security key-manager external create-config
Create an inactive external key manager
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command enables an ONTAP administrator to create an inactive external key manager configuration for the admin Vserver. This facilitates switching between the Onboard Key Manager (OKM) and an external key manager (EKM) without migrating the keys to a data SVM.
Parameters
-vserver <vserver name>
- Vserver Name
Use this parameter to specify the Vserver on which the external key manager configuration is to be created.
-key-servers <Hostname and Port>,…
- List of External Key Management Servers
Use this parameter to specify a list of up to four key management servers that the external key manager will use to store keys.
-client-cert <text>
- Name of the Client Certificate
Use this parameter to specify the unique name of the client certificate that the key management servers will use to verify the identity of the ONTAP client.
-server-ca-certs <text>,…
- Names of the Server CA Certificates
Use this parameter to specify the unique names of server-ca certificates that ONTAP will use to verify the identity of the key management servers.
Examples
The following example creates an inactive external key manager configuration for Vserver cluster-1 with the configuration name "default". The command includes three key management servers. The first key server, with hostname ks1.local, listens on port 5696. The second key server, with IP address 10.0.0.10, listens on the default port 5696. The third key server, with IPv6 address fd20:8b1e:b255:814e:32bd:f35c:832c:5a09, listens on port 5696.
cluster-1::> security key-manager external create-config -vserver cluster-1 -key-servers ks1.local:5696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:5696 -client-cert AdminVserverClientCert -server-ca-certs ServerCaCert1,ServerCaCert2
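The -key-servers value mixes three address forms (hostname:port, a bare IPv4 address that falls back to the default port 5696, and a bracketed IPv6 literal with an explicit port) and is capped at four servers. The following validator, an added example that is not ONTAP code and not part of this reference page, parses such a value before it is pasted into the command, so that a typo in the list is caught locally rather than discovered when the configuration is later activated. The bracketed-IPv6 rule, the default port and the four-server limit are taken from the page; the hostname is otherwise accepted as written, and the helper names are this example's own.

```python
import ipaddress

# Values taken from the page: the example's default port and the four-server limit.
DEFAULT_KMIP_PORT = 5696
MAX_KEY_SERVERS = 4


def parse_key_server(entry: str) -> tuple[str, int]:
    """Parse one -key-servers element into (host, port).

    Accepted forms, all seen in the page's example:
      hostname:port, bare hostname or IPv4 (default port 5696),
      [IPv6]:port, bare [IPv6] (default port 5696).
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty key server entry")

    if entry.startswith("["):
        # Bracketed IPv6 literal; the brackets separate the address from the port.
        close = entry.find("]")
        if close == -1:
            raise ValueError(f"unterminated IPv6 literal: {entry!r}")
        host = entry[1:close]
        try:
            ipaddress.IPv6Address(host)
        except ValueError as exc:
            raise ValueError(f"invalid IPv6 literal {host!r}") from exc
        rest = entry[close + 1:]
        if rest == "":
            return host, DEFAULT_KMIP_PORT
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {entry!r}")
        port_text = rest[1:]
    else:
        # An unbracketed entry may carry at most one colon (the port separator);
        # more than one means an IPv6 address that should have been bracketed.
        if entry.count(":") > 1:
            raise ValueError(f"IPv6 addresses must be bracketed: {entry!r}")
        host, sep, port_text = entry.partition(":")
        if not host:
            raise ValueError(f"missing host in {entry!r}")
        if not sep:
            return host, DEFAULT_KMIP_PORT

    if not port_text.isdigit():
        raise ValueError(f"port must be numeric in {entry!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {entry!r}")
    return host, port


def parse_key_servers(spec: str) -> list[tuple[str, int]]:
    """Parse the whole comma-separated value and enforce the four-server limit."""
    entries = spec.split(",")
    if len(entries) > MAX_KEY_SERVERS:
        raise ValueError(f"at most {MAX_KEY_SERVERS} key servers allowed, got {len(entries)}")
    servers = [parse_key_server(e) for e in entries]
    if len(set(servers)) != len(servers):
        raise ValueError("duplicate key server entries")
    return servers


def check_key_servers(spec: str) -> tuple[bool, str]:
    """Convenience wrapper: (True, summary) when the list is well formed, else (False, reason)."""
    try:
        servers = parse_key_servers(spec)
    except ValueError as exc:
        return False, str(exc)
    return True, "; ".join(f"{host} port {port}" for host, port in servers)


if __name__ == "__main__":
    # The -key-servers value from the page's example, used here as sample input.
    example = "ks1.local:5696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:5696"
    print(check_key_servers(example))
```

Running the script on the page's example prints a summary of three servers, each on port 5696. The checks it performs (bracketing of IPv6 literals, numeric ports within range, no more than four entries, no duplicates) are the ones that otherwise surface only as a failed key server connection after the configuration is switched to active.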