MCC with NSE drives: running "security key-manager key delete" deletes a key that is in use by the DR cluster
Environment
- ONTAP 9
- MetroCluster
- NetApp Storage Encryption (NSE)
- Key Management Interoperability Protocol (KMIP)
Issue
Running the security key-manager key delete command deletes an NSE key that is used by the DR cluster.
- The SED drives in cluster1 and cluster2 have two separate keys applied.
cluster1::*> storage encryption disk show
Disk Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0 data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1 data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2 data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
cluster2::*> storage encryption disk show
Disk Mode Data Key ID
-------- ---- ----------------------------------------------------------------
2.30.15 data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.16 data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.17 data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
- Both keys are restored on both clusters, as expected.
cluster1::*> security key-manager key query
Node: cluster1n1
Vserver: cluster1
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK yes
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1 NSE-AK yes
Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
Node: cluster1n2
Vserver: cluster1
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK yes
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1 NSE-AK yes
Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
cluster2::*> security key-manager key query
Node: cluster2n1
Vserver: cluster2
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK yes
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1 NSE-AK yes
Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
Node: cluster2n2
Vserver: cluster2
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK yes
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1 NSE-AK yes
Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
- Deleting key AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA from cluster1 fails, as expected.
cluster1::*> security key-manager key delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
Error: command failed: Authentication key with KeyID "00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000" cannot be deleted since it is in use by one or more self-encrypting drives.
- However, deleting the same key from cluster2 succeeds, and the key disappears from both cluster1 and cluster2.
cluster2::*> security key-manager key delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
cluster2::*>
cluster2::*> security key-manager key query
Node: cluster2n1
Vserver: cluster2
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK true
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
Node: cluster2n2
Vserver: cluster2
Key Manager: 10.87.124.35:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK true
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1::*> security key-manager key query
Node: cluster1n1
Vserver: cluster1
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK true
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
Node: cluster1n2
Vserver: cluster1
Key Manager: 10.xx.xx.xx:5696
Key Manager Type: KMIP
Key Manager Policy: -
Key Tag Key Type Restored
------------------------------------ -------- --------
cluster2 NSE-AK true
Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
- Meanwhile, the SED drives in cluster1 are still using the missing key:
cluster1::*> storage encryption disk show
Disk Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0 data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1 data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2 data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
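A pre-delete and post-delete check for the condition described above, as an added example that is not NetApp's code: it parses captured "storage encryption disk show" and "security key-manager key query" output from both MetroCluster sites, lists the drives that would block a key deletion, and reports keys that drives use but the key manager no longer lists. The function names and sample text are constructed for illustration, and the parsing assumes the output layout shown on this page, where the queried Key ID is the 64-character Data Key ID followed by 16 more characters.

```python
import re

# Constructed sample input, modelled on the redacted outputs shown on this page.
# Assumption: the queried Key ID is the drive's Data Key ID plus 16 trailing characters.
KEY_A = "00000000000000000200000000000" + "A" * 35
KEY_B = "00000000000000000200000000000" + "B" * 35
C1_DISKS = f"""cluster1::*> storage encryption disk show
Disk Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0 data {KEY_A}
1.10.1 data {KEY_A}
1.10.2 data {KEY_A}
"""
C2_DISKS = f"""cluster2::*> storage encryption disk show
Disk Mode Data Key ID
2.30.15 data {KEY_B}
2.30.16 data {KEY_B}
"""
C1_QUERY_AFTER = f"""cluster1::*> security key-manager key query
Node: cluster1n1
cluster2 NSE-AK true
Key ID: {KEY_B}0000000000000000
"""

DISK_ROW = re.compile(r"^(\d+\.\d+\.\d+)\s+\S+\s+([0-9A-Fa-f]{64})\s*$", re.M)
KEY_ROW = re.compile(r"^\s*Key ID:\s*([0-9A-Fa-f]+)\s*$", re.M)

def keys_in_use(disk_show):
    """Map each 64-character data key ID to the disks that report it."""
    used = {}
    for disk, key in DISK_ROW.findall(disk_show):
        used.setdefault(key.upper(), []).append(disk)
    return used

def delete_blockers(key_id, *disk_shows):
    """Disks in ANY supplied cluster (local and DR partner) still using key_id."""
    key_id = key_id.upper()
    return [d for text in disk_shows for k, disks in keys_in_use(text).items()
            if key_id.startswith(k) for d in disks]

def missing_keys(disk_show, key_query):
    """Keys that drives use but the key-manager query no longer lists."""
    known = [k.upper() for k in KEY_ROW.findall(key_query)]
    return {k: d for k, d in keys_in_use(disk_show).items()
            if not any(q.startswith(k) for q in known)}

if __name__ == "__main__":
    print(delete_blockers(KEY_A + "0" * 16, C1_DISKS, C2_DISKS))
    print(missing_keys(C1_DISKS, C1_QUERY_AFTER))
```

Feed delete_blockers the disk listings from both sites before running the delete on either one; an empty list means no drive in the supplied listings references the key.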