MetroCluster switchover-simulate fails due to missing encryption keys
- Category: ontap-9
- Specialty: metrocluster
- Last Updated: 10/2/2023, 10:05:29 AM
Applies to
- ONTAP 9
- MetroCluster
- Thales CipherTrust Manager (CTM)
- External Key Manager (EKM)
Issue
- The following error is observed:
MCC-A::> metrocluster operation show
Operation: switchover-simulate
State: failed
Start Time: 9/1/2023 16:13:31
End Time: 9/1/2023 16:13:40
Errors: Failed to validate the node and cluster components before the switchover operation.
MCC-A (overridable veto): Partner cluster node: MCC-A-01 missing keymanager encryption key with key-id 00000000000000000200000000000xxxxxxxxxxxxxx0000000000000000.
- When re-adding a removed key server after promoting a secondary key server to primary, the keys are also not synced.
- ONTAP is able to publish the keys to the EKM when encrypting the volume and is able to locate them. This is visible in the KMIP2-CLIENT.GZ section of the AutoSupport:
DEBUG: kmip2::kmipCmds::KmipLocateCmd: [doCmdImp]:123: KMIP Locate executed successfully!
- The KmipGet fails, however:
ERR: kmip2::tables::kmip_keytable_v2: [queryKeyserverForKey]:1965: Get command failed: KmipGetException: NOT_FOUND (11)
- In the CTM Records/Loki Audit records section, a "record not found" error is logged at the same time. The key metadata can be viewed in CTM to match the identifier to the ONTAP key-id:
{
"acc": "user1",
"acct": "user1:user1:admin:accounts:user1",
"iss": "sallyport",
"sub": "efbbdcf4-c523-4ad0-8152-xxxxxxxxxxxx"
}
details
{
"errorMessage": "record not found",
"identifier": "9e968b1433004c61b2c38fd73d452d53b05ca2087fbe4332af80xxxxxxxxxxxx"
}
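As an added example (not from this article, NetApp or Thales), a small Python parser that pulls the missing key-ids out of `metrocluster operation show` veto text like the output above and the "record not found" identifiers out of CTM audit details, so both lists can be checked against the key metadata in CTM before a real switchover is attempted. The key-id and identifier values are constructed placeholders, and the veto regex only covers the line shape shown in this article.

```python
import json
import re

# Constructed placeholder key-id (not a real key), same length as the redacted one above.
SAMPLE_KEY_ID = "000000000000000002" + "0" * 42

# Constructed sample modelled on the `metrocluster operation show` output in this article.
OPERATION_SHOW = f"""\
Operation: switchover-simulate
State: failed
Start Time: 9/1/2023 16:13:31
End Time: 9/1/2023 16:13:40
Errors: Failed to validate the node and cluster components before the switchover operation.
MCC-A (overridable veto): Partner cluster node: MCC-A-01 missing keymanager encryption key with key-id {SAMPLE_KEY_ID}.
"""

# Constructed CTM audit "details" object, as in the article; the identifier is a placeholder.
CTM_AUDIT_DETAILS = """\
{"errorMessage": "record not found",
 "identifier": "9e968b1433004c61b2c38fd73d452d53b05ca2087fbe4332af80000000000000"}
"""

# Matches the veto line shape shown in the article: "<cluster> (<kind> veto): ... node: <node> missing ... key-id <hex>"
VETO_RE = re.compile(
    r"^(?P<cluster>\S+) \((?P<kind>.+?) veto\): "
    r".*?node: (?P<node>\S+) missing keymanager encryption key with key-id (?P<key_id>[0-9a-fA-F]+)\.?$"
)

def parse_operation_show(text):
    """Split the operation summary into 'Field: value' pairs and pull each veto line apart."""
    result = {"vetoes": []}
    for line in text.splitlines():
        m = VETO_RE.match(line.strip())
        if m:
            result["vetoes"].append(m.groupdict())
            continue
        key, sep, value = line.partition(":")  # first ':' only, so timestamps stay intact
        if sep:
            result[key.strip()] = value.strip()
    return result

def missing_key_ids(text):
    """Key-ids some node reported missing; each must exist on the EKM before a real switchover."""
    return sorted({v["key_id"] for v in parse_operation_show(text)["vetoes"]})

def ctm_not_found_identifiers(details_json):
    """Identifier from a CTM audit 'details' object when it records 'record not found'."""
    rec = json.loads(details_json)
    return [rec["identifier"]] if rec.get("errorMessage") == "record not found" else []
```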