- https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/Timeout_error_when_disabling_OKM
  Applies to: ONTAP 9.7P3, FAS80xx, NetApp Volume Encryption (NVE), Onboard Key Manager (OKM).
  Issue: Trying to disable OKM will fail with the following error:
  security key-manager onboard disable :: Error: Internal error. Failed to determine if keymanager is safe to disable. Reason: Timeout: Operation "keymanager_encrypted_core_check_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "cluster01-01" (VSID: -1) to mgwd at 169.254.xx.xxx].
- https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/OKM_keys_not_restored_after_ONTAP_cluster_expansion
  Run the "security key-manager onboard sync" command to restore the onboard key hierarchy on those nodes. If using an external key manager, use the 'security key-manager external show-status' command to verify that the network configuration is correct and the key servers are reachable. If using the Onboard Key Manager, use the 'security key-manager key query -key-type SVM-KEK' command to verify that the same SVM-KEKs are present on both the local and remote clusters.
- https://kb.netapp.com/on-prem/ontap/mc/MC-KBs/Onboard_key_manager_keys_don_t_match_between_clusters_in_a_MetroCluster
  After ONTAP upgrade on a MetroCluster system, MetroCluster health reports as degraded. The following error is reported in metrocluster check or during switchover simulation: The "clus_salt" value in the Onboard Key Manager database was not properly updated. From the output of the below command, it is observed that the SVM-KEK and NSE-AK keys match between the clusters:
- https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/One_or_more_nodes_have_onboard_key_management_VEK_keys_that_need_to_be_restored
  See Solution when the command "security key-manager key query" shows that some of the VEK keys are not restored. One or more nodes have onboard key management VEK keys that need to be restored.
- https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/How_to_rotate_encryption_keys_for_NetApp_Storage_Encryption_NSE
  NetApp Storage Encryption (NSE). At times, it may be desirable to rotate encryption keys when using NSE. This article describes the procedure to rotate encryption keys for NSE for ONTAP 9.0 and later. The process of rotating keys in an NSE environment depends on whether you are using an External Key Manager (using KMIP) or the OKM. External Key Managers require generating a new authentication key (AK) before the encryption key can be changed. AKs are required to generate new encryption keys.
- https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/What_happens_to_information_stored_in_OKM_in_case_of_disaster
  When a node in the cluster goes down and loses one or more key IDs, the cluster-wide passphrase will be used to restore them by syncing with RDB. In case of a disaster and loss of keys across the entire cluster, onboard key-management information will be restored using the backup data obtained when you run the "security key-manager backup show" command.
- https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/NSE_Error_Timeout__Operation_km_key_aggr_ui_iterator__next_imp_took_longer_than_25_seconds_to_complete
  Applies to: Onboard Key Manager, ONTAP 9.1 - 9.5.
  Issue: Running the command ::> security key-manager key show gives the following error:
  Warning: Unable to list entries on node xxxxx. Timeout: Operation "km_key_aggr_ui_iterator::next_imp()" took longer than 25 seconds to complete [from mgwd on node "xxxxx" (VSID: -1) to mgwd at 169.x.x.x]
  Error: show failed: Timeout: Operation "km_key_aggr_ui_iterator::next_imp()" took longer than 25 seconds to complete
- https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/When_using_Onboard_Key_Management_OKM___VEKs_are_not_listed_for_some_nodes_when_performing_a_key_query
  Onboard Key Manager (OKM). VEKs are not listed under some nodes when performing "security key-manager key query". Output columns (security key-manager key query): Key Tag, Key Type, Restored. If any listed keys have "false" in the "Restored" column, run the "security key-manager external restore" command to restore the keys that are stored on an external key server and run the "security key-manager onboard sync" command to synchronize the keys that are part of the onboard key hierarchy.