Simulator Discussions

NVE and NSE license for ONTAP Simulator

MMF
5,920 Views

Hi there,

 

already opened a different post but I do not meet the requirements of ONTAP Select, so it's back to Simulator. How can I get my hands on the NVE / NSE licenses? AFAIK they are free of charge anyways, but all versions are NODAR (because of export regulations?).

 

I am based in Germany and a NetApp partner.

 

Thanks,

 

MMF

1 ACCEPTED SOLUTION

AlexDawson
5,883 Views

As my colleague @mbeattie says - you will need real steel to try NVE/NSE - NSE requires different physical drives, NVE will work on either NSE/FDE or open drives.

 

The partner solutions center for Germany can be reached via email to solution-center-germany@netapp.com and will be able to let you know what options you have available - some regions have loan equipment available, or options for partners to buy equipment without support/licenses and then use trial licenses and then resell to customers, but I don't know exactly what is available in DACH.

 

Good luck!

View solution in original post

12 REPLIES 12

mbeattie
5,875 Views

Hi MMF

 

I'd advise you contact your NetApp Sales Representative regarding a trial NVE license. Please note that an NVE license will not work on a simulator, i had a similiar issue trying to develop automation for volume moves to encrypt and or decrypt volumes when moving between aggregates and had to use a physical FAS system to test it on. I'm not certain if the feature will be added to the simulator in future. What are you trying to develop or test with the NVE feature?

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

AlexDawson
5,884 Views

As my colleague @mbeattie says - you will need real steel to try NVE/NSE - NSE requires different physical drives, NVE will work on either NSE/FDE or open drives.

 

The partner solutions center for Germany can be reached via email to solution-center-germany@netapp.com and will be able to let you know what options you have available - some regions have loan equipment available, or options for partners to buy equipment without support/licenses and then use trial licenses and then resell to customers, but I don't know exactly what is available in DACH.

 

Good luck!

MMF
5,847 Views

Dear Alex, Matt,

 

thanks a lot. I can see that I would need SEDs / real drives for NSE, but NVE should be a feature which can be tested in hardware. Even if poorly. But I will contact said mail address and see what they can offer.

 

Cheers,

 

MMF

AlexDawson
5,841 Views

I understand your frustration - the physical NetApp system I have does not support DARE, and I would also like to work through configuring it, so I have looked at the simulator too - and while I can get it to run a DARE enabled ONTAP by simply upgrading it, we don't have licenses available.

 

MMF
5,838 Views

For me only the KMIP-integration part would be sufficient. I am struggling with an issue as I have zero visibility in what is going on.

NetApp logs only say "SSL Handshake failed" and tracedump says that the server denies the handshake. Implemented several other KMIP clients and never had that much trouble before. E.g. vCenter, there's a free test version. You can play around.

 

But I contacted them as recommended and I really appreciate your feedback and help 🙂

 

MMF

AlexDawson
5,823 Views

That may work with the simulator then - download the regular vsim, upgrade to regular ONTAP via the cluster upgrade command set, and then try the commands. I don't have certificates available, but this was the output on my simulator not configured with NSE or VE. 

 

Hope this helps!

 

 

c94::> run local version
NetApp Release 9.4P1: Fri Jul 20 23:30:57 EDT 2018

 

c94::> run local sysconfig -a
	NetApp Release 9.4P1: Fri Jul 20 23:30:57 EDT 2018
	System ID: 4082368511 (c94_n1)
	System Serial Number: 4082368-51-1 (c94_n1)
	System Storage Configuration: Unknown
	System ACP Connectivity: NA
	All-Flash Optimized: false
	slot 0: System Board 2.2 GHz (NetApp VSim)
                Model Name:         SIMBOX
                Serial Number:      999999
                Loader version:     1.0
                Processors:         2
                Processor ID:       0x806e9
                Microcode Version:  0x8e
                Memory Size:        8192 MB
                Memory Attributes:  None
                Virtual NVRAM Size: 256 MB

 

 

c94::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through 
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and 
"exit" if you want to quit the key manager setup wizard. Any changes 
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default 
or omit a question, do not enter a value.
 
Would you like to configure onboard key management? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: 

Error: command failed: The client public SSL certificate and key pair required
       by key manager do not exist. Install a public SSL certificate and private
       key for the cluster using the admin level "security certificate install" command with the " -vserver ", " -type " and " -subtype " options set to
       "<admin_svm_name>", "client" and "kmip-cert" respectively.

 

MMF
5,743 Views

Interesting - mine behaves differently:

Error: command failed: This platform does not support data at rest encryption.

What does the step mean - upgrade to the regular version? I have no cluster upgrade command set 😞

Are we talking about updating a regular OnTap version via cluster image *?

 


 

netapp-cluster::> run local version
NetApp Release 9.4: Fri Jun  8 15:52:39 PDT 2018


netapp-cluster::> run local sysconfig -a
        NetApp Release 9.4: Fri Jun  8 15:52:39 PDT 2018
        System ID: 4082368511 (netapp-cluster-01)
        System Serial Number: 4082368-51-1 (netapp-cluster-01)
        System Storage Configuration: Unknown
        System ACP Connectivity: NA
        All-Flash Optimized: false
        slot 0: System Board 3.5 GHz (NetApp VSim)
                Model Name:         SIMBOX
                Serial Number:      999999
                Loader version:     1.0
                Processors:         2
                Processor ID:       0x306f0
                Microcode Version:  0x3d
                Memory Size:        8192 MB
                Memory Attributes:  None
                Virtual NVRAM Size: 256 MB

Thanks,

 

MMF

AlexDawson
5,733 Views

Correct - just download the regular ONTAP image for a FAS2600 and upgrade the SIM. You will need to ensure there is at least 2GB free in vol0 and on the root aggregate to install this.

MMF
5,725 Views

Excellent Alex, that did the trick!

MMF
4,735 Views

Unfortunately I am caught in a catch 22 situation.

 

security key-manager setup
[...]
Enter the cluster-wide passphrase for onboard key management. To continue the configuration, enter
the passphrase, otherwise type "exit":

So, I don't have it. When I want to update it:

 

netapp-cluster::*> security key-manager update-passphrase

Error: command failed: The onboard key manager is not enabled. To enable it, run "security
       key-manager setup". With MetroCluster configurations, make sure that the onboard key manager
       is enabled on both clusters.

I guess this happens because I lost all the licenses while doing the upgrade to the "normal" ONTAP version.

AlexDawson
4,715 Views

As you’re doing this on the simulator I assume there is no risk of data loss, but I am not that familiar with FDE setup - but isn’t this where you initially set it?

 

I've had the opportunity to try further:

 

 

c94::> version
NetApp Release 9.4P1: Sat Jul 21 03:28:44 UTC 2018

c94::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through 
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and 
"exit" if you want to quit the key manager setup wizard. Any changes 
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default 
or omit a question, do not enter a value.
 
Would you like to configure onboard key management? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: 

Error: command failed: The client public SSL certificate and key pair required
       by key manager do not exist. Install a public SSL certificate and private
       key for the cluster using the admin level "security certificate install" command with the " -vserver ", " -type " and " -subtype " options set to
       "<admin_svm_name>", "client" and "kmip-cert" respectively.

 

From your response, I can't see for sure that these are the options you followed. Can you please copy and paste the full session (as much as possible - obscure SSL certs)?

SeanHatfield
4,679 Views

I tried this and it skipped past the setup too.  I had to delete the key database.

set adv
security key-manager delete-key-database
set admin

Then I could get into the regular setup wizard.

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public