NetApp Knowledge Base

MetroCluster switchover-simulate fails due to missing encryption keys

Category: ontap-9
Specialty: metrocluster
Last Updated: 10/2/2023, 10:05:29 AM

Applies to

  • ONTAP 9
  • MetroCluster
  • Thales CipherTrust Manager (CTM)
  • External Key Manager (EKM)

Issue

  • The following error is observed:
MCC-A::> metrocluster operation show
       Operation: switchover-simulate
           State: failed
      Start Time: 9/1/2023 16:13:31
        End Time: 9/1/2023 16:13:40
          Errors: Failed to validate the node and cluster components before the switchover operation.
                  MCC-A (overridable veto): Partner cluster node: MCC-A-01 missing keymanager encryption key with key-id 00000000000000000200000000000xxxxxxxxxxxxxx0000000000000000.


  • The keys are also not synced when a removed key server is re-added after a secondary key server has been promoted to primary.
  • ONTAP is able to publish the keys to the EKM when encrypting the volume and is able to locate them. This is visible in the KMIP2-CLIENT.GZ section of the AutoSupport:

DEBUG: kmip2::kmipCmds::KmipLocateCmd: [doCmdImp]:123: KMIP Locate executed successfully!

  • The KmipGet fails, however:

ERR: kmip2::tables::kmip_keytable_v2: [queryKeyserverForKey]:1965: Get command failed: KmipGetException: NOT_FOUND (11)

  • In the CTM Records/Loki Audit records section, a "record not found" error is logged at the same time. The key metadata can be viewed in CTM to match the audit record's identifier to the ONTAP key-id:
{
    "acc": "user1",
    "acct": "user1:user1:admin:accounts:user1",
    "iss": "sallyport",
    "sub": "efbbdcf4-c523-4ad0-8152-xxxxxxxxxxxx"
}
details
{
    "errorMessage": "record not found",
    "identifier": "9e968b1433004c61b2c38fd73d452d53b05ca2087fbe4332af80xxxxxxxxxxxx"
}
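The three symptoms above (veto listing a key-id, KMIP Locate succeeding while Get returns NOT_FOUND, and a CTM audit record reporting "record not found") can be correlated from the collected output. The following triage script is an added example, not part of the KB article or of any NetApp tooling; the veto text, KMIP log lines, CTM audit entries and the identifier-to-key-id mapping (normally read from the key's metadata in CTM) are all constructed placeholders.

```python
"""Correlate a switchover-simulate veto, KMIP2-CLIENT log lines and CTM audit
records for the 'missing keymanager encryption key' pattern. All inputs are
constructed samples; key-ids, identifiers and the id->key-id map are placeholders."""
import re

VETO_RE = re.compile(r"node:\s*(?P<node>\S+) missing keymanager encryption key "
                     r"with key-id (?P<kid>[0-9A-Za-z]+)")
GET_FAIL_RE = re.compile(r"Get command failed: KmipGetException: (?P<reason>\w+) \((?P<code>\d+)\)")

# Constructed sample: Errors text from 'metrocluster operation show'.
VETO_TEXT = ("Failed to validate the node and cluster components before the switchover operation.\n"
             "MCC-A (overridable veto): Partner cluster node: MCC-A-01 missing keymanager "
             "encryption key with key-id 00000000000000000200000000000KEYID00010000000000000000.")
# Constructed sample: lines from the KMIP2-CLIENT log in AutoSupport.
KMIP_LOG = [
    "DEBUG: kmip2::kmipCmds::KmipLocateCmd: [doCmdImp]:123: KMIP Locate executed successfully!",
    "ERR: kmip2::tables::kmip_keytable_v2: [queryKeyserverForKey]:1965: Get command failed: KmipGetException: NOT_FOUND (11)",
]
# Constructed sample: CTM Records/Loki audit entries, each flattened to one dict with its 'details'.
CTM_RECORDS = [
    {"acc": "user1", "sub": "efbbdcf4-c523-4ad0-8152-000000000001",
     "details": {"errorMessage": "record not found", "identifier": "9e968b14placeholderidentifier0001"}},
    {"acc": "user1", "sub": "efbbdcf4-c523-4ad0-8152-000000000002", "details": {}},
]
# Assumed mapping from CTM identifier to ONTAP key-id, as read from the key metadata shown in CTM.
CTM_ID_TO_KEYID = {"9e968b14placeholderidentifier0001": "00000000000000000200000000000KEYID00010000000000000000"}

def parse_veto(text):
    """Return {node: [key-id, ...]} for every 'missing keymanager encryption key' veto."""
    out = {}
    for m in VETO_RE.finditer(text):
        out.setdefault(m["node"], []).append(m["kid"])
    return out

def locate_ok_but_get_failed(lines):
    """True when Locate succeeded yet a Get failed with NOT_FOUND: the key is listed but not retrievable."""
    located = any("KmipLocateCmd" in ln and "executed successfully" in ln for ln in lines)
    reasons = {m["reason"] for ln in lines if (m := GET_FAIL_RE.search(ln))}
    return located and "NOT_FOUND" in reasons

def ctm_not_found(records):
    """Identifiers the key manager reported as 'record not found'."""
    return [r["details"]["identifier"] for r in records
            if r.get("details", {}).get("errorMessage") == "record not found"]

def correlate(veto_text, kmip_lines, records, id_map):
    """Map each vetoed key-id to the CTM identifier that was not found, when the KMIP pattern matches."""
    if not locate_ok_but_get_failed(kmip_lines):
        return {}
    missing = {id_map[i]: i for i in ctm_not_found(records) if i in id_map}
    return {kid: missing[kid] for kids in parse_veto(veto_text).values() for kid in kids if kid in missing}

if __name__ == "__main__":
    for kid, ident in correlate(VETO_TEXT, KMIP_LOG, CTM_RECORDS, CTM_ID_TO_KEYID).items():
        print(f"key-id {kid} -> CTM identifier {ident}: not found on key server")
```

A key-id that appears in the veto but has no matching "record not found" identifier points at a different cause (for example the CTM metadata mapping is missing) rather than this symptom pattern.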

