Skip to main content
NetApp Knowledge Base

Search

  • Filter results by:
    • View attachments
    Searching in
    About 28 results
    • Metrocluster OKM: The list of OKM hierarchy keys on one or both of the clusters is potentially corrupted
      https://kb.netapp.com/on-prem/ontap/mc/MC-KBs/Metrocluster_OKM__The_list_of_OKM_hierarchy_keys_on_one_or_both_of_the_clusters_is_potentially_corrupted
      Applies to ONTAP 9.8 or later MetroCluster Onboard Key Management (OKM) Issue After a motherboard replacement, upgrade, or reboot the following was observed: km.mcc.okmkey.mismatch: This cluster is pa...Applies to ONTAP 9.8 or later MetroCluster Onboard Key Management (OKM) Issue After a motherboard replacement, upgrade, or reboot the following was observed: km.mcc.okmkey.mismatch: This cluster is part of a MetroCluster configuration. The list of OKM hierarchy keys on one or both of the clusters is potentially corrupted.
    • OKM keys not restored after ONTAP cluster expansion
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/OKM_keys_not_restored_after_ONTAP_cluster_expansion
      Run the "security key-manager onboard sync" command to restore the onboard key hierarchy on those nodes. If using an external key manager, use the 'security key-manager external show-status' command t...Run the "security key-manager onboard sync" command to restore the onboard key hierarchy on those nodes. If using an external key manager, use the 'security key-manager external show-status' command to verify that the network configuration is correct and the key servers are reachable. If using the Onboard Key Manager, use the 'security key-manager key query -key-type SVM-KEK' command to verify that the same SVM-KEKs are present on both the local and remote clusters.
    • Unable to create audit configuration in On board key-manager system
      https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/Unable_to_create_audit_configuration_in_On_board_key-manager_system
      Unable to create auditing in encrypted volumes, getting the below errors: ClusterA::> vserver audit create -vserver clusterA-cifs -destination /storage_audits_ims_image_share -events file-ops,file-sha...Unable to create auditing in encrypted volumes, getting the below errors: ClusterA::> vserver audit create -vserver clusterA-cifs -destination /storage_audits_ims_image_share -events file-ops,file-share -format xml -rotate-schedule-dayofweek Sunday-Saturday -rotate-schedule-hour 0 -rotate-schedule-minute 0 -rotate-limit 3 Error: command failed: Failed to create audit configuration for Vserver "clusterA-cifs -destination". Reason: [Job 11276] Job failed: Metadata verification failed.
    • OKM: How to recover from a lost Cluster passphrase in ONTAP 9.6 and later when using NAE
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/OKM__How_to_recover_a_lost_Cluster_passphrase_in_ONTAP_9_6_and_later_when_using_NAE
      Applies to NetApp Aggregate Encryption (NAE) Onboard Key Manager (OKM) ONTAP 9.6 and later All nodes MUST be up with data aggregates online Description Cluster passphrase used to configure OKM is unkn...Applies to NetApp Aggregate Encryption (NAE) Onboard Key Manager (OKM) ONTAP 9.6 and later All nodes MUST be up with data aggregates online Description Cluster passphrase used to configure OKM is unknown and there are encrypted volumes, aggregates or disks.
    • Error: command failed: This platform does not support data at rest encryption
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/Error__command_failed__This_platform_does_not_support_data_at_rest_encryption
      Applies to ONTAP 9.1 and later Onboard Key Manager (OKM) NetApp Volume Encryption (NVE) Issue When configuring Onboard Key Management (OKM) the following error is observed: ::> security key-manager on...Applies to ONTAP 9.1 and later Onboard Key Manager (OKM) NetApp Volume Encryption (NVE) Issue When configuring Onboard Key Management (OKM) the following error is observed: ::> security key-manager onboard enable Enter the cluster-wide passphrase for onboard key management: Re-enter the cluster-wide passphrase: Error: command failed: This platform does not support data at rest
    • How to backup Onboard Key Manager (OKM)
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/How_to_backup_Onboard_Key_Manager
      Onboard Key Manager (OKM) has a backup feature that will allow for recovery in disaster scenarios. It is required that every OKM instance have the current back up key management information stored off...Onboard Key Manager (OKM) has a backup feature that will allow for recovery in disaster scenarios. It is required that every OKM instance have the current back up key management information stored offsite in a secure location along with passphrase. In the event of a head swap, cfcard replacement or cfcard corruption, manual recovery of the keys has to be performed. Note: All nodes within the same cluster can use the other node's backup hex dump output in the event a recovery is needed.
    • Onboard key manager keys don't match between clusters in a MetroCluster
      https://kb.netapp.com/on-prem/ontap/mc/MC-KBs/Onboard_key_manager_keys_don_t_match_between_clusters_in_a_MetroCluster
      After ONTAP upgrade on a MetroCluster system, MetroCluster health reports as degraded: The following error is reported in metrocluster check or during switchover simulation: The "clus_salt" value in t...After ONTAP upgrade on a MetroCluster system, MetroCluster health reports as degraded: The following error is reported in metrocluster check or during switchover simulation: The "clus_salt" value in the Onboard Key Manager database was not properly updated The "clus_salt" value in the Onboard Key Manager database was not properly updated. From the output of the below command, it is observed that the SVM-KEK and NSE-AK keys match between the clusters:
    • Encrypted volume move fails with error "Internal error. Cannot generate encryption key"
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/Encrypted_volume_move_fails_with_error_Internal_error_Cannot_generate_encryption_key
      Estimated Time of Completion: - Managing Node: Node3 Percentage Complete: - Move Phase: failed Estimated Remaining Duration: - Replication Throughput: - Duration of Move: 00:15:01 Source Aggregate: ag...Estimated Time of Completion: - Managing Node: Node3 Percentage Complete: - Move Phase: failed Estimated Remaining Duration: - Replication Throughput: - Duration of Move: 00:15:01 Source Aggregate: aggr1_node3 c Start Time of Move: Mon Sep 14 15:15:20 2020 Move State: failed Is Source Volume Encrypted: true Encryption Key ID of Source Volume: 00000000000000000200000000000500xxxxxxxxxxxxxxxxxxxxxxxxxxx0000000000000000 Is Destination Volume Encrypted: true Encryption Key ID of Destination Volume:…
    • One or more nodes have onboard key management VEK keys that need to be restored
      https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/One_or_more_nodes_have_onboard_key_management_VEK_keys_that_need_to_be_restored
      See Solution when Command security key-manager key query shows that some of the VEK keys not restored. One or more nodes have onboard key management VEK keys that need to be restored.
    • How to return SED to factory-configured settings after OKM data authentication key is lost
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/How_to_return_SED_to_factory-configured_settings_after_OKM_data_authentication_key_is_lost
      Sanitizing one or more self-encrypting disks (SEDs), renders the existing data on the SEDs impossible to retrieve. The only method to restore the encryption key is by having cluster passphrase and res...Sanitizing one or more self-encrypting disks (SEDs), renders the existing data on the SEDs impossible to retrieve. The only method to restore the encryption key is by having cluster passphrase and restoring the backup information of Onboard key Manager with output from This operation employs the inherent erase capability of SEDs to perform all of the following changes: Sets the data authentication key (AK) to the default manufacture secure ID (MSID).
    • Unable to encrypt volume after NDU. Error: The encryption metadata for the volume is inconsistent
      https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/Unable_to_encrypt_volume_after_NDU_Error__The_encryption_metadata_for_the_volume_is_inconsistent
      Applies to 9.8 and later BURT 1320985 Issue If plain text volumes exist in an encrypted aggregate as a result of bug: 1320985 and the system is upgraded to ONTAP 9.8+ before resolving, subsequent NVE ...Applies to 9.8 and later BURT 1320985 Issue If plain text volumes exist in an encrypted aggregate as a result of bug: 1320985 and the system is upgraded to ONTAP 9.8+ before resolving, subsequent NVE creation and volume move fail with error: Failed to create the volume on node "". Reason: The encryption metadata for the volume is inconsistent. Contact technical support for assistance.