Integration of NetApp ONTAP through KMIP in the CM sub-domain
This section outlines the steps to integrate ONTAP through KMIP in the CM sub-domain.
On CipherTrust Manager:
Perform the following steps on CipherTrust Manager:
Navigate to Admin Settings > Domains.
Click Add Domain. The Add Domain page appears.
Specify the following information:
Name - Enter the domain name.
Admins - Select the admins (one or more) from the list available in the drop down. For example, admin.
Parent CA - Select parent CA as root CA.
Allow Subdomain User Management - Select this check box if you want to enable the subdomain user management through this domain.
Click Save.
Switch to the newly created domain.
Navigate to Products > KMIP.
Create Client Profile using the following steps:
Click Client Profile on the navigation pane and click Add Profile. The Add Profile page appears.
Enter the Profile Name.
Select UID or OU in Username Location in Certificate from the drop-down list or select the check box Do not modify subject DN if this field is not required.
Select UID or OU as Subject DN field to modify from the drop-down list.
Expand Certificate Details and add UID or OU as <domain>||<username>. For example, abcd||admin (here domain is abcd and the user is admin).
Click Save.
Create Registration Token using the following steps:
Navigate to Registration Token, click New Registration Token. The Create New Registration Token screen appears.
Click Begin to start token creation. The Configure Token screen is displayed.
Add a Name Prefix.
Click Select CA.
Select CA Type as Local.
Select appropriate CA from drop-down list and click Select Profile.
Select the Client Profile from drop-down which you have created.
Click Create Token.
Copy the Token created and click Done.
Go to Registered Clients and click Add Client.
Specify client name and paste the generated Registration Token.
Click Save to save the client certificate and its private key.
Go to CA > Local and download the local CA of the sub-domain.
Switch back to root domain from sub-domain.
Go to CA > External.
On the CA page, click Add External CA.
Add a Display name, paste the contents of the sub-domain CA which you have downloaded, and click Save.
Navigate to Admin settings > Interfaces.
Edit the required KMIP interface.
Uncheck the Auto-Registration box if checked.
Add the External CA which you have created under the "External Trusted CAs".
On ONTAP using CLI
Perform the following steps on the ONTAP CLI:
Connect to the desired ONTAP machine.
Run the following commands to enter the client certificate.
Note
You will receive a cert chain of three certs when you download the client certificate.
Run the command:
security certificate install -type client
It will display the message:
Please enter Certificate: Press Enter when done.
Paste the first certificate from the chain of three certs and press Enter. It will display the message:
Please enter Private Key: Press Enter when done.
Paste the private key that you have downloaded and press Enter. It will display the message:
Enter certificates of certification authorities (CA) which form the certificate chain of the client certificate. This starts with the issuing CA certificate of the client certificate and can range up to the root CA certificate. Do you want to continue entering root and/or intermediate certificates {y|n}:
Press 'y' and press Enter. It will display the message:
Enter Intermediate Certificate: Press Enter when done.
Paste the second certificate from the chain of three certs that you have downloaded and press Enter. It will display the message:
Do you want to continue entering root and/or intermediate certificates {y|n}:
Press 'y' and press Enter.
Paste the third certificate from the chain of three certs which you have downloaded and press Enter. It will display the message:
Do you want to continue entering root and/or intermediate certificates {y|n}:
Press 'n' and press Enter. The following message gets displayed:
You should keep a copy of the private key and the CA-signed digital certificate for future reference.
The installed certificate's CA and serial number for reference:
CA: KeySecure CA for Domain mydom
serial: 04C3480BCA4C872C016562340032CC28
The certificate's generated name for reference: ontaped7b27ee-48ef-4357-ad91-0eddbfa1889b_04C3480BCA4C872C016562340032CC28
Run the following commands to enter the server-ca certificate.
Run the command:
security certificate install -type server-ca
It will display the message:
security certificate install -type server-ca
Paste the third certificate from the chain of three certs which you have downloaded above in step 7 and press Enter.
It will display the message:
You should keep a copy of the CA-signed digital certificate for future reference.
The installed certificate's CA and serial number for reference:
CA: KeySecure Root CA
serial: 5551C1C4862C3BD34F86A37530243105
The certificate's generated name for reference: KeySecureCAforDomainabcd_5551C1C4862C3BD34F86A37530243105
After executing the above commands, run the next steps as required to create the connection between CipherTrust Manager and ONTAP.
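An added example (not part of the original procedure or of the vendor's documentation): a POSIX shell helper, run on the workstation where the client certificate was downloaded, that splits the chain of three certs into one file per ONTAP prompt so each certificate is pasted in the order described above. The file names and function names are assumptions, and the sample bundle uses constructed placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not vendor code. File and function names are assumptions.

# Constructed placeholder bundle: three PEM blocks with dummy bodies.
sample_bundle() {
    for body in AAAA BBBB CCCC; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
            '-----END CERTIFICATE-----'
    done
}

# split_chain BUNDLE OUTDIR
#   1-client.pem        -> "Please enter Certificate" (install -type client)
#   2-intermediate.pem  -> "Enter Intermediate Certificate" prompt
#   3-root.pem          -> next CA prompt, then install -type server-ca
# Only CERTIFICATE blocks are copied; any other PEM block is ignored.
split_chain() {
    bundle=$1
    outdir=$2
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle") || true
    if [ "${count:-0}" -ne 3 ]; then
        echo "expected 3 certificates, found ${count:-0}" >&2
        return 1
    fi
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        BEGIN { split("1-client 2-intermediate 3-root", names, " ") }
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" names[n] ".pem"; writing = 1 }
        writing { print > out }
        /-----END CERTIFICATE-----/ { writing = 0; close(out) }
    ' "$bundle"
}

# describe_chain OUTDIR: print subject and issuer of each real certificate so
# the order can be checked before pasting (the issuer of one file should be
# the subject of the next). Requires openssl.
describe_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    for f in "$1"/1-client.pem "$1"/2-intermediate.pem "$1"/3-root.pem; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -in "$f" || return 1
    done
}
```

The client private key is pasted at its own prompt and is not handled by this helper; keep it out of any shared directory used for the split files.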