NetApp Knowledge Base

Key auto-retrieve failed on node post ONTAP upgrade

Category:
ontap-9
Specialty:
core
Applies to

  • ONTAP 9
  • External Key Management server

Issue

  • During the giveback after an ONTAP upgrade, the keys were not restored.
Sat Jun 18 01:06:14 -0500 [XXXXXXXXXX: mgwd: km.keyretrieve.failed:alert]: Key auto-retrieve failed on node  XXXXXXXXX-02 for Vserver XXXXXXXXXX (ID -1, UUID 4b13acef-e009-11eb-a21e-d039ea30f54d).
 
  • Restoring with 'security key-manager external restore -node XXXXXXXX-02' produces a permission error.
  • Decrypt the problematic volume, complete the upgrade, and encrypt it again.
 
Sat Jun 18 02:06:46 -0500 [XXXXXXXXX: kmip2_client: kmip2.ssl.cannot.connect:alert]: Unable to make SSL/TLS connection to KMIP server. Error: SSL_PARAMS
Sat Jun 18 02:05:28 -0500 [XXXXXXXXX: kmip2_client: kmip2.ssl.cannot.connect:alert]: Unable to make SSL/TLS connection to KMIP server. Error: SSL_PARAMS
 
 
  • Normally, these alerts are generated when timeouts occur in the key manager.
 
Sat Jun 18 2022 01:30:03 -05:00 [kern_kmip2_client:info:6931] [Jun 18 01:30:03]: 0x808b47200: 8003e8000006402d: ERR: kmip2::tables::kmip_keytable_v2: [populateFields]:1761: Get command failed. Exception: KmipGetException: Response status: OPERATION_FAILED. Reason: PERMISSION_DENIED. Message:  The KMIP user is not authorized to access the target object.
-0000001d.00006e4f 0000b907 Sat Jun 18 2022 02:03:06 -05:00 [kern_kmip2_client:info:6931] [Jun 18 02:03:06]: 0x808b48600: 8003e800000640fc: ERR: kmip2::tables::kmip_keytable_v2: [populateFields]:1761: Get command failed. Exception: KmipGetException: Response status: OPERATION_FAILED. Reason: PERMISSION_DENIED. Message:  The KMIP user is not authorized to access the target object.
 
  • Here ONTAP reaches the SKLM server, but the server denies the KMIP user that ONTAP presents.
  • The SKLM team or SKLM vendor has to determine why the key query was rejected with insufficient privileges.
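
Added example, not NetApp code: a Python triage of the log lines above that separates a KMIP authorization rejection (PERMISSION_DENIED) from a TLS connection failure, mirroring the article's reading of these logs. The class names, the priority order, and the placeholder node, Vserver and UUID values in the sample are assumptions of this example.

```python
import re
from collections import Counter

# Sample lines abbreviated from this article's excerpts; node, Vserver and UUID are placeholders.
SAMPLE_LOG = """\
Sat Jun 18 01:06:14 -0500 [node-01: mgwd: km.keyretrieve.failed:alert]: Key auto-retrieve failed on node node-02 for Vserver vs0 (ID -1, UUID 00000000-0000-0000-0000-000000000000).
Sat Jun 18 02:05:28 -0500 [node-01: kmip2_client: kmip2.ssl.cannot.connect:alert]: Unable to make SSL/TLS connection to KMIP server. Error: SSL_PARAMS
Sat Jun 18 2022 01:30:03 -05:00 [kern_kmip2_client:info:6931] [Jun 18 01:30:03]: 0x808b47200: 8003e8000006402d: ERR: kmip2::tables::kmip_keytable_v2: [populateFields]:1761: Get command failed. Exception: KmipGetException: Response status: OPERATION_FAILED. Reason: PERMISSION_DENIED. Message:  The KMIP user is not authorized to access the target object.
"""

# EMS alert header: [node: process: event.name:severity]:
EMS = re.compile(r"\[[^\]:]+: [^\]:]+: (?P<event>[\w.]+):\w+\]: ")
# KMIP response details embedded in the kmip2 client trace line
KMIP = re.compile(r"Response status: (?P<status>\w+)\. Reason: (?P<reason>\w+)\.")


def classify(line):
    """Map one log line to a failure class, or None if it is unrelated."""
    kmip = KMIP.search(line)
    if kmip:
        # The server parsed the request and answered, so TLS and routing worked.
        return "authorization" if kmip["reason"] == "PERMISSION_DENIED" else "kmip_other"
    ems = EMS.search(line)
    if not ems:
        return None
    return {
        "kmip2.ssl.cannot.connect": "transport",
        "km.keyretrieve.failed": "retrieve_failed",
    }.get(ems["event"])


def triage(text):
    """Count failure classes and return the most specific one as the verdict."""
    counts = Counter(c for c in map(classify, text.splitlines()) if c)
    # A server-side rejection is more specific than a connection alert,
    # which in turn explains the generic key-retrieve failure.
    for verdict in ("authorization", "kmip_other", "transport", "retrieve_failed"):
        if counts[verdict]:
            return verdict, dict(counts)
    return "clean", {}


if __name__ == "__main__":
    verdict, counts = triage(SAMPLE_LOG)
    print(verdict, counts)
```

An "authorization" verdict corresponds to the case described above, where the key server is reachable and the follow-up belongs on the key-server side.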

 
