Monday, January 18, 2010

Installing NetApp VSC According to Best Practices

If you haven't checked out NetApp's Virtual Service Console, you should.  I did an article on it after NetApp Insight which is available here.

Vaughn recently posted on setting up VSC access to the NetApp using RBAC (Role Based Access Control) permissions.  This procedure is not currently in the VSC manual.

Quick tangent: Creating RBAC for every product appears to be an ongoing trend within NetApp.  Documentation exists for RBAC installation on SMVI (it's in the manual), VSC (link above), SnapDrive in a virtual machine, and I think there is an RCU writeup around but I can't find it right now.  This is great from a security perspective but gets a little tedious if you are loading multiple products on the same NetApp controller, and double the pain if it is an HA unit! (HINT to NetApp, figure out a way to consolidate this please!!)

Let's say you were an early adopter of VSC and installed it per the manual.  You probably used root as the user ID and you never enabled SSL on the filer.  If this is the case, you are sending the root password in clear text (Yikes!).  Based on Vaughn's article we can easily go back and fix this.

  • Configure and enable SSL on each NetApp controller if not already enabled
    • From the command line you can use the secureadmin setup ssl and secureadmin status commands. This can also be configured from FilerView -> Secure Admin
  • Create the role, group, and user on each NetApp controller. Enter each line from the command line
    • useradmin role add vsc-role -a login-http-admin,api-aggr-list-info,api-cf-get-partner,api-cf-status,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-list-info,api-fcp-get-cfmode,api-license-list-info,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules,api-qtree-list,api-snmp-get,api-snmp-get-next,api-system-get-info,api-system-get-version,api-volume-autosize-get,api-volume-list-info,api-volume-options-list-info
    • useradmin group add vsc-group -r vsc-role
    • useradmin user add vsc-user -g vsc-group
  • From the vSphere Client, go to the NetApp tab and repeat the following for each controller
    • Right-click on the controller and click Modify Credentials
    • Enter the newly created vsc-user ID and password, check Use SSL, and click OK

Congratulations, you have just configured your vCenter Server to communicate with the NetApp systems in a safe and secure way!
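
Since the same three commands have to be entered on every controller (both heads of an HA pair included), here is an added example, not from the original post or from NetApp, that prints the command set per controller so the role stays identical everywhere. The controller names and version numbers are constructed, and dropping api-lun-get-vdisk-attributes on 7.2.x follows the report in the comments below.

```sh
# Added example, not from the original post: print the post's useradmin
# commands per controller. Controller names and versions are constructed.
# Capability list exactly as given in the post (21 entries).
VSC_CAPS="login-http-admin,api-aggr-list-info,api-cf-get-partner,api-cf-status"
VSC_CAPS="$VSC_CAPS,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-list-info"
VSC_CAPS="$VSC_CAPS,api-fcp-get-cfmode,api-license-list-info,api-lun-get-vdisk-attributes"
VSC_CAPS="$VSC_CAPS,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfs-list-rules"
VSC_CAPS="$VSC_CAPS,api-qtree-list,api-snmp-get,api-snmp-get-next,api-system-get-info"
VSC_CAPS="$VSC_CAPS,api-system-get-version,api-volume-autosize-get,api-volume-list-info"
VSC_CAPS="$VSC_CAPS,api-volume-options-list-info"

# vsc_caps VERSION: capability list for that Data ONTAP version. 7.2.x rejects
# api-lun-get-vdisk-attributes (reported in the comments), so it is dropped.
vsc_caps() {
    case "$1" in
        7.2|7.2.*) printf '%s\n' "$VSC_CAPS" | sed 's/,api-lun-get-vdisk-attributes//' ;;
        *)         printf '%s\n' "$VSC_CAPS" ;;
    esac
}

# vsc_caps_explicit LIST: fail if any capability is a wildcard such as api-*,
# which would widen the role beyond the explicit list above.
vsc_caps_explicit() {
    case "$1" in *'*'*) return 1 ;; *) return 0 ;; esac
}

# vsc_commands VERSION: the three commands, in the order the post gives them.
vsc_commands() {
    caps=$(vsc_caps "$1")
    vsc_caps_explicit "$caps" || { echo "wildcard capability refused" >&2; return 1; }
    printf 'useradmin role add vsc-role -a %s\n' "$caps"
    printf 'useradmin group add vsc-group -r vsc-role\n'
    printf 'useradmin user add vsc-user -g vsc-group\n'
}

# vsc_plan: read "controller version" lines on stdin, print a plan for each.
vsc_plan() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '### %s (Data ONTAP %s)\n' "$host" "$ver"
        vsc_commands "$ver" || return 1
    done
}

# Constructed sample: an HA pair with heads on different releases.
vsc_plan <<'EOF'
filer-a 7.3.2
filer-b 7.2.6
EOF
```

The output is meant to be pasted into each controller's command line, as the post describes; the script itself connects to nothing.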


    Andrew Miler said...

    Absolute agreement on "(HINT to NetApp, figure out a way to consolidate this please!!)"...I'll even add my own exclamation points!

    Especially with the success of the Complete Bundle, we end up setting up more of this stuff than we used to (especially SMVI and VSC) and it gets a bit tedious.

    Andrew Miler said...

    Just a note that if you add the role in ONTAP 7.2.x, you have to remove the api-lun-get-vdisk-attributes capability or else you get this message:

    Invalid capabilities: api-lun-get-vdisk-attributes
    Could not add role . Error: Invalid capability

    Aaron Delp said...

    Andrew - Thank you for the information!!!