Enable external key management in ONTAP 9.5 and earlier

Contributors

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.

What you’ll need
  • The KMIP SSL client and server certificates must have been installed.

  • You must be a cluster administrator to perform this task.

  • You must configure the MetroCluster environment before you configure an external key manager.

About this task

ONTAP configures KMIP server connectivity for all nodes in the cluster.

Steps
  1. Configure key manager connectivity for cluster nodes:

    security key-manager setup

    The key manager setup starts.

  2. Enter the appropriate response at each prompt.

  3. Add a KMIP server:

    security key-manager add -address key_management_server_ipaddress

    clusterl::> security key-manager add -address 20.1.1.1
  4. Add an additional KMIP server for redundancy:

    security key-manager add -address key_management_server_ipaddress

    clusterl::> security key-manager add -address 20.1.1.2
  5. Verify that all configured KMIP servers are connected:

    security key-manager show -status

    For complete command syntax, see the man page.

    cluster1::> security key-manager show -status
    
    Node            Port      Registered Key Manager  Status
    --------------  ----      ----------------------  ---------------
    cluster1-01     5696      20.1.1.1                available
    cluster1-01     5696      20.1.1.2                available
    cluster1-02     5696      20.1.1.1                available
    cluster1-02     5696      20.1.1.2                available