Configuration
Using the web interface
Connect to https://<ip>/ to configure the virtual appliance.
The default credentials to connect to the Web UI are:
- Username: admin
- Password: Netapp01
Use the same credentials if you want to access the appliance operating system with SSH.
Home Page
When logging into NAbox, you are presented with a dashboard displaying basic information about the status of the virtual appliance.
Configure Harvest user
You should use a non-privileged user to connect Harvest to your storage systems.
Below are the required privileges and how to create a dedicated user in ONTAP.
Configure role
Note
Newer versions of NetApp Harvest may require different privileges; the following section reflects the requirements for Harvest 24.02.0.
Please consider visiting this page or the official Harvest documentation after upgrading Harvest on NAbox.
security login role create -role harvest2-role -access readonly -cmddirname "cluster"
security login role create -role harvest2-role -access readonly -cmddirname "event notification destination show"
security login role create -role harvest2-role -access readonly -cmddirname "event notification destination"
security login role create -role harvest2-role -access readonly -cmddirname "lun"
security login role create -role harvest2-role -access readonly -cmddirname "metrocluster configuration-settings mediator add"
security login role create -role harvest2-role -access readonly -cmddirname "network fcp adapter show"
security login role create -role harvest2-role -access readonly -cmddirname "network interface"
security login role create -role harvest2-role -access readonly -cmddirname "network port show"
security login role create -role harvest2-role -access readonly -cmddirname "network route show"
security login role create -role harvest2-role -access readonly -cmddirname "qos adaptive-policy-group"
security login role create -role harvest2-role -access readonly -cmddirname "qos policy-group"
security login role create -role harvest2-role -access readonly -cmddirname "qos workload show"
security login role create -role harvest2-role -access readonly -cmddirname "security"
security login role create -role harvest2-role -access readonly -cmddirname "snapmirror"
security login role create -role harvest2-role -access readonly -cmddirname "statistics"
security login role create -role harvest2-role -access readonly -cmddirname "storage aggregate"
security login role create -role harvest2-role -access readonly -cmddirname "storage disk"
security login role create -role harvest2-role -access readonly -cmddirname "storage encryption disk"
security login role create -role harvest2-role -access readonly -cmddirname "storage failover show"
security login role create -role harvest2-role -access readonly -cmddirname "storage iscsi-initiator show"
security login role create -role harvest2-role -access readonly -cmddirname "storage shelf"
security login role create -role harvest2-role -access readonly -cmddirname "system chassis fru show"
security login role create -role harvest2-role -access readonly -cmddirname "system health alert show"
security login role create -role harvest2-role -access readonly -cmddirname "system health status show"
security login role create -role harvest2-role -access readonly -cmddirname "system health subsystem show"
security login role create -role harvest2-role -access readonly -cmddirname "system license show"
security login role create -role harvest2-role -access readonly -cmddirname "system node"
security login role create -role harvest2-role -access readonly -cmddirname "system service-processor show"
security login role create -role harvest2-role -access readonly -cmddirname "version"
security login role create -role harvest2-role -access readonly -cmddirname "volume"
security login role create -role harvest2-role -access readonly -cmddirname "vserver"
useradmin role modify harvest2-role -a login-http-admin,api-system-get-version, \
api-system-get-info,api-perf-object-*,api-ems-autosupport-log,api-diagnosis-status-get, \
api-lun-list-info,api-diagnosis-subsystem-config-get-iter,api-disk-list-info, \
api-diagnosis-config-get-iter,api-aggr-list-info,api-volume-list-info, \
api-storage-shelf-environment-list-info,api-qtree-list,api-quota-report
Configure user
# ZAPI based access
security login create -user-or-group-name harvest2 -application ontapi -role harvest2-role -authentication-method password
# REST based access
security login create -user-or-group-name harvest2 -application http -role harvest2-role -authentication-method password
security login create -username netapp-harvest -application ontapi -role harvest2-role -authmethod password
useradmin group add netapp-harvest-group -c "Group for performance monitoring by NetApp Harvest" -r netapp-harvest-role
useradmin user add netapp-harvest -c "User account for performance monitoring by NetApp Harvest" \
-n "NetApp Harvest" -g netapp-harvest-group
Add your first system
TLS Configuration
For 7-mode systems, make sure that TLS is enabled by setting:
options tls.enable on
Click on the ONTAP menu to connect to a Clustered Data ONTAP or 7-mode system, or on StorageGRID to add a StorageGRID object storage system.
Fill out the credentials and information about the cluster or grid.
The metrics will be available in Grafana within a few minutes.
NAbox Settings
Preferences
Network
Admin Password
It is recommended to change the admin password from the default Netapp01.
The virtual appliance stores sensitive information such as the passwords to your storage systems; anyone capable of logging in can easily retrieve those passwords.
LDAP / Active Directory
Configuring an Active Directory or LDAP server in NAbox is easy, but you need to make sure you have the correct information. It is especially important that parameters do not contain extra spaces and that they respect the original character case.
It is recommended that you use the ADSI utility in Windows to browse your users and groups and copy/paste parameters from there.
Bind Account DN and Bind Account Password are the full DN or short username for the user and its password. This is usually a service account created in Active Directory to get limited access to the directory.
Users Search Base DN(s) and Group Search Base DN(s) are usually something like DC=mydomain,DC=com, but in big organizations it might be necessary to restrict the search scope to something more specific.
In the Groups mapping section, you specify the full DN of each group according to the Grafana role it must have.
It is not uncommon to set "*" (star) in the Viewer DN field to allow everyone to view the dashboards.
SSL
You can replace the NAbox SSL certificate with one provided by your organization.
This certificate is used for the NAbox web server itself, not to connect to ONTAP systems.
To configure SSL in NAbox, ask your Certificate Authority for a private key and a certificate chain to paste into this page. By convention, start with the server certificate and go down the chain until the root CA certificate.
NAbox expects entries in .pem format.
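A pre-flight check for the chain order described above, as an added example that is not part of NAbox or its documentation: it compares each certificate's issuer name with the subject name of the next certificate in the pasted bundle. It checks name chaining only (no signature or private-key match), and the `_fake_cert` sample input and its names are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return the raw DER (issuer, subject) Name fields of one certificate."""
    _, pos, end = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = []
    while pos < end:
        tag, _, stop = _tlv(der, pos)
        if tag != 0xA0 or fields:  # skip the optional leading [0] version
            fields.append(der[pos:stop])
        pos = stop
    # Remaining order: serial, signature algorithm, issuer, validity, subject
    return fields[2], fields[4]

def chain_problems(bundle):
    """List ordering problems in a PEM bundle (server certificate expected first)."""
    pairs = [names(base64.b64decode(b)) for b in PEM_RE.findall(bundle)]
    if not pairs:
        return ["no CERTIFICATE blocks found"]
    problems = [f"certificate {i + 1} is not issued by certificate {i + 2}"
                for i in range(len(pairs) - 1) if pairs[i][0] != pairs[i + 1][1]]
    if pairs[-1][0] != pairs[-1][1]:
        problems.append("last certificate is not a self-issued root")
    return problems

def _der(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)  # bodies < 128 bytes

def _fake_cert(issuer, subject):
    """Constructed stand-in: X.509 field layout only, no real key or signature."""
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30), name(issuer), _der(0x30), name(subject))
    pem = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n"

SERVER = _fake_cert("Example Issuing CA", "nabox.example.test")
ISSUING = _fake_cert("Example Root CA", "Example Issuing CA")
ROOT = _fake_cert("Example Root CA", "Example Root CA")
```

`chain_problems(SERVER + ISSUING + ROOT)` returns an empty list; a bundle pasted root-first or with the intermediate missing returns one message per broken link.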
Alternatively, you can generate a Certificate Signing Request (CSR) to send to your Certification Authority (CA). They will return a signed certificate that you can then install.
Finally, you can add your enterprise root certificates to NAbox so that it can trust the HTTPS sessions to the systems it gathers metrics from.
Upgrade
You can upgrade NetApp Harvest from this menu.
You can upgrade NAbox from this menu.
Upgrading NAbox typically does not upgrade NetApp Harvest itself; that must be done separately.