Simple script to show the use of the ONTAP REST API when authenticating with certificate-based authentication.
Example of certificate creation and required ONTAP configuration:
- Create the certificate for the "cert_user" account. This account name, as well as the key and pem filenames, can be changed as required.
linux$ openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \
-keyout restcert.key -out restcert.pem \
-subj "/C=US/ST=NC/L=RTP/O=NetApp/CN=cert_user"
- Install the restcert.pem file into the cluster or svm:
ontap::> security certificate install -type client-ca -vserver {clus|svm}
- Enable SSL client-based authentication for the cluster or svm:
ontap::> security ssl modify -vserver {clus|svm} -client-enabled true
- Create the account in ONTAP for this user, matching the username given in step 1 above. Note that the application is "http" for the REST API, and you can use a different role as required to meet your needs.
ontap::> security login create -user-or-group-name cert_user -application http \
-authentication-method cert -role {admin|vsadmin} -vserver {clus|svm}
Other requirements:
- Python 3.5 or higher.
- The netapp-ontap Python package as described at: https://pypi.org/project/netapp-ontap/
- ONTAP 9.6 or higher.
Notes:
- If using a custom role (other than admin or vsadmin), the custom role must have access to the rest web service of the vserver:
ontap::> vserver services web access create -vserver {svm} -name rest -role {role}
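
Added example (not NetApp's script; it uses only the Python standard library rather than the netapp-ontap package): it refuses to use the unencrypted restcert.key created above if group or others can access it, then presents restcert.pem as the client certificate on a GET to /api/cluster while still verifying the cluster's server certificate. The host name cluster.example.com, the CA bundle cluster-ca.pem and the function names are assumptions.

```python
import json
import os
import ssl
import stat
import urllib.request


def key_file_problems(key_path):
    """List permission problems on the private key file (empty list = OK)."""
    mode = os.stat(key_path).st_mode
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group/others (mode %o)" % stat.S_IMODE(mode))
    return problems


def client_context(cert_path, key_path, ca_path=None):
    """TLS context that presents the client certificate and still verifies
    the cluster's server certificate and host name."""
    problems = key_file_problems(key_path)
    if problems:
        raise PermissionError("%s: %s" % (key_path, "; ".join(problems)))
    # ca_path=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def cluster_version(host, ctx):
    """GET /api/cluster; no user name or password is sent."""
    req = urllib.request.Request(
        "https://%s/api/cluster?fields=version" % host,
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    return body["version"]["full"]


if __name__ == "__main__":
    # Assumed values: replace the host and CA bundle with your own.
    ctx = client_context("restcert.pem", "restcert.key", ca_path="cluster-ca.pem")
    print(cluster_version("cluster.example.com", ctx))
```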