Volume rehost fails when using Azure Key Vault
Applies to
- Azure Key Vault (KV)
- Cloud Volumes ONTAP (CVO)
- Volume rehost
Issue
- The volume rehost command fails in an Azure Key Vault environment:
Cluster::*> volume rehost -vserver svm1 -volume volume1 -destination-vserver svm2
Warning: Rehosting a volume from one Vserver to another Vserver does not change the security information about that volume.If the security domains of the Vservers are not identical, unwanted access might be permitted, and desired access might be denied. An attempt to rehost a volume will disassociate the volume from all volume policies and policy rules. The volume must be reconfigured after a successful or unsuccessful rehost operation.
Do you want to continue? {y|n}: y
[Job 5559] Job is queued: Volume rehost operation on volume "volume1" on Vserver "svm1" to destination Vserver "svm2" by administrator "admin".
Error: command failed: [Job 5559] Job failed:
Volume rehost precheck failed for reasons:
Cannot rehost the encrypted volume "volume1" from Vserver "svm1" using Azure Key Vault to Vserver
"svm2" using Azure Key Vault. Rehost between these key manager types is not supported.
- The security keys cannot be migrated:
Cluster::> security key-manager key migrate -from-vserver svm1 -to-vserver svm2
Error: This migration option is not supported in this release.
The supported migration options are: (Onboard Key Manager|KMIP External Key Manager) to/from (KMIP External Key Manager|Cloud Key Managers) IBM Key Lore Key Manager to (Onboard Key Manager|KMIP External Key Manager) Where the Cloud Key Managers are Azure Key Vault, Amazon Web Services Key Management, Google Cloud Key Management Service, IBM Key Protect Key Management Service.
- The kmip2_client log shows messages indicating BAD_DATA and invalid client secret:
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/tables/kmip_cloud_cmd.cc: 84: error: 11: msg: KMIP_get_data
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 8003e80000129721: ERR: kmip2::tables::kmip_akv_cmd: [getSmdbError]:411: AKV operation failed: get. Cryptsoft error: BAD_DATA, Cryptsoft status: SUCCESS, Cryptsoft reason: SUCCESS, Cryptsoft message: , HTTP response code: 401, HTTP Payload:
Fri Nov 10 2023 08:07:45 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:07:45]: 0x80a207900: 0: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/AKV/kmip_akv_cmd.c: 852: error: 5: msg: HTTP MESSAGE={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxxxxxxxxxxx'. Trace ID: xxxxxxxxxxxxx Correlation ID: 716c5f36-d8b7-432f-9510-908b61472b68 Timestamp: 2023-11-10 16:08:01Z","error_codes":[7000215],"timestamp":"2023-11-10 16:08:01Z","trace_id":"xxxxxxxxxxxxx","correlation_id":"xxxxxxxxxxxxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"
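
A triage check for the log signatures above, as an added example that is not from the original article or from NetApp: it scans kmip2_client lines for the HTTP 401 and AADSTS markers that point to a rejected Azure client secret. The sample lines are constructed and shortened from the format shown above, and the names classify and scan are assumptions.

```python
import re

# Constructed sample lines, shortened from the log format shown in the article.
SAMPLE_LOG = """\
Thu Nov 09 2023 14:38:43 -08:00 [kern_kmip2_client:info:7662] [Nov 9 14:38:43]: 0x80a206000: 0: ERR: kmip2::tables::kmip_akv_cmd: [getSmdbError]:411: AKV operation failed: get. Cryptsoft error: BAD_DATA, Cryptsoft status: SUCCESS, Cryptsoft reason: SUCCESS, Cryptsoft message: , HTTP response code: 401, HTTP Payload:
Fri Nov 10 2023 08:07:45 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:07:45]: 0x80a207900: 0: ERR: kmip2::kmipCmds::KmipConnection: [cryptsoftErrorCb]:94: Error: src/AKV/kmip_akv_cmd.c: 852: error: 5: msg: HTTP MESSAGE={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided.","error_codes":[7000215]
Fri Nov 10 2023 08:09:00 -08:00 [kern_kmip2_client:info:7662] [Nov 10 08:09:00]: 0x80a207900: 0: INFO: kmip2::tables::kmip_akv_cmd: constructed non-error line
"""

# Leading timestamp plus the kmip2 client tag identifies the lines of interest.
HEADER = re.compile(
    r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) \[kern_kmip2_client:"
)
AKV_FAIL = re.compile(
    r"AKV operation failed: (\w+)\. Cryptsoft error: (\w+),.*?HTTP response code: (\d{3})"
)
AADSTS = re.compile(r'"error":"(\w+)".*?(AADSTS\d+)')


def classify(line):
    """Return a finding dict for an AKV failure line, or None for other lines."""
    head = HEADER.match(line)
    if not head or ": ERR: " not in line:
        return None
    finding = {"time": head.group(1)}
    m = AKV_FAIL.search(line)
    if m:
        finding.update(op=m.group(1), cryptsoft=m.group(2), http=int(m.group(3)))
        # HTTP 401 means the vault did not accept the request's credentials.
        finding["auth_failure"] = finding["http"] == 401
        return finding
    # The JSON payload can be cut off in the log, so use a regex, not json.loads.
    m = AADSTS.search(line)
    if m:
        finding.update(oauth_error=m.group(1), aadsts=m.group(2), auth_failure=True)
        return finding
    return None


def scan(text):
    """Classify every line of a log excerpt and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```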