Entrust Key Control 5.5 fails to generate NAE encryption keys

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 93

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:

Applies to

ONTAP 9.9.1
Entrust Key Control 5.5 and 5.5.1
NetApp Aggregate Encryption (NAE)

Issue

The folllowing error message occur during aggregate creation when the encryption key should be stored on an external key server:

Error: command failed: [Job 1000] Job failed: Failed to create aggregate "aggr_NAE" on "node-01". Reason: Cannot generate encryption key. Use the 'security key-manager external show-status' command to verify that the network configuration is correct and the key manager servers are reachable.

The external key servers are available before running aggregate create command but after failure mentioned above they become unavailable for about 4 hours.

Before:

::> security key-manager external show-status

Node Vserver Key Server Status ---- ------- ------------------------------------------- --------------- node-01 SVM1 192.0.0.1:5696 available 192.0.0.2:5696 available 192.0.0.3:5696 available 192.0.0.4:5696 available node-02 SVM1 192.0.0.1:5696 available 192.0.0.2:5696 available 192.0.0.3:5696 available 192.0.0.4:5696 available 8 entries were displayed.

After:

::> security key-manager external show-status

Node Vserver Key Server Status ---- ------- ------------------------------------------- --------------- node-01 SVM1 192.0.0.1:5696 not-responding Status Details: IO 192.0.0.2:5696 not-responding Status Details: IO 192.0.0.3:5696 not-responding Status Details: IO 192.0.0.4:5696 not-responding Status Details: IO node-02 SVM1 192.0.0.1:5696 not-responding Status Details: IO 192.0.0.2:5696 not-responding Status Details: IO 192.0.0.3:5696 not-responding Status Details: IO 192.0.0.4:5696 not-responding Status Details: IO 8 entries were displayed.

The following errors are present in mgwd.log:

Thu Mar 24 2022 15:00:00 +01:00 [kern_mgwd:info:2511] 0x829b7b600: 0: ERR: keymanager_mgwd::tables::keymanager_import_external_key: [run]:409: Failed to lookup Key ID: 00000000000000000200000000000500520bf82c26d7c453a8f96a0df10250850000000000000000 from kmip for Vserver: [SVM1/4294967295], err: KMIP "Get" command failed on external key server "192.0.0.1:5696". Cryptsoft error: "IO". Thu Mar 24 2022 15:00:26 +01:00 [kern_mgwd:info:2511] 0x829b7b600: 0: ERR: keymanager_mgwd::tables::keymanager_import_external_key: [run]:409: Failed to lookup Key ID: 00000000000000000200000000000500520bf82c26d7c453a8f96a0df10250850000000000000000 from kmip for Vserver: [SVM1/4294967295], err: KMIP "Get" command failed on external key server "192.0.0.2:5696". Cryptsoft error: "IO". Thu Mar 24 2022 15:00:52 +01:00 [kern_mgwd:info:2511] 0x829b7b600: 0: ERR: keymanager_mgwd::tables::keymanager_import_external_key: [run]:409: Failed to lookup Key ID: 00000000000000000200000000000500520bf82c26d7c453a8f96a0df10250850000000000000000 from kmip for Vserver: [SVM1/4294967295], err: KMIP "Get" command failed on external key server "192.0.0.3:5696". Cryptsoft error: "IO". Thu Mar 24 2022 15:01:18 +01:00 [kern_mgwd:info:2511] 0x829b7b600: 0: ERR: keymanager_mgwd::tables::keymanager_import_external_key: [run]:409: Failed to lookup Key ID: 000000000000000002000000000005005e24a1fb85a507e61a68dcceb5c1523c0000000000000000 from kmip for Vserver: [SVM1/4294967295], err: KMIP "Get" command failed on external key server "192.0.0.4:5696". Cryptsoft error: "IO".