NetApp Knowledge Base

Onboard Key-manager cannot be enabled

Applies to

  • ONTAP 9
  • FAS/AFF System
  • Onboard Key-Manager

Issue

  • Onboard Key Manager (OKM) creation fails with the following error:

Cluster::*> security key-manager onboard enable

Enter the SVM1-wide passphrase for the Onboard Key Manager:


Re-enter the SVM1-wide passphrase:

Error: command failed: Internal error. Failed to generate SVM1 key encryption key in kernel. Key manager returned: 18. Crypto return code: 10.

  • From the event logs, we can see that CPKEK creation is failing.

Thu Oct 30 09:22:47 -0400 [Cluster-01: sshd-session: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for admin from 10.116.69.235 port 52706 ssh2  '}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000', 'key_digest': 'c8579c2b9878d09c9de93b70c3b5967ad92dbba201a62b1e1cec49912e38a2f1'}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '000000000000000002000000000008006491085af75e1ebe51080bc719c968fb0000000000000000', 'key_digest': '1c40520de3a7f16a7d0ac44cda4fc45af5084e8ce4bb8bfac99ac553238c5034'}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '000000000000000002000000000009006af7b4903f2d1cd44111f0bfed5a5af00000000000000000', 'key_digest': '6818cc94a6d2dede43771b75755af3bb5aa24420565cf3081957c12baa62b4c4'}
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000', 'key_digest': 'c8579c2b9878d09c9de93b70c3b5967ad92dbba201a62b1e1cec49912e38a2f1'}
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.debug:info]: Onboard key hierarchy creation failed: CPKEK creation failed: 10.

  • Processing for the table cryptomod_create_okm_base_hierarchy is taking more than 25 seconds.

Thu Oct 30 09:25:52 -0400 [Cluster-01: ksmf_timeout_thread: ksmf.svc.watchdog:debug]: "kSMF service thread held > 25 (sec) by application for table cryptomod_create_okm_base_hierarchy"
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:35:22 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:37:56 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:52:22 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.

  • From the MGWD logs, it was observed that the file /cfcard/kmip/km_onboard.wkeydb cannot be opened for input.

Thu Oct 30 2025 09:25:01 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_mgwd::tables::setup_wizard: [setupOKM]:1484: ENTER: First-time configuration of onboard key manager
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_shared::KeymanagerConfigFile: [read]:259: File stream error -- unable to open /cfcard/kmip/km_onboard.wkeydb for input
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_shared::OkmKeyDatabase: [getWriter]:385: WKEYDB: Writer is ready to update wkeydb
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_mgwd::tables::SVM1_kdb: [create_onboard_key_hier_imp]:958: Creating OKM base key hierarchy
Thu Oct 30 2025 09:25:52 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::SVM1_kdb: [create_onboard_key_hier_imp]:979: cryptomod_create_okm_base_hierarchy_iterator failed. Internal error: Timeout: Operation "cryptomod_create_okm_base_hierarchy_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "Cluster-01" (VSID: -1) to kernel at 127.0.0.1]
Thu Oct 30 2025 09:25:52 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::setup_wizard: [first_time_setup_km_onboard]:622: Failed to create onboard key hierarchy, err = Timeout: Operation "cryptomod_create_okm_base_hierarchy_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "Cluster-01" (VSID: -1) to kernel at 127.0.0.1]

  • From the sktrace, we can see the TPM being unsealed.

2025-10-30T13:25:28Z 10346238237101035    [0:0] SSAL_Log:  tss_tpm_seal:467
2025-10-30T13:28:45Z 10346573549617619    [15:0] SSAL_Log:  tss_tpm_unseal:250

  • Also, processing for the table cryptomod_create_okm_base_hierarchy is taking more than 25 seconds.

2025-10-30T13:24:19Z 10346122503639135    [12:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table crypto_tpm_status is quarantined. Active thread count:0
2025-10-30T13:26:10Z 10346310244488666    [0:0] KSMF_SMF_SVC_NORM:  process_request: Processing for table cryptomod_create_okm_base_hierarchy took 43533 msec which is longer than the client's timeout of 25000
2025-10-30T13:26:10Z 10346310244490786    [0:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table cryptomod_create_okm_base_hierarchy is quarantined. 

  • Increasing the timeout value from 25 seconds to 60 seconds did not help; the same issue persists.

cluster::*> debug smdb table dsmdb_config modify -dist-timeout 60
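
To triage this signature across a longer sktrace capture, the KSMF lines shown above can be parsed per table. The following is an added example, not NetApp code; the function name and the result layout are assumptions, and the sample input is the three KSMF lines quoted in this article. It reports, for each table, when it was quarantined and by how much the slowest request exceeded the client's timeout.

```python
import re

# Sample input: the three KSMF sktrace lines quoted in this article.
SAMPLE = """\
2025-10-30T13:24:19Z 10346122503639135    [12:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table crypto_tpm_status is quarantined. Active thread count:0
2025-10-30T13:26:10Z 10346310244488666    [0:0] KSMF_SMF_SVC_NORM:  process_request: Processing for table cryptomod_create_okm_base_hierarchy took 43533 msec which is longer than the client's timeout of 25000
2025-10-30T13:26:10Z 10346310244490786    [0:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table cryptomod_create_okm_base_hierarchy is quarantined.
"""

SLOW = re.compile(
    r"^(\S+)\s.*process_request: Processing for table (\S+) took (\d+) msec "
    r"which is longer than the client's timeout of (\d+)")
QUAR = re.compile(r"^(\S+)\s.*update_quarantine: Table (\S+) is quarantined")


def triage_ksmf(text):
    """Summarise slow requests and quarantine events per kSMF table.

    Hypothetical helper: returns {table: {"quarantined_at", "worst_msec",
    "timeout_msec", "overrun_msec"}}; fields stay None when not observed.
    """
    tables = {}

    def entry(name):
        return tables.setdefault(name, {
            "quarantined_at": None, "worst_msec": None,
            "timeout_msec": None, "overrun_msec": None})

    for line in text.splitlines():
        slow = SLOW.search(line)
        quar = QUAR.search(line)
        if slow:
            _, table, took, limit = slow.groups()
            e = entry(table)
            # Keep only the slowest request seen for this table.
            if e["worst_msec"] is None or int(took) > e["worst_msec"]:
                e["worst_msec"] = int(took)
                e["timeout_msec"] = int(limit)
                e["overrun_msec"] = int(took) - int(limit)
        elif quar:
            ts, table = quar.groups()
            e = entry(table)
            if e["quarantined_at"] is None:  # first quarantine event wins
                e["quarantined_at"] = ts
    return tables


if __name__ == "__main__":
    for name, info in triage_ksmf(SAMPLE).items():
        print(name, info)
```

On the lines above, crypto_tpm_status shows a quarantine event with no slow request recorded, and it precedes the quarantine of cryptomod_create_okm_base_hierarchy.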
