Module netapp_ontap.resources.security_config
Copyright © 2022 NetApp Inc. All rights reserved.
Overview
You can use this API for various cluster-wide security-related operations.
"onboard_key_manager_configurable_status" object
Use this API to retrieve details of whether or not the Onboard Key Manager can be configured on the cluster.
- GET /api/security
- GET /api/security?fields=onboard_key_manager_configurable_status
"software_data_encryption" object
Contains software data encryption related information.
The following APIs can be used to enable or disable and obtain default software data at rest encryption values:
- PATCH /api/security -d '{ "software_data_encryption.disabled_by_default" : true }'
- PATCH /api/security -d '{ "software_data_encryption.disabled_by_default" : false }'
- GET /api/security
- GET /api/security?fields=software_data_encryption
A PATCH request on this API using the parameter "software_data_encryption.conversion_enabled" triggers the conversion of all non-encrypted metadata volumes to encrypted metadata volumes and all non-NAE aggregates to NAE aggregates. For the conversion to start, the cluster must have either an Onboard or an external key manager set up and the aggregates should either be empty or have only metadata volumes. No data volumes should be present in any of the aggregates. For MetroCluster configurations, the PATCH request will fail if the cluster is in the switchover state.
The following API can be used to initiate software data encryption conversion:
- PATCH /api/security -d '{ "software_data_encryption.conversion_enabled" : true }'
"fips" object
Contains FIPS mode information.
A PATCH request on this API using the parameter "fips.enabled" switches the system from using the default cryptographic module software implementations to validated ones or vice versa, where applicable. If the value of the parameter is "true" and unapproved algorithms are configured as permitted in relevant subsystems, those algorithms will be disabled in the relevant subsystem configurations. If "false", there will be no implied change to the relevant subsystem configurations.
- GET /api/security
- GET /api/security?fields=fips
- PATCH /api/security -d '{ "fips.enabled" : true }'
- PATCH /api/security -d '{ "fips.enabled" : false }'
"tls" object
Contains TLS configuration information.
A PATCH request on this API using the parameter "tls.cipher_suites" and/or "tls.protocol_versions" configures the permissible cipher suites and/or protocol versions for all TLS-enabled applications in the system.
- GET /api/security
- GET /api/security?fields=tls
- PATCH /api/security -d '{ "tls" : { "protocol_versions" : ["TLSv1.2", "TLSv1.1"], "cipher_suites" : ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] } }'
"management_protocols" object
Contains Security Protocols information.
This security protocols endpoint is used to retrieve and configure security protocols.
- GET /api/security
- GET /api/security?fields=management_protocols
- PATCH /api/security -d '{ "management_protocols" : { "rsh_enabled" : true } }'
- PATCH /api/security -d '{ "management_protocols" : { "rsh_enabled" : false } }'
- PATCH /api/security -d '{ "management_protocols" : { "telnet_enabled" : true } }'
- PATCH /api/security -d '{ "management_protocols" : { "telnet_enabled" : false } }'
- PATCH /api/security -d '{ "management_protocols" : { "rsh_enabled" : true, "telnet_enabled" : true } }'
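As an added example (not code from the netapp_ontap package or its documentation), the following Python audits the object returned by GET /api/security against an assumed hardening policy and builds the matching PATCH /api/security body covering the fips, management_protocols and tls objects described above. The policy values, the sample configuration and the function name plan_hardening are assumptions; the TLS allowlist mirrors the suites used in the PATCH example above.

```python
# Added example, not from the netapp_ontap package: audit the dict returned by
# GET /api/security and build the PATCH /api/security body that hardens it.
from typing import Any, Dict, List, Tuple

ALLOWED_PROTOCOLS = ["TLSv1.2"]  # assumed policy: TLSv1.1 and older not allowed
ALLOWED_CIPHERS = [  # assumed policy: ECDHE key exchange with AES-GCM only
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Constructed sample in the shape of the GET /api/security output shown on this page.
SAMPLE_CONFIG: Dict[str, Any] = {
    "fips": {"enabled": False},
    "management_protocols": {"telnet_enabled": True, "rsh_enabled": False},
    "tls": {
        "protocol_versions": ["TLSv1.2", "TLSv1.1"],
        "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    },
}


def plan_hardening(cfg: Dict[str, Any]) -> Tuple[List[str], Dict[str, Any]]:
    """Return (findings, patch_body): one finding per deviation from the assumed
    policy, and a body carrying only the settings that must change, in the nested
    form accepted by PATCH /api/security."""
    findings: List[str] = []
    body: Dict[str, Any] = {}
    if not cfg.get("fips", {}).get("enabled", False):
        findings.append("fips.enabled is false")
        body["fips"] = {"enabled": True}
    mp = cfg.get("management_protocols", {})
    enabled = [p for p in ("telnet_enabled", "rsh_enabled") if mp.get(p, False)]
    findings += [f"management_protocols.{p} is true" for p in enabled]
    if enabled:
        body["management_protocols"] = {p: False for p in enabled}
    tls = cfg.get("tls", {})
    bad_versions = [v for v in tls.get("protocol_versions", []) if v not in ALLOWED_PROTOCOLS]
    bad_suites = [s for s in tls.get("cipher_suites", []) if s not in ALLOWED_CIPHERS]
    findings += [f"tls.protocol_versions allows {v}" for v in bad_versions]
    findings += [f"tls.cipher_suites allows {s}" for s in bad_suites]
    if bad_versions or bad_suites:
        # Send both TLS lists together, as the PATCH example on this page does.
        body["tls"] = {"protocol_versions": ALLOWED_PROTOCOLS,
                       "cipher_suites": ALLOWED_CIPHERS}
    return findings, body
```

To apply the returned body with the library, set each top-level key of it as an attribute on a SecurityConfig instance and call patch(), which the patch() method documented below sends as the modification request.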
GET Examples
Retrieving information about the security configured on the cluster
The following example shows how to retrieve the configuration of the cluster.
```python
from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityConfig

# verify=False skips TLS certificate verification of the management LIF;
# point verify at a trusted CA bundle outside of lab use.
with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityConfig()
    resource.get(fields="*")
    print(resource)
```
```
SecurityConfig(
{
"fips": {"enabled": False},
"management_protocols": {"telnet_enabled": False, "rsh_enabled": False},
"onboard_key_manager_configurable_status": {
"code": 65537300,
"message": "Onboard Key Manager cannot be configured on the cluster. There are no self-encrypting disks in the cluster, and the following nodes do not support volume granular encryption: ntap-vsim2.",
"supported": False,
},
"tls": {
"protocol_versions": ["TLSv1.2", "TLSv1.1"],
"cipher_suites": [
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DHE_DSS_WITH_SEED_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DHE_RSA_WITH_SEED_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_PSK_WITH_AES_128_CBC_SHA",
"TLS_PSK_WITH_AES_128_GCM_SHA256",
"TLS_PSK_WITH_AES_256_CBC_SHA",
"TLS_PSK_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_SEED_CBC_SHA",
"TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
"TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
],
},
}
)
```
PATCH Examples
Enabling software encryption conversion in the cluster
The following example shows how to convert all the aggregates and metadata volumes in the cluster from non-encrypted to encrypted.
The API:
PATCH /api/security
The call:
curl -X PATCH "https://
The response:
```json
{ "job": { "uuid": "ebcbd82d-1cd4-11ea-8f75-005056ac4adc",
           "_links": { "self": { "href": "/api/cluster/jobs/ebcbd82d-1cd4-11ea-8f75-005056ac4adc" } } } }
```
This returns a job UUID. A subsequent GET for this job UUID returns details of the job.
The call:
curl -X GET "https://
The response:
```json
{ "uuid": "ebcbd82d-1cd4-11ea-8f75-005056ac4adc",
  "description": "PATCH /api/security",
  "state": "success",
  "message": "success",
  "code": 0,
  "start_time": "2019-12-12T06:45:40-05:00",
  "end_time": "2019-12-12T06:45:40-05:00",
  "_links": { "self": { "href": "/api/cluster/jobs/ebcbd82d-1cd4-11ea-8f75-005056ac4adc" } } }
```
Enabling FIPS mode in the cluster
The following example shows how to enable FIPS mode in the cluster.
The API:
PATCH /api/security
The call:
curl -X PATCH "https://
The response:
```json
{ "job": { "uuid": "8e7f59ee-a9c4-4faa-9513-bef689bbf2c2",
           "_links": { "self": { "href": "/api/cluster/jobs/8e7f59ee-a9c4-4faa-9513-bef689bbf2c2" } } } }
```
This returns a job UUID. A subsequent GET for this job UUID returns details of the job.
The call:
curl -X GET "https://
The response:
```json
{ "uuid": "8e7f59ee-a9c4-4faa-9513-bef689bbf2c2",
  "description": "PATCH /api/security",
  "state": "success",
  "message": "success",
  "code": 0,
  "start_time": "2020-04-28T06:55:40-05:00",
  "end_time": "2020-04-28T06:55:41-05:00",
  "_links": { "self": { "href": "/api/cluster/jobs/8e7f59ee-a9c4-4faa-9513-bef689bbf2c2" } } }
```
Configuring permissible TLS protocols and cipher suites in the cluster
The following example shows how to configure the cluster to only allow TLSv1.2 with selected cipher suites.
The API:
PATCH /api/security
The call:
curl -X PATCH "https://
The response:
```json
{ "job": { "uuid": "b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d",
           "_links": { "self": { "href": "/api/cluster/jobs/b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d" } } } }
```
This returns a job UUID. A subsequent GET for this job UUID returns details of the job.
The call:
curl -X GET "https://
The response:
```json
{ "uuid": "b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d",
  "description": "PATCH /api/security",
  "state": "success",
  "message": "success",
  "code": 0,
  "start_time": "2021-03-22T08:52:50-05:00",
  "end_time": "2021-03-22T08:52:51-05:00",
  "_links": { "self": { "href": "/api/cluster/jobs/b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d" } } }
```
Enabling security protocols in the cluster
The following example shows how to enable the security protocol rsh in the cluster.
The API:
PATCH /api/security
The call:
curl -X PATCH "https://
The response:
```json
{ "job": { "uuid": "2980ba28-adab-11eb-8fa3-005056bbfa84",
           "_links": { "self": { "href": "/api/cluster/jobs/2980ba28-adab-11eb-8fa3-005056bbfa84" } } } }
```
The call:
curl -H "accept: application/hal+json" -X GET "https://
The response:
```json
{ "management_protocols": { "rsh_enabled": false, "telnet_enabled": false },
  "_links": { "self": { "href": "/api/security" } } }
```
Classes
class SecurityConfig (*args, **kwargs)
Allows interaction with SecurityConfig objects on the host.
Initialize the instance of the resource.
Any keyword arguments are set on the instance as properties. For example, if the class was named 'MyResource', then this statement would be true:
MyResource(name='foo').name == 'foo'
Args
*args
- Each positional argument represents a parent key as used in the URL of the object. That is, each value will be used to fill in a segment of the URL which refers to some parent object. The order of these arguments must match the order they are specified in the URL, from left to right.
**kwargs
- each entry will have its key set as an attribute name on the instance and its value will be the value of that attribute.
Ancestors
Methods
def certificate_signing_request(self, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse
This API generates a Certificate Signing Request (CSR) and a private key pair. A CSR is a message sent securely to a certificate authority (CA) via any electronic media to apply for a digital identity certificate. This is a general utility API for users to generate a CSR.
Recommended optional properties
subject_name
- Subject details of the certificate.
security_strength
- Key size of the certificate in bits. Specifying a stronger security strength in bits is recommended when creating a certificate.
hash_function
- Hashing function.
algorithm
- Asymmetric algorithm. Algorithm used to generate a public/private key pair when creating a certificate.
subject_alternatives
- Subject Alternate name extensions.
Default property values
If not specified in POST, the following default property values are assigned:
security_strength
- 112
hash_function
- sha256
algorithm
- rsa
Related ONTAP commands
- security certificate generate-csr
Perform a custom action on this resource which is not a simple CRUD action
Args
path
- The action verb for this request. This will be added as a postfix to the instance location of the resource.
body
- The body of the action request. This should be a Resource instance. The connection and URL will be determined based on the values from this object.
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A NetAppResponse object containing the details of the HTTP response.
Raises
NetAppRestError: If the API call returned a status code >= 400
def get(self, **kwargs) -> NetAppResponse
Retrieves information about the security configured on the cluster.
Learn more
Fetch the details of the object from the host.
Requires the keys to be set (if any). After returning, new or changed properties from the host will be set on the instance.
Returns
A NetAppResponse object containing the details of the HTTP response.
Raises
NetAppRestError: If the API call returned a status code >= 400
def patch(self, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse
Updates the software FIPS mode or enables conversion of non-encrypted metadata volumes to encrypted metadata volumes and non-NAE aggregates to NAE aggregates.
Learn more
Send the difference in the object's state to the host as a modification request.
Calculates the difference in the object's state since the last time we interacted with the host and sends this in the request body.
Args
hydrate
- If set to True, after the response is received from the call, a GET call will be made to refresh all fields of the object.
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will normally be sent as query parameters to the host. If any of these pairs are parameters that are sent as formdata then only parameters of that type will be accepted and all others will be discarded.
Returns
A NetAppResponse object containing the details of the HTTP response.
Raises
NetAppRestError: If the API call returned a status code >= 400
Inherited members
class SecurityConfigSchema (*, only: Union[Sequence[str], Set[str]] = None, exclude: Union[Sequence[str], Set[str]] = (), many: bool = False, context: Dict = None, load_only: Union[Sequence[str], Set[str]] = (), dump_only: Union[Sequence[str], Set[str]] = (), partial: Union[bool, Sequence[str], Set[str]] = False, unknown: str = None)
The fields of the SecurityConfig object.
Ancestors
- netapp_ontap.resource.ResourceSchema
- marshmallow.schema.Schema
- marshmallow.base.SchemaABC
Class variables
fips GET POST PATCH
- The fips field of the security_config.
links GET
- The links field of the security_config.
management_protocols GET POST PATCH
- The management_protocols field of the security_config.
onboard_key_manager_configurable_status GET
- The onboard_key_manager_configurable_status field of the security_config.
software_data_encryption GET POST PATCH
- The software_data_encryption field of the security_config.
tls GET POST PATCH
- The tls field of the security_config.