Skip to main content
Install and maintain

Restore OKM, NSE, and NVE as needed - FAS2800

Contributors
PDFs

Once environment variables are checked, you must complete steps specific to systems that have Onboard Key Manager (OKM), NetApp Storage Encryption (NSE) or NetApp Volume Encryption (NVE) enabled using settings you captured at the beginning of this procedure.

Note If NSE or NVE are enabled along with Onboard Key Manager you must restore settings you captured at the beginning of this procedure.
Steps

  1. Connect the console cable to the target controller.

  2. Use the boot_ontap command at the LOADER prompt to boot the controller.

  3. Check the console output:

    If the console displays…​ Then…​

    The login prompt

    Go to Step 7.

    Waiting for giveback…​

    1. Log into the partner controller.

    2. Confirm the target controller is ready for giveback with the storage failover show command.

  4. Move the console cable to the partner controller and give back the target controller storage using the storage failover giveback -fromnode local -only-cfo-aggregates true local command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because of an open CIFS session, check with the customer on how to close out CIFS sessions.

      Note Terminating CIFS can cause loss of data.

    • If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  5. Wait 3 minutes and check the failover status with the storage failover show command.

  6. At the clustershell prompt, enter the net int show -is-home false command to list the logical interfaces that are not on their home controller and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert -vserver Cluster -lif nodename command.

  7. Move the console cable to the target controller and run the version -v command to check the ONTAP versions.

  8. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

  9. Use the storage encryption disk show at the clustershell prompt, to review the output.

  10. Use the security key-manager key query command to display the key IDs of the authentication keys that are stored on the key management servers.

    • If the Restored column = yes/true, you are done and can proceed to complete the replacement process.

    • If the Key Manager type = external and the Restored column = anything other than yes/true, use the security key-manager external restore command to restore the key IDs of the authentication keys.

      Note If the command fails, contact Customer Support.

    • If the Key Manager type = onboard and the Restored column = anything other than yes/true, use the security key-manager onboard sync command to re-sync the Key Manager type.

      Use the security key-manager key query to verify that the Restored column = yes/true for all authentication keys.

  11. Connect the console cable to the partner controller.

  12. Give back the controller using the storage failover giveback -fromnode local command.

  13. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

  14. Restore Autosupport if it was disabled by using the system node autosupport invoke -node * -type all -message MAINT=END