ONTAP Discussions

Onboard Key Manager onboard sync question

WAYNEWATKINS
4,888 Views

ONTAP version 9.6P7 - Using Onboard KMS for Aggregate Level Encryption -

 

When I query the KMS using the security key-manager key query command it reports back some keys as False under restored on just one of the nodes (2-node cluster). It then tells me to use the security key-manager onboard sync command to restore a key(s).

 

I've ran the sync command a couple of times and nothing appears to happen? It still displays False keys?

 

The only volume I have at the moment is an SVM root volume which was encrypted at creation time in a data aggregate fine.

 

Has anyone else seen the sync command work before?  

1 ACCEPTED SOLUTION

TMACMD
4,853 Views

Yeah...I think you are seeing the bug I was talking about (Fixed in 9.7 at least, maybe a 9.6P but not sure)

 

It might be this one.

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1259828

(although it says fixed in 9.6P7) 

 

Once you upgrade to ONTAP 9.7, this should be fully resolved. I have seen this before. It is a display bug. You could open a case with NetApp Support so they may track it.

View solution in original post

4 REPLIES 4

TMACMD
4,874 Views

Please provide the exact commands!

 

The commands were modified/deprecated into ONTAP 9.7. For using the onboard key-manager, you should be using the:

security key-manager onboard 

Command sets. Specifically:

security key-manager onboard sync

 I know there was/is a bug when NOT using the "onboard" commands.

WAYNEWATKINS
4,869 Views

I'm using the following command to check key status

security key-manager key query -node node

 

Then using the following

security key-manager onboard sync

This then prompts me for the cluster-wide passphrase.

 

If I check the key status again later it still reports keys needed to be restored?

 

Thanks

TMACMD
4,854 Views

Yeah...I think you are seeing the bug I was talking about (Fixed in 9.7 at least, maybe a 9.6P but not sure)

 

It might be this one.

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1259828

(although it says fixed in 9.6P7) 

 

Once you upgrade to ONTAP 9.7, this should be fully resolved. I have seen this before. It is a display bug. You could open a case with NetApp Support so they may track it.

WAYNEWATKINS
4,832 Views

I did hit that bug so I upgraded to 9.6P7 which stopped the "Loop detected in next()" messages.

Now, I am seeing this new issue? 

May be it will go away if upgraded 9.7? I'm a bit reluctant to go to 9.7 at the moment as we have seen a performance issue after recently upgrading to 9.7 which is under investigation.

Thank you.

Public