
NetApp ONTAP Data Management Software

Integration with CipherTrust Manager

This section outlines the steps to integrate Cloud ONTAP with CipherTrust Manager.

Integrate CipherTrust Manager with ONTAP

Connect to the ONTAP instance using SSH. The ONTAP shell appears. Perform the following steps on the ONTAP shell:

  1. Install the client certificate for the KMIP server.

    ::> security certificate install -type client
    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    ...
    ...
    -----END CERTIFICATE-----
    Please enter Private Key: Press <Enter> when done
    -----BEGIN RSA PRIVATE KEY-----
    ...
    ...
    -----END RSA PRIVATE KEY-----
    Please enter certificates of Certification Authorities (CA) which form the certificate chain of the client certificate. This starts with the issuing CA certificate of the client certificate and can range up to the root CA certificate.
    Do you want to continue entering root and/or intermediate certificates
    {y|n}: n
    You should keep a copy of the private key and the CA-signed digital certificate for future reference.
    The installed certificate's CA and serial number for reference:
    CA: CA_Name
    Serial: xxx
    The certificate's generated name for reference: Client_Common_Name
    

    Here, the client certificate and key are the ones generated in the Creating the Client Certificate section.

  2. Install the server-ca certificate for the KMIP server.

    ::> security certificate install -type server-ca
    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    ...
    ...
    -----END CERTIFICATE-----
    You should keep a copy of the CA-signed digital certificate for future
    reference.
    The installed certificate's CA and serial number for reference:
    CA: CA_Name
    Serial: xxxx
    The certificate's generated name for reference: ServerCA_Common_Name
    

    Here, the server-ca is the certificate of the Certificate Authority that signed the certificates.

  3. Install and enable the external key-management setup.

    ::> security key-manager external enable -key-servers CipherTrust-Manager-private-ip:5696 -client-cert Client_Common_Name -server-ca-certs ServerCA_Common_Name
    

    Here,
    CipherTrust-Manager-private-ip is the private IP address of the CipherTrust Manager.
    Client_Common_Name is the certificate's generated name returned after installing the client certificate and key on the ONTAP shell (step 1).
    ServerCA_Common_Name is the certificate's generated name returned after installing the server-ca certificate on the ONTAP shell (step 2).

  4. Verify that external key management is configured and that its status is available.

    ::> security key-manager external show-status
    Node   Vserver             Key Server     Status
    ----   ------------------  -------------  ---------------
    Node1  Admin_vserver_name  KMS-ip:5696    available
    1 entries were displayed.
    

    If the status is available, the CipherTrust Manager is configured as the external key manager (KMS) for ONTAP.
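A pre-flight check for the certificate material pasted into steps 1 to 3, added here as an example and not part of the original page or of NetApp's or Thales's tooling: it assumes the client certificate, its private key and the server-ca are PEM files on an admin workstation with OpenSSL, that the same CA signed the client certificate (as on this page), and that CipherTrust Manager's KMIP interface listens on TCP 5696. The demo CA, `Demo_CA`, and the helper that generates it are constructed for illustration only.

```sh
#!/bin/sh
# Pre-flight check for the PEM files fed to the ONTAP "security certificate
# install" prompts. Constructed example (not NetApp or Thales tooling); paths,
# Demo_CA and the demo helper below are assumptions for illustration.
set -u

# kmip_preflight CLIENT_CERT CLIENT_KEY SERVER_CA [CM_PRIVATE_IP]
# Returns 0 when the material is consistent (and, if an IP is given, when a
# mutual TLS handshake to KMIP succeeds); 1 with a reason on stderr otherwise.
kmip_preflight() {
    cert=$1 key=$2 ca=$3 host=${4:-}
    # 1. Key and certificate must carry the same public key: ONTAP accepts the
    #    pair as typed, and a mismatch only surfaces when KMIP auth fails later.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match client certificate" >&2; return 1; }
    # 2. Client certificate must remain valid for at least another day.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 \
        || { echo "client certificate is expired or expires within 24h" >&2; return 1; }
    # 3. server-ca must verify the client certificate. Root only: step 1 answers
    #    "n" to intermediates, so no -untrusted chain is supplied here.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "client certificate does not chain to server-ca" >&2; return 1; }
    # 4. Optional: mutual TLS to the KMIP port, rejecting a server certificate
    #    that server-ca cannot verify (what ONTAP enforces via -server-ca-certs).
    if [ -n "$host" ]; then
        echo | openssl s_client -connect "$host:5696" -cert "$cert" -key "$key" \
            -CAfile "$ca" -verify_return_error >/dev/null 2>&1 \
            || { echo "mutual TLS handshake to $host:5696 failed" >&2; return 1; }
    fi
}

# make_demo_material DIR: throwaway CA, CA-signed client cert and an unrelated
# key, constructed so the check can be exercised offline. Real deployments use
# the files from the Creating the Client Certificate section instead.
make_demo_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo_CA" \
        -keyout "$d/ca.key" -out "$d/server-ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Client_Common_Name" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/server-ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/client.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null
}

# Stand-alone usage: sh preflight.sh client.crt client.key server-ca.crt [CM-ip]
if [ $# -ge 3 ]; then kmip_preflight "$@"; fi
```

Run it with the CipherTrust Manager private IP as the fourth argument to also exercise the mutual TLS handshake on 5696 before running step 3 on the ONTAP shell.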