ONTAP 9 Manuals ( CA08871-402 )

Prepare to use AutoSupport

You can configure an ONTAP cluster to deliver AutoSupport messages to us. As part of this, you can also send a copy of the messages to local email addresses, typically within your organization. You should prepare to configure AutoSupport by reviewing the available options.

Deliver AutoSupport messages to us

AutoSupport messages can be delivered to us using either the HTTP or SMTP protocol. To improve security you can use TLS with HTTP. Beginning with ONTAP 9.15.1, you can also use TLS with SMTP.

Use HTTP with TLS (HTTPS) whenever possible.

Also note the following:

  • Only one delivery channel to us can be configured for the AutoSupport messages. You cannot use two protocols to deliver AutoSupport messages to us.

  • AutoSupport limits the maximum file size for each protocol. If the size of an AutoSupport message exceeds the configured limit, AutoSupport delivers as much of the message as possible but truncation will occur.

  • You can change the maximum file size if needed. See the command system node autosupport modify for more information.

  • Both protocols can be transported over IPv4 or IPv6 based on the address family to which the name resolves.

  • The TCP connection established by ONTAP to send AutoSupport messages is temporary and short-lived.

HTTP

This provides the most robust features. Note the following:

  • An HTTP PUT request is attempted first. If the request fails during transmission, the request restarts where it stopped.

  • If the server does not support PUT, the HTTP POST method is used instead.

  • The default limit for HTTP transfers is 25 MB.

  • The unsecured HTTP protocol uses port 80.

SMTP

As a general rule, you should use SMTP only if HTTPS/HTTP is not allowed or unsupported for some reason. Note the following:

  • If SMTP sign-in credentials are configured, they are sent unencrypted and in the clear.

  • The default limit for HTTP transfers is 5 MB.

  • The unsecured SMTP protocol uses port 25.

Improve security with TLS

When using either HTTP or SMTP, all traffic is unencrypted and can be easily intercepted and read. When using HTTP, you should always configure the protocol to also use TLS (HTTPS).

Beginning with ONTAP 9.15.1 you can also use TLS with SMTP (SMTPS). In this case, explicit TLS is used which activates the secure channel after the TCP connection is established.
Ports for secure protocols

The following ports are typically used for the secure versions of these protocols:

  • HTTPS - port 443

  • SMTPS - port 587

Certificate validation

With TLS, the certificate downloaded from the server is validated by ONTAP based on the root CA certificate. Before using HTTPS or SMTPS, you need to make sure the root certificate is installed in ONTAP. See Install the server certificate for more information.

Additional configuration considerations

There are a few additional considerations when configuring AutoSupport.

Sending a local copy using email

Regardless of the protocol used to deliver AutoSupport messages to us, you can also send a copy of each message to one or more local email addresses. For example, you might send messages to your internal support organization or a partner organization.

If you deliver messages to us using SMTP (or SMTPS) and you also send local email copies of those messages, the same email server configuration is used.

HTTP proxy

Depending on your network configuration, the HTTPS protocol may require additional configuration of a proxy URL. If HTTPS is used to send AutoSupport messages to our Support and you have a proxy, you must identify the URL for the proxy. If the proxy uses a port other than the default (port 3128) you can specify the port for that proxy. You can also optionally specify a user name and password for proxy authentication.

Install the server certificate

If you use TLS (HTTPS or SMTPS), you need to make sure ONTAP can validate the server certificate. This validation is performed based on the CA that signed the server certificate.

ONTAP includes a large number of pre-installed root CA certificates. So in many cases, the certificate for your server will be immediately recognized by ONTAP without additional configuration. But depending on how the server certificate was signed, you may need to install a root CA certificate and any intermediate certificates.

Follow the instructions provided below to install the certificate if needed. You should install all the required certificates at the cluster level.

Example 1. Steps
ONTAP System Manager
  1. In ONTAP System Manager, select Cluster > Settings.

  2. Scroll down to the Security section.

  3. Select right arrow next to Certificates.

  4. Under the Trusted certificate authorities tab click Add.

  5. Click Import and select the certificate file.

  6. Complete the configuration parameters for your environment.

  7. Click Add.

CLI
  1. Begin the installation:

    security certificate install -type server-ca

  2. Look for the following console message:

    Please enter Certificate: Press <Enter> when done

  3. Open the certificate file with a text editor.

  4. Copy the entire certificate including the following lines:

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

  5. Paste the certificate into the terminal after the command prompt.

  6. Press Enter to complete the installation.

  7. Confirm the certificate is installed using one of the following:

    security certificate show-user-installed

    security certificate show

Top of Page