Verify security key-manager configuration
Steps
1. Determine if Key Manager is active with the security key-manager keystore show command. For more information, see the security key-manager keystore show MAN page.
You may have additional key manager types. The types are KMIP, AKV, and GCP. The process for confirming these types is the same as confirming external or onboard key manager types.
◦ If no output is displayed, go to "shutdown the impaired controller" to shut down the impaired node.
◦ If the command displays output, the system has security key-manager active and you need to display the Key Manager type and status.
2. Display the information for the active Key Manager using the security key-manager key query command.
◦ If the Key Manager type displays external and the Restored column displays true, it's safe to shut down the impaired controller.
◦ If the Key Manager type displays onboard and the Restored column displays true, you need to complete some additional steps.
◦ If the Key Manager type displays external and the Restored column displays anything other than true, you need to complete some additional steps.
◦ If the Key Manager type displays onboard and the Restored column displays anything other than true, you need to complete some additional steps.
3. If the Key Manager type displays onboard and the Restored column displays true, manually back up the OKM information:
a. Enter y when prompted to continue: set -priv advanced
b. Enter the command to display the key management information: security key-manager onboard show-backup
c. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
d. You can safely shut down the impaired controller.
4. If the Key Manager type displays onboard and the Restored column displays anything other than true:
a. Enter the onboard security key-manager sync command: security key-manager onboard sync
Enter the 32 character, alphanumeric onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact NetApp Support (mysupport.netapp.com).
b. Verify the Restored column displays true for all authentication keys: security key-manager key query
c. Verify that the Key Manager type displays onboard, and then manually back up the OKM information.
d. Enter the command to display the key management backup information: security key-manager onboard show-backup
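The following is an added example, not NetApp tooling or part of the original procedure: a Python pre-check that reads saved security key-manager key query output and maps each node's Key Manager type and Restored values to the steps above. The output layout in SAMPLE is a constructed, simplified assumption, and the function names are hypothetical; adapt the parser to the layout your ONTAP release prints.

```python
import re

# Constructed sample in an assumed, simplified layout (not captured from a real system).
SAMPLE = """\
Node: node1
Key Manager: onboard
Key Tag      Key Type  Restored
-----------  --------  --------
node1        NSE-AK    true
node1        NSE-AK    false

Node: node2
Key Manager: external
Key Tag      Key Type  Restored
-----------  --------  --------
node2        NSE-AK    true
"""

def parse_key_query(text):
    """Return {node: {"type": str, "restored": [str, ...]}} from key query text."""
    nodes, current, in_table = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(Node|Key Manager):\s*(\S+)", line)
        if m and m.group(1) == "Node":
            current = nodes.setdefault(m.group(2), {"type": None, "restored": []})
            in_table = False
        elif m and current is not None:
            current["type"] = m.group(2).lower()
        elif re.fullmatch(r"[-\s]+", line) and "-" in line:
            in_table = True           # separator row: key rows follow
        elif not line:
            in_table = False          # blank line ends the table
        elif in_table and current is not None:
            current["restored"].append(line.split()[-1].lower())  # last column
    return nodes

def next_step(info):
    """Map one node's Key Manager type and Restored values to the page's steps."""
    # An empty key list is treated as "not confirmed restored" (conservative assumption).
    all_restored = bool(info["restored"]) and all(v == "true" for v in info["restored"])
    if info["type"] == "external" and all_restored:
        return "safe to shut down"
    if info["type"] == "onboard" and all_restored:
        return "step 3: back up OKM information"
    if info["type"] == "onboard":
        return "step 4: onboard sync, re-check, back up"
    return "additional steps required"
```

A single key with Restored other than true is enough to route the node to step 4, which matches the requirement that the column display true for all authentication keys.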