
The SSL protocol

The Secure Sockets Layer (SSL) protocol improves security by providing a digital certificate that authenticates storage systems and allows encrypted data to pass between the system and a browser.

SSL is built into all major browsers. Therefore, installing a digital certificate on the storage system enables the SSL capabilities between system and browser.

Unlike using FilerView to send the storage system password in plain text, using SSL and Secure FilerView improves security by encrypting the administrator’s password and all administrative communication when you manage your system from a browser.

Data ONTAP supports SSLv2, SSLv3, and Transport Layer Security version 1.0 (TLSv1.0). You should use TLSv1.0 or SSLv3 because they offer better security protection than earlier SSL versions.

As a precautionary measure due to security vulnerability CVE-2009-3555, the SSL renegotiation feature is disabled in Data ONTAP.

Next topics

How to manage SSL on page 58

Setting up and starting SSL on page 59

Installing a certificate-authority-signed certificate on page 59

Testing certificates on page 60

Reinitializing SSL on page 61

Enabling or disabling SSL on page 61

Enabling or disabling SSLv2 or SSLv3 on page 61

Enabling or disabling TLS on page 62

How to manage SSL

SSL uses a certificate to provide a secure connection between the storage system and a Web browser.

If your storage system does not have SSL enabled, you can set up SecureAdmin to enable SSL and allow administrative requests over HTTPS to succeed.

Two types of certificates are used: self-signed certificates and certificate-authority-signed certificates.

• Self-signed certificate

A certificate generated by Data ONTAP. Self-signed certificates can be used as is, but they are less secure than certificate-authority-signed certificates, because the browser has no way of verifying the signer of the certificate. This means the system could be spoofed by an unauthorized server.

• Certificate-authority-signed certificate

A certificate-authority-signed certificate is a self-signed certificate that is sent to a certificate authority to be signed. The advantage of a certificate-authority-signed certificate is that it verifies to the browser that the system is the system to which the client intended to connect.

Setting up and starting SSL

Setting up SSL enables Data ONTAP to generate a self-signed certificate.

Steps

1. Enter the following command at the storage system prompt:

secureadmin setup ssl

2. If SSL has been previously set up for the storage system, Data ONTAP asks you whether you want to continue.

• Enter Y if you want to change the SSL setup.

• Enter N to exit the SSL setup.

3. Enter information when Data ONTAP prompts you.

The information you are prompted to enter includes the following:

• Country, state, or province name

• Company or organization name

• Domain name

• Administrator email

• Days until expires

• Key length in bits

To use the default settings, press Enter at each of the prompts.

When the SSL setup is complete, Data ONTAP generates secureadmin.pem files and saves them in the appropriate subdirectories (cert, key, and csr) in the /etc/keymgr directory.

Related tasks

Installing a certificate-authority-signed certificate on page 59

Testing certificates on page 60

Installing a certificate-authority-signed certificate

The advantage of a certificate-authority-signed certificate is that it verifies to the browser that the system is the system to which the client intended to connect.

Steps

1. Send the certificate signing request, secureadmin.pem, to the certificate authority. This file is found in the /etc/keymgr/cert directory on the storage system.

Note: This process might take a few days.

2. Back up the secureadmin.pem file by making a copy.

3. When the certificate authority returns the signed certificate, copy the signed certificate into a temporary location on the storage system.

4. Install the certificate by entering the following command:

secureadmin addcert ssl directory_path

directory_path is the full path to the certificate.

Example

The following command installs a certificate called secureadmin.pem, currently located in the tempdir directory, into the /etc/keymgr directory:

secureadmin addcert ssl /etc/tempdir/secureadmin.pem

5. Disable SSL by entering the following command:

secureadmin disable ssl

6. Enable SSL by entering the following command:

secureadmin enable ssl

Related tasks

Testing certificates on page 60

Testing certificates

After installing either a self-signed certificate or a certificate-authority-signed certificate, you should test the certification to verify that it is installed correctly.

Steps

1. Start your Web browser.

2. Enter the following URL:

https://systemname/na_admin

systemname is the name of your storage system.

3. Click FilerView.

Secure FilerView starts up in a new browser window.

4. Check your browser to verify that you have made a secure connection.

Note: Most browsers show a small padlock icon in their status bar when they have successfully made a secure connection to the server. If the padlock icon is not displayed, you might not have a secure connection.

Reinitializing SSL

You should reinitialize SSL if you change the domain name of the storage system. When you change the domain name of your system, the domain name recorded in the certificate becomes obsolete. As a result, the storage system is not authenticated after the domain name change, although the connection is still encrypted. The next time you connect to the system, the browser issues a warning that the domain name of the system does not match the record on the certificate.

Changing the domain name for a storage system that is using SSL can cost time and money because you must have the new certificate signed by a certificate authority.

Steps

1. Disable SecureAdmin by entering the following command:

secureadmin disable ssl

2. Use the secureadmin setup ssl command to reinitialize SSL.

Related tasks

Setting up and starting SSL on page 59

Enabling or disabling SSL

Enabling SSL allows administrative requests over HTTPS to succeed. Disabling SSL disallows all administrative requests over HTTPS.

Before enabling SSL for the first time, you must set up SSL and install a certificate signed by a certificate authority.

Step

1. To enable or disable SSL, enter the following command:

secureadmin {enable|disable} ssl

Use enable to start SSL. Use disable to deactivate SSL.

Related tasks

Setting up and starting SSL on page 59

Installing a certificate-authority-signed certificate on page 59

Testing certificates on page 60

Enabling or disabling SSLv2 or SSLv3

If your storage system has the SSL protocol enabled, you can specify the SSL version(s) to use.

Enabling the SSL versions alone does not enable the SSL protocol for the storage system. To use SSL, ensure that the protocol is enabled on your storage system.

TLS offers better security than SSLv3, and SSLv3 offers better security than SSLv2. In addition to enabling the SSL protocol, you must also have at least one of SSLv2, SSLv3, or TLS enabled for the storage system to use SSL for communication.

Step

1. Enter the following command to enable or disable SSLv2 or SSLv3:

To enable or disable this SSL version:    Enter the following command:

SSLv2                                     options ssl.v2.enable {on|off}

SSLv3                                     options ssl.v3.enable {on|off}

Setting the option to on (the default) enables the SSL version on HTTPS, FTPS, and LDAP connections, if the following options are also set to on:

httpd.admin.ssl.enable (for HTTPS)

ftpd.implicit.enable or ftpd.explicit.enable (for FTPS)

ldap.ssl.enable (for LDAP)

Setting the option to off disables the SSL version on HTTPS, FTPS, and LDAP connections.

For more information about these options, see the na_options(1) man page.

For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide.

Related tasks

Setting up and starting SSL on page 59

Enabling or disabling TLS on page 62

Enabling or disabling TLS

Enabling Transport Layer Security (TLS) allows the storage system to use TLS on HTTPS, FTPS, and LDAP traffic.

TLS is disabled by default, and setting up SSL does not automatically enable TLS. Before enabling TLS, ensure that SSL has been set up and enabled.

Data ONTAP supports TLSv1, SSLv3, and SSLv2. TLSv1 is a protocol version higher than SSLv3, and SSLv3 is a protocol version higher than SSLv2. A negotiation process is built into the TLS and the SSL protocols to use the highest protocol version that is supported by both the client and the server for communication. For TLS to be used for communication, both the client requesting connection and the storage system must support TLS.

Step

1. To enable or disable TLS, enter the following command:

options tls.enable {on|off}

• Use on to enable TLS.

• For TLS to take effect on HTTPS, ensure that the httpd.admin.ssl.enable option is also set to on.

• For TLS to take effect on FTPS, ensure that the ftpd.implicit.enable option or the ftpd.explicit.enable option is also set to on.

• For TLS to take effect on LDAP, ensure that the ldap.ssl.enable option is also set to on.

For more information about these options, see the na_options(1) man page.

For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide.

• Use off (the default) to disable TLS.

When TLS is disabled, SSL is used for communication if SSL has previously been set up and enabled.
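As an added example (not code from the Data ONTAP documentation or from NetApp), the following Python script applies the rules of the two preceding sections to a listing of the ssl.v2.enable, ssl.v3.enable, tls.enable and per-service options: it reports which protocol versions HTTPS, FTPS and LDAP will actually use and which settings a reviewer would flag. The sample listing is constructed, and gate options absent from a listing are assumed to be off.

```python
# Added example, not NetApp's code: audit an `options` listing against this page's rules.
# Documented defaults: ssl.v2/ssl.v3 default on, tls.enable defaults off; the
# per-service gates are assumed off when absent from the listing.
DEFAULTS = {"ssl.v2.enable": "on", "ssl.v3.enable": "on", "tls.enable": "off",
            "httpd.admin.ssl.enable": "off", "ftpd.implicit.enable": "off",
            "ftpd.explicit.enable": "off", "ldap.ssl.enable": "off"}
# Version options, weakest first (the page: TLS > SSLv3 > SSLv2).
VERSION_OPTIONS = [("ssl.v2.enable", "SSLv2"), ("ssl.v3.enable", "SSLv3"),
                   ("tls.enable", "TLSv1")]
# Constructed sample listing, not captured from a real system.
SAMPLE_OPTIONS = """\
ssl.v2.enable            on
tls.enable               off
httpd.admin.ssl.enable   on
ftpd.explicit.enable     on
"""

def parse_options(text):
    """Parse 'name value' lines into a dict, applying the documented defaults."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            opts[parts[0]] = parts[1].lower()
    return opts

def enabled_versions(opts):
    """Protocol versions the system will accept, weakest first."""
    return [name for opt, name in VERSION_OPTIONS if opts[opt] == "on"]

def effective_versions(opts):
    """Versions each service uses; a service whose own SSL gate is off gets none."""
    versions = enabled_versions(opts)
    gates = {"HTTPS": opts["httpd.admin.ssl.enable"] == "on",
             "FTPS": opts["ftpd.implicit.enable"] == "on"
             or opts["ftpd.explicit.enable"] == "on",
             "LDAP": opts["ldap.ssl.enable"] == "on"}
    return {svc: (list(versions) if on else []) for svc, on in gates.items()}

def audit(opts):
    """Findings a reviewer would raise, each with the command that fixes it."""
    versions, findings = enabled_versions(opts), []
    if not versions:
        findings.append("no SSL/TLS version enabled: the system cannot use SSL")
    if "SSLv2" in versions:
        findings.append("SSLv2 enabled (weakest version): options ssl.v2.enable off")
    if "TLSv1" not in versions:
        findings.append("TLS disabled, clients fall back to SSL: options tls.enable on")
    return findings
```

Run against the sample listing, the script shows both HTTPS and FTPS accepting SSLv2 and SSLv3 while LDAP uses no SSL, and flags the enabled SSLv2 and the disabled TLS.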
