Restore OKM, NSE, and NVE as needed - AFF A200

Contributors netapp-martyh

Once environment variables are checked, you must complete steps specific to systems that have Onboard Key Manager (OKM), NetApp Storage Encryption (NSE) or NetApp Volume Encryption (NVE) enabled.

Determine which section you should use to restore your OKM, NSE, or NVE configurations:

If NSE or NVE is enabled along with Onboard Key Manager, you must restore the settings you captured at the beginning of this procedure.

Option 1: Restore NVE or NSE when Onboard Key Manager is enabled

Steps
  1. Connect the console cable to the target node.

  2. Use the boot_ontap command at the LOADER prompt to boot the node.

  3. Check the console output:

    If the console displays the LOADER prompt, boot the node to the boot menu with the boot_ontap menu command.

    If the console displays Waiting for giveback…, then:

    1. Enter Ctrl-C at the prompt.

    2. At the message Do you wish to halt this node rather than wait [y/n]?, enter y.

    3. At the LOADER prompt, enter the boot_ontap menu command.

  4. At the boot menu, enter the hidden command recover_onboard_keymanager and reply y at the prompt.

  5. Enter the passphrase for the onboard key manager you obtained from the customer at the beginning of this procedure.

  6. When prompted to enter the backup data, paste the backup data you captured at the beginning of this procedure. This is the output of the security key-manager backup show command or the security key-manager onboard show-backup command.

    Example of backup data:

    --------------------------BEGIN BACKUP--------------------------
    TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAADuD+byAAAAACEAAAAAAAAA
    QAAAAAAAAABvOlH0AAAAAMh7qDLRyH1DBz12piVdy9ATSFMT0C0TlYFss4PDjTaV
    dzRYkLd1PhQLxAWJwOIyqSr8qY1SEBgm1IWgE5DLRqkiAAAAAAAAACgAAAAAAAAA
    3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA
    IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/
    LRzUQRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAACdhTcvAAAAAJ1PXeBf
    ml4NBsSyV1B4jc4A7cvWEFY6lLG6hc6tbKLAHZuvfQ4rIbYAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    . . . .
    H4nPQM0nrDRYRa9SCv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA
    ---------------------------END BACKUP---------------------------

  7. At the Boot Menu select the option for Normal Boot.

    The system boots to the Waiting for giveback… prompt.

  8. Move the console cable to the partner node and log in as admin.

  9. Confirm the target node is ready for giveback with the storage failover show command.

  10. Giveback only the CFO aggregates with the storage failover giveback -fromnode local -only-cfo-aggregates true command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions.

      Note Terminating CIFS can cause loss of data.

    • If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  11. Once the giveback completes, check the failover and giveback status with the storage failover show and storage failover show-giveback commands.

    Only the CFO aggregates (root aggregate and CFO style data aggregates) will be shown.

  12. Move the console cable to the target node.

  13. If you are running ONTAP 9.5 or earlier, run the key-manager setup wizard:

    1. Start the wizard using the security key-manager setup -node nodename command, and then enter the passphrase for onboard key management when prompted.

    2. Enter the security key-manager key show -detail command to see a detailed view of all keys stored in the onboard key manager and verify that the Restored column = yes for all authentication keys.

      Note If the Restored column = anything other than yes, contact Customer Support.

    3. Wait 10 minutes for the key to synchronize across the cluster.

  14. If you are running ONTAP 9.6 or later, run the security key-manager onboard sync command:

    1. Run the security key-manager onboard sync command and then enter the passphrase when prompted.

    2. Enter the security key-manager key query command to see a detailed view of all keys stored in the onboard key manager and verify that the Restored column = yes/true for all authentication keys.

      Note If the Restored column = anything other than yes/true, contact Customer Support.

    3. Wait 10 minutes for the key to synchronize across the cluster.

  15. Move the console cable to the partner node.

  16. Give back the target node using the storage failover giveback -fromnode local command.

  17. Three minutes after the giveback reports complete, check its status using the storage failover show command.

    If giveback is not complete after 20 minutes, contact Customer Support.

  18. At the clustershell prompt, enter the net int show -is-home false command to list the logical interfaces that are not on their home node and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert command.

  19. Move the console cable to the target node and run the version -v command to check the ONTAP versions.

  20. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.
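Step 6 above has you paste a base64 backup that was captured by hand at the start of the procedure, and a truncated or elided copy only shows up later as keys that never report Restored = yes. The following check is an added example, not NetApp code: it validates a captured backup text offline before it is pasted at the boot menu. The BEGIN/END marker lines come from the page's sample; the check that the decoded bytes begin with the ASCII text "NetApp Key Blob" is an assumption drawn from decoding the first line of that same sample. All blobs below are constructed filler, not key material.

```python
import base64
import binascii
import re

BEGIN_MARKER = "BEGIN BACKUP"
END_MARKER = "END BACKUP"
# Assumption drawn from the page's own sample: its first base64 line decodes to
# bytes that begin with the ASCII text "NetApp Key Blob".
MAGIC = b"NetApp Key Blob"
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def extract_payload(text):
    """Return the text between the BEGIN BACKUP and END BACKUP marker lines,
    or None if either marker is missing or they are out of order."""
    lines = text.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        if start is None and BEGIN_MARKER in line:
            start = i
        elif start is not None and END_MARKER in line:
            end = i
            break
    if start is None or end is None:
        return None
    return "\n".join(lines[start + 1:end])


def validate_backup(text):
    """Sanity-check a captured OKM backup before it is pasted at the boot menu.
    Returns (ok, message)."""
    payload = extract_payload(text)
    if payload is None:
        return False, "BEGIN/END BACKUP markers missing or out of order"
    compact = re.sub(r"\s+", "", payload)        # the paste ignores line breaks
    if not compact:
        return False, "empty payload between the markers"
    if NOT_B64.search(compact):
        return False, "payload contains non-base64 characters (elided or mangled copy?)"
    if len(compact) % 4:
        return False, "payload length is not a multiple of 4 (truncated paste?)"
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        return False, f"base64 decode failed: {exc}"
    if not raw.startswith(MAGIC):
        return False, "decoded data does not begin with the NetApp Key Blob header"
    return True, f"ok: {len(raw)} bytes decoded"


def _wrap(s, width=64):
    """Re-wrap a base64 string into 64-character lines, as the CLI prints it."""
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))


# Constructed sample blob: the header followed by filler bytes, not real key material.
_RAW = MAGIC + bytes(range(1, 60)) + b"\x00" * 100
GOOD_BACKUP = (
    "--------------------------BEGIN BACKUP--------------------------\n"
    + _wrap(base64.b64encode(_RAW).decode("ascii")) + "\n"
    + "---------------------------END BACKUP---------------------------\n"
)
# Constructed failure cases: a copy with an elided ". . . ." line in the middle
# (as in a screenshot or doc excerpt) and a copy that lost its END marker.
ELIDED_BACKUP = GOOD_BACKUP.replace("\n", "\n. . . .\n", 1)
CUT_BACKUP = GOOD_BACKUP.split(END_MARKER)[0]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_BACKUP), ("elided", ELIDED_BACKUP), ("cut", CUT_BACKUP)]:
        print(name, validate_backup(blob))
```

The check catches the common copy errors (missing marker, elision dots, a line cut mid-way), but a whole 64-character line dropped from the middle still decodes cleanly, which is why the procedure still has you confirm the Restored column after the sync rather than trusting the paste.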

Option 2: Restore NSE/NVE on systems running ONTAP 9.5 and earlier

Steps
  1. Connect the console cable to the target node.

  2. Use the boot_ontap command at the LOADER prompt to boot the node.

  3. Check the console output:

    If the console displays the login prompt, go to Step 7.

    If the console displays Waiting for giveback…, then:

    1. Log into the partner node.

    2. Confirm the target node is ready for giveback with the storage failover show command.

  4. Move the console cable to the partner node and give back the target node storage using the storage failover giveback -fromnode local -only-cfo-aggregates true command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions.

      Note Terminating CIFS can cause loss of data.

    • If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  5. Wait 3 minutes and check the failover status with the storage failover show command.

  6. At the clustershell prompt, enter the net int show -is-home false command to list the logical interfaces that are not on their home node and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert command.

  7. Move the console cable to the target node and run the version -v command to check the ONTAP versions.

  8. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

  9. Use the storage encryption disk show command at the clustershell prompt to review the output.

    Note This command does not work if NVE (NetApp Volume Encryption) is configured.

  10. Use the security key-manager query command to display the key IDs of the authentication keys that are stored on the key management servers.

    • If the Restored column = yes and all key managers report in an available state, go to Complete the replacement process.

    • If the Restored column = anything other than yes, or one or more key managers is not available, use the security key-manager restore -address command to retrieve and restore all authentication keys (AKs) and key IDs associated with all nodes from all available key management servers.

      Check the output of the security key-manager query command again to ensure that the Restored column = yes and all key managers report in an available state.

  11. If Onboard Key Management is enabled:

    1. Use the security key-manager key show -detail command to see a detailed view of all keys stored in the onboard key manager.

    2. In the output of the security key-manager key show -detail command, verify that the Restored column = yes for all authentication keys.

      If the Restored column = anything other than yes, use the security key-manager setup -node nodename command, where nodename is the repaired (target) node, to restore the Onboard Key Management settings. Rerun the security key-manager key show -detail command to verify that the Restored column = yes for all authentication keys.

  12. Connect the console cable to the partner node.

  13. Give back the node using the storage failover giveback -fromnode local command.

  14. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

Option 3: Restore NSE/NVE on systems running ONTAP 9.6 and later

Steps
  1. Connect the console cable to the target node.

  2. Use the boot_ontap command at the LOADER prompt to boot the node.

  3. Check the console output:

    If the console displays the login prompt, go to Step 7.

    If the console displays Waiting for giveback…, then:

    1. Log into the partner node.

    2. Confirm the target node is ready for giveback with the storage failover show command.

  4. Move the console cable to the partner node and give back the target node storage using the storage failover giveback -fromnode local -only-cfo-aggregates true command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions.

      Note Terminating CIFS can cause loss of data.

    • If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  5. Wait 3 minutes and check the failover status with the storage failover show command.

  6. At the clustershell prompt, enter the net int show -is-home false command to list the logical interfaces that are not on their home node and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert command.

  7. Move the console cable to the target node and run the version -v command to check the ONTAP versions.

  8. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

  9. Use the storage encryption disk show command at the clustershell prompt to review the output.

  10. Use the security key-manager key query command to display the key IDs of the authentication keys that are stored on the key management servers.

    • If the Restored column = yes/true for all keys, you are done and can proceed to complete the replacement process.

    • If the Key Manager type = external and the Restored column = anything other than yes/true, use the security key-manager external restore command to restore the key IDs of the authentication keys.

      Note If the command fails, contact Customer Support.

    • If the Key Manager type = onboard and the Restored column = anything other than yes/true, use the security key-manager onboard sync command to re-sync the onboard key manager.

      Use the security key-manager key query command to verify that the Restored column = yes/true for all authentication keys.

  11. Connect the console cable to the partner node.

  12. Give back the node using the storage failover giveback -fromnode local command.

  13. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.
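Every option on this page ends with the same manual check: read the key-manager output and confirm that the Restored column says yes (or true) for every authentication key on every node, escalating if any key does not. The parser below is an added example, not NetApp code, that does that check over captured command output so it can be scripted or pasted into a ticket. The output layout it parses (Vserver / Key Manager / Node context lines, a column header, a dashed separator, then one row per key with Restored as the last column) is a constructed sample that follows the shape of security key-manager key query on ONTAP 9.6 or later; the parser relies only on Restored being the final column, so applying it to other key-manager listings is an assumption. Node names and key tags in the sample are made up.

```python
import re

RESTORED_OK = {"yes", "true"}
CONTEXT_LINE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_key_query(output):
    """Parse key-manager output into one dict per key row.

    Assumed layout (see the constructed sample below): 'Field: value' context
    lines, a column header, a dashed separator, then rows whose last column is
    Restored and second-to-last is Key Type; everything before is the key tag."""
    records = []
    context = {}
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped:
            in_table = False          # blank line ends a table block; context persists
            continue
        match = CONTEXT_LINE.match(stripped)
        if match and not in_table:
            context[match.group(1).strip()] = match.group(2).strip()
            continue
        if set(stripped) <= set("- "):
            in_table = True           # dashed separator: rows follow
            continue
        if not in_table:
            continue                  # column header line
        cols = stripped.split()
        if len(cols) < 3:
            continue
        records.append({
            "vserver": context.get("Vserver", ""),
            "key_manager": context.get("Key Manager", ""),
            "node": context.get("Node", ""),
            "key_tag": " ".join(cols[:-2]),
            "key_type": cols[-2],
            "restored": cols[-1].lower(),
        })
    return records


def unrestored_keys(records):
    """Rows whose Restored value is anything other than yes/true."""
    return [r for r in records if r["restored"] not in RESTORED_OK]


def all_restored(output):
    """True only if at least one key was parsed and every key is restored.
    Empty output is treated as a failure, not as 'nothing to restore'."""
    records = parse_key_query(output)
    return bool(records) and not unrestored_keys(records)


def report(output):
    """Human-readable lines for the keys that still need attention."""
    return [f"{r['node']} {r['key_manager']} {r['key_type']} {r['key_tag']}: Restored={r['restored']}"
            for r in unrestored_keys(parse_key_query(output))]


# Constructed sample in the assumed layout; node2 has not yet restored its own NSE key.
SAMPLE_QUERY = """\
       Vserver: cluster1
   Key Manager: onboard
          Node: node1

Key Tag                                   Key Type Restored
----------------------------------------- -------- --------
node1                                     NSE-AK   yes
node2                                     NSE-AK   yes
volkey-0001                               VEK      yes

       Vserver: cluster1
   Key Manager: onboard
          Node: node2

Key Tag                                   Key Type Restored
----------------------------------------- -------- --------
node1                                     NSE-AK   yes
node2                                     NSE-AK   no
volkey-0001                               VEK      true
"""

if __name__ == "__main__":
    print("all restored:", all_restored(SAMPLE_QUERY))
    for line in report(SAMPLE_QUERY):
        print("  needs attention:", line)
```

Run it against the text captured from the console session; an empty result from all_restored on real output usually means the command printed in a different layout than the sample assumes, which should be treated as "not verified" rather than "nothing to do".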