ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

Encrypted volume and unreachable external key manager

JaneGil
‎2020-06-29 03:08 PM
2,670 Views

We're in a bit of a pickle.

 

In our lab, we have a NetApp appliance running ONTAP 9.6.    It was integrated with an external key manager several months ago that was reconfigured.   There's one encrypted volume on the appliance that we don't care about.  The appliance can no longer communicate with the key manager, but we've loaded new certificates on it to be able to re-establish communication.

 

This is essentially the same situation that you'd encounter if you let a certificate expire, so I'm following those instructions here:  https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nve%2FGUID-D457F0DF-420A-4FE7-A782-040878F0D000.html


When I attempt to remove the server as instructed, I'm told I can't because there's an encrypted volume.

SAT-NVE::*> security key-manager external remove-servers -vserver SAT-NVE -key-servers 10.106.189.27:5696

Error: command failed: The key server at "10.106.189.27" contains volume encryption keys that are currently in use and not available from any other configured key server.

 

When I attempt to delete the encrypted volume, I can't do that because it can't reach the external key manager.

SAT-NVE::*> volume delete -vserver SAT-01 -volume EncryptedVM

Error: command failed: One or more key servers are unavailable for Vserver "SAT-NVE". Use the "security key-manager external show-status -vserver SAT-NVE"  command to check the status of the key servers. Verify that the network configuration is correct.


The -force attribute didn't help.

 

How do I get out of this loop?   

Thanks.

Jane

0 Kudos
3 REPLIES 3

TMACMD
NetApp A-Team
‎2020-06-29 03:29 PM
2,656 Views

Have you tried "set advanced" and try using the "-force" option with the "volume delete" command?

0 Kudos

JaneGil
‎2020-06-30 06:02 AM
In response to TMACMD
2,585 Views

Yes, thanks, I tried that, and it didn't help.  

 

I'm concerned for our customers because I don't know they can renew or replace a certificate if they have encrypted volumes (which all our customers do).  

 

 

0 Kudos

JaneGil
‎2020-06-30 06:46 AM
In response to JaneGil
2,582 Views

I figured it out.  You have use diagnostic mode to force the update of the certificate, and ignore the warning.  Of course the private key will be different for the new certificate, but it will work.  

 

SAT-NVE::security key-manager external*> modify -vserver SAT-NVE -client-cert NetAppNVE_DB1A

Warning: The new client certificate public or private keys are different from the existing client
certificate. This could lead to failure in retrieving the keys from the configured key
servers.
Do you want to continue? {y|n}: y

0 Kudos
All Community Forums
Public