Configuration

Using the web interface

Connect to https://<ip>/ to configure the virtual appliance.

The default credentials for the Web UI are:

  • Username: admin
  • Password: Netapp01

To access the appliance operating system over SSH:

  • Username: root
  • Password: NetappGrafanaVA

Home Page

When you log into NAbox, you are presented with a dashboard displaying basic information about the status of the virtual appliance.

Configure Harvest user

You should use a non-privileged user to connect Harvest to your storage systems.

Here are the required privileges and how to create a dedicated user in ONTAP:

Configure role

security login role create -role harvest2-role -access readonly -cmddirname "cluster"
security login role create -role harvest2-role -access readonly -cmddirname "event notification destination show"
security login role create -role harvest2-role -access readonly -cmddirname "event notification destination"
security login role create -role harvest2-role -access readonly -cmddirname "lun"
security login role create -role harvest2-role -access readonly -cmddirname "metrocluster configuration-settings mediator add"
security login role create -role harvest2-role -access readonly -cmddirname "network fcp adapter show"
security login role create -role harvest2-role -access readonly -cmddirname "network interface"
security login role create -role harvest2-role -access readonly -cmddirname "network port show"
security login role create -role harvest2-role -access readonly -cmddirname "network route show"
security login role create -role harvest2-role -access readonly -cmddirname "qos adaptive-policy-group"
security login role create -role harvest2-role -access readonly -cmddirname "qos policy-group"
security login role create -role harvest2-role -access readonly -cmddirname "qos workload show"
security login role create -role harvest2-role -access readonly -cmddirname "security"
security login role create -role harvest2-role -access readonly -cmddirname "snapmirror"
security login role create -role harvest2-role -access readonly -cmddirname "statistics"
security login role create -role harvest2-role -access readonly -cmddirname "storage aggregate"
security login role create -role harvest2-role -access readonly -cmddirname "storage disk"
security login role create -role harvest2-role -access readonly -cmddirname "storage encryption disk"
security login role create -role harvest2-role -access readonly -cmddirname "storage failover show"
security login role create -role harvest2-role -access readonly -cmddirname "storage iscsi-initiator show"
security login role create -role harvest2-role -access readonly -cmddirname "storage shelf"
security login role create -role harvest2-role -access readonly -cmddirname "system chassis fru show"
security login role create -role harvest2-role -access readonly -cmddirname "system health alert show"
security login role create -role harvest2-role -access readonly -cmddirname "system health status show"
security login role create -role harvest2-role -access readonly -cmddirname "system health subsystem show"
security login role create -role harvest2-role -access readonly -cmddirname "system license show"
security login role create -role harvest2-role -access readonly -cmddirname "system node"
security login role create -role harvest2-role -access readonly -cmddirname "system service-processor show"
security login role create -role harvest2-role -access readonly -cmddirname "version"
security login role create -role harvest2-role -access readonly -cmddirname "volume"
security login role create -role harvest2-role -access readonly -cmddirname "vserver"
# 7-Mode (useradmin is the Data ONTAP 7-Mode CLI): API capabilities for the role
useradmin role modify harvest2-role -a login-http-admin,api-system-get-version, \
api-system-get-info,api-perf-object-*,api-ems-autosupport-log,api-diagnosis-status-get, \
api-lun-list-info,api-diagnosis-subsystem-config-get-iter,api-disk-list-info, \
api-diagnosis-config-get-iter,api-aggr-list-info,api-volume-list-info, \
api-storage-shelf-environment-list-info,api-qtree-list,api-quota-report

Configure user

# ZAPI based access
security login create -user-or-group-name harvest2 -application ontapi -role harvest2-role -authentication-method password

# REST based access
security login create -user-or-group-name harvest2 -application http -role harvest2-role -authentication-method password
# ZAPI login written with the older -username / -authmethod parameter names
security login create -username netapp-harvest -application ontapi -role harvest2-role -authmethod password

# 7-Mode: group and user
useradmin group add netapp-harvest-group -c "Group for performance monitoring by NetApp Harvest" -r netapp-harvest-role
useradmin user add netapp-harvest -c "User account for performance monitoring by NetApp Harvest" \
  -n "NetApp Harvest" -g netapp-harvest-group

Add your first system

TLS Configuration

For 7-mode systems, make sure that TLS is enabled by setting:

options tls.enable on

Click on the Systems menu to connect to a Clustered Data ONTAP or 7-mode system.

Fill out the credentials and information about the cluster.

You can then go to the Grafana dashboard interface; within a few minutes, metrics will be visible.

NAbox Settings

Preferences

Network

Admin Password

It is recommended to change both the admin password and the root password.

The virtual appliance stores sensitive information such as the passwords to your storage systems. Anyone capable of logging in as root can easily retrieve these passwords.

LDAP / Active Directory

Configuring an Active Directory or LDAP server in NAbox is easy, but you need to make sure you have the correct information. It is especially important that parameters do not contain extra spaces and that they respect the original character case.

It is recommended that you use the ADSI utility in Windows to browse your users and groups and copy/paste parameters from there.

Bind Account DN and Bind Account Password are the full DN or short username for the user and its password. This is usually a service account created in Active Directory to get limited access to the directory.

Users Search Base DN(s) and Group Search Base DN(s) are usually something like DC=mydomain,DC=com, but in big organizations it might be necessary to restrict the search scope to something more specific.

In the Groups mapping section, you specify the full DN of each group according to the Grafana role its members must have.

It is not uncommon to set "*" (star) in the Viewer DN field to allow everyone to view the dashboards.

SSL

You can replace the NAbox SSL certificate with one provided by your organization.

This certificate is used for the NAbox web server itself, not to connect to ONTAP systems.

To configure SSL in NAbox, ask your Certificate Authority for a private key and a certificate chain to paste into this page. By convention, the chain starts with the server certificate and goes down until the root CA certificate.

NAbox expects entries in .pem format.
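
A pre-flight check for the chain order and private key described above, as an added example that is not part of NAbox. It assumes the openssl command-line tool is installed; the script and file names are placeholders.

```sh
#!/bin/sh
# Added example (not NAbox code): check a PEM bundle and key before pasting
# them into the SSL page. File names are placeholders given by the caller.

# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# Print the subject or issuer DN ($1) of certificate file $2 in RFC 2253 form.
cert_field() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Succeed when bundle $1 starts with the server certificate, each certificate
# names the next one as its issuer, and the last one is a self-signed root.
# Only name chaining is compared; signatures are not verified here.
check_chain_order() (
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  count=$(split_bundle "$1" "$tmp")
  [ "$count" -gt 0 ] || { echo "no PEM certificate found"; exit 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    next=$((i + 1))
    if [ "$next" -gt "$count" ]; then next=$count; fi  # root is its own issuer
    if [ "$(cert_field issuer "$tmp/cert-$i.pem")" != \
         "$(cert_field subject "$tmp/cert-$next.pem")" ]; then
      echo "certificate $i: issuer does not match subject of certificate $next"; exit 1
    fi
    i=$((i + 1))
  done
)

# Succeed when private key $1 belongs to the first (server) certificate in $2.
key_matches_cert() (
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ "$key_pub" = "$cert_pub" ]
)

# Usage: sh check-bundle.sh <private-key.pem> <chain.pem>
if [ "$#" -eq 2 ]; then
  check_chain_order "$2" && key_matches_cert "$1" "$2" && echo "bundle looks OK"
fi
```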

About NAbox 2.x implementation and CSR

In NAbox 2.x, there was a complete form to generate a Certificate Signing Request.

This option is not available in NAbox 3 UI but is available through the API.

A Swagger UI is available at https://<nabox ip>/api/1.0/ui/

POST on /api/1.0/ssl is used to create the CSR

GET on /api/1.0/ssl is used to get the CSR in PEM format

Maintenance

You can upgrade and install packages from this menu.

Use this menu to install NAbox updates, new Harvest versions or NMSDK.

Capacity Upgrade

If you run out of space, you can increase the main VMDK file capacity through vCenter, and reboot NAbox.