Simulator Discussions
Simulator Discussions
Hi there,
already opened a different post but I do not meet the requirements of ONTAP Select, so it's back to Simulator. How can I get my hands on the NVE / NSE licenses? AFAIK they are free of charge anyways, but all versions are NODAR (because of export regulations?).
I am based in Germany and a NetApp partner.
Thanks,
MMF
Solved! See The Solution
As my colleague @mbeattie says - you will need real steel to try NVE/NSE - NSE requires different physical drives, NVE will work on either NSE/FDE or open drives.
The partner solutions center for Germany can be reached via email to solution-center-germany@netapp.com and will be able to let you know what options you have available - some regions have loan equipment available, or options for partners to buy equipment without support/licenses and then use trial licenses and then resell to customers, but I don't know exactly what is available in DACH.
Good luck!
Hi MMF
I'd advise you contact your NetApp Sales Representative regarding a trial NVE license. Please note that an NVE license will not work on a simulator, i had a similiar issue trying to develop automation for volume moves to encrypt and or decrypt volumes when moving between aggregates and had to use a physical FAS system to test it on. I'm not certain if the feature will be added to the simulator in future. What are you trying to develop or test with the NVE feature?
/Matt
As my colleague @mbeattie says - you will need real steel to try NVE/NSE - NSE requires different physical drives, NVE will work on either NSE/FDE or open drives.
The partner solutions center for Germany can be reached via email to solution-center-germany@netapp.com and will be able to let you know what options you have available - some regions have loan equipment available, or options for partners to buy equipment without support/licenses and then use trial licenses and then resell to customers, but I don't know exactly what is available in DACH.
Good luck!
Dear Alex, Matt,
thanks a lot. I can see that I would need SEDs / real drives for NSE, but NVE should be a feature which can be tested in hardware. Even if poorly. But I will contact said mail address and see what they can offer.
Cheers,
MMF
I understand your frustration - the physical NetApp system I have does not support DARE, and I would also like to work through configuring it, so I have looked at the simulator too - and while I can get it to run a DARE enabled ONTAP by simply upgrading it, we don't have licenses available.
For me only the KMIP-integration part would be sufficient. I am struggling with an issue as I have zero visibility in what is going on.
NetApp logs only say "SSL Handshake failed" and tracedump says that the server denies the handshake. Implemented several other KMIP clients and never had that much trouble before. E.g. vCenter, there's a free test version. You can play around.
But I contacted them as recommended and I really appreciate your feedback and help 🙂
MMF
That may work with the simulator then - download the regular vsim, upgrade to regular ONTAP via the cluster upgrade command set, and then try the commands. I don't have certificates available, but this was the output on my simulator not configured with NSE or VE.
Hope this helps!
c94::> run local version NetApp Release 9.4P1: Fri Jul 20 23:30:57 EDT 2018
c94::> run local sysconfig -a NetApp Release 9.4P1: Fri Jul 20 23:30:57 EDT 2018 System ID: 4082368511 (c94_n1) System Serial Number: 4082368-51-1 (c94_n1) System Storage Configuration: Unknown System ACP Connectivity: NA All-Flash Optimized: false slot 0: System Board 2.2 GHz (NetApp VSim) Model Name: SIMBOX Serial Number: 999999 Loader version: 1.0 Processors: 2 Processor ID: 0x806e9 Microcode Version: 0x8e Memory Size: 8192 MB Memory Attributes: None Virtual NVRAM Size: 256 MB
c94::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. Enter the following commands at any time "help" or "?" if you want to have a question clarified, "back" if you want to change your answers to previous questions, and "exit" if you want to quit the key manager setup wizard. Any changes you made before typing "exit" will be applied. Restart the key manager setup wizard with "security key-manager setup". To accept a default or omit a question, do not enter a value. Would you like to configure onboard key management? {yes, no} [yes]: no Would you like to configure the KMIP server environment? {yes, no} [yes]: Error: command failed: The client public SSL certificate and key pair required by key manager do not exist. Install a public SSL certificate and private key for the cluster using the admin level "security certificate install" command with the " -vserver ", " -type " and " -subtype " options set to "<admin_svm_name>", "client" and "kmip-cert" respectively.
Interesting - mine behaves differently:
Error: command failed: This platform does not support data at rest encryption.
What does the step mean - upgrade to the regular version? I have no cluster upgrade command set 😞
Are we talking about updating a regular OnTap version via cluster image *?
netapp-cluster::> run local version NetApp Release 9.4: Fri Jun 8 15:52:39 PDT 2018 netapp-cluster::> run local sysconfig -a NetApp Release 9.4: Fri Jun 8 15:52:39 PDT 2018 System ID: 4082368511 (netapp-cluster-01) System Serial Number: 4082368-51-1 (netapp-cluster-01) System Storage Configuration: Unknown System ACP Connectivity: NA All-Flash Optimized: false slot 0: System Board 3.5 GHz (NetApp VSim) Model Name: SIMBOX Serial Number: 999999 Loader version: 1.0 Processors: 2 Processor ID: 0x306f0 Microcode Version: 0x3d Memory Size: 8192 MB Memory Attributes: None Virtual NVRAM Size: 256 MB
Thanks,
MMF
Correct - just download the regular ONTAP image for a FAS2600 and upgrade the SIM. You will need to ensure there is at least 2GB free in vol0 and on the root aggregate to install this.
Excellent Alex, that did the trick!
Unfortunately I am caught in a catch 22 situation.
security key-manager setup [...] Enter the cluster-wide passphrase for onboard key management. To continue the configuration, enter the passphrase, otherwise type "exit":
So, I don't have it. When I want to update it:
netapp-cluster::*> security key-manager update-passphrase Error: command failed: The onboard key manager is not enabled. To enable it, run "security key-manager setup". With MetroCluster configurations, make sure that the onboard key manager is enabled on both clusters.
I guess this happens because I lost all the licenses while doing the upgrade to the "normal" ONTAP version.
As you’re doing this on the simulator I assume there is no risk of data loss, but I am not that familiar with FDE setup - but isn’t this where you initially set it?
I've had the opportunity to try further:
c94::> version NetApp Release 9.4P1: Sat Jul 21 03:28:44 UTC 2018 c94::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. Enter the following commands at any time "help" or "?" if you want to have a question clarified, "back" if you want to change your answers to previous questions, and "exit" if you want to quit the key manager setup wizard. Any changes you made before typing "exit" will be applied. Restart the key manager setup wizard with "security key-manager setup". To accept a default or omit a question, do not enter a value. Would you like to configure onboard key management? {yes, no} [yes]: no Would you like to configure the KMIP server environment? {yes, no} [yes]: Error: command failed: The client public SSL certificate and key pair required by key manager do not exist. Install a public SSL certificate and private key for the cluster using the admin level "security certificate install" command with the " -vserver ", " -type " and " -subtype " options set to "<admin_svm_name>", "client" and "kmip-cert" respectively.
From your response, I can't see for sure that these are the options you followed. Can you please copy and paste the full session (as much as possible - obscure SSL certs)?
I tried this and it skipped past the setup too. I had to delete the key database.
set adv security key-manager delete-key-database set admin
Then I could get into the regular setup wizard.