Skip to main content
NetApp Knowledge Base

Automatic giveback fails during ONTAP ANDU due to onboard key import failure

Views:
1,058
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
core
Last Updated:

Applies to

  • ONTAP 9.8 and later
  • ONTAP Automatic Non-Disruptive Upgrade
  • Motherboard Replacement with Trusted Platform Module (TPM)
  • Onboard Key Manager

Issue

  • ANDU upgrade from 9.6 to 9.8
  • EMS logs for node-02 show key import failures

Sun Aug 22 17:51:01 -0400 [node-02: wafl_exempt00: crypto.ssal.failed:alert]: SSAL operation failed: SSAL Unseal operation failed.
Sun Aug 22 17:51:01 -0400 [node-02: wafl_exempt00: crypto.debug:info]: Onboard key hierarchy import failed: failed to create NKEK: 31.
Sun Aug 22 17:51:01 -0400 [node-02: wafl_exempt00: crypto.okmrecovery.failed:alert]: ERROR: Import of the onboard key hierarchy failed: failed to import key hierarchy. Additional information: error: ssal unseal failed.

  • TSS errors seen in SKTRACE.GZ

2021-08-22T21:51:01Z 24880865537178 [0:0] SSAL_Error: tss_tpm_load:438 tss_execute failed
2021-08-22T21:51:01Z 24880865540576 [0:0] SSAL_Error: crypto_ssal_tpm_unseal:226 tss_tpm_load failed
2021-08-22T21:51:01Z 24880865638452 [0:0] SSAL_Error: tss_log_error:232 crypto_ssal_tpm_unseal: failed, rc 000b0009
2021-08-22T21:51:01Z 24880865640870 [0:0] SSAL_Error: tss_log_error:234 TSS_RC_BAD_CONNECTION - Failure communicating with lower layer
2021-08-22T21:51:01Z 24880865643199 [0:0] SSAL_Error: crypto_ssal_fs_unseal:167 The public portion of the blob should be NULL and of size 0

  • Giveback was vetoed due to volume encryption keys being unavailable

Sun Aug 22 17:56:47 -0400 [node-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1_n02 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node node-02.
Sun Aug 22 17:56:47 -0400 [node-01: cf_giveback: sfo.sendhome.subsystemAbort:alert]: The giveback operation of 'aggr1_n02' was aborted by 'keymanager'.

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.