Onboard key manager keys don't match between clusters in a MetroCluster
- Views:
- 934
- Visibility:
- Public
- Votes:
- 0
- Category:
- metrocluster
- Specialty:
- metrocluster
- Last Updated:
- 6/24/2024, 2:47:51 PM
Applies to
- ONTAP 9
- MetroCluster
- Onboard Key Manager (OKM)
- NetApp Volume Encryption (NVE)
Issue
- After ONTAP upgrade on a MetroCluster system, MetroCluster health reports as degraded:
::> system health subsystem show
Subsystem Health
----------------- ------------------
SAS-connect ok
Environment ok
Memory ok
Service-Processor ok
Switch-Health ok
CIFS-NDO ok
Motherboard ok
IO ok
MetroCluster degraded
MetroCluster_Node ok
FHM-Switch ok
FHM-Bridge ok
SAS-connect_Cluster ok
13 entries were displayed.
- The following error is reported in metrocluster check or during switchover simulation:
::> metrocluster operation show
Operation: switchover-simulate
State: failed
Errors: Failed to validate the node and cluster components before the switchover operation.
node1 (overridable veto): Internal Error. The "clus_salt" value in the Onboard Key Manager database was not properly updated
Type of Check: onboard-key-management
Cluster Name: Cluster1
Result of the Check: warning
Additional Information/Recovery Steps: Internal Error. The "clus_salt" value in the Onboard Key Manager database was not properly updated.
- From the output of the below command, it is observed that the SVM-KEK and NSE-AK keys match between the clusters:
::> security key-manager key show -used-by SVM-KEK,NSE-AK
