ONTAP MetroCluster

Configure end-to-end encryption in a MetroCluster IP configuration

Contributors netapp-aoife

Beginning with ONTAP 9.15.1, you can configure end-to-end encryption to encrypt back-end traffic, such as NVlog and storage replication data, between the sites in a MetroCluster IP configuration.

About this task
  • You must be a cluster administrator to perform this task.

  • Before you can configure end-to-end encryption, you must Configure external key management.

  • Review the supported systems and minimum ONTAP release required to configure end-to-end encryption in a MetroCluster IP configuration:

    Minimum ONTAP release   Supported systems
    ---------------------   ----------------------------
    ONTAP 9.15.1            AFF A400, FAS8300, FAS8700

Enable end-to-end encryption

Perform the following steps to enable end-to-end encryption.

Steps
  1. Verify the health of the MetroCluster configuration.

    1. Verify that the MetroCluster components are healthy:

      metrocluster check run
      cluster_A::*> metrocluster check run

      The operation runs in the background.

    2. After the metrocluster check run operation completes, run:

      metrocluster check show

      After approximately five minutes, the following results are displayed:

      cluster_A::*> metrocluster check show
      
      Component           Result
      ------------------- ---------
      nodes               ok
      lifs                ok
      config-replication  ok
      aggregates          ok
      clusters            ok
      connections         not-applicable
      volumes             ok
      7 entries were displayed.

    3. Check the status of the running MetroCluster check operation:

      metrocluster operation history show -job-id <id>

    4. Verify that there are no health alerts:

      system health alert show

  2. Verify that external key management is configured on both clusters:

    security key-manager external show-status

  3. Enable end-to-end encryption for each DR group:

    metrocluster modify -is-encryption-enabled true -dr-group-id <dr_group_id>

    Example

    cluster_A::*> metrocluster modify -is-encryption-enabled true -dr-group-id 1
    Warning: Enabling encryption for a DR Group will secure NVLog and Storage
             replication data sent between MetroCluster nodes and have an impact on
             performance. Do you want to continue? {y|n}: y
    [Job 244] Job succeeded: Modify is successful.

    Repeat this step for each DR group in the configuration.

  4. Verify that end-to-end encryption is enabled:

    metrocluster node show -fields is-encryption-enabled

    Example

    cluster_A::*> metrocluster node show -fields is-encryption-enabled
    
    dr-group-id cluster    node      configuration-state is-encryption-enabled
    ----------- ---------- --------  ------------------- -----------------
    1           cluster_A  node_A_1  configured          true
    1           cluster_A  node_A_2  configured          true
    1           cluster_B  node_B_1  configured          true
    1           cluster_B  node_B_2  configured          true
    4 entries were displayed.

Disable end-to-end encryption

Perform the following steps to disable end-to-end encryption.

Steps
  1. Verify the health of the MetroCluster configuration.

    1. Verify that the MetroCluster components are healthy:

      metrocluster check run
      cluster_A::*> metrocluster check run

      The operation runs in the background.

    2. After the metrocluster check run operation completes, run:

      metrocluster check show

      After approximately five minutes, the following results are displayed:

      cluster_A::*> metrocluster check show
      
      Component           Result
      ------------------- ---------
      nodes               ok
      lifs                ok
      config-replication  ok
      aggregates          ok
      clusters            ok
      connections         not-applicable
      volumes             ok
      7 entries were displayed.

    3. Check the status of the running MetroCluster check operation:

      metrocluster operation history show -job-id <id>

    4. Verify that there are no health alerts:

      system health alert show

  2. Verify that external key management is configured on both clusters:

    security key-manager external show-status

  3. Disable end-to-end encryption on each DR group:

    metrocluster modify -is-encryption-enabled false -dr-group-id <dr_group_id>

    Example

    cluster_A::*> metrocluster modify -is-encryption-enabled false -dr-group-id 1
    [Job 244] Job succeeded: Modify is successful.

    Repeat this step for each DR group in the configuration.

  4. Verify that end-to-end encryption is disabled:

    metrocluster node show -fields is-encryption-enabled

    Example

    cluster_A::*> metrocluster node show -fields is-encryption-enabled
    
    dr-group-id cluster    node      configuration-state is-encryption-enabled
    ----------- ---------- --------  ------------------- -----------------
    1           cluster_A  node_A_1  configured          false
    1           cluster_A  node_A_2  configured          false
    1           cluster_B  node_B_1  configured          false
    1           cluster_B  node_B_2  configured          false
    4 entries were displayed.
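The verification steps in both the enable and the disable procedures above, as an added example that is not from the NetApp page: a small Python parser for the `metrocluster check show` and `metrocluster node show -fields is-encryption-enabled` output that reports any component that is not healthy and any node in a DR group whose encryption state does not match what you just set. The sample output is constructed to mirror the page's examples, with one node deliberately left in the wrong state so the check has something to flag.

```python
"""Added example (not NetApp's code): parse the two ONTAP verification
commands shown on this page and flag anything that is not in the expected
state after enabling or disabling end-to-end encryption."""

# Constructed sample of `metrocluster check show` output (matches the page).
CHECK_SHOW = """\
Component           Result
------------------- ---------
nodes               ok
lifs                ok
config-replication  ok
aggregates          ok
clusters            ok
connections         not-applicable
volumes             ok
7 entries were displayed.
"""

# Constructed sample of `metrocluster node show -fields is-encryption-enabled`;
# node_B_2 is intentionally left with encryption disabled.
NODE_SHOW = """\
dr-group-id cluster    node      configuration-state is-encryption-enabled
----------- ---------- --------  ------------------- -----------------
1           cluster_A  node_A_1  configured          true
1           cluster_A  node_A_2  configured          true
1           cluster_B  node_B_1  configured          true
1           cluster_B  node_B_2  configured          false
4 entries were displayed.
"""

def parse_table(text):
    """Turn ONTAP's whitespace-aligned 'show' output into a list of dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[2:]:                      # skip header and dashed rule
        if line.endswith("entries were displayed."):
            break                               # trailing summary line
        rows.append(dict(zip(header, line.split())))
    return rows

def unhealthy_components(check_show_text):
    """Components whose Result is neither 'ok' nor 'not-applicable'."""
    return [r["Component"] for r in parse_table(check_show_text)
            if r["Result"] not in ("ok", "not-applicable")]

def encryption_mismatches(node_show_text, dr_group_id, expected):
    """Nodes in the DR group that are not 'configured' or whose
    is-encryption-enabled value differs from expected ('true' or 'false')."""
    return [r["node"] for r in parse_table(node_show_text)
            if r["dr-group-id"] == str(dr_group_id)
            and (r["configuration-state"] != "configured"
                 or r["is-encryption-enabled"] != expected)]
```

Run it against the real command output (for example, captured over SSH to the cluster) after step 3 of either procedure; an empty list from both functions means the DR group is in the state the procedure expects.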