Volume rehost fails when using Azure Key Vault
Applies to
- Azure Key Vault (AKV)
- Cloud Volumes ONTAP (CVO)
- Volume Rehost
Issue
- The volume rehost command fails in an Azure Key Vault environment:
Cluster::*> volume rehost -vserver svm1 -volume volume1 -destination-vserver svm2
Warning: Rehosting a volume from one Vserver to another Vserver does not change the security information about that volume.If the security domains of the Vservers are not identical, unwanted access might be permitted, and desired access might be denied. An attempt to rehost a volume will disassociate the volume from all volume policies and policy rules. The volume must be reconfigured after a successful or unsuccessful rehost operation.
Do you want to continue? {y|n}: y
[Job 5559] Job is queued: Volume rehost operation on volume "volume1" on Vserver "svm1" to destination Vserver "svm2" by administrator "admin".
Error: command failed: [Job 5559] Job failed:
Volume rehost precheck failed for reasons:
Cannot rehost the encrypted volume "volume1" from Vserver "svm1" using Azure Key Vault to Vserver
"svm2" using Azure Key Vault. Rehost between these key manager types is not supported.
- Security keys cannot be migrated:
Cluster::> security key-manager key migrate -from-vserver svm1 -to-vserver svm2
Error: This migration option is not supported in this release.
The supported migration options are: (Onboard Key Manager|KMIP External Key Manager) to/from (KMIP External Key Manager|Cloud Key Managers) IBM Key Lore Key Manager to (Onboard Key Manager|KMIP External Key Manager) Where the Cloud Key Managers are Azure Key Vault, Amazon Web Services Key Management, Google Cloud Key Management Service, IBM Key Protect Key Management Service.
- The kmip2_client logs show messages indicating BAD_DATA and invalid client secret:
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/tables/kmip_cloud_cmd.cc: 84: error: 11: msg: KMIP_get_data
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::tables::kmip_akv_cmd: [getSmdbError]:411: AKV operation failed: get. Cryptsoft error: BAD_DATA, Cryptsoft status: SUCCESS, Cryptsoft reason: SUCCESS, Cryptsoft message: , HTTP response code: 401, HTTP Payload:
Fri Nov 10 2023 08:07:45 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:07:45]: 0x80a207900: 0: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/AKV/kmip_akv_cmd.c: 852: error: 5: msg: HTTP MESSAGE={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxxxxxxxxxxx'. Trace ID: xxxxxxxxxxxxx Correlation ID: 716c5f36-d8b7-432f-9510-908b61472b68 Timestamp: 2023-11-10 16:08:01Z","error_codes":[7000215],"timestamp":"2023-11-10 16:08:01Z","trace_id":"xxxxxxxxxxxxx","correlation_id":"xxxxxxxxxxxxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"
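As an added triage aid (not part of the original article and not NetApp code), the following Python parses kmip2_client lines in the format shown above and returns only the entries that point at a rejected Azure app registration credential (HTTP 401 from AKV, an OAuth invalid_client error, or an AADSTS code) rather than a problem with the key material. The sample lines are constructed to match the format above, with the HTTP payload shortened.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the kmip2_client format shown above (payload shortened); not a real log.
SAMPLE_LOG = """\
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::tables::kmip_akv_cmd: [getSmdbError]:411: AKV operation failed: get. Cryptsoft error: BAD_DATA, Cryptsoft status: SUCCESS, Cryptsoft reason: SUCCESS, Cryptsoft message: , HTTP response code: 401, HTTP Payload:
Fri Nov 10 2023 08:07:45 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:07:45]: 0x80a207900: 0: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/AKV/kmip_akv_cmd.c: 852: error: 5: msg: HTTP MESSAGE={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided.","error_codes":[7000215]}
Fri Nov 10 2023 08:09:00 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:09:00]: 0x80a207900: 0: INFO: kmip2::tables::kmip_akv_cmd: AKV operation succeeded: get
"""

# Timestamp prefix every kmip2_client line carries; anything else is not one of its lines.
TS_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) \[kern_kmip2_client")
HTTP_RE = re.compile(r"HTTP response code: (\d{3})")
CRYPTSOFT_RE = re.compile(r"Cryptsoft error: ([A-Z_]+)")
OAUTH_RE = re.compile(r'"error":"([a-z_]+)"')   # OAuth error field inside the HTTP MESSAGE payload
AAD_RE = re.compile(r"(AADSTS\d+)")             # Entra ID (Azure AD) error code, e.g. AADSTS7000215

@dataclass
class Finding:
    timestamp: str
    cryptsoft_error: Optional[str]
    http_code: Optional[int]
    oauth_error: Optional[str]
    aad_code: Optional[str]

    @property
    def is_akv_auth_failure(self) -> bool:
        # A 401 from AKV, an OAuth invalid_client error or any AADSTS code means the app
        # registration credential was rejected before the key was ever reached.
        return self.http_code == 401 or self.oauth_error == "invalid_client" or self.aad_code is not None

def parse_line(line: str) -> Optional[Finding]:
    """Parse one kmip2_client line; return None for lines not in that format."""
    m = TS_RE.match(line)
    if not m:
        return None
    def grab(rx):
        hit = rx.search(line)
        return hit.group(1) if hit else None
    http = grab(HTTP_RE)
    return Finding(m.group(1), grab(CRYPTSOFT_RE), int(http) if http else None,
                   grab(OAUTH_RE), grab(AAD_RE))

def akv_auth_failures(log_text: str) -> List[Finding]:
    """Return only the entries that point at a rejected AKV / Entra ID client credential."""
    parsed = (parse_line(ln) for ln in log_text.splitlines())
    return [f for f in parsed if f is not None and f.is_akv_auth_failure]
```

Run it over a kmip2_client extract to separate credential problems (fix the client secret in the key-manager configuration) from anything that needs a deeper look at the key material itself.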