ONTAP Discussions

Key Manager Cert - Renewal




We have a pair of FAS2240-2 filers running Data ONTAP 8.2.3P6 in 7-mode as an HA pair. We also have two TKLM servers which serve the NSE keys for the disks. This has all been working fine for the last two years but the certificates are now expiring and I'm trying to renew them. I was not with the company when all this was set up so it's my first run through with this. All certs are signed by our internal CA.


The documentation I have and what I have found from NetApp advises the following:

1. Create and sign a server cert on the TKLM.

2. Install the CA root cert and the signed cert from step 1 on the TKLM

3. Using OpenSSL generate a private key

4. Using the private key from step 3 create a certificate signing request and sign with the CA. Save this as 'client.pem'

5. Concatenate client.pem and the private key from step 3 into a new cert called client_private.pem (cut and paste).

6. Install client.pem, client_private.pem and the CA root cert onto the Filer.

7. Add key manager.


Having done all this 3 times (once following my predecessor's documentation, once following NetApp's and once more for luck) the key_manager list command shows the server responding but the 'key_manager query' command doesn't list any keys, and neither does 'key_manager restore'. I have found what I think is a log on the TKLM which says 'access denied' to a request for the keys but it doesn't give any indication of why.


I logged it with NetApp who say it's a TKLM problem, and with IBM who say the problem is with the generation of the NetApp cert so speak to NetApp. Has anyone any experience with key_servers?
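Steps 3 to 5 of the procedure above, done with OpenSSL, as an added example that is not part of the original post. It stands in a throwaway self-signed CA for the internal CA so it runs stand-alone, and adds the two checks worth running before step 6: that client.pem chains to the CA root and that the key in client_private.pem belongs to that cert. The WORK directory and subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). The CA below is a constructed
# stand-in for the internal CA; WORK and the subject CNs are hypothetical.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_KEY="$WORK/ca.key"
CA_CERT="$WORK/ca.pem"

# Stand-in for the internal CA (in production, use the real CA root instead).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CERT" \
    -days 365 -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Step 3: generate the private key for the filer's client identity.
# Step 4: build a CSR from that key and have the CA sign it -> client.pem.
# Step 5: concatenate client.pem and the key -> client_private.pem.
make_client_certs() {
  openssl genrsa -out "$WORK/client.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/client.key" -subj "/CN=filer01" \
    -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 365 -out "$WORK/client.pem" >/dev/null 2>&1
  cat "$WORK/client.pem" "$WORK/client.key" > "$WORK/client_private.pem"
}

# Checks to run before step 6: client.pem must chain to the CA root the key
# server trusts, and the key inside client_private.pem must be the one the
# cert was issued for. Prints "ok" and returns 0 only if both hold; either
# failure leaves the key server unable to authenticate the filer's requests.
verify_client_bundle() {
  openssl verify -CAfile "$CA_CERT" "$WORK/client.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -noout -pubkey -in "$WORK/client_private.pem")
  key_pub=$(openssl pkey -pubout -in "$WORK/client_private.pem" 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  echo ok
}

# Usage: sh renew_client_cert.sh run
if [ "${1:-}" = run ]; then
  make_test_ca
  make_client_certs
  verify_client_bundle
  echo "files in $WORK"
fi
```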






Please refer to this KB article https://kb.netapp.com/support/index?page=content&id=3014206&actp=search&viewlocale=en_US&searchid=1454592474012





Private message sent from NetApp Support.