Enable external key management in ONTAP 9.6 and later (HW-based)
You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.
Beginning in ONTAP 9.11.1, you can add up to 3 secondary key servers per primary key server to create a clustered key server. For more information, see Configure clustered external key servers.
Before you begin:
- The KMIP SSL client and server certificates must have been installed.
- You must be a cluster administrator to perform this task.
- You must configure the MetroCluster environment before you configure an external key manager.
- In a MetroCluster environment, you must install the same KMIP SSL certificate on both clusters.
Steps:
1. Configure key manager connectivity for the cluster:
   security key-manager external enable -vserver admin_SVM -key-servers host_name|IP_address:port,... -client-cert client_certificate -server-ca-cert server_CA_certificates
   - The security key-manager external enable command replaces the security key-manager setup command. You can run the security key-manager external modify command to change the external key management configuration. For complete command syntax, see the man pages.
   - In a MetroCluster environment, if you are configuring external key management for the admin SVM, you must repeat the security key-manager external enable command on the partner cluster.
   The following command enables external key management for cluster1 with three external key servers. The first key server is specified using its hostname and port, the second is specified using an IP address and the default port, and the third is specified using an IPv6 address and port:
   cluster1::> security key-manager external enable -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert
2. Verify that all configured KMIP servers are connected:
   security key-manager external show-status -node node_name -vserver SVM -key-server host_name|IP_address:port -key-server-status available|not-responding|unknown
   The security key-manager external show-status command replaces the security key-manager show -status command. For complete command syntax, see the man page.
   cluster1::> security key-manager external show-status
   Node  Vserver  Key Server                                    Status
   ----  -------  --------------------------------------------  -------------
   node1 cluster1 10.0.0.10:5696                                available
                  fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234  available
                  ks1.local:15696                               available
   node2 cluster1 10.0.0.10:5696                                available
                  fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234  available
                  ks1.local:15696                               available
   6 entries were displayed.