ONTAP Discussions

Encrypted volume and unreachable external key manager

JaneGil
2,669 Views

We're in a bit of a pickle.

 

In our lab, we have a NetApp appliance running ONTAP 9.6.    It was integrated with an external key manager several months ago that was reconfigured.   There's one encrypted volume on the appliance that we don't care about.  The appliance can no longer communicate with the key manager, but we've loaded new certificates on it to be able to re-establish communication.

 

This is essentially the same situation that you'd encounter if you let a certificate expire, so I'm following those instructions here:  https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nve%2FGUID-D457F0DF-420A-4FE7-A782-040878F0D000.html


When I attempt to remove the server as instructed, I'm told I can't because there's an encrypted volume.

SAT-NVE::*> security key-manager external remove-servers -vserver SAT-NVE -key-servers 10.106.189.27:5696

Error: command failed: The key server at "10.106.189.27" contains volume encryption keys that are currently in use and not available from any other configured key server.

 

When I attempt to delete the encrypted volume, I can't do that because it can't reach the external key manager.

SAT-NVE::*> volume delete -vserver SAT-01 -volume EncryptedVM

Error: command failed: One or more key servers are unavailable for Vserver "SAT-NVE". Use the "security key-manager external show-status -vserver SAT-NVE"  command to check the status of the key servers. Verify that the network configuration is correct.


The -force attribute didn't help.

 

How do I get out of this loop?   

Thanks.

Jane

3 REPLIES 3

TMACMD
2,655 Views

Have you tried "set advanced" and try using the "-force" option with the "volume delete" command?

JaneGil
2,584 Views

Yes, thanks, I tried that, and it didn't help.  

 

I'm concerned for our customers because I don't know they can renew or replace a certificate if they have encrypted volumes (which all our customers do).  

 

 

JaneGil
2,581 Views

I figured it out.  You have use diagnostic mode to force the update of the certificate, and ignore the warning.  Of course the private key will be different for the new certificate, but it will work.  

 

SAT-NVE::security key-manager external*> modify -vserver SAT-NVE -client-cert NetAppNVE_DB1A

Warning: The new client certificate public or private keys are different from the existing client
certificate. This could lead to failure in retrieving the keys from the configured key
servers.
Do you want to continue? {y|n}: y

Public