security key-manager external enable
Enable external key management
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command enables the external key manager associated with the given Vserver. It is not supported when a key manager is already enabled for that Vserver. When enabling the external key manager associated with the admin Vserver, you must also run the same command, specifying the same set of key servers, on the peer cluster. When enabling the external key manager for a data Vserver, run the security key-manager external enable command on the active cluster only, because the configuration is replicated to the peer cluster. However, you must ensure that the key management servers specified in the security key-manager external enable command are reachable from both clusters. Only primary key servers can be added using this command.
Parameters
-vserver <vserver name>
- Vserver Name-
Use this parameter to specify the Vserver on which the external key manager is to be enabled.
-key-servers <Hostname and Port>,…
- List of External Key Management Servers-
Use this parameter to specify the list of up to four key management servers that the external key manager uses to store keys.
-client-cert <text>
- Name of the Client Certificate-
Use this parameter to specify the unique name of the client certificate that the key management servers use to verify the identity of ONTAP.
-server-ca-certs <text>,…
- Names of the Server CA Certificates-
Use this parameter to specify the unique names of the server-ca certificates that ONTAP uses to verify the identity of the key management servers.
[-policy <text>]
- Key Manager Policy-
Use this parameter to specify a specific key manager security policy to be used by this key manager.
Examples
The following example enables the external key manager for Vserver cluster-1. The command includes three key management servers. The first key server's hostname is ks1.local and is listening on port 15696. The second key server's IP address is 10.0.0.10 and is listening on the default port 5696. The third key server's IPv6 address is fd20:8b1e:b255:814e:32bd:f35c:832c:5a09, and is listening on port 1234.
cluster-1::> security key-manager external enable -vserver cluster-1 -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs ServerCaCert1,ServerCaCert2
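The following Python script is an added example; it is not ONTAP code and does not appear on the original page. It parses and validates a -key-servers list in the syntax shown in the example above (hostname or IPv4 address with an optional :port, IPv6 literal in square brackets, default port 5696, at most four servers) and renders the resulting enable command, so the argument can be checked before it is typed at the cluster prompt. The rules beyond what the page states (comma separation, brackets required for IPv6, the hostname character set, rejection of duplicate entries) are this script's own assumptions, and tcp_reachable is a hypothetical helper for the requirement that the servers be reachable from both clusters: it opens a TCP connection and is meant to be run from each cluster's management network, not offline.

```python
"""Pre-flight check for the -key-servers argument of
`security key-manager external enable`.

Added example, not ONTAP code. Facts taken from the page: the default
port is 5696 and at most four key servers may be given. Everything else
(comma separation, bracketed IPv6, hostname syntax, duplicate rejection)
is this script's own assumption.
"""
import ipaddress
import re
import socket
from typing import List, NamedTuple, Optional

DEFAULT_PORT = 5696   # default key-server port stated on the page
MAX_SERVERS = 4       # "up to four key management servers"

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*\.?$")


class KeyServer(NamedTuple):
    host: str
    port: int
    family: str  # "hostname", "ipv4" or "ipv6"

    def render(self) -> str:
        """Render in the form the CLI accepts; IPv6 literals are bracketed."""
        host = f"[{self.host}]" if self.family == "ipv6" else self.host
        return f"{host}:{self.port}"


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_key_server(entry: str) -> KeyServer:
    """Parse one entry: host[:port], a.b.c.d[:port] or [v6addr][:port]."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty key-server entry")
    if entry.startswith("["):
        close = entry.find("]")
        if close < 0:
            raise ValueError(f"unterminated IPv6 bracket: {entry!r}")
        addr = ipaddress.ip_address(entry[1:close])  # ValueError if malformed
        if addr.version != 6:
            raise ValueError(f"bracketed address is not IPv6: {entry!r}")
        rest = entry[close + 1:]
        if rest == "":
            port = DEFAULT_PORT
        elif rest.startswith(":"):
            port = _parse_port(rest[1:])
        else:
            raise ValueError(f"unexpected text after IPv6 literal: {entry!r}")
        return KeyServer(str(addr), port, "ipv6")
    if entry.count(":") > 1:
        raise ValueError(f"IPv6 literal must be bracketed: {entry!r}")
    host, sep, port_text = entry.partition(":")
    port = _parse_port(port_text) if sep else DEFAULT_PORT
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid hostname: {host!r}") from None
        return KeyServer(host, port, "hostname")
    return KeyServer(str(addr), port, "ipv4")


def parse_key_servers(text: str) -> List[KeyServer]:
    """Parse the whole comma-separated list and apply the list-level limits."""
    servers = [parse_key_server(e) for e in text.split(",")]
    if len(servers) > MAX_SERVERS:
        raise ValueError(f"{len(servers)} servers given, maximum is {MAX_SERVERS}")
    seen = set()
    for s in servers:
        key = (s.host.lower(), s.port)
        if key in seen:
            raise ValueError(f"duplicate key server: {s.render()}")
        seen.add(key)
    return servers


def validate_key_servers(text: str) -> Optional[str]:
    """Return None if the list is acceptable, else the first problem found."""
    try:
        parse_key_servers(text)
    except ValueError as exc:
        return str(exc)
    return None


def build_enable_command(vserver: str, key_servers: str, client_cert: str,
                         server_ca_certs: List[str], policy: Optional[str] = None) -> str:
    """Assemble the CLI line with the key-server list in canonical form."""
    servers = parse_key_servers(key_servers)
    parts = [
        "security key-manager external enable",
        f"-vserver {vserver}",
        "-key-servers " + ",".join(s.render() for s in servers),
        f"-client-cert {client_cert}",
        "-server-ca-certs " + ",".join(server_ca_certs),
    ]
    if policy:
        parts.append(f"-policy {policy}")
    return " ".join(parts)


def tcp_reachable(server: KeyServer, timeout: float = 3.0) -> bool:
    """Hypothetical helper: TCP connect to the key server. Run it from each
    cluster (the page requires reachability from both); it is not run offline."""
    try:
        with socket.create_connection((server.host, server.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # The key-server list from the page's own example.
    example = "ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234"
    for server in parse_key_servers(example):
        print(server)
    print(build_enable_command("cluster-1", example, "AdminVserverClientCert",
                               ["ServerCaCert1", "ServerCaCert2"]))
```

Run the script from a workstation to check the list before the change window; the rendered command makes the default port explicit for every server, and a non-None result from validate_key_servers names the entry that would be rejected. The reachability helper is only meaningful when executed from each cluster, since a server reachable from the workstation may still be unreachable from the peer cluster's network.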