KMIP key restore fails on OTS due to missing NSE-AK keys

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 24

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: CORE

Last Updated:

Applies to

Ontap Select
ONTAP 9
KMIP
Automated Non-Disruptive Upgrade (ANDU)

Issue

ANDU validation in OTS fails with:

Error: One or more encryption keys are unavailable.

The non-restored keys are NSE-AK:

::*> key-manager query -restored no (security key-manager query) Node: cluster1-01 Key Manager: 1.1.1.2 Server Status: available Key Tag Key Type Restored ------------------------------------ -------- -------- cluster1-01 NSE-AK no Key ID: 00000000000000000200000000000abcdef12345678900000000000000000

Failure when trying to restore the keys with security key-manager external restore:

Warning: Unable to list entries on node <node>. KMIP "Get" command failed on external key server "x.x.x.x:5696". Cryptsoft error: "Response status: OPERATION_FAILED. Reason: ITEM_NOT_FOUND. Message: No Cryptographic Object found with given Unique Identifier". Error: show failed: KMIP "Get" command failed on external key server "x.x.x.x:5696". Cryptsoft error: "Response status: OPERATION_FAILED. Reason: ITEM_NOT_FOUND. Message: No Cryptographic """.