Enable external key management in ONTAP 9.6 and later (HW-based)

Contributors

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.

What you’ll need
  • The KMIP SSL client and server certificates must have been installed.

  • You must be a cluster administrator to perform this task.

  • You must configure the MetroCluster environment before you configure an external key manager.

Steps
  1. Configure key manager connectivity for the cluster:

    security key-manager external enable -vserver admin_SVM -key-servers host_name|IP_address:port,... -client-cert client_certificate -server-ca-cert server_CA_certificates

    Note

    The security key-manager external enable command replaces the security key-manager setup command. You can run the security key-manager external modify command to change the external key management configuration. For complete command syntax, see the man pages.

    The following command enables external key management for cluster1 with three external key servers. The first key server is specified using its hostname and port, the second is specified using an IP address and the default port, and the third is specified using an IPv6 address and port:

    clusterl::> security key-manager external enable -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert
  2. Verify that all configured KMIP servers are connected:

    security key-manager external show-status -node node_name -vserver SVM -key-server host_name|IP_address:port -key-server-status available|not-responding|unknown

    Note

    The security key-manager external show-status command replaces the security key-manager show -status command. For complete command syntax, see the man page.

    cluster1::> security key-manager external show-status
    
    Node  Vserver  Key Server                                     Status
    ----  -------  ---------------------------------------        -------------
    node1
          cluster1
                   10.0.0.10:5696                                 available
                   fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234   available
                   ks1.local:15696                                available
    node2
          cluster1
                   10.0.0.10:5696                                 available
                   fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234   available
                   ks1.local:15696                                available
    
    6 entries were displayed.