Skip to main content
A newer release of this product is available.

ekmip.ikpkms events

Contributors
Suggest changes

ekmip.ikpkms.200.missingField

Severity

ALERT

Description

This message occurs when trying to access the key owned by the IBM Key Protect (IKP) Key Management Service (KMS) and an "OK" response (code 200) is received but one field of the response is not populated. Reasons for IKP KMS key access errors include a disabled key, a destroyed key, key not found, or a user not having sufficient privileges to access the key. ONTAP polls the IKP KMS to verify key accessibility. The missing field is integral in determining the status of the key.

Corrective Action

The IKP KMS provided a response with a status of 200 (OK) that did not contain all of the expected fields. Contact technical support to resolve this issue.

Syslog Message

A 200 OK response was received from IKP KMS but the field "%s" was missing for Vserver "%s" with Keymanager Name "%s" associated with key "%s" owned by IKP KMS region "%s" with instance ID "%s".

Parameters

missingField (STRING): Name of the field that is not populated.
vserver (STRING): Name of the Vserver where the IKP KMS is configured.
kmName (STRING): The name of the IKP KMS.
keyId (STRING): The Key ID associated with this IKP KMS instance.
region (STRING): The region associated with this IKP KMS instance.
instanceId (STRING): IKP KMS Instance ID.

ekmip.ikpkms.available

Severity

NOTICE

Description

This message occurs when a configured IBM Key Protect (IKP) Key Management Service (KMS) that was unavailable for key operations is now available.

Corrective Action

(None).

Syslog Message

The IKP KMS with region: "%s", instance ID: "%s", and key ID: "%s" configured for Vserver "%s" with Keymanager Name "%s" is now available.

Parameters

region (STRING): The region associated with this IKP KMS instance.
instanceId (STRING): IKP KMS Instance ID.
keyId (STRING): The Key ID associated with this IKP KMS instance.
vserver (STRING): Name of the Vserver where the IKP KMS is configured.
kmName (STRING): The name of the IKP KMS.

ekmip.ikpkms.keyVersionChg

Severity

NOTICE

Description

This message occurs when the key version associated with the key ID of the configured IBM Key Protect (IKP) Key Management Service (KMS) changes. The key version might have been auto-rotated or manually changed at the IKP KMS. Additionally, as a result of updated key version, the top-level internal key-protection key has been successfully rewrapped with the current key version of the IKP KMS key ID.

Corrective Action

(None).

Syslog Message

The version of the key "%s" owned by IKP KMS region "%s" and instance ID "%s", configured for Vserver "%s" with Keymanager Name "%s", has been changed from "%s" to "%s".

Parameters

keyId (STRING): The Key ID associated with this IKP KMS instance.
region (STRING): The region associated with this IKP KMS instance.
instanceId (STRING): IKP KMS Instance ID.
vserver (STRING): Name of the Vserver where the IKP KMS is configured.
kmName (STRING): The name of the IKP KMS.
oldKeyVersion (STRING): Prior key version.
newKeyVersion (STRING): New key version.

ekmip.ikpkms.notAvailable

Severity

ALERT

Description

This message occurs when a check for the availability of the configured IBM Key Protect (IKP) Key Management Service (KMS) fails. The IKP KMS might be down or there might be a network-related problem preventing communication. Without access to the IKP KMS, the node might be unable to restore authentication keys needed to unlock NetApp Storage Encryption (NSE) drives or encryption keys needed to mount encrypted volumes. If the IKP KMS is unavailable, then the next time this node boots, the failure to restore the keys might prevent the node from booting successfully or the encrypted volumes hosted on this node from coming online.

Corrective Action

Verify that the IKP KMS configuration is correct by using the "security key-manager external ikp show -vserver <vserver_name>" command, and verify that the IKP KMS cluster state is available. If the cluster state is unavailable, run the "security key-manager external ikp restore" command to bring the cluster state to available. If the issue still persists, contact NetApp technical support.

Syslog Message

The IKP KMS with region: "%s", instance ID: "%s", and key ID: "%s" configured for Vserver "%s" with Keymanager Name "%s" is not available.

Parameters

region (STRING): The region associated with this IKP KMS instance.
instanceId (STRING): IKP KMS Instance ID.
keyId (STRING): The Key ID associated with this IKP KMS instance.
vserver (STRING): Name of the Vserver where the IKP KMS is configured.
kmName (STRING): The name of the IKP KMS.

ekmip.ikpkms.volOffline

Severity

ALERT

Description

This message occurs when the volumes belonging to the Vserver are taken offline due to errors received when trying to access the key owned by the IBM Key Protect (IKP) Key Management Service (KMS). Reasons for IKP KMS key access errors include a disabled key, a destroyed key, key not found, or a user not having sufficient privileges to access the key. ONTAP polls the IKP KMS to verify key accessibility. If, after 60 minutes, ONTAP has not received a successful response to a poll, volumes are taken offline and remain offline until the key access issues are resolved at the IKP KMS. Subsequently, if ONTAP does receive a successful response, the volumes will be brought back online automatically.

Corrective Action

Resolve the key access issues at the IKP KMS portal. Ensure that the key is active and the user has the required privileges to access the key.

Syslog Message

Encrypted volumes belonging to Vserver "%s" with Keymanager Name "%s" were taken offline due to key access errors associated with key "%s" owned by IKP KMS region "%s" and instance ID "%s".

Parameters

vserver (STRING): Name of the Vserver where the IKP KMS is configured.
kmName (STRING): The name of the IKP KMS.
keyId (STRING): The Key ID associated with this IKP KMS instance.
region (STRING): The region associated with this IKP KMS instance.
instanceId (STRING): IKP KMS Instance ID.