1. Display the key IDs of the authentication keys that are stored on the key management servers:
security key-manager key query -key-type NSE-AK
After the ONTAP 9.6 release, you may have additional key manager types. The types are KMIP, AKV, and GCP. The process for confirming these types is the same as confirming external or onboard key manager types.
◦ If the Key Manager type displays external and the Restored column displays yes, it’s safe to shut down the impaired controller.
◦ If the Key Manager type displays onboard and the Restored column displays yes, you need to complete some additional steps.
◦ If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.
2. If the Key Manager type displays onboard and the Restored column displays yes, manually back up the OKM information:
a. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced
b. Enter the command to display the key management information: security key-manager onboard show-backup
c. Copy the contents of the backup information to a separate file or your log file. You’ll need it in disaster scenarios where you might need to manually recover OKM.
d. Return to admin mode: set -priv admin
e. You can safely shut down the controller.
3. If the Key Manager type displays external and the Restored column displays anything other than yes:
a. Restore the external key management authentication keys to all nodes in the cluster: security key-manager external restore
If the command fails, contact NetApp Support (mysupport.netapp.com).
b. Verify that the Restored column equals yes for all authentication keys: security key-manager key query
c. You can safely shut down the controller.
4. If the Key Manager type displays onboard and the Restored column displays anything other than yes:
a. Enter the onboard security key-manager sync command: security key-manager onboard sync
Enter the customer’s 32 character, alphanumeric onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact NetApp Support (mysupport.netapp.com).