Configure key manager connectivity
This command can also be used to refresh keys that are missing. When that is necessary, the security key-manager key show command prompts you to run this command.
For onboard key management in a MetroCluster configuration, if the security key-manager update-passphrase command is used to update the passphrase on one site, then run the security key-manager setup command with the new passphrase on the partner site before proceeding with any key-manager operations.
cluster1::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".
To accept a default or omit a question, do not enter a value.

Would you like to configure onboard key management? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes
You will now be prompted for a subset of your network configuration
setup. These parameters will define a pre-boot network environment,
allowing secure connections to the registered key server.
Enter the TCP port number for KMIP server [5696]:
Enter the network interface [e0c]:
Would you like to configure an IPv4 address? {yes, no} [yes]:
Enter the IP address [10.63.55.148]:
Enter the netmask [255.255.192.0]:
Enter the gateway [10.63.0.1]:
Would you like to configure an IPv6 address? {yes, no} [no]:

The following example creates a configuration for external key management using RFC 5952 supported IPv6 addresses.

cluster1::> security key-manager setup -node cluster1
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".
To accept a default or omit a question, do not enter a value.

Would you like to configure onboard key management? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes
You will now be prompted for a subset of your network configuration
setup. These parameters will define a pre-boot network environment,
allowing secure connections to the registered key server.
Enter the TCP port number for KMIP server [5696]:
Enter the network interface [e0c]:
Would you like to configure an IPv4 address? {yes, no} [yes]: no
Would you like to configure an IPv6 address? {yes, no} [yes]: yes
Enter the IPV6 address: fd20:8b1e:b255:208:250:56ff:fea2:206
Enter the IPv6 address prefix length [64]:
Enter the IPv6 gateway: fd20:8b1e:b255:208:250:56ff:fea2:200

The following example creates a configuration for onboard key management.

cluster1::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".
To accept a default or omit a question, do not enter a value.

Would you like to configure onboard key management? {yes, no} [yes]:
Enter the cluster-wide passphrase for onboard key management. To continue the
configuration, enter the passphrase, otherwise type "exit":
Re-enter the cluster-wide passphrase:
After configuring onboard key management, save the encrypted configuration data
in a safe location so that you can use it if you need to perform a manual recovery
operation. To view the data, use the "security key-manager backup show" command.
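Because the pre-boot network environment is what lets the node reach the KMIP server before its volumes are available, a wrong gateway or a non-canonical IPv6 address is only discovered at the next boot. The following pre-flight check is an added example, not part of the ONTAP documentation or product: it validates a planned set of wizard answers (the port, interface, address, mask/prefix and gateway prompts shown above, using the values from the examples as constructed sample input) before they are typed into the wizard, and normalises IPv6 addresses to RFC 5952 form.

```python
import ipaddress

# Constructed sample answer sets mirroring the wizard prompts and example values above.
IPV4_ANSWERS = {"port": 5696, "interface": "e0c", "address": "10.63.55.148",
                "netmask": "255.255.192.0", "gateway": "10.63.0.1"}
IPV6_ANSWERS = {"port": 5696, "interface": "e0c",
                "address": "fd20:8b1e:b255:208:250:56ff:fea2:206", "prefix_length": 64,
                "gateway": "fd20:8b1e:b255:208:250:56ff:fea2:200"}


def canonical_ipv6(text):
    """RFC 5952 text form: lowercase hex, leading zeros dropped, longest zero run as '::'."""
    return ipaddress.IPv6Address(text).compressed


def _common_checks(answers):
    problems = []
    if not 1 <= int(answers["port"]) <= 65535:
        problems.append("KMIP port must be 1-65535 (wizard default is 5696)")
    if not answers["interface"]:
        problems.append("network interface must not be empty")
    return problems


def check_ipv4(answers):
    """Return a list of problems with an IPv4 answer set; empty list means it is usable."""
    problems = _common_checks(answers)
    iface = ipaddress.IPv4Interface(f'{answers["address"]}/{answers["netmask"]}')
    gateway = ipaddress.IPv4Address(answers["gateway"])
    if gateway not in iface.network:
        problems.append(f"gateway {gateway} is outside {iface.network}; pre-boot routing would fail")
    if gateway == iface.ip:
        problems.append("gateway equals the node's own address")
    return problems


def check_ipv6(answers):
    """Return a list of problems with an IPv6 answer set; empty list means it is usable."""
    problems = _common_checks(answers)
    prefix = int(answers["prefix_length"])
    if not 1 <= prefix <= 128:
        problems.append("IPv6 prefix length must be 1-128")
        return problems
    iface = ipaddress.IPv6Interface(f'{answers["address"]}/{prefix}')
    gateway = ipaddress.IPv6Address(answers["gateway"])
    for label, text in (("address", answers["address"]), ("gateway", answers["gateway"])):
        if text != canonical_ipv6(text):      # enforce the RFC 5952 form the wizard expects
            problems.append(f"{label} {text!r} is not in RFC 5952 form; use {canonical_ipv6(text)!r}")
    if gateway not in iface.network:
        problems.append(f"gateway {gateway} is outside {iface.network}; pre-boot routing would fail")
    return problems
```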