Configure clustered external key servers

Contributors netapp-ahibbard

Beginning in ONTAP 9.11.1, you can configure connectivity to clustered external key management servers on an SVM. With clustered key servers, you can designate primary and secondary key servers on an SVM. When registering keys, ONTAP first attempts to access a primary key server, then sequentially attempts the secondary servers until the operation completes successfully, preventing duplication of keys.

External key servers can be used for NSE, NVE, NAE, and SED keys. An SVM can support up to four primary external KMIP servers. Each primary server can support up to three secondary key servers.

Before you begin

Create a clustered key server

The configuration procedure depends on whether or not you have configured a primary key server.

Add primary and secondary key servers to an SVM
  1. Confirm that no key management has been enabled for the cluster:
    security key-manager external show -vserver vserver_name
    If the SVM already has the maximum of four primary key servers enabled, you must remove one of the existing primary key servers before adding a new one.

  2. Enable the primary key manager:
    security key-manager external enable -vserver vserver_name -key-servers server_ip -client-cert client_cert_name -server-ca-certs server_ca_cert_names

  3. Modify the primary key server to add secondary key servers. The -secondary-key-servers parameter accepts a comma-separated list of up to three key servers.
    security key-manager external modify-server -vserver vserver_name -key-servers primary_key_server -secondary-key-servers list_of_key_servers

Add secondary key servers to an existing primary key server
  1. Modify the primary key server to add secondary key servers. The -secondary-key-servers parameter accepts a comma-separated list of up to three key servers.
    security key-manager external modify-server -vserver vserver_name -key-servers primary_key_server -secondary-key-servers list_of_key_servers
    For more information about secondary key servers, see Modifying secondary key servers.

Modify clustered key servers

You can modify external key server clusters by changing the status (primary or secondary) of particular key servers, by adding and removing secondary key servers, or by changing the access order of secondary key servers.

Converting primary and secondary key servers

To convert a primary key server into a secondary key server, you must first remove it from the SVM with the security key-manager external remove-servers command.

To convert a secondary key server into a primary key server, you must first remove the secondary key server from its existing primary key server. See Modifying secondary key servers. If you convert a secondary key server to a primary server while removing an existing key, attempting to add a new server before completing the removal and conversion can result in the duplication of keys.

Modifying secondary key servers

Secondary key servers are managed with the -secondary-key-servers parameter of the security key-manager external modify-server command. The -secondary-key-servers parameter accepts a comma-separated list. The specified order of the secondary key servers in the list determines the access sequence for the secondary key servers. The access order can be modified by running the command security key-manager external modify-server with the secondary key servers entered in a different sequence.

To remove a secondary key server, the -secondary-key-servers arguments should include the key servers you want to keep while omitting the one to be removed. To remove all secondary key servers, use the argument -, signifying none.
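The following is an added example, not ONTAP code or part of the original page. It models one SVM's clustered key-server configuration as described in the procedures above and in this section: it enforces the stated limits (four primary servers per SVM, three secondaries per primary, a server cannot be both primary and secondary at once), treats list order as access order, renders an empty secondary list as the `-` argument, and prints the `security key-manager external` commands that would apply each change. The SVM, certificate and server names are constructed placeholders; the comma-separated form of `-key-servers` on `enable`, the `-key-servers` parameter of `remove-servers`, and dropping a removed primary's secondaries with it are assumptions of the model.

```python
"""Model of clustered external key servers on one SVM.

Added example, not ONTAP code. It enforces the limits stated on the page and
renders the `security key-manager external` commands for each change.
Assumed: `enable -key-servers` takes a comma-separated list, `remove-servers`
takes `-key-servers`, and removing a primary drops its secondaries with it.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_PRIMARY = 4    # primary KMIP servers per SVM
MAX_SECONDARY = 3  # secondary servers per primary
NONE = "-"         # argument that clears all secondary key servers


@dataclass
class SvmKeyServers:
    vserver: str
    client_cert: str
    server_ca_certs: str
    # primary server -> its secondary servers, in access order
    primaries: Dict[str, List[str]] = field(default_factory=dict)
    commands: List[str] = field(default_factory=list)

    def _emit(self, cmd: str) -> str:
        self.commands.append(cmd)
        return cmd

    def enable(self, servers: List[str]) -> str:
        """Step 2: enable external key management with the primary servers."""
        if self.primaries:
            raise ValueError("key management is already enabled on this SVM")
        if not 1 <= len(servers) <= MAX_PRIMARY:
            raise ValueError(f"need between 1 and {MAX_PRIMARY} primary servers")
        if len(set(servers)) != len(servers):
            raise ValueError("duplicate primary server")
        self.primaries = {s: [] for s in servers}
        return self._emit(
            f"security key-manager external enable -vserver {self.vserver} "
            f"-key-servers {','.join(servers)} -client-cert {self.client_cert} "
            f"-server-ca-certs {self.server_ca_certs}")

    def set_secondaries(self, primary: str, secondaries: List[str]) -> str:
        """Replace a primary's secondary list; list order is the access order.
        An empty list removes every secondary and renders as the '-' argument."""
        if primary not in self.primaries:
            raise ValueError(f"{primary} is not a primary key server")
        if len(secondaries) > MAX_SECONDARY:
            raise ValueError(f"at most {MAX_SECONDARY} secondary servers per primary")
        if len(set(secondaries)) != len(secondaries):
            raise ValueError("duplicate secondary server")
        for s in secondaries:
            if s in self.primaries:
                raise ValueError(f"{s} is a primary; remove it with remove-servers first")
            if any(s in secs for p, secs in self.primaries.items() if p != primary):
                raise ValueError(f"{s} is already a secondary of another primary")
        self.primaries[primary] = list(secondaries)
        return self._emit(
            f"security key-manager external modify-server -vserver {self.vserver} "
            f"-key-servers {primary} -secondary-key-servers "
            f"{','.join(secondaries) if secondaries else NONE}")

    def remove_secondary(self, primary: str, server: str) -> str:
        """Drop one secondary by re-listing the ones to keep, as the page describes."""
        if primary not in self.primaries:
            raise ValueError(f"{primary} is not a primary key server")
        kept = [s for s in self.primaries[primary] if s != server]
        if len(kept) == len(self.primaries[primary]):
            raise ValueError(f"{server} is not a secondary of {primary}")
        return self.set_secondaries(primary, kept)

    def remove_primary(self, server: str) -> str:
        """Remove a primary; required before that server can become a secondary.
        Assumption of this model: its secondaries are dropped along with it."""
        if server not in self.primaries:
            raise ValueError(f"{server} is not a primary key server")
        del self.primaries[server]
        return self._emit(
            f"security key-manager external remove-servers -vserver {self.vserver} "
            f"-key-servers {server}")


def demo() -> List[str]:
    """Walk through enable, add, reorder, remove and convert with constructed names."""
    svm = SvmKeyServers("svm1", "kmip_client_cert", "kmip_ca_cert")
    svm.enable(["10.0.0.11", "10.0.0.12"])
    svm.set_secondaries("10.0.0.11", ["10.0.0.21", "10.0.0.22"])   # add secondaries
    svm.set_secondaries("10.0.0.11", ["10.0.0.22", "10.0.0.21"])   # change access order
    svm.remove_secondary("10.0.0.11", "10.0.0.22")                 # drop one
    svm.set_secondaries("10.0.0.11", [])                           # drop all -> '-'
    svm.remove_primary("10.0.0.12")                                # primary -> secondary:
    svm.set_secondaries("10.0.0.11", ["10.0.0.12"])                # remove first, then add
    return svm.commands


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

The guards in `set_secondaries` are the point: a server that is still listed as a primary, or as a secondary of another primary, is rejected until it has been removed, which is the ordering the conversion section above requires.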

For additional information, refer to the security key-manager external page in the ONTAP command reference.