
MCC with NSE drives: running "security key-manager key delete" deletes a key that is in use on the DR cluster

Applies to

  • ONTAP 9
  • MetroCluster
  • NetApp Storage Encryption (NSE)
  • Key Management Interoperability Protocol (KMIP)

Issue

In a MetroCluster environment, running the security key-manager key delete command deletes an NSE key that is in use on the DR cluster.
 
  1. Two separate keys are applied to the SED drives on cluster1 and cluster2.

cluster1:: *> storage encryption disk show
Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 

cluster2:: *> storage encryption disk show
Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
2.30.15  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.16  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.17  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

 

  2. Both keys are restored on both clusters, as expected.

cluster1::*> security key-manager key query

         Node: cluster1n1
        Vserver: cluster1
      Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
  Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000


         Node: cluster1n2
        Vserver: cluster1
      Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
  Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000


cluster2::*> security key-manager key query

        Node: cluster2n1
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
        Node: cluster2n2
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000

 

  3. Deleting key AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA from cluster1 fails, as expected.

cluster1::security key-manager key*> delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
Error: command failed: Authentication key with KeyID "00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000" cannot be deleted since it is in use by one or more self-encrypting drives.

  4. However, deleting the same key from cluster2 succeeds, and the key disappears from both cluster1 and cluster2.

cluster2::*> security key-manager key delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
cluster2::*>

 

cluster2::*> security key-manager key query

        Node: cluster2n1
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


        Node: cluster2n2
       Vserver: cluster2
     Key Manager: 10.87.124.35:5696
  Key Manager Type: KMIP
Key Manager Policy: -

Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


cluster1::*> security key-manager key query

        Node: cluster1n1
       Vserver: cluster1
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


        Node: cluster1n2
      Vserver: cluster1
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000

 

  5. Meanwhile, the SED drives on cluster1 are still using the now-missing key:

cluster1::*> security key-manager key storage encryption disk show
Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
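
A pre-delete check for the situation shown above, as an added example (not NetApp code or a NetApp tool): it parses saved "storage encryption disk show" output from both clusters and lists the drives that still use a key, so that the check does not depend on which cluster the delete is issued from. The function names and the sample text (constructed from this article's placeholder key IDs) are assumptions, as is the rule that a key-manager Key ID is the drive's Data Key ID followed by zero padding.

```python
import re

# Constructed sample input: placeholder key IDs and disk names copied from
# the article's "storage encryption disk show" output, one text per cluster.
KEY_A = "00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
HEADER = "Disk    Mode Data Key ID\n-------- ---- " + "-" * 64 + "\n"
DISK_SHOW = {
    "cluster1": HEADER + "".join(f"1.10.{n}   data {KEY_A}\n" for n in (0, 1, 2)),
    "cluster2": HEADER + "".join(f"2.30.{n}  data {KEY_B}\n" for n in (15, 16, 17)),
}

# A data row is: disk name, mode, long hex Data Key ID.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([0-9A-Fa-f]{32,})$")


def parse_disk_show(output):
    """Return {disk: data_key_id} from 'storage encryption disk show' text."""
    disks = {}
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if match:
            disks[match.group(1)] = match.group(3).upper()
    return disks


def drives_using_key(key_id, disk_show_by_cluster):
    """List (cluster, disk) pairs whose Data Key ID matches key_id.

    Assumption: the key-manager Key ID is the Data Key ID followed by
    zero padding, as in the article's output, so a padded-prefix match is used.
    """
    key_id = key_id.upper()
    return sorted(
        (cluster, disk)
        for cluster, output in disk_show_by_cluster.items()
        for disk, data_key in parse_disk_show(output).items()
        if key_id.startswith(data_key) and not key_id[len(data_key):].strip("0")
    )


def safe_to_delete(key_id, disk_show_by_cluster):
    """True only if no drive on any supplied cluster uses the key."""
    return not drives_using_key(key_id, disk_show_by_cluster)


if __name__ == "__main__":
    target = KEY_A + "0" * 16  # Key ID form shown by "key query"
    print("cluster2 only:", safe_to_delete(target, {"cluster2": DISK_SHOW["cluster2"]}))
    print("both clusters:", drives_using_key(target, DISK_SHOW))
```

Checked against cluster2's drives alone, the key looks unused; only the combined view of both clusters shows the three cluster1 drives that depend on it.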

 
 
