security key-manager setup
- PDF of this doc site
Collection of separate PDF docs
Creating your file...
Configure key manager connectivity
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security key-manager setup
command enables you to configure key management. Data ONTAP supports two mutually exclusive key management methods: external via one or more key management interoperability protocol (KMIP) servers, or internal via an onboard key manager. This command is used to configure an external or internal key manager. When configuring an external key management server, this command records networking information on all node that is used during the boot process to retrieve keys needed for booting from the KMIP servers. For onboard key management, this command prompts you to configure a passphrase to protect internal keys in encrypted form.
This command can also be used to refresh missing onboard keys. For example, if you add a node to a cluster that has onboard key management configured, you will run this command to refresh the missing keys.
For onboard key management in a MetroCluster configuration, if the security key-manager update-passphrase command is used to update the passphrase on one site, then run the security key-manager setup
command with the new passphrase on the partner site before proceeding with any key-manager operations.
Parameters
[-node <nodename>]
- Node Name-
This parameter is used only with onboard key management when a refresh operation is required (see command description). This parameter is ignored when configuring external key management and during the initial setup of onboard key management.
[-cc-mode-enabled {yes|no}]
- Enable Common Criteria Mode?-
When configuring onboard key management, this parameter is used to specify that Common Criteria (CC) mode should be enabled. When CC mode is enabled, you will be required to provide a cluster passphrase that is between 64 and 256 ASCII character long, and you will be required to enter that passphrase each time a node reboots.
[-sync-metrocluster-config {yes|no}]
- Sync MetroCluster Configuration from Peer-
When configuring onboard key management in a MetroCluster configuration, this parameter is used to indicate that the
security key-manager setup
command has been performed on the peer cluster, and that thesecurity key-manager setup
command on this cluster should import the peer's configuration.
Examples
The following example creates a configuration for external key management:
cluster-1::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. Enter the following commands at any time "help" or "?" if you want to have a question clarified, "back" if you want to change your answers to previous questions, and "exit" if you want to quit the key manager setup wizard. Any changes you made before typing "exit" will be applied. Restart the key manager setup wizard with "security key-manager setup". To accept a default or omit a question, do not enter a value. Would you like to configure onboard key management? {yes, no} [yes]: no Would you like to configure the KMIP server environment? {yes, no} [yes]: yes
The following example creates a configuration for onboard key management:
cluster-1::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. Enter the following commands at any time "help" or "?" if you want to have a question clarified, "back" if you want to change your answers to previous questions, and "exit" if you want to quit the key manager setup wizard. Any changes you made before typing "exit" will be applied. Restart the key manager setup wizard with "security key-manager setup". To accept a default or omit a question, do not enter a value. Would you like to configure onboard key management? {yes, no} [yes]: yes Enter the cluster-wide passphrase for onboard key management. To continue the configuration, enter the passphrase, otherwise type "exit": Re-enter the cluster-wide passphrase: After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager backup show" command.
The following example creates a configuration for onboard key management with Common Critera mode enabled:
cluster-1::> security key-manager setup -cc-mode-enabled yes Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. Enter the following commands at any time "help" or "?" if you want to have a question clarified, "back" if you want to change your answers to previous questions, and "exit" if you want to quit the key manager setup wizard. Any changes you made before typing "exit" will be applied. Restart the key manager setup wizard with "security key-manager setup". To accept a default or omit a question, do not enter a value. Would you like to configure onboard key management? {yes, no} [yes]: yes Enter the cluster-wide passphrase for onboard key management. To continue the configuration, enter the passphrase, otherwise type "exit": Re-enter the cluster-wide passphrase: After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager backup show" command.