
NSE - Bootarg kmip.init.maxwait can cause data loss

Category:
e-series-disk-shelves
Specialty:
dp

Applies to

NSE storage system

Answer

How to mitigate ARS Risk #3016 - boot_loader option kmip.init.maxwait and/or kmip.init.maxwait.ping is set to OFF.

Both options should either be set to ON or be left unset, which is the default. By default, the NSE storage system pings the KMIP (External Key Manager) server and waits for a ping response from at least one KMIP server before initiating a secure SSL connection.
If the boot_loader option kmip.init.maxwait and/or kmip.init.maxwait.ping is set to OFF, the NSE disks are locked and in use, and the system for any reason gets into a boot loop, the data on those disks can be lost.
By default, NSE disk drives have a built-in feature that protects their data against repeated failed authentication attempts. If authentication fails more than 1024 times in sequence, the NSE disk drives self-erase their internal encryption key, and the data stored on the drives is lost forever. This process cannot be reverted. If this occurs, the NSE disk drives can only be reused by going into maintenance mode and running the disk encrypt sanitize -all command to set the NSE disk drives back to factory defaults. A reboot is also required for this to take effect.

To mitigate the issue, perform the following:

  1. At the boot loader prompt, unset the variables, which restores the default. The effective setting is then ON, but the variables will be hidden.

unsetenv kmip.init.maxwait 
unsetenv kmip.init.maxwait.ping

  1. At the boot loader prompt, set the variables to ON.

setenv kmip.init.maxwait on
setenv kmip.init.maxwait.ping on
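
To check saved boot loader environment dumps for this risk before a reboot, a small audit script can flag either variable when it is OFF and treat an unset variable as the safe default. This is an added example, not NetApp code: the dump format (one "name=value" or "name value" pair per line), the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not NetApp tooling). Assumes the boot loader environment was
# saved to a text file, one "name=value" or "name value" pair per line.

# Print the state of one variable: unset, on, off, or other:<value>.
kmip_bootarg_state() {  # $1 = dump file, $2 = variable name
    awk -v want="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[= \t]/)      # name ends at first "=" or blank
            if (n == 0) { name = line; val = "" }
            else { name = substr(line, 1, n - 1); val = substr(line, n + 1) }
            gsub(/^[= \t"]+|[ \t\r"]+$/, "", val)
            if (name == want) { found = 1; state = tolower(val) }
        }
        END {
            if (!found) print "unset"
            else if (state == "on" || state == "off") print state
            else print "other:" state
        }' "$1"
}

# Return 0 when both variables are unset (default ON) or on, 1 otherwise.
audit_kmip_bootargs() {  # $1 = dump file
    rc=0
    for var in kmip.init.maxwait kmip.init.maxwait.ping; do
        state=$(kmip_bootarg_state "$1" "$var")
        case "$state" in
            unset) echo "OK    $var is unset (default ON)" ;;
            on)    echo "OK    $var is ON" ;;
            off)   echo "RISK  $var is OFF: unset it or set it to on"; rc=1 ;;
            *)     echo "CHECK $var has unexpected value: ${state#other:}"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample dump for illustration only, not real system output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
example.var=1
kmip.init.maxwait=OFF
EOF
audit_kmip_bootargs "$sample" || echo "Fix the boot loader variables before the next boot"
rm -f "$sample"
```
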
