Restore OKM, NSE, and NVE as needed - AFF fas8300 and FAS8700

Contributors: netapp-martyh

Once environment variables are checked, you must complete steps specific to systems that have Onboard Key Manager (OKM), NetApp Storage Encryption (NSE) or NetApp Volume Encryption (NVE) enabled.

  1. Determine which section you should use to restore your OKM, NSE, or NVE configuration: if NSE or NVE is enabled along with Onboard Key Manager, you must restore the settings you captured at the beginning of this procedure.

Restore NVE or NSE when Onboard Key Manager is enabled

Steps
  1. Connect the console cable to the target node.

  2. Use the boot_ontap command at the LOADER prompt to boot the node.

  3. Check the console output:

    If the console displays the LOADER prompt, then boot the node to the boot menu: boot_ontap menu

    If the console displays Waiting for giveback…, then:

    1. Enter Ctrl-C at the prompt.

    2. At the message Do you wish to halt this node rather than wait [y/n]?, enter: y

    3. At the LOADER prompt, enter the boot_ontap menu command.

  4. At the Boot Menu, enter the hidden command recover_onboard_keymanager and reply y at the prompt.

  5. Enter the passphrase for the onboard key manager you obtained from the customer at the beginning of this procedure.

  6. When prompted to enter the backup data, paste the backup data you captured at the beginning of this procedure.

    Note The data is output from either security key-manager backup show or security key-manager onboard show-backup command.

    Example of backup data:

    --------------------------BEGIN BACKUP--------------------------
    TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAADuD+byAAAAACEAAAAAAAAA
    QAAAAAAAAABvOlH0AAAAAMh7qDLRyH1DBz12piVdy9ATSFMT0C0TlYFss4PDjTaV
    dzRYkLd1PhQLxAWJwOIyqSr8qY1SEBgm1IWgE5DLRqkiAAAAAAAAACgAAAAAAAAA
    3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA
    IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/
    LRzUQRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAACdhTcvAAAAAJ1PXeBf
    ml4NBsSyV1B4jc4A7cvWEFY6lLG6hc6tbKLAHZuvfQ4rIbYAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    . . . .
    H4nPQM0nrDRYRa9SCv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA
    ---------------------------END BACKUP---------------------------

  7. At the Boot Menu select the option for Normal Boot.

    The system boots to the Waiting for giveback… prompt.

  8. Move the console cable to the partner node and log in as "admin".

  9. Confirm the target node is ready for giveback with the storage failover show command.

  10. Giveback only the CFO aggregates with the storage failover giveback -fromnode local -only-cfo-aggregates true command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions.

      Note Terminating CIFS can cause loss of data.

    • If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  11. Once the giveback completes, check the failover and giveback status with the storage failover show and storage failover show-giveback commands.

    Only the CFO aggregates (root aggregate and CFO style data aggregates) will be shown.

  12. Move the console cable to the target node.

    1. If you are running ONTAP 9.6 or later, run the security key-manager onboard sync command.

    2. Enter the passphrase when prompted.

    3. Enter the security key-manager key query command to see a detailed view of all keys stored in the onboard key manager and verify that the Restored column = yes/true for all authentication keys.

      Note If the Restored column = anything other than yes/true, contact Customer Support.

    4. Wait 10 minutes for the key to synchronize across the cluster.

  13. Move the console cable to the partner node.

  14. Give back the target node using the storage failover giveback -fromnode local command.

  15. Check the giveback status, 3 minutes after it reports complete, using the storage failover show command.

    If giveback is not complete after 20 minutes, contact Customer Support.

  16. At the clustershell prompt, enter the net int show -is-home false command to list the logical interfaces that are not on their home node and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert command.

  17. Move the console cable to the target node and run the version -v command to check the ONTAP versions.

  18. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

Restore NSE/NVE on systems running ONTAP 9.6 and later

Steps
  1. Connect the console cable to the target node.

  2. Use the boot_ontap command at the LOADER prompt to boot the node.

  3. Check the console output:

    If the console displays the login prompt, then go to Step 7.

    If the console displays Waiting for giveback…, then:

    1. Log into the partner node.

    2. Confirm the target node is ready for giveback with the storage failover show command.

  4. Move the console cable to the partner node and give back the target node storage using the storage failover giveback -fromnode local -only-cfo-aggregates true command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions.

      Note Terminating CIFS can cause loss of data.

    • If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  5. Wait 3 minutes and check the failover status with the storage failover show command.

  6. At the clustershell prompt, enter the net int show -is-home false command to list the logical interfaces that are not on their home node and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert command.

  7. Move the console cable to the target node and run the version -v command to check the ONTAP versions.

  8. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

  9. Use the storage encryption disk show command at the clustershell prompt and review the output.

  10. Use the security key-manager key query command to display the key IDs of the authentication keys that are stored on the key management servers.

    • If the Restored column = yes/true, you are done and can proceed to complete the replacement process.

    • If the Key Manager type = external and the Restored column = anything other than yes/true, use the security key-manager external restore command to restore the key IDs of the authentication keys.

      Note If the command fails, contact Customer Support.

    • If the Key Manager type = onboard and the Restored column = anything other than yes/true, use the security key-manager onboard sync command to re-sync the Key Manager type.

      Use the security key-manager key query command to verify that the Restored column = yes/true for all authentication keys.
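The Restored check in step 3 of the Onboard Key Manager section and the decision rules in step 10 above are the same verification. The following is an added example, not NetApp's code or output: it parses constructed security key-manager key query output and names the next step (done, external restore, onboard sync, or contact Customer Support when the key manager type is neither). The header labels "Node:" and "Key Manager Type:", the values onboard/external, and the key IDs are assumptions modelled on ONTAP's tabular style and are not captured from a real system.

```python
"""Check `security key-manager key query` output and pick the next step.

Added example. The layout parsed here (a "Node:" / "Key Manager Type:"
header, then a "Key ID ... Restored" table) is an assumption modelled on
ONTAP's output style; both samples below are constructed, not captured
from a real system. Decision rules follow step 10 of the NSE/NVE procedure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TRUE_VALUES = {"yes", "true"}  # the procedure treats Restored = yes/true as success


@dataclass
class KeyRecord:
    node: str
    key_manager_type: str  # "onboard" or "external" (assumed spelling)
    key_id: str
    restored: str          # raw value of the Restored column


def parse_key_query(text: str) -> list[KeyRecord]:
    """Parse one or more per-node sections into KeyRecord rows."""
    records: list[KeyRecord] = []
    node = kind = ""
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_table = False            # blank line ends a node's table
            continue
        m = re.match(r"^(Node|Key Manager Type):\s*(\S+)$", line)
        if m:
            in_table = False
            if m.group(1) == "Node":
                node = m.group(2)
            else:
                kind = m.group(2).lower()
            continue
        if set(line) <= {"-", " "}:
            in_table = True             # separator row: data rows follow
            continue
        if in_table:
            parts = line.split()
            if len(parts) >= 2:         # first column Key ID, last column Restored
                records.append(KeyRecord(node, kind, parts[0], parts[-1]))
    return records


def next_action(records: list[KeyRecord]) -> tuple[str, list[str]]:
    """Return (next command or status, key IDs still not restored)."""
    if not records:
        raise ValueError("no authentication keys found in output")
    pending = [r for r in records if r.restored.lower() not in TRUE_VALUES]
    if not pending:
        return "done", []
    kinds = {r.key_manager_type for r in pending}
    ids = [r.key_id for r in pending]
    if kinds == {"external"}:
        return "security key-manager external restore", ids
    if kinds == {"onboard"}:
        return "security key-manager onboard sync", ids
    # Anything else (unknown or mixed key manager type) is outside the
    # procedure's two rules, so hand it to support rather than guess.
    return "contact Customer Support", ids


# Constructed samples: node names, key IDs and layout are placeholders.
SAMPLE_ALL_RESTORED = """\
       Node: node1
    Vserver: cluster1
 Key Manager Type: onboard
Key ID                                                           Restored
---------------------------------------------------------------- --------
0000000000000000020000000000010000000000000000000000000000000001 true
0000000000000000020000000000010000000000000000000000000000000002 true
"""

SAMPLE_PENDING_EXTERNAL = """\
       Node: node1
    Vserver: cluster1
 Key Manager Type: external
Key ID                                                           Restored
---------------------------------------------------------------- --------
0000000000000000020000000000010000000000000000000000000000000001 true
0000000000000000020000000000010000000000000000000000000000000002 false

       Node: node2
    Vserver: cluster1
 Key Manager Type: external
Key ID                                                           Restored
---------------------------------------------------------------- --------
0000000000000000020000000000010000000000000000000000000000000001 true
"""

if __name__ == "__main__":
    for name, sample in (("all restored", SAMPLE_ALL_RESTORED),
                         ("pending external", SAMPLE_PENDING_EXTERNAL)):
        action, ids = next_action(parse_key_query(sample))
        print(f"{name}: {action}; not restored: {ids or 'none'}")
```

Paste the real command output into parse_key_query in place of the samples; any key whose Restored value is not yes/true is listed so it can be compared against the key IDs captured at the start of the procedure.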

  11. Connect the console cable to the partner node.

  12. Give back the node using the storage failover giveback -fromnode local command.

  13. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.