
Configure clustered external key servers in ONTAP

Contributors netapp-aoife netapp-ahibbard netapp-aaron-holt netapp-bhouser netapp-dbagwell

Beginning with ONTAP 9.11.1, you can configure connectivity to clustered external key management servers on an SVM. With clustered key servers, you can designate primary and secondary key servers on an SVM. When registering or retrieving keys, ONTAP first attempts to access the primary key server before sequentially attempting to access secondary servers until the operation completes successfully.

You can use external key servers for NetApp Storage Encryption (NSE), NetApp Volume Encryption (NVE), and NetApp Aggregate Encryption (NAE) keys. An SVM can support up to four primary external KMIP servers. Each primary server can support up to three secondary key servers.

About this task
Before you begin
  • KMIP key management must be enabled for the SVM.

  • All nodes in the cluster must be running ONTAP 9.11.1 or later.

  • The order of servers listed in the -secondary-key-servers parameter reflects the access order of the external key management (KMIP) servers.

Create a clustered key server

The configuration procedure depends on whether or not you have configured a primary key server.

Add primary and secondary key servers to an SVM
Steps
  1. Confirm that no key management has been enabled for the cluster (admin SVM):

    security key-manager external show -vserver <svm_name>

    If the SVM already has the maximum of four primary key servers enabled, you must remove one of the existing primary key servers before adding a new one.

  2. Enable the primary key manager:

    security key-manager external enable -vserver <svm_name> -key-servers <primary_key_server_ip> -client-cert <client_cert_name> -server-ca-certs <server_ca_cert_names>

    • If you don't specify a port in the -key-servers parameter, the default port 5696 is used.

      Note If you are running the security key-manager external enable command for the admin SVM in a MetroCluster configuration, you must run the command on both clusters. If you are running the command for an individual data SVM, you don't need to run the command on both clusters. NetApp strongly recommends using the same key servers on both clusters.
  3. Modify the primary key server to add secondary key servers. The -secondary-key-servers parameter accepts a comma-separated list of up to three key servers:

    security key-manager external modify-server -vserver <svm_name> -key-servers <primary_key_server> -secondary-key-servers <list_of_key_servers>

    • Do not include a port number for secondary key servers in the -secondary-key-servers parameter. It uses the same port number as the primary key server.

      Note If you are running the security key-manager external modify-server command for the admin SVM in a MetroCluster configuration, you must run the command on both clusters. If you are running the command for an individual data SVM, you don't need to run the command on both clusters. NetApp strongly recommends using the same key servers on both clusters.
Add secondary key servers to an existing primary key server
Steps
  1. Modify the primary key server to add secondary key servers. The -secondary-key-servers parameter accepts a comma-separated list of up to three key servers:

    security key-manager external modify-server -vserver <svm_name> -key-servers <primary_key_server> -secondary-key-servers <list_of_key_servers>

    • Do not include a port number for secondary key servers in the -secondary-key-servers parameter. It uses the same port number as the primary key servers.

      Note If you are running the security key-manager external modify-server command for the admin SVM in a MetroCluster configuration, you must run the command on both clusters. If you are running the command for an individual data SVM, you don't need to run the command on both clusters. NetApp strongly recommends using the same key servers on both clusters.

For more information about secondary key servers, see Modify secondary key servers.

Modify clustered key servers

You can modify clustered external key servers by adding and removing secondary key servers, changing the access order of secondary key servers, or by changing the designation (primary or secondary) of particular key servers. If you modify clustered external key servers in a MetroCluster configuration, NetApp strongly recommends using the same key servers on both clusters.

Modify secondary key servers

Use the -secondary-key-servers parameter of the security key-manager external modify-server command to manage secondary key servers. The -secondary-key-servers parameter accepts a comma-separated list. The order of the secondary key servers in the list determines the access sequence for the secondary key servers. You can change the access order by running security key-manager external modify-server again with the secondary key servers entered in a different sequence. Do not include a port number for secondary key servers.

Note If you are running the security key-manager external modify-server command for the admin SVM in a MetroCluster configuration, you must run the command on both clusters. If you are running the command for an individual data SVM, you don't need to run the command on both clusters.

To remove a secondary key server, include the key servers you want to keep in the -secondary-key-servers parameter and omit the one you want to remove. To remove all secondary key servers, use the argument -, signifying none.
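The access order and list rules described above and in the procedures earlier on this page, modelled as an added example (not NetApp or ONTAP code). It assumes primaries are walked in the order they are listed, each followed by its own secondaries; the host names in the test are constructed.

```python
"""Model of the clustered key server access order this page describes.
Added example, not NetApp code: encodes the page's rules (at most four
primaries per SVM, at most three secondaries per primary, secondaries carry
no port and use the primary's port, default 5696, '-' means no secondaries)."""
from __future__ import annotations

DEFAULT_KMIP_PORT = 5696
MAX_PRIMARIES = 4
MAX_SECONDARIES = 3

def parse_server(spec: str) -> tuple[str, int]:
    """Split 'host' or 'host:port' (hostnames/IPv4) into (host, port)."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, DEFAULT_KMIP_PORT  # no port given: ONTAP uses 5696

def parse_secondaries(value: str) -> list[str]:
    """Parse a -secondary-key-servers argument; '-' signifies none."""
    if value.strip() == "-":
        return []
    servers = [s.strip() for s in value.split(",") if s.strip()]
    if any(":" in s for s in servers):
        raise ValueError("secondary key servers must not include a port number")
    if len(servers) > MAX_SECONDARIES:
        raise ValueError("a primary key server supports at most three secondaries")
    return servers

def access_order(config: dict[str, str]) -> list[tuple[str, int]]:
    """config maps each primary 'host[:port]' to its -secondary-key-servers
    string; returns the (host, port) sequence tried until one succeeds.
    Assumption: primaries are tried in the listed order, each with its secondaries."""
    if len(config) > MAX_PRIMARIES:
        raise ValueError("an SVM supports at most four primary key servers")
    order: list[tuple[str, int]] = []
    for primary, secondaries in config.items():
        host, port = parse_server(primary)
        order.append((host, port))
        # secondaries inherit the primary's port, as the page states
        order.extend((s, port) for s in parse_secondaries(secondaries))
    return order

def first_reachable(config: dict[str, str], reachable: set[str]):
    """Simulate one key operation: first server in access order that answers."""
    for host, port in access_order(config):
        if host in reachable:
            return host, port
    return None  # every primary and secondary failed
```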

Convert primary and secondary key servers

You can use the following steps to change the designation (primary or secondary) of particular key servers.

Convert a primary key server into a secondary key server
Steps
  1. Remove the primary key server from the SVM:

    security key-manager external remove-servers

    Note If you are running the security key-manager external remove-servers command for the admin SVM in a MetroCluster configuration, you must run the command on both clusters. If you are running the command for an individual data SVM, you don't need to run the command on both clusters.
  2. Perform the Create a clustered key server procedure using the former primary key server as a secondary key server.

Convert a secondary key server into a primary key server
Steps
  1. Remove the secondary key server from its existing primary key server:

    security key-manager external modify-server -secondary-key-servers

    Note
    • If you are running the security key-manager external modify-server -secondary-key-servers command for the admin SVM in a MetroCluster configuration, you must run the command on both clusters. If you are running the command for an individual data SVM, you don't need to run the command on both clusters.

    • If you convert a secondary key server to a primary key server while removing an existing key server, attempting to add a new key server before completing the removal and conversion can result in the duplication of keys.

  2. Perform the Create a clustered key server procedure using the former secondary key server as the primary key server of the new clustered key server.

Refer to Modify secondary key servers for more information.
