ekmip.gckms events

Contributors

ekmip.gckms.available

Severity

NOTICE

Description

This message occurs when a configured Google Cloud Key Management Service (GCKMS) that was previously reported as unavailable for key operations is now available.

Corrective Action

(None).

Syslog Message

The GCKMS with project ID: %s, key ring location: %s, key ring: %s and key name: %s configured for Vserver "%s" is now available.

Parameters

projectId (STRING): Project ID.
keyringLocation (STRING): Location of the key ring.
keyringName (STRING): Name of the key ring.
keyName (STRING): Name of the key.
vserver (STRING): Name of the Vserver where the GCKMS is configured.

ekmip.gckms.keyVersionChg

Severity

NOTICE

Description

This message occurs when a change is made to the current key version associated with the key name of the configured Google Cloud KMS (GCKMS). The key version might have been auto-rotated or manually changed at the GCKMS. Additionally, the top-level internal key-protection key has been successfully re-wrapped with the current key version of the GCKMS key name.

Corrective Action

(None).

Syslog Message

The version of the key "%s" owned by Google Cloud KMS Project "%s", with key ring "%s" at "%s", configured for Vserver "%s", has been changed from "%s" to "%s".

Parameters

keyName (STRING): Name of the key.
projectId (STRING): Project ID of the GCKMS.
keyringName (STRING): Name of the key ring.
keyringLocation (STRING): Location of the key ring.
vserver (STRING): Name of the Vserver where the GCKMS is configured.
oldKeyVersion (STRING): Prior key version.
newKeyVersion (STRING): New key version.

ekmip.gckms.notAvailable

Severity

ALERT

Description

This message occurs when a check for the availability of the configured Google Cloud Key Management Service (GCKMS) fails. The GCKMS might be down or there might be a network-related problem preventing communication. Without access to the GCKMS, the node might not be able to restore authentication keys needed to unlock NSE drives or encryption keys needed to mount encrypted volumes. If the GCKMS is not available, then the next time this node boots, the failure to restore the keys might prevent the node from booting successfully or the encrypted volumes hosted on this node from coming online.

Corrective Action

Verify that the GCKMS configuration is correct by using the "security key-manager external gcp show -vserver <vserver_name>" command, and verify that the cluster state is available. If the cluster state is not available, run the "security key-manager external gcp restore" command to bring the cluster state to available. If the issue still persists, contact technical support.

Syslog Message

The GCKMS with project ID: %s, key ring location: %s, key ring: %s and key name: %s configured for Vserver "%s" is not available.

Parameters

projectId (STRING): Project ID.
keyringLocation (STRING): Location of the key ring.
keyringName (STRING): Name of the key ring.
keyName (STRING): Name of the key.
vserver (STRING): Name of the Vserver where the GCKMS is configured.

ekmip.gckms.volOffline

Severity

ALERT

Description

This message occurs when the volumes belonging to the Vserver have been taken offline due to errors received when trying to access the key owned by the Google Cloud KMS (GCKMS). Reasons for GCKMS key access errors include a disabled key, a destroyed key, key not found, or a user not having sufficient privileges to access the key. ONTAP polls the GCKMS every 15 minutes to verify key accessibility. If, after 60 minutes, ONTAP has not received a successful response to a poll, volumes are taken offline and remain offline until the key access issues are resolved at the GCKMS. Subsequently, if ONTAP does receive a successful response, the volumes will be brought back online automatically.

Corrective Action

Resolve the key access issues at the GCKMS portal. Ensure that the key is active and the user has the required privileges to access the key.

Syslog Message

Encrypted volumes belonging to Vserver "%s" have been taken offline due to key access errors associated with key "%s" owned by Google Cloud KMS Project "%s" with key ring location "%s" and key ring "%s".

Parameters

vserver (STRING): Name of the Vserver where the GCKMS is configured.
keyName (STRING): Name of the key.
projectId (STRING): ID of the GCKMS project.
keyringLocation (STRING): Location of the key ring.
keyringName (STRING): Name of the key ring.