Changing the peering encryption status

You can use System Manager to change the peering encryption status for the selected cluster.

About this task

The encryption status can be enabled or disabled. You can change the status from enabled to disabled or from disabled to enabled by selecting Change Encryption.

Steps

  1. Click Configuration > Cluster Peers.
  2. Select the peered cluster, and click Edit
    The drop-down menu displays.
  3. Click Change Encryption.
    This action is not available if the encryption status is "N/A".
    The Change Encryption dialog window displays. The toggle button indicates the current encryption status.
  4. Slide the toggle button to change the peering encryption status and proceed.
    • If the current encryption status is "none", you can enable encryption by sliding the toggle button to change the status to "tls_psk".
    • If the current encryption status is "tls_psk", you can disable the encryption by sliding the toggle button to change the status to "none".
  5. After you enable or disable peering encryption, you can either generate a new passphrase and provide it at the peered cluster or you can apply an existing passphrase that was already generated at the peered cluster.
    Note: If the passphrase used on the local site does not match the passphrase used on the remote site, the cluster peering relationship will not function properly.

    Select one of the following:

    • Generate a passphrase: Proceed to Step 6.
    • Already have a passphrase: Proceed to Step 9.
  6. If you chose Generate a passphrase, complete the necessary fields:
    • IPspace: Select the IPspace from the drop-down menu.
    • Passphrase Validity: Select from the drop-down menu the duration for which you want the passphrase to be valid.
    • SVM Permissions: Select one of the following:
      • All SVMs to indicate that all SVMs are permitted to access the cluster.
      • Selected SVMs to indicate specific SVMs that are permitted to access the cluster. Highlight the SVM names in the field that you want to specify.
  7. Optional: Select the checkbox if the effective cluster version of the remote cluster is earlier than ONTAP 9.6. Otherwise, the passphrase fails to generate.
  8. Click Apply.
    The passphrase is generated for the relationship and displayed. You can either copy the passphrase or email it.

    The authentication status for the local cluster is displayed as ok_and_offer for the selected passphrase validity period until you provide the passphrase at the remote cluster.

  9. If you already generated a new passphrase in the remote cluster, then perform the following substeps:
    1. Click Already have a passphrase.
    2. Enter in the Passphrase field the same passphrase that was generated in the remote cluster.
    3. Click Apply.