
Onboard Key-manager cannot be enabled

Category: ontap-9
Specialty: core

Environment

  • ONTAP 9
  • FAS/AFF systems
  • Onboard Key-Manager

Issue

  • OKM creation fails with the following error:

Cluster::*> security key-manager onboard enable

Enter the SVM1-wide passphrase for the Onboard Key Manager:


Re-enter the SVM1-wide passphrase:Error: command failed: Internal error. Failed to generate SVM1 key encryption key in kernel. Key manager returned: 18. Crypto return code: 10.

  • The event log shows that CPKEK creation fails.

Thu Oct 30 09:22:47 -0400 [Cluster-01: sshd-session: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for admin from 10.116.69.235 port 52706 ssh2  '}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000', 'key_digest': 'c8579c2b9878d09c9de93b70c3b5967ad92dbba201a62b1e1cec49912e38a2f1'}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '000000000000000002000000000008006491085af75e1ebe51080bc719c968fb0000000000000000', 'key_digest': '1c40520de3a7f16a7d0ac44cda4fc45af5084e8ce4bb8bfac99ac553238c5034'}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '000000000000000002000000000009006af7b4903f2d1cd44111f0bfed5a5af00000000000000000', 'key_digest': '6818cc94a6d2dede43771b75755af3bb5aa24420565cf3081957c12baa62b4c4'}
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000', 'key_digest': 'c8579c2b9878d09c9de93b70c3b5967ad92dbba201a62b1e1cec49912e38a2f1'}
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.debug:info]: Onboard key hierarchy creation failed: CPKEK creation failed: 10.

  • The table cryptomod_create_okm_base_hierarchy takes more than 25 seconds.

Thu Oct 30 09:25:52 -0400 [Cluster-01: ksmf_timeout_thread: ksmf.svc.watchdog:debug]: "kSMF service thread held > 25 (sec) by application for table cryptomod_create_okm_base_hierarchy"
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:35:22 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:37:56 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:52:22 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.

  • The MGWD log confirms that the file /cfcard/kmip/km_onboard.wkeydb cannot be opened for input.

Thu Oct 30 2025 09:25:01 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_mgwd::tables::setup_wizard: [setupOKM]:1484: ENTER: First-time configuration of onboard key manager
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_shared::KeymanagerConfigFile: [read]:259: File stream error -- unable to open /cfcard/kmip/km_onboard.wkeydb for input
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_shared::OkmKeyDatabase: [getWriter]:385: WKEYDB: Writer is ready to update wkeydb
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_mgwd::tables::SVM1_kdb: [create_onboard_key_hier_imp]:958: Creating OKM base key hierarchy
Thu Oct 30 2025 09:25:52 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::SVM1_kdb: [create_onboard_key_hier_imp]:979: cryptomod_create_okm_base_hierarchy_iterator failed. Internal error: Timeout: Operation "cryptomod_create_okm_base_hierarchy_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "Cluster-01" (VSID: -1) to kernel at 127.0.0.1]
Thu Oct 30 2025 09:25:52 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::setup_wizard: [first_time_setup_km_onboard]:622: Failed to create onboard key hierarchy, err = Timeout: Operation "cryptomod_create_okm_base_hierarchy_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "Cluster-01" (VSID: -1) to kernel at 127.0.0.1]

  • sktrace shows the TPM being unsealed.

2025-10-30T13:25:28Z 10346238237101035   [0:0] SSAL_Log:  tss_tpm_seal:467
2025-10-30T13:28:45Z 10346573549617619   [15:0] SSAL_Log:  tss_tpm_unseal:250

  • Processing of the table cryptomod_create_okm_base_hierarchy also takes more than 25 seconds.

2025-10-30T13:24:19Z 10346122503639135   [12:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table crypto_tpm_status is quarantined. Active thread count:0
2025-10-30T13:26:10Z 10346310244488666   [0:0] KSMF_SMF_SVC_NORM:  process_request: Processing for table cryptomod_create_okm_base_hierarchy took 43533 msec which is longer than the client's timeout of 25000
2025-10-30T13:26:10Z 10346310244490786   [0:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table cryptomod_create_okm_base_hierarchy is quarantined. 
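As an added triage helper that is not part of the KB article, the following Python parses EMS and kSMF lines of the kind quoted above and checks for the signature described on this page: a key stored and then deleted by crypto_onboard_key_hierarchy_helper, a "CPKEK creation failed" event, and a cryptomod_create_okm_base_hierarchy request that exceeded the client's timeout. The sample lines are constructed, with shortened placeholder key IDs and digests in place of real values.

```python
import re

# Constructed sample lines modelled on the EMS and kSMF output quoted above.
# KEYID_A / DIGEST_A are placeholders, not values from a real system.
SAMPLE_LOG = """\
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': 'KEYID_A', 'key_digest': 'DIGEST_A'}
Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID KEYID_A. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.
Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.debug:info]: Onboard key hierarchy creation failed: CPKEK creation failed: 10.
2025-10-30T13:26:10Z 10346310244488666   [0:0] KSMF_SMF_SVC_NORM:  process_request: Processing for table cryptomod_create_okm_base_hierarchy took 43533 msec which is longer than the client's timeout of 25000
"""

STORED_RE = re.compile(r"crypto_key_stored_1:notice\]: params: \{'key_id': '(\w+)'")
DELETED_RE = re.compile(r"crypto\.key\.deleted:notice\]: Deleted key with key ID (\w+)\. Reason (\S+)\.")
CPKEK_RE = re.compile(r"CPKEK creation failed: (\d+)")
KSMF_RE = re.compile(r"Processing for table (\S+) took (\d+) msec which is longer than the client's timeout of (\d+)")


def triage_okm_log(text):
    """Walk EMS/kSMF lines and collect the three indicators from the KB."""
    stored = set()
    findings = {"rolled_back_keys": [], "cpkek_failures": [], "ksmf_overruns": []}
    for line in text.splitlines():
        if m := STORED_RE.search(line):
            stored.add(m.group(1))
        elif m := DELETED_RE.search(line):
            key_id, reason = m.groups()
            # A key stored and then deleted by the OKM hierarchy helper is a
            # rolled-back hierarchy key, not a routine key deletion.
            if key_id in stored and reason.endswith("crypto_onboard_key_hierarchy_helper"):
                findings["rolled_back_keys"].append(key_id)
        elif m := CPKEK_RE.search(line):
            findings["cpkek_failures"].append(int(m.group(1)))
        elif m := KSMF_RE.search(line):
            table, took, limit = m.group(1), int(m.group(2)), int(m.group(3))
            findings["ksmf_overruns"].append(
                {"table": table, "took_msec": took, "timeout_msec": limit, "overrun_msec": took - limit}
            )
    return findings


def matches_signature(findings):
    """True when all three indicators from this KB are present together."""
    slow_okm = any(o["table"] == "cryptomod_create_okm_base_hierarchy" for o in findings["ksmf_overruns"])
    return bool(findings["rolled_back_keys"]) and bool(findings["cpkek_failures"]) and slow_okm


if __name__ == "__main__":
    result = triage_okm_log(SAMPLE_LOG)
    print(result, "signature matched:", matches_signature(result))
```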

  • The timeout value was increased from 25 seconds to 60 seconds, but the same problem occurs.

cluster::*> debug smdb table dsmdb_config modify -dist-timeout 60
