security key-manager setup
(DEPRECATED) - Configure key manager connectivity
Availability: This command is available to cluster administrators at the admin privilege level.
Description
This command is deprecated and might be removed in a future release. To set up an external key manager, use security key-manager external enable, and to set up the Onboard Key Manager, use security key-manager onboard enable instead.
The security key-manager setup command enables you to configure key management. Data ONTAP supports two mutually exclusive key management methods: external, via one or more Key Management Interoperability Protocol (KMIP) servers, or internal, via the Onboard Key Manager. This command is used to configure either an external or an internal key manager. When configuring external key management, the command records on every node the networking information that is used during the boot process to retrieve the keys needed for booting from the KMIP servers. For the Onboard Key Manager, the command prompts you for a passphrase that protects the internal keys in encrypted form.
This command can also be used to refresh missing onboard keys. For example, if you add a node to a cluster that has the Onboard Key Manager configured, you will run this command to refresh the missing keys.
For the Onboard Key Manager in a MetroCluster configuration, if the security key-manager update-passphrase command is used to update the passphrase on one site, run the security key-manager setup command with the new passphrase on the partner site before proceeding with any further key-manager operations.
Parameters
[-node <nodename>]
- Node Name-
This parameter is used only with the Onboard Key Manager when a refresh operation is required (see command description). This parameter is ignored when configuring external key management and during the initial setup of the Onboard Key Manager.
[-cc-mode-enabled {yes|no}]
- Enable Common Criteria Mode?-
When configuring the Onboard Key Manager, this parameter specifies that Common Criteria (CC) mode should be enabled. When CC mode is enabled, you must provide a cluster-wide passphrase that is between 64 and 256 ASCII characters long, and you must enter that passphrase each time a node reboots.
[-sync-metrocluster-config {yes|no}]
- Sync MetroCluster Configuration from Peer-
When configuring the Onboard Key Manager in a MetroCluster configuration, this parameter indicates that the security key-manager setup command has already been run on the peer cluster, and that the security key-manager setup command on this cluster should import the peer's configuration.
[-are-unencrypted-metadata-volumes-allowed-in-cc-mode {yes|no}]
- Are Unencrypted Metadata Volumes Allowed in CC-Mode-
If Common Criteria (CC) mode is enabled, this parameter allows unencrypted metadata volumes to exist. These metadata volumes are created internally during normal operation; examples are volumes created during SnapMirror and Vserver migrate operations. The default value is no.
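The CC-mode passphrase rule above (64 to 256 ASCII characters, re-entered at every node reboot) is enforced only when the wizard or the boot prompt reads the value. The following shell script is an added example, not part of this documentation and not NetApp code: it generates a passphrase from the kernel CSPRNG and pre-checks any candidate against that rule before it is ever typed into the wizard. The function names and the choice of alphabet are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not NetApp code): generate and vet a cluster-wide passphrase
# for Onboard Key Manager Common Criteria mode. The only rule taken from the
# documentation is "64 to 256 ASCII characters"; everything else is a choice
# made here for operational safety.

CC_MIN_LEN=64
CC_MAX_LEN=256

# Count the bytes of $1 that are outside printable ASCII (0x21-0x7E).
# Space is deliberately excluded, so a blank picked up by copy/paste is
# caught here rather than at the reboot prompt.
_cc_non_ascii_count() {
    LC_ALL=C printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c
}

# Return 0 if $1 satisfies the CC-mode rule, 1 otherwise (reason on stderr).
cc_passphrase_ok() {
    p="$1"
    bad=$(( $(_cc_non_ascii_count "$p") ))
    if [ "$bad" -ne 0 ]; then
        echo "passphrase: $bad byte(s) are not printable ASCII" >&2
        return 1
    fi
    # Every byte is ASCII, so the byte count is the character count.
    len=$(( $(LC_ALL=C printf '%s' "$p" | wc -c) ))
    if [ "$len" -lt "$CC_MIN_LEN" ] || [ "$len" -gt "$CC_MAX_LEN" ]; then
        echo "passphrase: length $len is outside $CC_MIN_LEN..$CC_MAX_LEN" >&2
        return 1
    fi
    return 0
}

# Print a fresh passphrase of $1 characters (default CC_MIN_LEN) read from
# /dev/urandom. The alphabet is a 68-symbol subset of printable ASCII that
# avoids shell and CLI quoting characters; at about 6.1 bits per symbol the
# minimum length still carries roughly 390 bits of entropy.
cc_passphrase_gen() {
    n="${1:-$CC_MIN_LEN}"
    if [ "$n" -lt "$CC_MIN_LEN" ] || [ "$n" -gt "$CC_MAX_LEN" ]; then
        echo "requested length $n is outside $CC_MIN_LEN..$CC_MAX_LEN" >&2
        return 1
    fi
    LC_ALL=C tr -dc 'A-Za-z0-9._:+=-' < /dev/urandom | head -c "$n"
    echo
}

# Demonstration: generate one passphrase, accept it, and show two rejections.
demo_pp=$(cc_passphrase_gen 72)
cc_passphrase_ok "$demo_pp" && echo "generated 72-character passphrase accepted"
cc_passphrase_ok "tooshort" || echo "short value rejected as expected"
cc_passphrase_ok "$demo_pp " || echo "trailing space rejected as expected"
```

Run the script once to see a generated value, then pass the passphrase you intend to use to cc_passphrase_ok before starting security key-manager setup -cc-mode-enabled yes. Because the same passphrase is demanded at every reboot of every node, generate it once, store it with the same care as the encrypted backup data the wizard tells you to save, and never regenerate it on the partner site of a MetroCluster configuration without running the update-passphrase and setup steps described above.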
Examples
The following example creates a configuration for external key management:
cluster-1::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".

To accept a default or omit a question, do not enter a value.

Would you like to configure the Onboard Key Manager? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes
The following example creates a configuration for the Onboard Key Manager:
cluster-1::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".

To accept a default or omit a question, do not enter a value.

Would you like to configure the Onboard Key Manager? {yes, no} [yes]: yes
Enter the cluster-wide passphrase for the Onboard Key Manager.
To continue the configuration, enter the passphrase, otherwise type "exit":
Re-enter the cluster-wide passphrase:

After configuring the Onboard Key Manager, save the encrypted configuration
data in a safe location so that you can use it if you need to perform a
manual recovery operation. To view the data, use the
"security key-manager backup show" command.
The following example creates a configuration for the Onboard Key Manager with Common Criteria mode enabled:
cluster-1::> security key-manager setup -cc-mode-enabled yes
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup".

To accept a default or omit a question, do not enter a value.

Would you like to configure the Onboard Key Manager? {yes, no} [yes]: yes
Enter the cluster-wide passphrase for the Onboard Key Manager.
To continue the configuration, enter the passphrase, otherwise type "exit":
Re-enter the cluster-wide passphrase:

After configuring the Onboard Key Manager, save the encrypted configuration
data in a safe location so that you can use it if you need to perform a
manual recovery operation. To view the data, use the
"security key-manager backup show" command.