Restore OKM, NSE, and NVE as needed - AFF FAS8300 and FAS8700

Once the environment variables are checked, you must complete steps specific to systems that have Onboard Key Manager (OKM), NetApp Storage Encryption (NSE), or NetApp Volume Encryption (NVE) enabled.

Determine which section you should use to restore your OKM, NSE, or NVE configuration. If NSE or NVE is enabled along with Onboard Key Manager, you must restore the settings you captured at the beginning of this procedure.

- If NSE or NVE is enabled and Onboard Key Manager is enabled, go to "Restore NVE or NSE when Onboard Key Manager is enabled".
- If NSE or NVE is enabled on a system running ONTAP 9.6 or later (without Onboard Key Manager), go to "Restore NSE/NVE on systems running ONTAP 9.6 and later".
Restore NVE or NSE when Onboard Key Manager is enabled

1. Connect the console cable to the target controller.
2. Use the `boot_ontap` command at the LOADER prompt to boot the controller.
3. Check the console output:

   If the console displays...    Then...
   The LOADER prompt             Boot the controller to the boot menu: `boot_ontap menu`
   Waiting for giveback...       a. Enter `Ctrl-C` at the prompt.
                                 b. At the message "Do you wish to halt this node rather than wait [y/n]?", enter `y`.
                                 c. At the LOADER prompt, enter the `boot_ontap menu` command.

4. At the Boot Menu, enter the hidden command `recover_onboard_keymanager` and reply `y` at the prompt.
5. Enter the passphrase for the onboard key manager that you obtained from the customer at the beginning of this procedure.
6. When prompted to enter the backup data, paste the backup data you captured at the beginning of this procedure. Paste the output of the `security key-manager backup show` or `security key-manager onboard show-backup` command (the data is the output of either of these commands).

   Example of backup data:

   --------------------------BEGIN BACKUP--------------------------
   TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAADuD+byAAAAACEAAAAAAAAA
   QAAAAAAAAABvOlH0AAAAAMh7qDLRyH1DBz12piVdy9ATSFMT0C0TlYFss4PDjTaV
   dzRYkLd1PhQLxAWJwOIyqSr8qY1SEBgm1IWgE5DLRqkiAAAAAAAAACgAAAAAAAAA
   3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA
   IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/
   LRzUQRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAACdhTcvAAAAAJ1PXeBf
   ml4NBsSyV1B4jc4A7cvWEFY6lLG6hc6tbKLAHZuvfQ4rIbYAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   . . . .
   H4nPQM0nrDRYRa9SCv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AAAAAAAA
   ---------------------------END BACKUP---------------------------

7. At the Boot Menu, select the option for Normal Boot.
   The system boots to the "Waiting for giveback..." prompt.
8. Confirm that the target controller is ready for giveback with the `storage failover show` command.
9. Give back only the CFO aggregates with the `storage failover giveback -fromnode local -only-cfo-aggregates true` command.
   - If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.
   - If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions. Terminating CIFS can cause loss of data.
   - If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.
   - If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.
10. Once the giveback completes, check the failover and giveback status with the `storage failover show` and `storage failover show -giveback` commands. Only the CFO aggregates (the root aggregate and CFO-style data aggregates) will be shown.
11. Move the console cable to the target controller.
12. If you are running ONTAP 9.6 or later, run the security key-manager onboard sync:
    a. Run the `security key-manager onboard sync` command and then enter the passphrase when prompted.
    b. Enter the `security key-manager key query` command to see a detailed view of all keys stored in the onboard key manager, and verify that the `Restored` column = `yes/true` for all authentication keys. If the `Restored` column = anything other than `yes/true`, contact Customer Support.
    c. Wait 10 minutes for the key to synchronize across the cluster.
13. Move the console cable to the partner controller.
14. Give back the target controller using the `storage failover giveback -fromnode local` command.
15. Check the giveback status, 3 minutes after it reports complete, using the `storage failover show` command. If giveback is not complete after 20 minutes, contact Customer Support.
16. At the clustershell prompt, enter the `net int show -is-home false` command to list the logical interfaces that are not on their home controller and port. If any interfaces are listed as `false`, revert those interfaces back to their home port using the `net int revert -vserver Cluster -lif nodename` command.
17. Move the console cable to the target controller and run the `version -v` command to check the ONTAP versions.
18. Restore automatic giveback if you disabled it by using the `storage failover modify -node local -auto-giveback true` command.
Restore NSE/NVE on systems running ONTAP 9.6 and later

1. Connect the console cable to the target controller.
2. Use the `boot_ontap` command at the LOADER prompt to boot the controller.
3. Check the console output:

   If the console displays...    Then...
   The login prompt              Go to Step 7.
   Waiting for giveback...       a. Log into the partner controller.
                                 b. Confirm that the target controller is ready for giveback with the `storage failover show` command.

4. Move the console cable to the partner controller and give back the target controller storage using the `storage failover giveback -fromnode local -only-cfo-aggregates true` command.
   - If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.
   - If the command fails because of open CIFS sessions, check with the customer how to close out the CIFS sessions. Terminating CIFS can cause loss of data.
   - If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.
   - If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.
5. Wait 3 minutes and check the failover status with the `storage failover show` command.
6. At the clustershell prompt, enter the `net int show -is-home false` command to list the logical interfaces that are not on their home controller and port. If any interfaces are listed as `false`, revert those interfaces back to their home port using the `net int revert -vserver Cluster -lif nodename` command.
7. Move the console cable to the target controller and run the `version -v` command to check the ONTAP versions.
8. Restore automatic giveback if you disabled it by using the `storage failover modify -node local -auto-giveback true` command.
9. Use the `storage encryption disk show` command at the clustershell prompt to review the output.
10. Use the `security key-manager key query` command to display the key IDs of the authentication keys that are stored on the key management servers.
    - If the `Restored` column = `yes/true`, you are done and can proceed to complete the replacement process.
    - If the `Key Manager type` = `external` and the `Restored` column = anything other than `yes/true`, use the `security key-manager external restore` command to restore the key IDs of the authentication keys. If the command fails, contact Customer Support.
    - If the `Key Manager type` = `onboard` and the `Restored` column = anything other than `yes/true`, use the `security key-manager onboard sync` command to re-sync the Key Manager type. Then use the `security key-manager key query` command to verify that the `Restored` column = `yes/true` for all authentication keys.
11. Connect the console cable to the partner controller.
12. Give back the controller using the `storage failover giveback -fromnode local` command.
13. Restore automatic giveback if you disabled it by using the `storage failover modify -node local -auto-giveback true` command.
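Both procedures end on the same verification point: every authentication key listed by `security key-manager key query` must show `Restored` = `yes/true`, and a single key left unrestored means encrypted disks or volumes may not come back online. On a cluster with many NSE drives and NVE volumes, reading that column by eye is error-prone, so the following POSIX shell script, added here as an example and not NetApp's own tooling, parses a captured copy of the command output and lists any key whose `Restored` value is not `yes`/`true`. The output layout embedded in the script is constructed to approximate the command's table (the `Vserver`/`Key Manager`/`Node` header, a `Key Tag`/`Key Type`/`Restored` table with a `Key ID:` line under each row, and a trailing "entries were displayed" line); the node names, key tags, and key IDs are placeholders, and the `ssh` capture shown in the comments is assumed rather than taken from this page.

```shell
#!/bin/sh
# Added example (not NetApp code): flag authentication keys whose Restored column is
# not yes/true in captured output of `security key-manager key query`.
# A real run would capture the text first, for example (assumed, not from the page):
#   ssh admin@<cluster-mgmt-ip> "security key-manager key query" > keys.txt
#   check_keys_restored < keys.txt

# CONSTRUCTED sample output approximating the command's table layout.
# Node names, key tags and key IDs are placeholders.
SAMPLE_KEY_QUERY='       Vserver: cluster1
   Key Manager: onboard
          Node: node1

Key Tag                               Key Type  Restored
------------------------------------- --------- --------
node1                                 NSE-AK    yes
   Key ID: 000000000000000002000000000001000000000000000000PLACEHOLDER01
node1                                 NSE-AK    no
   Key ID: 000000000000000002000000000001000000000000000000PLACEHOLDER02

       Vserver: cluster1
   Key Manager: onboard
          Node: node2

Key Tag                               Key Type  Restored
------------------------------------- --------- --------
node2                                 NSE-AK    yes
   Key ID: 000000000000000002000000000001000000000000000000PLACEHOLDER03
vol_encrypted                         VEK       true
   Key ID: 000000000000000002000000000001000000000000000000PLACEHOLDER04
4 entries were displayed.'

# Read the table from stdin; print "<key tag> <key type> <restored> <key id>"
# for every row whose Restored column is not yes/true (case-insensitive).
keys_not_restored() {
    awk '
        /entries were displayed/ { next }          # trailing summary line
        /^ *Vserver:/            { in_table = 0; next }  # new per-node header block
        /^-+ +-+ +-+/            { in_table = 1; next }  # separator row: data rows follow
        in_table && /^ *Key ID:/ {                 # Key ID belongs to the preceding row
            if (pending) { print pending, $3; pending = "" }
            next
        }
        in_table && NF >= 3 {
            r = tolower($3)
            if (r != "yes" && r != "true") pending = $1 " " $2 " " $3
        }
        END { if (pending) print pending, "-" }    # row without a Key ID line
    '
}

# Exit status 0 when every key is restored, 1 otherwise (offending keys are printed).
check_keys_restored() {
    missing=$(keys_not_restored)
    if [ -n "$missing" ]; then
        echo "Keys NOT restored (repeat the restore/sync step or contact Customer Support):"
        echo "$missing"
        return 1
    fi
    echo "All authentication keys show Restored = yes/true"
}

# Stand-alone run against the constructed sample: reports the node1 key with
# Restored = no and sets status=1.
status=0
printf '%s\n' "$SAMPLE_KEY_QUERY" | check_keys_restored || status=$?
```

The script resets its table state on each `Vserver:` header so that the `Key Manager: onboard` line of a second node's block is not mistaken for a data row, and it treats the `Key ID:` line as belonging to the row above it, which is why a flagged key is printed only once its ID has been read. The same check applies after step 12b of the Onboard Key Manager procedure and after step 10 of the ONTAP 9.6 and later procedure; an `external` key manager that still shows unrestored keys after `security key-manager external restore` is the case the page says to escalate to Customer Support.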