Preparation for Scanning ONTAP
StorageGuard collects configuration data from ONTAP storage systems by connecting through HTTPS and issuing read-only ONTAP API calls.
The following table lists the requirements for scanning ONTAP:
| # | Description |
| 1 | Provide the Name or IP address of each ONTAP Cluster. |
| 2 | Provide a user account (and password) for each ONTAP cluster. |
| 3 | The user account should be assigned with a role that enables running all read-only API calls. Examples of read-only GET REST APIs used:
|
| 4 | Verify that IP connectivity through HTTPS (default is port 443) is available between the StorageGuard server and each ONTAP cluster. |
Creating a User Account for Scanning ONTAP
The following suggested method can be used to create a user account with appropriate privileges:
CLI
Step 1: Ensure that http (REST) is enabled
system services web show
Step 2: Create a role for REST API with read-only access
security login role create -role cntsw_rest_ro -cmddirname "DEFAULT" -access readonly
security login role create -role cntsw_rest_ro -cmddirname "security" -access readonly
Step 3: Create a role for ONTAPI with read-only access
security login role create -role cntsw_zapi_ro -cmddirname "DEFAULT" -access readonly
Step 4: Assign the roles to the user
security login create -username cntuser -application http -authmethod password -role cntsw_rest_ro
security login create -username cntuser -application ontapi -authmethod password -role cntsw_zapi_ro
NOTES:
- Enable SSH access and grant read-only CLI permissions to the user if you intend to expand the built-in configuration collection with additional, user-defined commands (“custom collection”). Custom collection can be defined using either REST API or CLI.
- In addition to scanning the ONTAP system, StorageGuard can also scan NetApp Active IQ Unified Manager application by running read-only API queries on port 443.
- If you’re planning to use only REST API, it is possible to use REST roles instead of traditional role (ONTAP 9.6 and above)
Comments
0 comments
Please sign in to leave a comment.