ONTAP Discussions

Onboard Key Manager onboard sync question

WAYNEWATKINS

ONTAP version 9.6P7 - Using Onboard KMS for Aggregate Level Encryption -

When I query the KMS using the security key-manager key query command, it reports back some keys as False under restored on just one of the nodes (2-node cluster). It then tells me to use the security key-manager onboard sync command to restore a key(s).

I've run the sync command a couple of times and nothing appears to happen? It still displays False keys?

The only volume I have at the moment is an SVM root volume which was encrypted at creation time in a data aggregate fine.

Has anyone else seen the sync command work before?

1 ACCEPTED SOLUTION

TMAC_CTG

Yeah...I think you are seeing the bug I was talking about (Fixed in 9.7 at least, maybe a 9.6P but not sure)

It might be this one.

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1259828

(although it says fixed in 9.6P7)

Once you upgrade to ONTAP 9.7, this should be fully resolved. I have seen this before. It is a display bug. You could open a case with NetApp Support so they may track it.


4 REPLIES

TMAC_CTG

Please provide the exact commands!

The commands were modified/deprecated in ONTAP 9.7. For using the onboard key-manager, you should be using the:

security key-manager onboard

command sets. Specifically:

security key-manager onboard sync

I know there was/is a bug when NOT using the "onboard" commands.

WAYNEWATKINS

I'm using the following command to check key status

security key-manager key query -node node

Then using the following

security key-manager onboard sync

This then prompts me for the cluster-wide passphrase.

If I check the key status again later it still reports keys needed to be restored?

Thanks

WAYNEWATKINS

I did hit that bug so I upgraded to 9.6P7 which stopped the "Loop detected in next()" messages.

Now, I am seeing this new issue?

Maybe it will go away if upgraded to 9.7? I'm a bit reluctant to go to 9.7 at the moment as we have seen a performance issue after recently upgrading to 9.7 which is under investigation.

Thank you.
