Post boot media replacement steps for OKM, NSE, and NVE - FAS9500
Once environment variables are checked, you must complete steps specific to restore Onboard Key Manager (OKM), NetApp Storage Encryption (NSE) and NetApp Volume Encryption (NVE).
-
Determine which section you should use to restore your OKM, NSE, or NVE configurations: If NSE or NVE are enabled along with Onboard Key Manager you must restore settings you captured at the beginning of this procedure.
-
If NSE or NVE are enabled and Onboard Key Manager is enabled, go to Restore NVE or NSE when Onboard Key Manager is enabled.
-
If NSE or NVE are enabled for ONTAP 9.6, go to Restore NSE/NVE on systems running ONTAP 9.6 and later.
-
Restore NVE or NSE when Onboard Key Manager is enabled
-
Connect the console cable to the target node.
-
Use the
boot_ontap
command at the LOADER prompt to boot the node. -
Check the console output:
If the console displays… Then… The LOADER prompt
Boot the node to the boot menu:
boot_ontap menu
Waiting for giveback….
-
Enter
Ctrl-C
at the prompt -
At the message: Do you wish to halt this node rather than wait [y/n]? , enter:
y
-
At the LOADER prompt, enter the
boot_ontap menu
command.
-
-
At the Boot Menu, enter the hidden command,
recover_onboard_keymanager
, and replyy
at the prompt. -
Enter the passphrase for the onboard key manager you obtained from the customer at the beginning of this procedure.
-
When prompted to enter the backup data, paste the backup data you captured at the beginning of this section, when asked. Paste the output of
security key-manager backup show
ORsecurity key-manager onboard show-backup
command.The data is output from either security key-manager backup show
or security key-manager onboard show-backup` command.Example of backup data:
Enter the backup data:
--------------------------BEGIN BACKUP-------------------------- TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAADuD+byAAAAACEAAAAAAAAA QAAAAAAAAABvOlH0AAAAAMh7qDLRyH1DBz12piVdy9ATSFMT0C0TlYFss4PDjTaV dzRYkLd1PhQLxAWJwOIyqSr8qY1SEBgm1IWgE5DLRqkiAAAAAAAAACgAAAAAAAAA 3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/ LRzUQRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAACdhTcvAAAAAJ1PXeBf ml4NBsSyV1B4jc4A7cvWEFY6lLG6hc6tbKLAHZuvfQ4rIbYAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA . . . . H4nPQM0nrDRYRa9SCv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA
---------------------------END BACKUP---------------------------
-
At the Boot Menu select the option for Normal Boot.
The system boots to Waiting for giveback… prompt.
-
Move the console cable to the partner node and log in as admin.
-
Confirm the target node is ready for giveback with the
storage failover show
command. -
Give back only the CFO aggregates with the
storage failover giveback -fromnode local -only-cfo-aggregates true
command.-
If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.
-
If the command fails because of an open CIFS session, check with the customer how to close out CIFS sessions.
Terminating CIFS can cause loss of data. -
If the command fails because the partner "not ready", wait 5 minutes for the NVRAMs to synchronize.
-
If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate content for more information.
-
-
Once the giveback completes, check the failover and giveback status with the
storage failover show
and storage failover show-giveback commands.Only the CFO aggregates (root aggregate and CFO style data aggregates) will be shown.
-
If you are running ONTAP 9.6 or later, run the security key-manager onboard sync:
-
Run the
security key-manager onboard sync
command and then enter the passphrase when prompted. -
Enter the
security key-manager key-query
command to see a detailed view of all keys stored in the onboard key manager and verify that theRestored
column =yes/true
for all authentication keys.If the Restored
column = anything other thanyes/true
, contact Customer Support. -
Wait 10 minutes for the key to synchronize across the cluster.
-
-
Move the console cable to the partner node.
-
Give back the target node using the
storage failover giveback -fromnode local
command. -
Check the giveback status, three minutes after it reports complete, using the
storage failover show
command.If giveback is not complete after 20 minutes, contact Customer Support.
-
At the clustershell prompt, enter the
net int show -is-home false
command to list the logical interfaces that are not on their home node and port.If any interfaces are listed as
false
, revert those interfaces back to their home port using thenet int revert
command. -
Move the console cable to the target node and run the
version -v
command to check the ONTAP versions. -
Restore automatic giveback if you disabled it by using the
storage failover modify -node local -auto-giveback true
command.
Restore NSE/NVE on systems running ONTAP 9.6 and later
-
Connect the console cable to the target node.
-
Use the
boot_ontap
command at the LOADER prompt to boot the node. -
Check the console output:
If the console displays… Then… The login prompt
Go to step 7.
Waiting for giveback…
-
Log into the partner node.
-
Confirm the target node is ready for giveback with the
storage failover show
command.
-
-
Move the console cable to the partner node and give back the target node storage using the
storage failover giveback -fromnode local -only-cfo-aggregates true local
command.-
If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.
-
If the command fails because of an open CIFS sessions, check with customer how to close out CIFS sessions.
Terminating CIFS can cause loss of data. -
If the command fails because the partner is "not ready", wait 5 minutes for the NVMEMs to synchronize.
-
If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate content for more information.
-
-
Wait 3 minutes and check the failover status with the
storage failover show
command. -
At the clustershell prompt, enter the
net int show -is-home false
command to list the logical interfaces that are not on their home node and port.If any interfaces are listed as
false
, revert those interfaces back to their home port using thenet int revert
command. -
Move the console cable to the target node and run the
version -v
command to check the ONTAP versions. -
Restore automatic giveback if you disabled it by using the
storage failover modify -node local -auto-giveback true
command. -
Use the
storage encryption disk show
at the clustershell prompt, to review the output. -
Use the
security key-manager key-query
command to display the encryption and authentication keys that are stored on the key management servers.-
If the
Restored
column =yes/true
, you are done and can proceed to complete the replacement process. -
If the
Key Manager type
=external
and theRestored
column = anything other thanyes/true
, use thesecurity key-manager external restore
command to restore the key IDs of the authentication keys.If the command fails, contact Customer Support. -
If the
Key Manager type
=onboard
and theRestored
column = anything other thanyes/true
, use thesecurity key-manager onboard sync
command to re-sync the Key Manager type.Use the
security key-manager key-query
command to verify that theRestored
column =yes/true
for all authentication keys.
-
-
Connect the console cable to the partner node.
-
Give back the node using the
storage failover giveback -fromnode local
command. -
Restore automatic giveback if you disabled it by using the
storage failover modify -node local -auto-giveback true
command.