security key-manager setup

Configure key manager connectivity

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security key-manager setup command provides a way to configure key management. Data ONTAP supports two mutually exclusive key management methods: external, via one or more Key Management Interoperability Protocol (KMIP) servers, or internal, via an onboard key manager. This command configures either an external or an internal key manager. When configuring an external key management server, the command creates the association between the key management servers and the selected node, establishing the boot-time parameters used during the boot process to retrieve the authentication keys and for server communication in the other key-manager operations. For onboard key management, the command prompts you to configure a passphrase that protects the internal keys in encrypted form.

This command can also be used to refresh keys that are missing. If a refresh is necessary, the security key-manager key show command prompts you to run this command.

For onboard key management in a MetroCluster configuration, if the security key-manager update-passphrase command is used to update the passphrase on one site, then run the security key-manager setup command with the new passphrase on the partner site before proceeding with any key-manager operations.

Parameters

[-node <nodename>] - Node Name
When configuring an external key management server, this parameter is used to specify the node that will be used to communicate with the external KMIP server. For onboard key management, this parameter is ignored during the initial configuration of the feature. It is only used when a refresh operation is required (see command description). In either case, if you do not specify a node name, the default is the local node.

Examples

The following example creates a configuration for external key management using IPv4 addresses.

cluster1::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default
or omit a question, do not enter a value.

Would you like to configure onboard key management? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes

You will now be prompted for a subset of your network configuration
setup. These parameters will define a pre-boot network environment,
allowing secure connections to the registered key server.

Enter the TCP port number for KMIP server [5696]:
Enter the network interface [e0c]:
Would you like to configure an IPv4 address? {yes, no} [yes]:

Enter the IP address [10.63.55.148]:
Enter the netmask [255.255.192.0]:
Enter the gateway [10.63.0.1]:
Would you like to configure an IPv6 address? {yes, no} [no]:
The following example creates a configuration for external key management using IPv6 addresses in the RFC 5952 text format.

cluster1::> security key-manager setup -node cluster1
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default
or omit a question, do not enter a value.

Would you like to configure onboard key management? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes

You will now be prompted for a subset of your network configuration
setup. These parameters will define a pre-boot network environment,
allowing secure connections to the registered key server.

Enter the TCP port number for KMIP server [5696]:
Enter the network interface [e0c]:
Would you like to configure an IPv4 address? {yes, no} [yes]:
no

Would you like to configure an IPv6 address? {yes, no} [yes]:
yes
Enter the IPV6 address: fd20:8b1e:b255:208:250:56ff:fea2:206
Enter the IPv6 address prefix length [64]:
Enter the IPv6 gateway: fd20:8b1e:b255:208:250:56ff:fea2:200
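The two external key-management sessions above hand the wizard a pre-boot IPv4 or IPv6 environment that the node must be able to use, unattended, to reach its KMIP server and retrieve the authentication keys. The following Python check is an added example, not Data ONTAP code or anything from this page: it catches an address/netmask/gateway triple that would leave the node without a route, and an IPv6 string that is not in RFC 5952 form, before the values are typed into the wizard. The function names are assumptions; the sample values are the ones shown in the sessions.

```python
import ipaddress


def validate_ipv4_boot_params(address: str, netmask: str, gateway: str) -> list:
    """Check the IPv4 address/netmask/gateway triple the wizard asks for.
    Returns a list of problems; empty means the pre-boot route is usable."""
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")  # accepts dotted masks
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid IPv4 parameter: {exc}"]
    problems = []
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not inside {iface.network}")
    elif gw in (iface.ip, iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"gateway {gw} cannot be the node, network or broadcast address")
    return problems


def validate_ipv6_boot_params(address: str, prefix_len: int, gateway: str) -> list:
    """Check the IPv6 address/prefix/gateway triple, including RFC 5952 text form."""
    try:
        iface = ipaddress.IPv6Interface(f"{address}/{prefix_len}")
        gw = ipaddress.IPv6Address(gateway)
    except ValueError as exc:
        return [f"invalid IPv6 parameter: {exc}"]
    problems = []
    # str() of an IPv6Address is the RFC 5952 form: lowercase hex, no leading
    # zeros in a group, and the longest zero run compressed to "::" once.
    for label, text, obj in (("address", address, iface.ip), ("gateway", gateway, gw)):
        if text != str(obj):
            problems.append(f"{label} {text!r} is not in RFC 5952 form; expected {obj}")
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not inside {iface.network}")
    elif gw == iface.ip:
        problems.append("gateway equals the node address")
    return problems


if __name__ == "__main__":
    # Constructed sample values taken from the two wizard sessions above.
    print(validate_ipv4_boot_params("10.63.55.148", "255.255.192.0", "10.63.0.1"))
    print(validate_ipv6_boot_params("fd20:8b1e:b255:208:250:56ff:fea2:206", 64,
                                    "fd20:8b1e:b255:208:250:56ff:fea2:200"))
```

Both calls return an empty list for the values in the sessions; a gateway outside the /18 or an uppercase, zero-padded IPv6 string returns a description of the problem instead.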
The following example creates a configuration for onboard key management.

cluster1::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".
To accept a default or omit a question, do not enter a value.

Would you like to configure onboard key management? {yes, no} [yes]:

Enter the cluster-wide passphrase for onboard key management. To continue the
configuration, enter the passphrase, otherwise type "exit":
Re-enter the cluster-wide passphrase:
After configuring onboard key management, save the encrypted configuration
data in a safe location so that you can use it if you need to perform a
manual recovery operation. To view the data, use the "security key-manager
backup show" command.