
security key-manager external enable


Enable external key management

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command enables the external key manager associated with the given Vserver. This command is not supported when a key manager for the given Vserver is already enabled. When enabling the external key manager associated with the admin Vserver, you must run the same command specifying the same set of key servers on the peer cluster. When enabling the external key manager for a data Vserver, you can run the security key-manager external enable command on the active cluster only, as the configuration will be replicated on the peer cluster. However, you must ensure that the key management servers specified in the security key-manager external enable command are reachable from both clusters. Only primary key servers can be added using this command.

Parameters

-vserver <vserver name> - Vserver Name

Use this parameter to specify the Vserver on which the external key manager is to be enabled.

-key-servers <Hostname and Port>,… - List of External Key Management Servers

Use this parameter to specify the list of up to four key management servers that the external key manager uses to store keys.

-client-cert <text> - Name of the Client Certificate

Use this parameter to specify the unique name of the client certificate that the key management servers use to ensure the identity of ONTAP.

-server-ca-certs <text>,… - Names of the Server CA Certificates

Use this parameter to specify the unique names of the server CA certificates that ONTAP uses to verify the identity of the key management servers.

[-policy <text>] - Key Manager Policy

Use this parameter to specify a specific key manager security policy to be used by this key manager.

Examples

The following example enables the external key manager for Vserver cluster-1. The command includes three key management servers. The first key server's hostname is ks1.local and is listening on port 15696. The second key server's IP address is 10.0.0.10 and is listening on the default port 5696. The third key server's IPv6 address is fd20:8b1e:b255:814e:32bd:f35c:832c:5a09, and is listening on port 1234.

cluster-1::> security key-manager external enable -vserver cluster-1 -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs ServerCaCert1,ServerCaCert2
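The -key-servers value above mixes three entry shapes: a hostname with an explicit port, a bare IPv4 address that falls back to the default port 5696, and a bracketed IPv6 literal followed by a port. The following Python is an added example, not ONTAP code, that parses such a value into (host, port) pairs under the rules the page states (up to four entries, default port 5696, IPv6 in brackets) and adds a plain TCP connect check so an operator can confirm each server is reachable from both clusters before enabling the key manager. The bracket requirement for IPv6 and the duplicate-entry rejection are this example's own assumptions.

```python
import ipaddress
import socket
from typing import List, Tuple

# Default KMIP port used when an entry carries no port (stated on the page).
DEFAULT_KEY_SERVER_PORT = 5696
# The page states the -key-servers list holds up to four entries.
MAX_KEY_SERVERS = 4


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_key_server(entry: str) -> Tuple[str, int]:
    """Parse one -key-servers entry into (host, port).

    Accepted shapes, following the page's example:
      hostname or IPv4 address, optionally followed by :port
      [IPv6 literal], optionally followed by :port
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty key server entry")

    if entry.startswith("["):
        # Bracketed IPv6 literal; the port, if any, follows the closing bracket.
        close = entry.find("]")
        if close == -1:
            raise ValueError(f"unterminated IPv6 literal: {entry!r}")
        host = entry[1:close]
        ipaddress.IPv6Address(host)  # raises ValueError on a malformed address
        rest = entry[close + 1:]
        if rest == "":
            return host, DEFAULT_KEY_SERVER_PORT
        if rest.startswith(":"):
            return host, _parse_port(rest[1:])
        raise ValueError(f"unexpected text after IPv6 literal: {entry!r}")

    if entry.count(":") > 1:
        # An unbracketed IPv6 address is ambiguous with host:port (assumption: require brackets).
        raise ValueError(f"IPv6 address must be bracketed: {entry!r}")

    host, sep, port_text = entry.partition(":")
    if not host:
        raise ValueError(f"missing host in entry: {entry!r}")
    port = _parse_port(port_text) if sep else DEFAULT_KEY_SERVER_PORT
    return host, port


def parse_key_servers(value: str) -> List[Tuple[str, int]]:
    """Parse the comma-separated -key-servers value and enforce the limit of four."""
    entries = [e for e in value.split(",") if e.strip()]
    if not entries:
        raise ValueError("at least one key server is required")
    if len(entries) > MAX_KEY_SERVERS:
        raise ValueError(f"at most {MAX_KEY_SERVERS} key servers allowed, got {len(entries)}")
    servers = [parse_key_server(e) for e in entries]
    if len(set(servers)) != len(servers):  # assumption: duplicates are a configuration error
        raise ValueError("duplicate key server entries")
    return servers


def reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check. Run it from every cluster that must reach the key servers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # The -key-servers value from the page's example.
    example = "ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234"
    for host, port in parse_key_servers(example):
        print(f"{host} port {port}: reachable={reachable(host, port)}")
```

Run the parse step on the exact value you intend to pass to security key-manager external enable; a malformed entry is caught before the command is issued, and the reachability loop, run once on each cluster, covers the page's requirement that all listed servers be reachable from both sides.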