Preparation for Scanning Clustered Data ONTAP (cDOT)
StorageGuard collects configuration data from NetApp cDOT storage systems by connecting to them over HTTP or HTTPS and issuing read-only commands through either the NetApp ZAPI API or the REST API.
The following table lists the requirements for scanning clustered ONTAP systems:
# | Description |
1 | Provide the Name or IP address of each NetApp Cluster. |
2 | Provide a user account (and password) for each NetApp cluster. |
3 | The user account should be assigned a role that enables running all read-only API calls. Examples of read-only GET REST APIs used: |
4 | Verify that IP connectivity through HTTP (default is port 80) or HTTPS (default is port 443) is available between the StorageGuard server and each NetApp cluster. |
Creating a User Account for Scanning Clustered Data ONTAP (cDOT)
The following suggested method can be used to create a user account with appropriate privileges:
CLI
Step 1: Ensure that http (REST) is enabled
system services web show
Step 2: Create a role for REST API with read-only access
security login role create -role cntsw_rest_ro -cmddirname "DEFAULT" -access readonly
security login role create -role cntsw_rest_ro -cmddirname "security" -access readonly
Step 3: Create a role for ONTAPI with read-only access
security login role create -role cntsw_zapi_ro -cmddirname "DEFAULT" -access readonly
Step 4: Assign the roles to the user
security login create -username cntuser -application http -authmethod password -role cntsw_rest_ro
security login create -username cntuser -application ontapi -authmethod password -role cntsw_zapi_ro
NOTES:
- Enable SSH access and grant read-only CLI permissions to the user if you intend to expand the built-in configuration collection with additional, user-defined commands (“custom collection”). Custom collection can be defined using either REST API or CLI.
- In addition to scanning the ONTAP system, StorageGuard can also scan the NetApp Active IQ Unified Manager application by running read-only API queries on port 443.
- If you’re planning to use only the REST API, it is possible to use REST roles instead of traditional roles (ONTAP 9.6 and above).
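Before the commands from Steps 2 to 4 are run on a cluster, they can be checked for least privilege. The following is an added example, not part of the original page or of StorageGuard: a Python check (the function names `parse` and `audit` are hypothetical) that reads the provisioning commands and reports any role grant that is not read-only and any login bound to a role the script does not define. It assumes ONTAP's documented behaviour that `-access` defaults to `all` when omitted.

```python
import shlex

# The commands from Steps 2-4 of this page, embedded as the sample input.
PAGE_COMMANDS = """\
security login role create -role cntsw_rest_ro -cmddirname "DEFAULT" -access readonly
security login role create -role cntsw_rest_ro -cmddirname "security" -access readonly
security login role create -role cntsw_zapi_ro -cmddirname "DEFAULT" -access readonly
security login create -username cntuser -application http -authmethod password -role cntsw_rest_ro
security login create -username cntuser -application ontapi -authmethod password -role cntsw_zapi_ro
"""

def parse(line):
    """Split one ONTAP CLI line into (verb, {flag: value})."""
    tokens = shlex.split(line)
    first = next((i for i, t in enumerate(tokens) if t.startswith("-")), len(tokens))
    return " ".join(tokens[:first]), dict(zip(tokens[first::2], tokens[first + 1::2]))

def audit(script):
    """Return a list of findings; an empty list means every grant is read-only."""
    findings, defined_roles = [], set()
    for n, line in enumerate(script.splitlines(), 1):
        if not line.strip():
            continue
        verb, flags = parse(line)
        if verb == "security login role create":
            # Assumption: an omitted -access means "all" (ONTAP default).
            access = flags.get("-access", "all")
            defined_roles.add(flags.get("-role"))
            if access not in ("readonly", "none"):
                findings.append(f"line {n}: role {flags.get('-role')} grants "
                                f"'{access}' on {flags.get('-cmddirname')}")
        elif verb == "security login create":
            role = flags.get("-role")
            if role not in defined_roles:
                # A built-in or pre-existing role has privileges this script cannot vouch for.
                findings.append(f"line {n}: login {flags.get('-username')} uses "
                                f"role {role}, which this script does not define")
        else:
            findings.append(f"line {n}: unexpected command '{verb}'")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_COMMANDS) or ["all grants are read-only"]:
        print(finding)
```
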