NSE storage system
How to mitigate ARS Risk #3016 - boot_loader option kmip.init.maxwait and/or kmip.init.maxwait.ping is set to OFF.
They should either be set to ON, or be unset which is the default. By default, the NSE storage system is set to ping the KMIP (External Key Manager) server and wait for a ping response from at least one KMIP server before initiating a secure SSL connection.
If the boot_loader option kmip.init.maxwait and/or kmip.init.maxwait.ping is set to OFF, and NSE disks are locked and in use and if for any reason the system gets into a boot loop, the data on them can be lost.
By default, NSE disk drives have a built-in feature that protects their data from unauthorized sequential failed attempts to authenticate correctly. If the sequential authorization fails more than 1024 times, the NSE disk drives will self-erase their internal encryption key and data stored on the drives will be lost forever. There is no revert for this process. If this occurs, the NSE disk drives can only be re-used by going into maintenance mode and running the disk encrypt sanitize -all command to set the NSE disk drives back to factory defaults. A reboot is also required for this to take effect.
To mitigate the issue, perform the following:
- At the boot loader prompt unset the variables, which is the default. The setting is ON, but the variable will be hidden.
- At the boot loader promp, set the variables to ON.
setenv kmip.init.maxwait on
setenv kmip.init.maxwait.ping on
Add your text here.