Enabling external key management in ONTAP 9.6 and later (HW-based)

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.

Before you begin

Steps

  1. Configure key manager connectivity for the cluster: security key-manager external enable -vserver admin_SVM -key-servers host_name|IP_address:port,... -client-cert client_certificate -server-ca-cert server_CA_certificates
    Note: The security key-manager external enable command replaces the security key-manager setup command. You can run the security key-manager external modify command to change the external key management configuration. For complete command syntax, see the man pages.
    Example

    The following command enables external key management for cluster1 with three external key servers. The first key server is specified using its hostname and port, the second is specified using an IP address and the default port, and the third is specified using an IPv6 address and port:

    clusterl::> security key-manager external enable -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert
  2. Verify that all configured KMIP servers are connected: security key-manager external show-status -node node_name -vserver SVM -key-server host_name|IP_address:port -key-server-status available|not-responding|unknown
    Note: The security key-manager external show-status command replaces the security key-manager show -status command. For complete command syntax, see the man page.
    Example
    cluster1::> security key-manager external show-status
    
    Node  Vserver  Key Server                                     Status
    ----  -------  ---------------------------------------        -------------
    node1
          cluster1
                   10.0.0.10:5696                                 available
                   fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234   available
                   ks1.local:15696                                available
    node2
          cluster1
                   10.0.0.10:5696                                 available
                   fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234   available
                   ks1.local:15696                                available
    
    6 entries were displayed.