Delete existing external key management server connections before upgrading ONTAP
Before you upgrade ONTAP, if you are running ONTAP 9.2 or earlier with NetApp Storage Encryption (NSE) and upgrading to ONTAP 9.3 or later, you must use the command line interface (CLI) to delete any existing external key management (KMIP) server connections.
- Verify that the NSE drives are unlocked, open, and set to the default manufacture secure ID 0x0:
  storage encryption disk show -disk *
  Learn more about storage encryption disk show in the ONTAP command reference.
- Enter the advanced privilege mode:
  set -privilege advanced
  Learn more about set in the ONTAP command reference.
- Use the default manufacture secure ID 0x0 to assign the FIPS key to the self-encrypting disks (SEDs):
  storage encryption disk modify -fips-key-id 0x0 -disk *
  Learn more about storage encryption disk modify in the ONTAP command reference.
- Verify that assigning the FIPS key to all disks is complete:
  storage encryption disk show-status
  Learn more about storage encryption disk show-status in the ONTAP command reference.
- Verify that the mode for all disks is set to data:
  storage encryption disk show
  Learn more about storage encryption disk show in the ONTAP command reference.
- View the configured KMIP servers:
  security key-manager keystore show
  Learn more about security key-manager keystore show in the ONTAP command reference.
- Delete the configured KMIP servers:
  security key-manager delete -address <kmip_ip_address>
  Learn more about security key-manager delete in the ONTAP command reference.
- Delete the external key manager configuration:
  security key-manager external disable
  Learn more about security key-manager external disable in the ONTAP command reference.
  This step does not remove the NSE certificates.
After the upgrade is complete, you must reconfigure the KMIP server connections.
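
The verification steps above can be scripted as a gate before the KMIP servers are deleted. The Python below is an added example, not NetApp's code: it parses captured storage encryption disk show output and lists every disk that is not in data mode with key ID 0x0. The sample output, its column layout (Disk, Mode, Data Key ID) and the function names are assumptions made for illustration.

```python
"""Gate for the KMIP deletion step: every disk must be in data mode with key ID 0x0."""

# Constructed sample of `storage encryption disk show` output. The column
# layout (Disk, Mode, Data Key ID) is an assumption; adjust it to your output.
SAMPLE_OUTPUT = """\
Disk     Mode Data Key ID
-----    ---- ----------------------------------------------------------------
0.0.0    data 0x0
0.0.1    data 0x0
0.0.2    full 080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3
3 entries were displayed.
"""


def parse_disks(output):
    """Return (disk, mode, key_id) tuples from the rows below the dashed separator."""
    rows, in_body = [], False
    for line in output.splitlines():
        if line.startswith("-----"):
            in_body = True
            continue
        fields = line.split()
        if in_body and len(fields) == 3:  # the "N entries were displayed." footer has 4 fields
            rows.append(tuple(fields))
    return rows


def is_default_msid(key_id):
    """True when the key ID is the default manufacture secure ID (0x0)."""
    try:
        return int(key_id, 16) == 0
    except ValueError:
        return False  # unparseable key ID: treat as not default


def blocking_disks(output):
    """Disks that are not in data mode or are not keyed to 0x0."""
    return [(d, m, k) for d, m, k in parse_disks(output)
            if m != "data" or not is_default_msid(k)]


def safe_to_delete_kmip(output):
    """Fail closed: require at least one parsed disk and no blocking disks."""
    return bool(parse_disks(output)) and not blocking_disks(output)


if __name__ == "__main__":
    for disk, mode, key_id in blocking_disks(SAMPLE_OUTPUT):
        print(f"BLOCKED {disk}: mode={mode} key_id={key_id}")
    print("safe to delete KMIP servers:", safe_to_delete_kmip(SAMPLE_OUTPUT))
```

The gate returns False when no disk rows are parsed, so an empty or unexpected capture does not pass as clean.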