还原OKM、NSE和NVE—ASA A800
恢复替代启动介质上的加密。
您必须使用在启动介质更换过程开始时捕获的设置完成特定于已启用板载密钥管理器(OKM)、NetApp存储加密(NSE)或NetApp卷加密(NVE)的系统的步骤。
根据系统上配置的密钥管理器、选择以下选项之一、从启动菜单中将其还原。
选项1:还原板载密钥管理器配置
从ONTAP启动菜单还原板载密钥管理器(OKM)配置。
-
还原OKM配置时、请确保您具有以下信息:
-
已输入集群范围的密码短语 "同时启用板载密钥管理"。
-
"板载密钥管理器的备份信息"(英文)
-
-
请先执行此 "如何验证板载密钥管理备份和集群范围的密码短语" 过程、然后再继续。
-
将控制台缆线连接到目标控制器。
-
从ONTAP启动菜单中、从启动菜单中选择适当的选项。
ONTAP 版本 选择此选项 ONTAP 9.8 或更高版本
选择选项10。
显示启动菜单示例
Please choose one of the following: (1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. (10) Set Onboard Key Manager recovery secrets. (11) Configure node for external key management. Selection (1-11)? 10
ONTAP 9 7及更早版本
选择隐藏选项
recover_onboard_keymanager
显示启动菜单示例
Please choose one of the following: (1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. Selection (1-19)? recover_onboard_keymanager
-
确认您要继续恢复过程。
显示示例提示符
This option must be used only in disaster recovery procedures. Are you sure? (y or n):
-
输入集群范围的密码短语两次。
输入密码短语时、控制台不会显示任何输入。
显示示例提示符
Enter the passphrase for onboard key management:
Enter the passphrase again to confirm:
-
输入备份信息。
-
将整个内容从开始备份行粘贴到结束备份行。
显示示例提示符
Enter the backup data: --------------------------BEGIN BACKUP-------------------------- 0123456789012345678901234567890123456789012345678901234567890123 1234567890123456789012345678901234567890123456789012345678901234 2345678901234567890123456789012345678901234567890123456789012345 3456789012345678901234567890123456789012345678901234567890123456 4567890123456789012345678901234567890123456789012345678901234567 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0123456789012345678901234567890123456789012345678901234567890123 1234567890123456789012345678901234567890123456789012345678901234 2345678901234567890123456789012345678901234567890123456789012345 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ---------------------------END BACKUP---------------------------
-
在输入末尾按两次回车键。
恢复过程完成。
显示示例提示符
Trying to recover keymanager secrets.... Setting recovery material for the onboard key manager Recovery secrets set successfully Trying to delete any existing km_onboard.wkeydb file. Successfully recovered keymanager secrets. *********************************************************************************** * Select option "(1) Normal Boot." to complete recovery process. * * Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots. ***********************************************************************************
如果显示的输出不是,请勿继续 Successfully recovered keymanager secrets
。执行故障排除以更正错误。 -
-
从启动菜单中选择选项1以继续启动至ONTAP。
显示示例提示符
*********************************************************************************** * Select option "(1) Normal Boot." to complete the recovery process. * *********************************************************************************** (1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. (10) Set Onboard Key Manager recovery secrets. (11) Configure node for external key management. Selection (1-11)? 1
-
确认控制器的控制台显示以下消息。
Waiting for giveback…(Press Ctrl-C to abort wait)
-
在配对节点上、输入以下命令以对配对控制器进行回指。
storage failover giveback -fromnode local -only-cfo-aggregates true
(英文) -
在仅使用CFO聚合启动后、运行以下命令。
security key-manager onboard sync
-
输入板载密钥管理器的集群范围密码短语。
显示示例提示符
Enter the cluster-wide passphrase for the Onboard Key Manager: All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.
如果同步成功、则会返回集群提示符、而不会显示任何其他消息。如果同步失败、则会在返回集群提示符之前显示一条错误消息。更正错误并成功运行同步之前、请勿继续。 -
输入以下命令、确保所有密钥均已同步。
security key-manager key query -restored false
(英文)There are no entries matching your query.
在reved参数中筛选false时、不应显示任何结果。 -
输入以下命令、从配对节点进行节点回给。
storage failover giveback -fromnode local
-
如果已禁用自动交还、请输入以下命令来还原自动交还。
storage failover modify -node local -auto-giveback true
-
如果启用了AutoSupport、请输入以下命令来恢复自动创建案例。
system node autosupport invoke -node * -type all -message MAINT=END
选项2:还原外部密钥管理器配置
从ONTAP启动菜单还原外部密钥管理器配置。
要还原外部密钥管理器(External Key Manager、EKM)配置、您需要以下信息。
-
另一个集群节点上的/cfcard/kmip/servers.cfg文件的副本或以下信息:
-
KMIP服务器地址。
-
KMIP端口。
-
-
另一个集群节点或客户端证书中的文件副本
/cfcard/kmip/certs/client.crt
。 -
从其他集群节点或客户端密钥获取的文件副本
/cfcard/kmip/certs/client.key
。 -
另一个集群节点或KMIP服务器CA中的文件副本
/cfcard/kmip/certs/CA.pem
。
-
将控制台缆线连接到目标控制器。
-
从ONTAP启动菜单中选择选项11。
显示启动菜单示例
(1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. (10) Set Onboard Key Manager recovery secrets. (11) Configure node for external key management. Selection (1-11)? 11
-
出现提示时、确认您已收集所需信息。
显示示例提示符
Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n} Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n} Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n} Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n}
-
出现提示时、输入客户端和服务器信息。
显示提示符
Enter the client certificate (client.crt) file contents: Enter the client key (client.key) file contents: Enter the KMIP server CA(s) (CA.pem) file contents: Enter the server configuration (servers.cfg) file contents:
显示示例
Enter the client certificate (client.crt) file contents: -----BEGIN CERTIFICATE----- MIIDvjCCAqagAwIBAgICN3gwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTVkwxDzANBgNVBAoTBk5l MSUbQusvzAFs8G3P54GG32iIRvaCFnj2gQpCxciLJ0qB2foiBGx5XVQ/Mtk+rlap Pk4ECW/wqSOUXDYtJs1+RB+w0+SHx8mzxpbz3mXF/X/1PC3YOzVNCq5eieek62si Fp8= -----END CERTIFICATE----- Enter the client key (client.key) file contents: -----BEGIN RSA PRIVATE KEY----- <key_value> -----END RSA PRIVATE KEY----- Enter the KMIP server CA(s) (CA.pem) file contents: -----BEGIN CERTIFICATE----- MIIEizCCA3OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx 7yaumMQETNrpMfP+nQMd34y4AmseWYGM6qG0z37BRnYU0Wf2qDL61cQ3/jkm7Y94 EQBKG1NY8dVyjphmYZv+ -----END CERTIFICATE----- Enter the IP address for the KMIP server: 10.10.10.10 Enter the port for the KMIP server [5696]: System is ready to utilize external key manager(s). Trying to recover keys from key servers.... kmip_init: configuring ports Running command '/sbin/ifconfig e0M' .. .. kmip_init: cmd: ReleaseExtraBSDPort e0M
输入客户端和服务器信息后、恢复过程将完成。
显示示例
System is ready to utilize external key manager(s). Trying to recover keys from key servers.... [Aug 29 21:06:28]: 0x808806100: 0: DEBUG: kmip2::main: [initOpenssl]:460: Performing initialization of OpenSSL Successfully recovered keymanager secrets.
-
从启动菜单中选择选项1以继续启动至ONTAP。
显示示例提示符
*********************************************************************************** * Select option "(1) Normal Boot." to complete the recovery process. * *********************************************************************************** (1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. (10) Set Onboard Key Manager recovery secrets. (11) Configure node for external key management. Selection (1-11)? 1
-
如果已禁用自动交还、请输入以下命令来还原自动交还。
storage failover modify -node local -auto-giveback true
-
如果启用了AutoSupport、请输入以下命令来恢复自动创建案例。
system node autosupport invoke -node * -type all -message MAINT=END