Skip to main content
NetApp Knowledge Base

NSE - Bootarg kmip.init.maxwait can cause data loss

Views:
863
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

 

Applies to

NSE storage system

Answer

How to mitigate ARS Risk #3016 - boot_loader option kmip.init.maxwait and/or kmip.init.maxwait.ping is set to OFF. 

They should either be set to ON, or be unset which is the default. By default, the NSE storage system is set to ping the KMIP (External Key Manager) server and wait for a ping response from at least one KMIP server before initiating a secure SSL connection.
If the boot_loader option kmip.init.maxwait and/or kmip.init.maxwait.ping is set to OFF, and NSE disks are locked and in use and if for any reason the system gets into a boot loop, the data on them can be lost. 
By default,  NSE disk drives have a built-in feature that protects their data from unauthorized sequential failed attempts to authenticate correctly. If the sequential authorization fails more than 1024 times, the NSE disk drives will self-erase their internal encryption key and data stored on the drives will be lost forever. There is no revert for this process. If this occurs, the NSE disk drives can only be re-used by going into maintenance mode and running the disk encrypt sanitize -all command to set the NSE disk drives back to factory defaults. A reboot is also required for this to take effect.

To mitigate the issue, perform the following:

  1. At the boot loader prompt unset the variables, which is the default. The setting is ON, but the variable will be hidden. 

unsetenv kmip.init.maxwait 
unsetenv kmip.init.maxwait.ping

  1. At the boot loader promp, set the variables to ON.

setenv kmip.init.maxwait on
setenv kmip.init.maxwait.ping on

Additional Information

Add your text here.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.