Setting up Cloud Manager Edit on GitHub

Adding additional AWS accounts to Cloud Manager

When Cloud Manager is associated with an IAM role, it deploys ONTAP Cloud systems in the AWS account from which the Cloud Manager instance was created. If you want to deploy ONTAP Cloud systems in other AWS accounts, then you must delegate access across accounts.

About this task

The following image depicts the steps that you must complete below.

A conceptual graphic that shows a new IAM role that gains permissions from an IAM policy and has a trust relationship with the IAM role attached to the Cloud Manager instance. That IAM role gains permissions from an IAM policy as well. Finally

Steps
  1. Create an IAM role in the AWS account in which you want to deploy ONTAP Cloud systems.

    The role must meet the following requirements:

    • It must adhere to Cloud Manager IAM policy requirements.

    • It must have a trust relationship that allows the IAM role associated with the Cloud Manager instance to assume this new role.

  2. Add a permission to the Cloud Manager IAM role policy that enables it to assume the IAM role that you just created.

    You can find the name of the Cloud Manager IAM role from the EC2 console by viewing a description of the instance.
  3. When you create a new working environment, add the target account in the Details & Credentials page by specifying the AWS account ID of the target account and the name of the IAM role in that account.

As always, you must ensure network connectivity between Cloud Manager and the location of the target ONTAP Cloud systems. This is important when the instances are created by different accounts.

For additional background about this process, refer to AWS Documentation: Tutorial: Delegate Access Across AWS Accounts Using IAM Roles. In this tutorial, the production account is similar to the target account and the development account is similar to the Cloud Manager account.

After you finish

If you have additional accounts, complete these steps for those accounts, as well.

Setting up the AWS KMS

If you want to use Amazon encryption with ONTAP Cloud, then you must set up the AWS Key Management Service (KMS).

Steps
  1. Ensure that an active CMK exists in your account.

    The CMK can be an AWS-managed CMK or a customer-managed CMK.

  2. Add the IAM role associated with the Cloud Manager instance to the list of key users for a CMK.

    This gives Cloud Manager permissions to use the CMK with ONTAP Cloud systems.

Installing an HTTPS certificate for secure access

By default, Cloud Manager uses a self-signed certificate for HTTPS access to the web console. You can install a certificate signed by a certificate authority (CA), which provides better security protection than a self-signed certificate.

Steps
  1. In the upper right of the Cloud Manager console, click the task drop-down list, and then select HTTPS Setup.

  2. In the HTTPS Setup page, install a certificate by generating a certificate signing request (CSR) or by installing your own CA-signed certificate:

    Option Description

    Generate a CSR

    1. Enter the host name or DNS of the Cloud Manager host (its Common Name), and then click Generate CSR.

      Cloud Manager displays a certificate signing request.

    2. Use the CSR to submit an SSL certificate request to a CA.

      The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.

    3. Copy the contents of the signed certificate, paste it in the Certificate field, and then click Install.

    Install your own CA-signed certificate

    1. Select Install CA-signed certificate.

    2. Load both the certificate file and the private key and then click Install.

      The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.

Result

Cloud Manager now uses the CA-signed certificate to provide secure HTTPS access. The following image shows a Cloud Manager system that is configured for secure access:

Screen shot: Shows the HTTPS Setup page after you install a signed certificate. The page shows the certificate properties and an option to renew the certificate.

Adding users to Cloud Manager

If additional users need to use your Cloud Manager system, they must sign up for an account in NetApp Cloud Central. You can then add the users to Cloud Manager.

Steps
  1. If the user does not yet have an account in NetApp Cloud Central, send them a link to your Cloud Manager system and have them sign up.

    Wait until the user confirms that they have signed up for an account.

  2. In Cloud Manager, click the user icon and then click Users.

    Screen shot: Shows the Users option selected in the task drop-down list.

  3. Click Add User.

  4. Enter the email address associated with the user account, select a role, and click Add.

After you finish

Inform the user that they can now log in to the Cloud Manager system.

Linking tenants to a NetApp Support Site account

You should link a tenant to a NetApp Support Site account so Cloud Manager can manage licenses for BYOL systems, register pay-as-you-go instances for support, and upgrade ONTAP Cloud software.

Steps
  1. Click Tenants.

  2. Select the tenant that you want to link to a NetApp Support Site account.

  3. Click Change NSS account.

  4. Enter the user name and password for a NetApp customer-level account (not a guest or temp account) and click Save.

Result

Cloud Manager registers all existing and future ONTAP Cloud systems in the tenant with NetApp support.

Setting up AWS billing and cost management for Cloud Manager

Cloud Manager can display the monthly compute and storage costs associated with running ONTAP Cloud in AWS. Before Cloud Manager can display the costs, users of AWS payer accounts must set up AWS to store billing reports in an S3 bucket, Cloud Manager must have permissions to access that S3 bucket, and AWS report tags must be enabled after you launch your first ONTAP Cloud instance.

Before you begin

You must have granted AWS permissions to Cloud Manager so it can access an S3 bucket. For details, see Granting AWS permissions to Cloud Manager.

About this task

Users of AWS payer accounts must set up AWS to store billing reports in an S3 bucket. Cloud Manager uses the information from the reports to show monthly compute and storage costs associated with an ONTAP Cloud instance, as well as storage cost savings from NetApp product efficiency features (if they are enabled). For an example, see see Monitoring AWS storage and compute costs.

Steps
  1. Go to the Amazon S3 console and set up an S3 bucket for the detailed billing reports:

    1. Create an S3 bucket.

    2. Apply a resource-based bucket policy to the S3 bucket to allow Billing and Cost Management to deposit the billing reports into the S3 bucket.

      For details about using an S3 bucket for detailed billing reports and to use an example bucket policy, see AWS Documentation: Understand Your Usage with Detailed Billing Reports.

  2. From the Billing and Cost Management console, go to Preferences and enable the reports:

    1. Enable Receive Billing Reports and specify the S3 bucket.

    2. Enable Cost allocation report.

  3. When you set up a user account in Cloud Manager, specify the S3 bucket that you created.

    If you grant AWS permissions to Cloud Manager by specifying AWS keys, you must set up a Cloud Manager user account by specifying AWS keys for an IAM user created under the payer account or the AWS keys for the payer account itself.
  4. After you launch your first ONTAP Cloud instance, go back to Billing and Cost Management Preferences, click Manage report tags, and enable the WorkingEnvironmentId tag.

    This tag is not available in AWS until you create your first ONTAP Cloud working environment using any account under the AWS payer account.

Result

Cloud Manager updates the cost information at each 12-hour polling interval.

After you finish

Repeat these steps for other AWS payer accounts for which cost reporting is needed. For details about how to view the cost information, see Monitoring AWS storage and compute costs.

Setting up ONTAP Cloud encryption

The Cloud Manager Admin user must set up Cloud Manager before other users can enable ONTAP Cloud encryption on new ONTAP Cloud systems in AWS.

Key manager requirements

You need a supported key management infrastructure to use ONTAP Cloud encryption.

Supported key managers

An external key manager is a system in your network or in AWS that securely stores authentication keys and provides them upon demand to ONTAP Cloud systems using secure TLS connections. The following key managers are supported:

  • SafeNet Virtual KeySecure k150v

  • SafeNet KeySecure k460

  • Vormetric Data Security Manager

See the NetApp Interoperability Matrix Tool for supported software versions.

Each ONTAP Cloud system supports up to four key managers. You should use multiple key managers in a clustered configuration for redundancy.

Vormetric configuration requirements

The Encryption Setup page in Cloud Manager pertains to SafeNet key managers only. You must refer to the KB article to set up ONTAP Cloud with Vormetric key managers. The rest of this section describes setup for SafeNet key managers.

SafeNet configuration requirements

Each SafeNet key manager must have several certificates, a KMIP server, and a network connection to ONTAP Cloud systems. The key manager must also meet specific requirements if using client certificate authentication. Note that Cloud Manager does not communicate with key managers, so a network connection between Cloud Manager and key managers is not required.

A description of the key manager requirements follows:

Requirement Description

Key managers must have a server certificate

Key managers need a server certificate to authenticate with ONTAP Cloud systems. The SSL certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format. You select this server certificate when you configure the KMIP server on the key manager.

If you plan to use two to four key managers with an ONTAP Cloud system, the same certificate authority (CA) must sign the server certificate for each key manager.

Key managers must trust the signing CA

The CA that signed the server certificate must be known and trusted by the key manager.
Key managers must have a KMIP server Each key manager must have a KMIP server that uses SSL and a specific port. The default and recommended port for ONTAP Cloud is 5696. If needed, you can change this port when you set up Cloud Manager.

Key managers must have a network connection to ONTAP Cloud systems

If the key managers are in AWS, they must have a connection to the subnet in which ONTAP Cloud instances are running. If the key managers are in your network, a VPN connection to the VPC provides the required connection.

Firewall settings must allow communication through the KMIP port.

Key managers must trust the Cloud Manager CA and its root CA, if using client certificate authentication

When you set up Cloud Manager, you configure it to act as an intermediate CA so it can sign ONTAP Cloud client certificates. If a KMIP server requires client certificate authentication, then the Cloud Manager intermediate CA must be known and trusted by key managers.

The root CA that signed the Cloud Manager certificate must also be known and trusted by the key manager.

Key managers must check a compatible user name field, if using client certificate authentication

If the key manager’s KMIP server checks for a user name in client certificates, it must use a field compatible with ONTAP Cloud client certificates. Cloud Manager can create ONTAP Cloud client certificates that include a user name in the CN (Common Name), E (Email address), and OU (Organizational Unit) fields.

KMIP Cryptographic Usage Mask must be set to no

If you use SafeNet OS v8.6, you must do the following:

  1. Connect to the CLI using the admin user

  2. Enter the following commands:

    config
    no kmip cryptographicusagemask

  3. Restart the NAE Server from the user interface

The following graphic depicts these requirements:

This illustration shows the requirements for key managers: a KMIP server

Notes:

  1. The Cloud Manager intermediate CA and its root CA must be trusted only if the KMIP server requires client certificate authentication.

  2. The same CA must have signed the server certificate for both key managers. This CA is called the key manager CA.

After you meet these requirements, you must set up Cloud Manager so users can enable ONTAP Cloud encryption.

Setting up Cloud Manager as an intermediate CA

Cloud Manager must be an intermediate certificate authority (CA) because it needs to create client certificates for ONTAP Cloud. You set up Cloud Manager to be an intermediate CA by generating a certificate signing request (CSR), getting the CSR signed by a root CA, and then installing the certificate in Cloud Manager.

Steps
  1. In the upper-right corner of the Cloud Manager console, click the task drop-down list, and then select Encryption Setup.

  2. In the Intermediate CA tab, click Generate CSR.

    Cloud Manager displays a certificate signing request.

  3. Use the CSR to submit a certificate request to a CA.

    The intermediate CA certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.

  4. Copy the content of the signed certificate and paste it in the Cloud Manager certificate field.

  5. Click Install Cloud Manager Certificate.

Result

Cloud Manager is now an intermediate CA—it can sign client certificates for ONTAP Cloud systems. The following image shows a Cloud Manager system that is configured to be an intermediate CA:

Screen shot: Shows the Cloud Manager certificate in the Intermediate CA tab

After you finish

If a KMIP server requires client certificate authentication, add the Cloud Manager intermediate CA and its root CA to the key manager’s list of trusted CAs. This step is necessary because the key manager must verify that ONTAP Cloud client certificates were signed by a trusted CA.

Adding key managers and CA certificates to Cloud Manager

Cloud Manager needs information about your key managers and CA certificates so users can select them for use with ONTAP Cloud systems.

Steps
  1. In the Encryption Setup page, click Key Manager.

  2. If your key managers use a KMIP port other than 5696, change the port and then click Save.

    Cloud Manager configures ONTAP Cloud systems to connect to key managers using this port.

  3. In the Key Managers table, click Add.

    In the Add Key Manager dialog box, enter details about the key manager, and then click Add:

    Field Action

    Key Manager Name

    Enter a unique name to distinguish the key manager.

    IP Address

    Enter the IP address of the key manager.

    User Name for Client Certificate Authentication

    If the key manager is enabled for client certificate authentication by having the key manager verify a user name from client certificates, specify the field and user name:

    • Select the field in which the key manager should look for a user name.

    • Enter a user name that is defined in the key manager.

    Cloud Manager generates ONTAP Cloud client certificates with the value defined in the user name field.

  4. In the Key Managers' CA Certificates table, click Add.

  5. Paste the certificate of the certificate authority (CA) that signed the key manager’s server certificate and then click Add.

  6. Repeat the steps for any additional key managers and their CA certificates.

Result

Cloud Manager is now set up to create ONTAP Cloud systems with encryption enabled.