Module netapp_ontap.resources.security_config

Copyright © 2022 NetApp Inc. All rights reserved.

Overview

You can use this API for various cluster-wide security-related operations.

"onboard_key_manager_configurable_status" object

Use this API to retrieve details of whether or not the Onboard Key Manager can be configured on the cluster.

  • GET /api/security
  • GET /api/security?fields=onboard_key_manager_configurable_status

"software_data_encryption" object

Contains software data encryption related information.
The following APIs can be used to enable or disable and obtain default software data at rest encryption values:

  • PATCH /api/security -d '{ "software_data_encryption.disabled_by_default" : true }'
  • PATCH /api/security -d '{ "software_data_encryption.disabled_by_default" : false }'
  • GET /api/security
  • GET /api/security?fields=software_data_encryption

A PATCH request on this API using the parameter "software_data_encryption.conversion_enabled" triggers the conversion of all non-encrypted metadata volumes to encrypted metadata volumes and all non-NAE aggregates to NAE aggregates. For the conversion to start, the cluster must have either an Onboard or an external key manager set up and the aggregates should either be empty or have only metadata volumes. No data volumes should be present in any of the aggregates. For MetroCluster configurations, the PATCH request will fail if the cluster is in the switchover state.
The following API can be used to initiate software data encryption conversion:

  • PATCH /api/security -d '{ "software_data_encryption.conversion_enabled" : true }'

"fips" object

Contains FIPS mode information.
A PATCH request on this API using the parameter "fips.enabled" switches the system from using the default cryptographic module software implementations to validated ones or vice versa, where applicable. If the value of the parameter is "true" and unapproved algorithms are configured as permitted in relevant subsystems, those algorithms will be disabled in the relevant subsystem configurations. If "false", there will be no implied change to the relevant subsystem configurations.

  • GET /api/security
  • GET /api/security?fields=fips
  • PATCH /api/security -d '{ "fips.enabled" : true }'
  • PATCH /api/security -d '{ "fips.enabled" : false }'

"tls" object

Contains TLS configuration information.
A PATCH request on this API using the parameter "tls.cipher_suites" and/or "tls.protocol_versions" configures the permissible cipher suites and/or protocol versions for all TLS-enabled applications in the system.

  • GET /api/security
  • GET /api/security?fields=tls
  • PATCH /api/security -d '{ "tls" : { "protocol_versions" : ["TLSv1.2", "TLSv1.1"], "cipher_suites" : ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] } }'

"management_protocols" object

Contains Security Protocols information.
This security protocols endpoint is used to retrieve and configure security protocols.

  • GET /api/security
  • GET /api/security?fields=management_protocols
  • PATCH /api/security -d '{ "management_protocols" : { "rsh_enabled" : true } }'
  • PATCH /api/security -d '{ "management_protocols" : { "rsh_enabled" : false } }'
  • PATCH /api/security -d '{ "management_protocols" : { "telnet_enabled" : true } }'
  • PATCH /api/security -d '{ "management_protocols" : { "telnet_enabled" : false } }'
  • PATCH /api/security -d '{ "management_protocols" : { "rsh_enabled" : true, "telnet_enabled" : true } }'

GET Examples

Retrieving information about the security configured on the cluster

The following example shows how to retrieve the configuration of the cluster.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityConfig

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityConfig()
    resource.get(fields="*")
    print(resource)

SecurityConfig(
    {
        "fips": {"enabled": False},
        "management_protocols": {"telnet_enabled": False, "rsh_enabled": False},
        "onboard_key_manager_configurable_status": {
            "code": 65537300,
            "message": "Onboard Key Manager cannot be configured on the cluster. There are no self-encrypting disks in the cluster, and the following nodes do not support volume granular encryption: ntap-vsim2.",
            "supported": False,
        },
        "tls": {
            "protocol_versions": ["TLSv1.2", "TLSv1.1"],
            "cipher_suites": [
                "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
                "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
                "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
                "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
                "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
                "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
                "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
                "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
                "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
                "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
                "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
                "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                "TLS_PSK_WITH_AES_128_CBC_SHA",
                "TLS_PSK_WITH_AES_128_GCM_SHA256",
                "TLS_PSK_WITH_AES_256_CBC_SHA",
                "TLS_PSK_WITH_AES_256_GCM_SHA384",
                "TLS_RSA_WITH_SEED_CBC_SHA",
                "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
                "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
                "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
                "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
                "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
                "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
            ],
        },
    }
)
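An added audit helper, not part of the netapp_ontap package or of this page's examples, that takes the decoded GET /api/security payload in the shape shown above, flags the fips, management_protocols and tls settings when they are in a weak state, and emits one PATCH /api/security body per object, the one-object-per-request pattern the page's own examples use. The sample payload is constructed with a trimmed cipher list; the cipher filter (forward-secret key exchange plus a GCM AEAD cipher) and the TLSv1.2-only target are the editor's choices, matching the page's TLS PATCH example.

```python
# Constructed sample in the shape of GET /api/security?fields=* (cipher list trimmed); not from a live cluster.
SAMPLE_CONFIG = {
    "fips": {"enabled": False},
    "management_protocols": {"telnet_enabled": False, "rsh_enabled": True},
    "tls": {
        "protocol_versions": ["TLSv1.2", "TLSv1.1"],
        "cipher_suites": [
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        ],
    },
}
ALLOWED_VERSIONS = ["TLSv1.2"]  # the target used in the page's TLS PATCH example

def is_modern_suite(name):
    """Forward secrecy ((EC)DHE key exchange) plus an AEAD (GCM) cipher."""
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_")) and "_GCM_" in name

def audit(config):
    """Return a list of findings describing weak settings in the GET payload."""
    findings = []
    if not config["fips"]["enabled"]:
        findings.append("fips.enabled is false")
    for key, on in config["management_protocols"].items():
        if on:  # rsh_enabled / telnet_enabled: cleartext management protocols
            findings.append(f"management_protocols.{key} is true")
    for ver in config["tls"]["protocol_versions"]:
        if ver not in ALLOWED_VERSIONS:
            findings.append(f"tls.protocol_versions allows {ver}")
    weak = [s for s in config["tls"]["cipher_suites"] if not is_modern_suite(s)]
    if weak:
        findings.append(f"tls.cipher_suites has {len(weak)} suites without PFS or AEAD")
    return findings

def build_patch_bodies(config):
    """One PATCH /api/security body per object, mirroring the page's examples."""
    bodies = []
    if not config["fips"]["enabled"]:
        bodies.append({"fips": {"enabled": True}})
    off = {k: False for k, on in config["management_protocols"].items() if on}
    if off:
        bodies.append({"management_protocols": off})
    tls = config["tls"]
    suites = [s for s in tls["cipher_suites"] if is_modern_suite(s)]
    if suites != tls["cipher_suites"] or tls["protocol_versions"] != ALLOWED_VERSIONS:
        bodies.append({"tls": {"protocol_versions": ALLOWED_VERSIONS, "cipher_suites": suites}})
    return bodies
```

Each returned body can be sent as the `-d` payload of a `curl -X PATCH "https://<mgmt-ip>/api/security"` call, or set on a `SecurityConfig` instance before calling `patch()`.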



PATCH Examples

Enabling software encryption conversion in the cluster

The following example shows how to convert all the aggregates and metadata volumes in the cluster from non-encrypted to encrypted.

The API:

PATCH /api/security

The call

curl -X PATCH "https:///api/security" -d '{ "software_data_encryption.conversion_enabled" : true }'

The response:

{ "job": { "uuid": "ebcbd82d-1cd4-11ea-8f75-005056ac4adc", "_links": { "self": { "href": "/api/cluster/jobs/ebcbd82d-1cd4-11ea-8f75-005056ac4adc" } } } }

This returns a job UUID. A subsequent GET for this job UUID returns details of the job.

The call

curl -X GET "https:///api/cluster/jobs/ebcbd82d-1cd4-11ea-8f75-005056ac4adc"

The response:

{ "uuid": "ebcbd82d-1cd4-11ea-8f75-005056ac4adc", "description": "PATCH /api/security", "state": "success", "message": "success", "code": 0, "start_time": "2019-12-12T06:45:40-05:00", "end_time": "2019-12-12T06:45:40-05:00", "_links": { "self": { "href": "/api/cluster/jobs/ebcbd82d-1cd4-11ea-8f75-005056ac4adc" } } }

Enabling FIPS mode in the cluster

The following example shows how to enable FIPS mode in the cluster.

The API:

PATCH /api/security

The call

curl -X PATCH "https:///api/security" -d '{ "fips.enabled" : true }'

The response:

{ "job": { "uuid": "8e7f59ee-a9c4-4faa-9513-bef689bbf2c2", "_links": { "self": { "href": "/api/cluster/jobs/8e7f59ee-a9c4-4faa-9513-bef689bbf2c2" } } } }

This returns a job UUID. A subsequent GET for this job UUID returns details of the job.

The call

curl -X GET "https:///api/cluster/jobs/8e7f59ee-a9c4-4faa-9513-bef689bbf2c2"

The response:

{ "uuid": "8e7f59ee-a9c4-4faa-9513-bef689bbf2c2", "description": "PATCH /api/security", "state": "success", "message": "success", "code": 0, "start_time": "2020-04-28T06:55:40-05:00", "end_time": "2020-04-28T06:55:41-05:00", "_links": { "self": { "href": "/api/cluster/jobs/8e7f59ee-a9c4-4faa-9513-bef689bbf2c2" } } }

Configuring permissible TLS protocols and cipher suites in the cluster

The following example shows how to configure the cluster to only allow TLSv1.2 with selected cipher suites.

The API:

PATCH /api/security

The call

curl -X PATCH "https:///api/security" -d '{ "tls" : { "protocol_versions" : ["TLSv1.2"], "cipher_suites" : ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] } }'

The response:

{ "job": { "uuid": "b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d", "_links": { "self": { "href": "/api/cluster/jobs/b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d" } } } }

This returns a job UUID. A subsequent GET for this job UUID returns details of the job.

The call

curl -X GET "https:///api/cluster/jobs/b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d"

The response:

{ "uuid": "b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d", "description": "PATCH /api/security", "state": "success", "message": "success", "code": 0, "start_time": "2021-03-22T08:52:50-05:00", "end_time": "2021-03-22T08:52:51-05:00", "_links": { "self": { "href": "/api/cluster/jobs/b45b6290-f4f2-442a-aa0e-4d3ffefe5e0d" } } }
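Each PATCH above returns a job document, and the SDK's `patch(poll=True)` waits on that job for you; a curl or plain-HTTP caller has to poll GET /api/cluster/jobs/{uuid} itself. The following poller is an added example, not code from the netapp_ontap package: it reads the job link from the PATCH response shape shown on this page, polls until a terminal state, and surfaces failures and timeouts instead of silently assuming success. The "running" and "failure" state names are assumed (the page shows only "success"), and the replayed job documents are constructed.

```python
import time

# Terminal job states; "failure" is an assumed name, the page shows only "success".
TERMINAL_STATES = {"success", "failure"}

def job_href(patch_response):
    """Pull the job's self link out of the PATCH /api/security response shape above."""
    return patch_response["job"]["_links"]["self"]["href"]

def wait_for_job(fetch, href, interval=2.0, timeout=120.0, sleep=time.sleep):
    """Poll GET <href> through fetch() until the job reaches a terminal state.

    fetch(href) must return the decoded job document; sleep is injectable for tests.
    Raises RuntimeError if the job ends in a non-success state and TimeoutError
    if it is still not terminal after `timeout` seconds of polling.
    """
    waited = 0.0
    while True:
        job = fetch(href)
        if job["state"] in TERMINAL_STATES:
            if job["state"] != "success":
                raise RuntimeError(f"job {job['uuid']} ended in {job['state']}: {job.get('message')}")
            return job
        if waited >= timeout:
            raise TimeoutError(f"job {job['uuid']} still {job['state']} after {timeout}s")
        sleep(interval)
        waited += interval

# Constructed replay of the exchange shown above: one "running" poll, then success.
JOB_UUID = "8e7f59ee-a9c4-4faa-9513-bef689bbf2c2"
PATCH_RESPONSE = {"job": {"uuid": JOB_UUID, "_links": {"self": {"href": f"/api/cluster/jobs/{JOB_UUID}"}}}}
REPLAY = [
    {"uuid": JOB_UUID, "state": "running", "message": "", "code": 0},
    {"uuid": JOB_UUID, "state": "success", "message": "success", "code": 0},
]

def replay_fetch(responses):
    """Return a fetch() that serves the canned job documents in order (last one repeats)."""
    calls = {"n": 0}
    def fetch(href):
        doc = responses[min(calls["n"], len(responses) - 1)]
        calls["n"] += 1
        return doc
    return fetch

if __name__ == "__main__":
    done = wait_for_job(replay_fetch(REPLAY), job_href(PATCH_RESPONSE), sleep=lambda s: None)
    print(done["uuid"], done["state"])
```

In production, `fetch` would be a function that issues an authenticated GET against the cluster and returns `response.json()`.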

Enabling security protocols in the cluster

The following example shows how to enable the security protocol rsh in the cluster.

The API:

PATCH /api/security

The call

curl -X PATCH "https:///api/security" -d '{ "management_protocols" : { "rsh_enabled" : true } }'

The response:

{ "job": { "uuid": "2980ba28-adab-11eb-8fa3-005056bbfa84", "_links": { "self": { "href": "/api/cluster/jobs/2980ba28-adab-11eb-8fa3-005056bbfa84" } } } }

The call

curl -H "accept: application/hal+json" -X GET "https:///api/security/?fields=management_protocols"

The response:

{ "management_protocols": { "rsh_enabled": false, "telnet_enabled": false }, "_links": { "self": { "href": "/api/security" } } }


Classes

class SecurityConfig (*args, **kwargs)

Allows interaction with SecurityConfig objects on the host

Initialize the instance of the resource.

Any keyword arguments are set on the instance as properties. For example, if the class was named 'MyResource', then this statement would be true:

MyResource(name='foo').name == 'foo'

Args

*args
Each positional argument represents a parent key as used in the URL of the object. That is, each value will be used to fill in a segment of the URL which refers to some parent object. The order of these arguments must match the order they are specified in the URL, from left to right.
**kwargs
each entry will have its key set as an attribute name on the instance and its value will be the value of that attribute.

Ancestors

Methods

def certificate_signing_request(self, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

This API generates a Certificate Signing Request (CSR) and a private key pair. A CSR is a message sent securely to a certificate authority (CA) via any electronic media to apply for a digital identity certificate. This is a general utility API for users to generate a CSR.

  • subject_name - Subject details of the certificate.
  • security_strength - Key size of the certificate in bits. Specifying a stronger security strength in bits is recommended when creating a certificate.
  • hash_function - Hashing function.
  • algorithm - Asymmetric algorithm. Algorithm used to generate a public/private key pair when creating a certificate.
  • subject_alternatives - Subject Alternate name extensions.

Default property values

If not specified in POST, the following default property values are assigned:

  • security_strength - 112
  • hash_function - sha256
  • algorithm - rsa

  • security certificate generate-csr

Perform a custom action on this resource which is not a simple CRUD action

Args

path
The action verb for this request. This will be added as a postfix to the instance location of the resource.
body
The body of the action request. This should be a Resource instance. The connection and URL will be determined based on the values from this object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def get(self, **kwargs) -> NetAppResponse

Retrieves information about the security configured on the cluster.


Fetch the details of the object from the host.

Requires the keys to be set (if any). After returning, new or changed properties from the host will be set on the instance.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def patch(self, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Updates the software FIPS mode or enables conversion of non-encrypted metadata volumes to encrypted metadata volumes and non-NAE aggregates to NAE aggregates.


Send the difference in the object's state to the host as a modification request.

Calculates the difference in the object's state since the last time we interacted with the host and sends this in the request body.

Args

hydrate
If set to True, after the response is received from the call, a GET call will be made to refresh all fields of the object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will normally be sent as query parameters to the host. If any of these pairs are parameters that are sent as formdata then only parameters of that type will be accepted and all others will be discarded.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

Inherited members

class SecurityConfigSchema (*, only: Union[Sequence[str], Set[str]] = None, exclude: Union[Sequence[str], Set[str]] = (), many: bool = False, context: Dict = None, load_only: Union[Sequence[str], Set[str]] = (), dump_only: Union[Sequence[str], Set[str]] = (), partial: Union[bool, Sequence[str], Set[str]] = False, unknown: str = None)

The fields of the SecurityConfig object

Ancestors

  • netapp_ontap.resource.ResourceSchema
  • marshmallow.schema.Schema
  • marshmallow.base.SchemaABC

Class variables

fips GET POST PATCH

The fips field of the security_config.

The links field of the security_config.

management_protocols GET POST PATCH

The management_protocols field of the security_config.

onboard_key_manager_configurable_status GET

The onboard_key_manager_configurable_status field of the security_config.

software_data_encryption GET POST PATCH

The software_data_encryption field of the security_config.

tls GET POST PATCH

The tls field of the security_config.