Friday, December 2, 2016

WFA Command to install a Root CA Certificate on a SVM

For a customer I had to create SVM's and join them in AD.  However, the Active Directory Server was using a public certificate.  Thus, to be able to join the SVM in AD, we first had to install the Root CA certificate on the SVM.  A troublesome manouvre if you have to it manually with the CLI.  Since were provisioning with WFA, why not just create a command to do this.  The customer also has lots of site and DC's, so we added the functionality to set the preferred DC as well.
Below is the code, but I've also added the DAR file.

param (
  [parameter(Mandatory=$true, HelpMessage="Cluster IP address")]

  [parameter(Mandatory=$true, HelpMessage="Vserver name")]
  [parameter(Mandatory=$true, HelpMessage="Fully Qualified domain name of the Windows Active Directory this CIFS server will belongs to")]

  [parameter(Mandatory=$true, HelpMessage="Domaincontrollers")]
  [parameter(Mandatory=$false, HelpMessage="Optional Preferred DC before adding to AD")]

  [parameter(Mandatory=$true, HelpMessage="Certificate path")]

# connect to controller
Connect-WfaCluster $Cluster

# check path
if(Test-Path $CertificatePath){
  Get-WFALogger -Info -message $("Certificate path is correct : $CertificatePath")
  # changing cifs security to TLS for AD
  Get-WFALogger -Info -message $("Changing cifs server security type to TLS for ADLdap for vserver : $Vserver")
  Set-NcCifsSecurity -UseStartTlsForAdLdap $true -VserverContext $VserverName -ErrorAction Stop

  # installing certificate

    Get-WFALogger -Info -message $("Reading certificate : $CertificatePath")
    $certificate = Get-Content $CertificatePath | Out-String

    Get-WFALogger -Info -message $("Validating certificate")
    $CRT = New-Object System.Security.Cryptography.X509Certificates.X509Certificate

    Get-WFALogger -Info -message $("Valid certificate : " + $CRT.Subject)
    Install-NcSecurityCertificate -Vserver $VserverName -type server_ca -Certificate $certificate  

    Get-WFALogger -Info -message $("Certificate installed succesfully")
    Get-WFALogger -Info -message $("Set Preferred DC for join in AD")
    Add-NcCifsPreferredDomainController -Domain $Domain -DomainControllers $DomainControllers -Vservercontext $VserverName

  catch [Exception]{
    Get-WFALogger -Error -message $("Failed Installing certificate : $_.Exception.Message")


  Get-WFALogger -Info -message $("Certificate path does not exist : $CertificatePath")
  Throw $("Path $CertificatePath does not exist")

# check Preferred DC parameter
if ($PrefDc -ne "") {
    Get-WFALogger -Info -message $("A Preferred Domain Controller has been specified $PrefDc")
     # set Preferred Dc

    Get-WFALogger -Info -message $("Set Preferred DC : $PrefDc for Domain $Domain")
    Add-NcCifsPreferredDomainController -Domain $Domain -DomainControllers $PrefDc -Vservercontext $VserverName

  catch [Exception]{
    Get-WFALogger -Error -message $("Failed to set Preferred DC : $_.Exception.Message")


  Get-WFALogger -Info -message $("No Preferred DC installed")
  Throw $("No Preferred Dc specified")


Download the dar file

No comments :

Post a Comment