Volume rehost fails when using Azure Key Vault
- Category: cloud-volumes-ontap-cvo
- Specialty: cloud
- Last Updated: 3/5/2024, 5:52:13 AM
Environment
- Azure Key Vault (AKV)
- Cloud Volumes ONTAP (CVO)
- Volume rehost
Issue
- The volume rehost command fails in an Azure Key Vault environment.
Cluster::*> volume rehost -vserver svm1 -volume volume1 -destination-vserver svm2
Warning: Rehosting a volume from one Vserver to another Vserver does not change the security information about that volume.If the security domains of the Vservers are not identical, unwanted access might be permitted, and desired access might be denied. An attempt to rehost a volume will disassociate the volume from all volume policies and policy rules. The volume must be reconfigured after a successful or unsuccessful rehost operation.
Do you want to continue? {y|n}: y
[Job 5559] Job is queued: Volume rehost operation on volume "volume1" on Vserver "svm1" to destination Vserver "svm2" by administrator "admin".
Error: command failed: [Job 5559] Job failed:
Volume rehost precheck failed for reasons:
Cannot rehost the encrypted volume "volume1" from Vserver "svm1" using Azure Key Vault to Vserver
"svm2" using Azure Key Vault. Rehost between these key manager types is not supported.
- Security keys cannot be migrated.
Cluster::> security key-manager key migrate -from-vserver svm1 -to-vserver svm2
Error: This migration option is not supported in this release.
The supported migration options are: (Onboard Key Manager|KMIP External Key Manager) to/from (KMIP External Key Manager|Cloud Key Managers) IBM Key Lore Key Manager to (Onboard Key Manager|KMIP External Key Manager) Where the Cloud Key Managers are Azure Key Vault, Amazon Web Services Key Management, Google Cloud Key Management Service, IBM Key Protect Key Management Service.
- The kmip2_client log shows messages indicating BAD_DATA and invalid client secret.
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/tables/kmip_cloud_cmd.cc: 84: error: 11: msg: KMIP_get_data
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::tables::kmip_akv_cmd: [getSmdbError]:411: AKV operation failed: get. Cryptsoft error: BAD_DATA, Cryptsoft status: SUCCESS, Cryptsoft reason: SUCCESS, Cryptsoft message: , HTTP response code: 401, HTTP Payload:
Fri Nov 10 2023 08:07:45 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:07:45]: 0x80a207900: 0: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/AKV/kmip_akv_cmd.c: 852: error: 5: msg: HTTP MESSAGE={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxxxxxxxxxxx'. Trace ID: xxxxxxxxxxxxx Correlation ID: 716c5f36-d8b7-432f-9510-908b61472b68 Timestamp: 2023-11-10 16:08:01Z","error_codes":[7000215],"timestamp":"2023-11-10 16:08:01Z","trace_id":"xxxxxxxxxxxxx","correlation_id":"xxxxxxxxxxxxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"