One of the most requested features for our Ansible modules has been the ability to not have to use username/password authentication.  We are happy to announce that with the release of the NetApp ONTAP Ansible collection 20.6.0 the ability to use certificates for authentication has been added.

Using certificates takes a little bit of setup per certificate to be used, but the steps are easy to follow.  You will need to create a certificate on the machine that will be running Ansible, add the certificate to the ONTAP system, and allow the user to authenticate with this certificate.

Step 1. Create a certificate on the machine that will be running Ansible:

A  self-signed certificate will be created for this using the openssl application.

[linux ~]$ openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout name.key -out name.pem -subj "/C=US/ST=NC/L=RTP/O=NetApp/CN=cert_user"

The parts you will need to change are the name of the key and the cert_user.  You can also change the C/ST/L options if you want to use your own country, state and locality.  In the above example I use name.key and name.pem; I would probably use the username of the account I want to connect as, to make it easier to follow: admin.key and admin.pem.  The CN=cert_user value must be the ONTAP user that will be connecting, so for admin it would be CN=admin.

Step 2. Install the self-signed certificate on the ONTAP cluster.

Copy the contents of the .pem file to the clipboard, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.  Now on the ONTAP cluster run the following command.

# security certificate install -type client-ca -cert-name <name> -vserver <cluster short name>

If this is being installed for the admin user on a cluster called Ansible01 the command would look like this:

security certificate install -type client-ca -cert-name admin -vserver Ansible01

Step 3. Enable SSL client authentication on the cluster vserver

This command allows SSL client authentication with certificates.

# security ssl modify -vserver <cluster short name> -client-enabled true

Step 4. Authorize the user to authenticate with certificates

Now the user that will authenticate with this certificate needs cert as an authentication method for both the http and ontapi applications.  Here I am using the 'admin' account.

# security login create -user-or-group-name admin -application ontapi -authentication-method cert
# security login create -user-or-group-name admin -application http -authentication-method cert

Since you can't authenticate to the console with certificates, that application isn't added.  It also means the na_ontap_command module cannot be used with certificates.

Now on the Ansible side you can update your credential area.

If you were using this:

hostname: Ansible01
username: admin
password: netapp123
https: true
validate_certs: false

With the .pem and .key files in the same directory as the playbook, you could instead use this:

hostname: Ansible01
cert_filepath: name.pem
key_filepath: name.key
validate_certs: false

You no longer need https: true, as certificate authentication works over SSL only and therefore has to be HTTPS.
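As an added example (not code from the original post or from the NetApp collection), the shell script below wraps step 1 and adds the two checks worth doing before you paste the certificate into ONTAP: that the CN really equals the login name you will use in security login create, and that the key and certificate belong together (a mismatch in either silently shows up as an authentication failure on the Ansible side). It assumes openssl is on the path; the function names, the output directory argument, the chmod on the key and the vars renderer are my choices, not the collection's.

```shell
#!/bin/sh
# Added example, not from the original post or the NetApp collection.
# Assumes openssl is installed. DN values other than CN are the ones from the post.

# Create the self-signed client certificate for ONTAP user $1 in directory $2.
make_ontap_client_cert() {
    user="$1"
    outdir="${2:-.}"
    # CN must equal the ONTAP login name; the rest of the subject is cosmetic.
    openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \
        -keyout "$outdir/$user.key" -out "$outdir/$user.pem" \
        -subj "/C=US/ST=NC/L=RTP/O=NetApp/CN=$user" 2>/dev/null || return 1
    # The private key is what proves identity to ONTAP: owner-readable only.
    chmod 600 "$outdir/$user.key"
}

# Print the CN embedded in certificate $1, for comparison with the login name
# used in "security login create ... -authentication-method cert".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return success if certificate $1 and private key $2 carry the same public key.
key_matches_cert() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey)
    keypub=$(openssl pkey -in "$2" -pubout)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Render the credential block from the post for host $1, user $2, directory $3:
# no username/password and no https key, since cert auth is HTTPS only.
ansible_cert_vars() {
    printf 'hostname: %s\ncert_filepath: %s/%s.pem\nkey_filepath: %s/%s.key\nvalidate_certs: false\n' \
        "$1" "$3" "$2" "$3" "$2"
}

# Usage: ./make-cert.sh admin Ansible01 ./creds
if [ -n "$1" ] && [ -n "$2" ]; then
    dir="${3:-.}"
    make_ontap_client_cert "$1" "$dir" || { echo "openssl failed" >&2; exit 1; }
    [ "$(cert_cn "$dir/$1.pem")" = "$1" ] || { echo "CN does not match $1" >&2; exit 1; }
    key_matches_cert "$dir/$1.pem" "$dir/$1.key" || { echo "key/cert mismatch" >&2; exit 1; }
    echo "# paste the following into: security certificate install -type client-ca -cert-name $1 -vserver $2"
    cat "$dir/$1.pem"
    echo "# Ansible credential vars:"
    ansible_cert_vars "$2" "$1" "$dir"
fi
```

Run it with the ONTAP login name, the cluster short name and an output directory; it stops before printing anything if the CN or the key pair is wrong, so what you paste into security certificate install is known to match the user you authorise in step 4.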

If you are going to use Tower and still want to be able to do this, just put your .pem and .key files in the same repo as your playbooks and it will work fine with Tower.

As usual if you have any questions you can find myself and others on our Slack workspace in the #configurationmgmt channel.  If you aren’t in our Slack workspace yet, get an invite at netapp.io/slack.


David Blackwell
Technical Marketing Engineer at NetApp
David is a twenty year IT veteran who has been an admin for just about every aspect of a DataCenter at one time or another. When not working, or tinkering with new software at home, David spends most of his free time with his five year old son and his lovely wife.
