NetApp ONTAP and Unbound Interoperability Certification
One of our strategic partners, NetApp, wanted us to validate the compatibility and functionality of using the Unbound Key Manager Server for data encryption keys on the NetApp Filer on behalf of our mutual customer. We chose to do a Proof of Concept in the Advanced Technology Center (ATC) to validate that the two technology solutions could work together in the scenario provided by our customer.
One of the values WWT brings to its customers is our ability to leverage our digital playground called the ATC (Advanced Technology Center). In the ATC, you will find approximately 400 cabinets of equipment spread over 4 separate data centers on the WWT Tech Campus. We leverage this technology to help our customers accelerate technology adoption and provide more confidence in the technology they purchase from us.
Recently, a global banking customer requested that WWT certify compatibility and interoperability between the NetApp AFF A320 storage system running ONTAP 9.6 and the Unbound UKC Encryption Key Management platform. The customer already had the Unbound product deployed in their environment to manage encryption keys for other technologies and needed to ensure that systems running ONTAP would function correctly with the Unbound product.
Testing Environment and Goals of Testing
The goal of the testing was to have the Unbound UKC platform manage the encryption keys for ONTAP while using NetApp Volume Encryption (NVE) to provide encryption services for the data. To that end, the WWT ATC (Advanced Technology Center) deployed a Proof of Concept (POC) lab environment with a NetApp AFF320 storage appliance and a virtual Unbound UKC appliance HA pair. See the diagram below for a high-level topology layout for this lab.
High-Level Diagram of Test Environment in the ATC
What we found out
The ONTAP system would make KMIP API calls to the Unbound Key Manager to manage all software encryption keys. During testing, WWT confirmed that an interoperability issue existed between the Unbound Key Manager software and the ONTAP code level our customer wanted to deploy in production using NVE.
Working with both the NetApp and Unbound engineering teams, who also had remote access into the lab environment, the teams were able to troubleshoot and diagnose problems in real time. The teams were able to access all the components of the same environment. Unbound provided updated code fixes that were then validated to address some issues identified in the WWT ATC lab environment. After working and testing with both vendors, we eventually confirmed the interoperability of their solutions for our mutual customer.
End goal achieved and the value add
With all the code issues resolved, the design validation was completed successfully. Working with our vendor partners, NetApp and Unbound, we were able to provide the customer a validated solution that they could potentially use in production. We provided value by saving the customer all the operational grief of having to identify these issues in a production environment.
The ability to rally multiple vendors together around test environments in the ATC is part of the tremendous value that WWT can deliver for our customers. By being able to have focused resources work collaboratively and deploy multiple OEM solutions together, we increased our customer's ability to deliver quickly and avoid delays that could have been caused if problems had needed troubleshooting in the customer environment.
If you face a similar challenge evaluating multi-OEM solutions and could benefit from help from WWT, contact your WWT account team to discuss testing in the ATC.
The goal of the testing was to have the Unbound UKC platform manage the encryption keys for ONTAP while using NetApp Volume Encryption (NVE) to provide encryption services for the data. We expected to successfully show this integration through our testing in the Advanced Technology Center (ATC).
- NetApp ONTAP AFF400, code level 9.6P5
- Unbound KMIP Key Manager, code level 2.0.2001.41660
KMIP testing on NetApp
Author Name: Derik Heidemann
Current Version Number: Version 1
Current Version Date: March 9th, 2020
The information contained herein is proprietary and confidential to World Wide Technology (WWT) and the specific client for which it was prepared. This document may not be reproduced or redistributed in any format, written or electronic, without express written consent of all parties involved. WWT certifies the information in this document to be correct and true, to the best of its knowledge, at the time of its publication. All reasonable measures have been taken to ensure that the information provided is as accurate and up-to-date as possible at the time this document was completed.
- Author Derik Heidemann - ATC Lab Services Storage Architect: Document creation
- Author Derik Heidemann - ATC Lab Services Storage Architect: Added content
This document contains the results of KMIP testing with adding and removing encryption keys following reboots. The purpose is to prove that no issue will be experienced with reboots of nodes specifically in regard to upgrades on the NetApp array.
NetApp AFF400 code level 9.6P5
Unbound code level 2.0.2001.41660
- A script was provided by NetApp to utilize for testing. The external key manager was set up by Unbound and made available for testing.
- There were two different scripts that needed to be run at periodic times.
- The first script was executed prior to a reboot and the output saved.
- The second script was executed after the reboot to verify the first script ran as it should. A cleanup was also performed.
- Once those tests were complete, a command to enable FIPS on the array was issued and the same two scripts were once again executed.
- The output files that were generated would show the success of each run. This was verified by NetApp and Unbound.
Figure 1: Before reboot output
Figure 2: After reboot output
Figure 3: Before reboot, FIPS enabled, output
Figure 4: After reboot, FIPS enabled, output
Tests succeeded only after upgrading the NetApp array to a newer version of code (code level 9.6P5) and NetApp providing the correct script parameters for completing the tests. NetApp signed off that everything tested successfully once those steps were completed.
Appendix B: WWT Team Information
Client Executive: Marie Santiago (Marie.Santiago@wwt.com)
Consulting Systems Engineer: James Eisert (James.Eisert@wwt.com)
Lead ATC Lab Services Architect: Derik Heidemann (Derik.Heidemann@wwt.com)
ATC Lab Services Project Manager: Tim Winters (Tim.Winters@wwt.com)