NetApp Knowledge Base

    • https://kb.netapp.com/on-prem/ontap/mc/MC-KBs/Metrocluster_OKM__The_list_of_OKM_hierarchy_keys_on_one_or_both_of_the_clusters_is_potentially_corrupted
      Applies to ONTAP 9.8 or later MetroCluster Onboard Key Management (OKM) Issue After a motherboard replacement, upgrade, or reboot the following was observed: km.mcc.okmkey.mismatch: This cluster is part of a MetroCluster configuration. The list of OKM hierarchy keys on one or both of the clusters is potentially corrupted.
    • https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/Unable_to_create_audit_configuration_in_On_board_key-manager_system
      Unable to create auditing in encrypted volumes, getting the below errors: ClusterA::> vserver audit create -vserver clusterA-cifs -destination /storage_audits_ims_image_share -events file-ops,file-share -format xml -rotate-schedule-dayofweek Sunday-Saturday -rotate-schedule-hour 0 -rotate-schedule-minute 0 -rotate-limit 3 Error: command failed: Failed to create audit configuration for Vserver "clusterA-cifs -destination". Reason: [Job 11276] Job failed: Metadata verification failed.
    • https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/Error__command_failed__This_platform_does_not_support_data_at_rest_encryption
      Applies to ONTAP 9.1 and later Onboard Key Manager (OKM) NetApp Volume Encryption (NVE) Issue When configuring Onboard Key Management (OKM) the following error is observed: ::> security key-manager onboard enable Enter the cluster-wide passphrase for onboard key management: Re-enter the cluster-wide passphrase: Error: command failed: This platform does not support data at rest
    • https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/How_to_backup_Onboard_Key_Manager
      Onboard Key Manager (OKM) has a backup feature that allows for recovery in disaster scenarios. Every OKM instance is required to have its current backup key management information stored offsite in a secure location, along with the passphrase. In the event of a head swap, cfcard replacement or cfcard corruption, manual recovery of the keys has to be performed. Note: All nodes within the same cluster can use the other node's backup hex dump output in the event a recovery is needed.
    • https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/OKM__How_to_recover_a_lost_Cluster_passphrase_in_ONTAP_9_6_and_later_when_using_NAE
      Applies to NetApp Aggregate Encryption (NAE) Onboard Key Manager (OKM) ONTAP 9.6 and later All nodes MUST be up with data aggregates online Description Cluster passphrase used to configure OKM is unknown and there are encrypted volumes, aggregates or disks.
    • https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/OKM_keys_not_restored_after_ONTAP_cluster_expansion
      Run the "security key-manager onboard sync" command to restore the onboard key hierarchy on those nodes. If using an external key manager, use the 'security key-manager external show-status' command to verify that the network configuration is correct and the key servers are reachable. If using the Onboard Key Manager, use the 'security key-manager key query -key-type SVM-KEK' command to verify that the same SVM-KEKs are present on both the local and remote clusters.
    • https://kb.netapp.com/on-prem/ontap/mc/MC-KBs/Onboard_key_manager_keys_don_t_match_between_clusters_in_a_MetroCluster
      After ONTAP upgrade on a MetroCluster system, MetroCluster health reports as degraded: The following error is reported in metrocluster check or during switchover simulation: The "clus_salt" value in the Onboard Key Manager database was not properly updated. From the output of the below command, it is observed that the SVM-KEK and NSE-AK keys match between the clusters:
    • https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/One_or_more_nodes_have_onboard_key_management_VEK_keys_that_need_to_be_restored
      See the Solution when the command security key-manager key query shows that some of the VEK keys are not restored. One or more nodes have onboard key management VEK keys that need to be restored.
    • https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/Encrypted_volume_move_fails_with_error_Internal_error_Cannot_generate_encryption_key
      Estimated Time of Completion: - Managing Node: Node3 Percentage Complete: - Move Phase: failed Estimated Remaining Duration: - Replication Throughput: - Duration of Move: 00:15:01 Source Aggregate: aggr1_node3 c Start Time of Move: Mon Sep 14 15:15:20 2020 Move State: failed Is Source Volume Encrypted: true Encryption Key ID of Source Volume: 00000000000000000200000000000500xxxxxxxxxxxxxxxxxxxxxxxxxxx0000000000000000 Is Destination Volume Encrypted: true Encryption Key ID of Destination Volume:…
    • https://kb.netapp.com/on-prem/ontap/OHW/OHW-KBs/Which_platforms_support_TPM_chips
      Starting with ONTAP 9.8, platforms with TPM chips and a TPM license will generate and seal the node key encryption key to protect the highest level of the OKM keying hierarchy. AFF A1K, AFF A90, AFF A70, ASA A1K, ASA A90, ASA A70 AFF A250, AFF C250, ASA A250, ASA C250, FAS500f AFF A400, AFF C400, ASA A400, ASA C400, FAS8700, FAS8300 AFF A800, AFF C800, ASA A800, ASA C800 AFF A220, ASA AFF A220, AFF A150, AFF C190, ASA A150, FAS2750, FAS2720
    • https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/What_happens_to_information_stored_in_OKM_in_case_of_disaster
      When a node in the cluster goes down and loses one or more key IDs, the cluster-wide passphrase will be used to restore them by syncing with RDB. In case of a disaster and loss of keys across the entire cluster, onboard key-management information will be restored using the backup data obtained when you run the security key-manager backup show command.