security key-manager external modify
Modify external key management
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command modifies the external key manager configuration associated with the given Vserver. When modifying the external key manaager configuration associated with the admin Vserver, you must run the same command specifying the same parameters on the peer cluster. When modifying the external key manager configuration associated with a data Vserver, you can run the security key-manager external modify
command on the active cluster only as the configuration modifications are replicated on the peer cluster. This command is not supported when external key management is not enabled for the given Vserver.
Parameters
-vserver <vserver name>
- Vserver Name-
Use this parameter to specify the Vserver on which the key manager to be modified is located.
[-client-cert <text>]
- Name of the Client Certificate-
Use this parameter to modify the name of the client certificate that the key management servers use to ensure the identity of Data ONTAP. If the keys of the new certificate do not match the keys of the existing certificate, or if the TLS connectivity with key-management servers fails with the new certificate, the operation fails. Running this command in the diagnostic privilege mode ignores failures and allows the command to complete.
[-server-ca-certs <text>,…]
- Names of the Server CA Certificates-
Use this parameter to modify the names of server-ca certificates that Data ONTAP uses to ensure the identity of the key management servers. Note that the list provided completely replaces the existing list of certificates. If the TLS connectivity with key-management servers fails with the new list of server-ca certificates, the operation fails. Running this command in the diagnostic privilege mode ignores failures and allows the command to complete.
Examples
The following example updates the client certificate used with the key management servers:
cluster-1::> security key-manager external modify -vserver cluster-1 -client-cert NewClientCert