Onboard keymanager sync fails after motherboard replacement
Applies to
- ONTAP versions listed below without the fix for Bug ID 1573150:
  - 9.8P19 and 9.8P20
  - 9.9.1P16 and 9.9.1P17
  - 9.10.1P13 and 9.10.1P14
  - 9.11.1P8 through 9.11.1P11
  - 9.12.1P2 through 9.12.1P6
  - 9.13.1 and 9.13.1P1
- TPM 5.63
- Onboard Key Manager (OKM)
Issue
- The motherboard (PCM) was replaced
- The procedure in "Restore onboard key management encryption keys" or "How to restore onboard key manager server configuration from the ONTAP boot menu" was followed and completed successfully; however, the following warning is produced:
WARNING!
TPM is not initialized but OKM's key hierarchy is already protected with TPM
- Other possible errors include:
Feb 28 14:45:52 [cluster1:crypto.ssal.failed:ALERT]: SSAL operation failed: SSAL Unseal operation failed
Feb 28 14:45:52 [cluster1:crypto.okmrecovery.failed:ALERT]: ERROR: Import of the onboard key hierarchy failed: failed to import key hierarchy. Additional information: error: ssal unseal failed
::> event log show -message-name gb.sfo.veto.kmgr.keysmissing
<date> <time> <node-name> ERROR gb.sfo.veto.kmgr.keysmissing: Giveback of aggregate <aggr-name> failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node <node-name>.
- After giveback, the OKM sync fails with the following:
::> security key-manager onboard sync
Error: command failed: The Onboard Key Manager has failed to sync on the local node "cluster1-02", error: "Internal error". Failed to setup the Onboard Key Manager on node "cluster1-02"
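
A triage helper for the conditions above, added here as an example and not taken from NetApp: it checks a bare ONTAP version string against the "Applies to" ranges and scans console or EMS lines for the messages quoted under "Issue". The function names, symptom labels and sample lines are assumptions constructed for illustration.

```python
import re

# Affected patch ranges copied from the "Applies to" list: release -> (first, last) P-level.
AFFECTED = {
    "9.8": (19, 20),
    "9.9.1": (16, 17),
    "9.10.1": (13, 14),
    "9.11.1": (8, 11),
    "9.12.1": (2, 6),
    "9.13.1": (0, 1),  # 0 = the unpatched 9.13.1 release
}

# Message names and strings quoted in the "Issue" section; the labels are hypothetical.
SIGNATURES = {
    "tpm_not_initialized": "TPM is not initialized but OKM's key hierarchy is already protected with TPM",
    "ssal_unseal_failed": "crypto.ssal.failed",
    "okm_import_failed": "crypto.okmrecovery.failed",
    "giveback_keys_missing": "gb.sfo.veto.kmgr.keysmissing",
    "okm_sync_failed": "The Onboard Key Manager has failed to sync",
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,2})(?:P(\d+))?$")

def is_affected(version):
    """True if a bare version string such as '9.12.1P4' falls in a listed range."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {version!r}")
    release, patch = m.group(1), int(m.group(2) or 0)
    bounds = AFFECTED.get(release)
    return bounds is not None and bounds[0] <= patch <= bounds[1]

def match_symptoms(lines):
    """Return the sorted labels of the article's symptoms found in the given lines."""
    return sorted({name for line in lines
                   for name, needle in SIGNATURES.items() if needle in line})

def triage(version, lines):
    """This article is a likely match only if the version and the symptoms both fit."""
    affected, found = is_affected(version), match_symptoms(lines)
    return {"affected_version": affected, "symptoms": found,
            "likely_match": affected and bool(found)}

# Constructed sample input: two messages quoted above plus one made-up unrelated line.
SAMPLE = [
    "Feb 28 14:45:52 [cluster1:crypto.ssal.failed:ALERT]: SSAL operation failed: SSAL Unseal operation failed",
    "Feb 28 14:45:53 [cluster1:constructed.unrelated.event:INFO]: unrelated line",
    'Error: command failed: The Onboard Key Manager has failed to sync on the local node "cluster1-02", error: "Internal error".',
]
```

Calling `triage("9.12.1P4", SAMPLE)` reports an affected version with the SSAL unseal and OKM sync symptoms present.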