Remove an external key manager connection in ONTAP
You can disconnect a KMIP server from a node when you no longer need the server. For example, you might disconnect a KMIP server when you are transitioning to volume encryption.
When you disconnect a KMIP server from one node in an HA pair, the system automatically disconnects the server from all cluster nodes.
If you plan to continue using external key management after disconnecting a KMIP server, make sure another KMIP server is available to serve authentication keys.
You must be a cluster or SVM administrator to perform this task.
Disconnect a KMIP server from the current node:
For this ONTAP version, use this command:

ONTAP 9.6 and later:
    security key-manager external remove-servers -vserver SVM -key-servers host_name|IP_address:port,…

ONTAP 9.5 and earlier:
    security key-manager delete -address key_management_server_ipaddress

In a MetroCluster environment, you must repeat these commands on both clusters for the admin SVM.
The following ONTAP 9.6 command disables the connections to two external key management servers for cluster1, the first named ks1, listening on the default port 5696, the second with the IP address 10.0.0.20, listening on port 24482:

    cluster1::> security key-manager external remove-servers -vserver cluster-1 -key-servers ks1,10.0.0.20:24482

Learn more about security key-manager external remove-servers and security key-manager delete in the ONTAP command reference.