# Does anyone know if you can have separate certificates on LIFs?


whole stag
#

I am trying to create an SVM serving S3 on 9.15 and I thought it would be a good idea to separate them because I predict at some point we will have to serve S3 in a network where I don't want management to be accessible.

visual cliff
#

Certificates have nothing to do with LIFs. They are usually used on services which listen on port 443, "web servers" if you want.
You can choose one certificate for your management traffic of your SVM and another one for the object-store-server.

#

Then separate the traffic with service-policies on your LIFs.

toxic laurel
#

For an S3 SVM on the NetApp using self-signed certs, looks like you create a root-ca.
You can certainly install other root-ca certs and then still make a separate cert for the SVM server.

#

Additionally, you should be able to create network interface service-policy entries to limit exposure when applied to LIFs.

whole stag
#

Thank you. I will give it another shot. We have an internal server for creating certificates and I have added that as a trusted certificate authority, as have all clients and servers in the network. I will generate a new certificate for the management and see if I can get it assigned to the right services.

median heath
#

Fun fact: for NFS over TLS, you can actually specify a certificate for each LIF (vserver nfs tls interface enable ... -certificate-name xyz) 🙂

toxic laurel
#

Pretty sure you should say it’s a feature of ONTAP 9.15+ @median heath
