Key manager requirements for ONTAP Cloud encryption

You need a supported key management infrastructure to use ONTAP Cloud encryption.

Supported key managers

An external key manager is a system in your network or in AWS that securely stores authentication keys and provides them upon demand to ONTAP Cloud systems using secure TLS connections. The following key managers are supported:

See the NetApp Interoperability Matrix Tool for supported software versions.

Each ONTAP Cloud system supports up to four key managers. You should use multiple key managers in a clustered configuration for redundancy.

Vormetric configuration requirements

See NetApp KB article 000033069.

Note: The Encryption Setup page in Cloud Manager pertains to SafeNet key managers only. You must refer to the KB article to set up ONTAP Cloud with Vormetric key managers.

SafeNet configuration requirements

Each SafeNet key manager must have several certificates, a KMIP server, and a network connection to ONTAP Cloud systems. The key manager must also meet specific requirements if using client certificate authentication. Note that Cloud Manager does not communicate with key managers, so a network connection between Cloud Manager and key managers is not required.

A description of the key manager requirements follows:

Requirement Description
Key managers must have a server certificate Key managers need a server certificate to authenticate with ONTAP Cloud systems. The SSL certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format. You select this server certificate when you configure the KMIP server on the key manager.

If you plan to use two to four key managers with an ONTAP Cloud system, the same certificate authority (CA) must sign the server certificate for each key manager.

Key managers must trust the signing CA The CA that signed the server certificate must be known and trusted by the key manager.
Key managers must have a KMIP server Each key manager must have a KMIP server that uses SSL and a specific port. The default and recommended port for ONTAP Cloud is 5696. If needed, you can change this port when you set up Cloud Manager.
Key managers must have a network connection to ONTAP Cloud systems If the key managers are in AWS, they must have a connection to the subnet in which ONTAP Cloud instances are running. If the key managers are in your network, a VPN connection to the VPC provides the required connection.

Firewall settings must allow communication through the KMIP port.

Key managers must trust the Cloud Manager CA and its root CA, if using client certificate authentication When you set up Cloud Manager, you configure it to act as an intermediate CA so it can sign ONTAP Cloud client certificates. If a KMIP server requires client certificate authentication, then the Cloud Manager intermediate CA must be known and trusted by key managers.

The root CA that signed the Cloud Manager certificate must also be known and trusted by the key manager.

Key managers must check a compatible user name field, if using client certificate authentication If the key manager's KMIP server checks for a user name in client certificates, it must use a field compatible with ONTAP Cloud client certificates. Cloud Manager can create ONTAP Cloud client certificates that include a user name in the CN (Common Name), E (Email address), and OU (Organizational Unit) fields.
KMIP Cryptographic Usage Mask must be set to no If you use SafeNet OS v8.6, you must do the following:
  1. Connect to the CLI using the admin user
  2. Enter the following commands:
    • config
    • no kmip cryptographicusagemask
  3. Restart the NAE Server from the user interface

The following graphic depicts these requirements:

This illustration shows the requirements for key managers: a KMIP server, a server certificate, a CA certificate, the Cloud Manager certificate, and a VPN or subnet route to ONTAP Cloud


  1. The Cloud Manager intermediate CA and its root CA must be trusted only if the KMIP server requires client certificate authentication.
  2. The same CA must have signed the server certificate for both key managers. This CA is called the key manager CA.

After you meet these requirements, you must set up Cloud Manager so users can enable ONTAP Cloud encryption.