped with Data ONTAP 8.0 or later. For these systems, secure protocols (including SSH, SSL, and HTTPS) are enabled by default, and nonsecure protocols (including RSH, Telnet, FTP, and HTTP) are disabled by default.

Two types of certificates are used: self-signed certificates and certificate-authority-signed certificates.

• Self-signed certificate

A certificate generated by Data ONTAP. Self-signed certificates can be used as is, but they are less secure than certificate-authority signed certificates, because the browser has no way of verifying the signer of the certificate. This means the system could be spoofed by an unauthorized server.

• Certificate-authority-signed certificate

A certificate-authority-signed certificate is a self-signed certificate that is sent to a certificate authority to be signed. The advantage of a certificate-authority-signed certificate is that it verifies to the browser that the system is the system to which the client intended to connect.

Related concepts

The default security settings on page 50

Setting up and starting SSL

Setting up SSL enables Data ONTAP to generate a self-signed certificate.

Steps

1. Enter the following command at the storage system prompt:

secureadmin setup ssl

2. If SSL has been previously set up for the storage system, Data ONTAP asks you whether you want to continue.

• Enter Y if you want to change the SSL setup.

• Enter N to exit the SSL setup.

3. Enter information when Data ONTAP prompts you.

The information you are prompted to enter includes the following:

• Country, state, or province name

• Company or organization name

• Domain name

• Administrator email

• Days until expires

• Key length in bits

To use the default settings, press Enter at each of the prompts.

When the SSL setup is complete, Data ONTAP generates secureadmin.pem files and saves them in the appropriate subdirectories (cert, key, and csr) in the /etc/keymgr directory.

Related tasks

Installing a certificate-authority-signed certificate on page 63

Testing certificates on page 63

Installing a certificate-authority-signed certificate

The advantage of a certificate-authority-signed certificate is that it verifies to the browser that the system is the system to which the client intended to connect.

Steps

1. Send the certificate signing request, secureadmin.pem, to the certificate authority. This file is found in the /etc/keymgr/cert directory on the storage system.

Note: This process might take a few days.

2. Back up the secureadmin.pem file by making a copy.

3. When the certificate authority returns the signed certificate, copy the signed certificate into a temporary location on the storage system.

4. Install the certificate by entering the following command:

secureadmin addcert ssl directory_path

directory_path is the full path to the certificate.

Example

The following command installs a certificate called secureadmin.pem, currently located in the tempdir directory, into the /etc/keymgr directory:

secureadmin addcert ssl /etc/tempdir/secureadmin.pem

5. Disable SSL by entering the following command:

secureadmin disable ssl

6. Enable SSL by entering the following command:

secureadmin enable ssl

Related tasks

Testing certificates on page 63

Testing certificates

After installing either a self-signed certificate or a certificate-authority-signed certificate, you should test the certification to verify that it is installed correctly.

Steps

1. Start your Web browser.

2. Enter the following URL:

https://systemname/na_admin

systemname is the name of your storage system.

3. Click FilerView.

Secure FilerView starts up in a new browser window.

4. Check your browser to verify that you have made a secure connection.

Note: Most browsers show a small padlock icon in their status bar when they have successfully made a secure connection to the server. If the padlock icon is not displayed, you might not have a secure connection.

Reinitializing SSL

You should reinitialize SSL if you change the domain name of the storage system. When you change the domain name of your system, the domain name recorded in the certificate becomes obsolete. As a result, the storage system is not authenticated after the domain name change, although the connection is still encrypted. The next time you connect to the system, the browser issues a warning that the domain name of the system does not match the record on the certificate.

Changing the domain name for a storage system that is using SSL can cost time and money because you must have the new certificate signed by a certificate authority.

Steps

1. Disable SecureAdmin by entering the following command:

secureadmin disable ssl

2. Use the secureadmin setup ssl command to reinitialize SSL.

Related tasks

Setting up and starting SSL on page 62

Enabling or disabling SSL

Enabling SSL allows administrative requests over HTTPS to succeed. Disabling SSL disallows all administrative requests over HTTPS.

Before enabling SSL for the first time, you must set up SSL and install a certificate signed by a certificate authority.

Step

1. To enable or disable SSL, enter the following command:

secureadmin {enable|disable} ssl

Use enable to start SSL. Use disable to deactivate SSL.

Related tasks

Setting up and starting SSL on page 62

Installing a certificate-authority-signed certificate on page 63

Testing certificates on page 63

Enabling or disabling SSLv2 or SSLv3

If your storage system has the SSL protocol enabled, you can specify the SSL version(s) to use.

Enabling the SSL versions alone does not enable the SSL protocol for the storage system. To use SSL, ensure that the protocol is enabled on your storage system.

SSLv3 is recommended over SSLv2 because SSLv3 offers better security protection than SSLv2.

You can leave both SSL versions enabled, or you can disable one of them. In addition to enabling the SSL protocol, you must also have at least one SSL version enabled for the storage system to use SSL for communication.

Step

1. Enter the following command to enable or disable SSLv2 or SSLv3:

To enable or disable this SSL version, enter the following command:

SSLv2: options ssl.v2.enable {on|off}

SSLv3: options ssl.v3.enable {on|off}

Setting the option to on (the default) enables the SSL version on HTTPS and LDAP connections, if the following options are also set to on:

httpd.admin.ssl.enable (for HTTPS)

ldap.ssl.enable (for LDAP)

Setting the option to off disables the SSL version on HTTPS and LDAP connections.

For more information about these options, see the na_options(1) man page.

For more information about LDAP, see the Data ONTAP 7-Mode File Access and Protocols Management Guide.
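The dependencies described in this section (the SSL protocol must be enabled, at least one SSL version must be on, and a version only takes effect for HTTPS or LDAP when httpd.admin.ssl.enable or ldap.ssl.enable is also on) can be checked with a small audit script. This is an added example, not Data ONTAP code; it assumes option settings are supplied as "name value" lines in the style of options output and that the SSL protocol state from secureadmin is passed in as a boolean; the sample input is constructed.

```python
"""Audit a Data ONTAP 7-Mode SSL configuration against the rules in this section.

Assumptions (not from the product): options are given as "name value" lines
and the secureadmin SSL protocol state is passed as a boolean.
"""
import re

# Constructed sample in the shape of `options` output (one "name value" per line).
SAMPLE_OPTIONS = """\
httpd.admin.ssl.enable on
ldap.ssl.enable off
ssl.v2.enable on
ssl.v3.enable on
"""

OPTION_RE = re.compile(r"^\s*(?P<name>[\w.]+)\s+(?P<value>\S+)")
VERSION_OPTIONS = {"SSLv2": "ssl.v2.enable", "SSLv3": "ssl.v3.enable"}
SERVICE_OPTIONS = {"HTTPS": "httpd.admin.ssl.enable", "LDAP": "ldap.ssl.enable"}


def parse_options(text):
    """Return {option_name: value} from options-style lines; other lines are skipped."""
    opts = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            opts[m.group("name")] = m.group("value").lower()
    return opts


def enabled_versions(opts):
    """SSL versions whose option is on (the documented default is on)."""
    return [v for v, opt in VERSION_OPTIONS.items() if opts.get(opt, "on") == "on"]


def effective_ssl_versions(opts, ssl_protocol_enabled):
    """Per service, the versions actually usable: protocol on, service option on, version on."""
    result = {}
    for service, gate in SERVICE_OPTIONS.items():
        usable = ssl_protocol_enabled and opts.get(gate) == "on"
        result[service] = enabled_versions(opts) if usable else []
    return result


def audit(opts, ssl_protocol_enabled):
    """Findings an administrator should act on, as plain strings."""
    findings = []
    versions = enabled_versions(opts)
    if not ssl_protocol_enabled:
        findings.append("SSL protocol disabled: run 'secureadmin enable ssl' after setup")
    if not versions:
        findings.append("no SSL version enabled: SSL cannot be used even with the protocol on")
    if "SSLv2" in versions:
        findings.append("SSLv2 enabled: SSLv3 is recommended; use 'options ssl.v2.enable off'")
    for service, eff in effective_ssl_versions(opts, ssl_protocol_enabled).items():
        if ssl_protocol_enabled and not eff:
            findings.append(f"{service}: no SSL version effective ({SERVICE_OPTIONS[service]} off?)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_options(SAMPLE_OPTIONS), ssl_protocol_enabled=True):
        print("FINDING:", finding)
```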

Related tasks

Setting up and starting SSL on page 62

Related documents