跳转到主内容

无法启用板载密钥管理器

  1. 最后更新
  2. 另存为PDF
Views:
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

适用于

  • ONTAP 9
  • FAS/AFF 系统
  • 内置密钥管理器

问题描述

  • OKM 创建失败,出现以下错误:

Cluster::*> security key-manager onboard enable

Enter the SVM1-wide passphrase for the Onboard Key Manager:


Re-enter the SVM1-wide passphrase:Error: command failed: Internal error. Failed to generate SVM1 key encryption key in kernel. Key manager returned: 18. Crypto return code: 10.

  • 从事件日志中,我们可以看到 CPKEK 创建失败。

Thu Oct 30 09:22:47 -0400 [Cluster-01: sshd-session: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for admin from 10.116.69.235 port 52706 ssh2  '}Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000', 'key_digest': 'c8579c2b9878d09c9de93b70c3b5967ad92dbba201a62b1e1cec49912e38a2f1'}Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '000000000000000002000000000008006491085af75e1ebe51080bc719c968fb0000000000000000', 'key_digest': '1c40520de3a7f16a7d0ac44cda4fc45af5084e8ce4bb8bfac99ac553238c5034'}Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '000000000000000002000000000009006af7b4903f2d1cd44111f0bfed5a5af00000000000000000', 'key_digest': '6818cc94a6d2dede43771b75755af3bb5aa24420565cf3081957c12baa62b4c4'}Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto_key_stored_1:notice]: params: {'key_id': '00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000', 'key_digest': 'c8579c2b9878d09c9de93b70c3b5967ad92dbba201a62b1e1cec49912e38a2f1'}Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.debug:info]: Onboard key hierarchy creation failed: CPKEK creation failed: 10.

  • 表 cryptomod_create_okm_base_hierarchy 需要超过 25 秒。

Thu Oct 30 09:25:52 -0400 [Cluster-01: ksmf_timeout_thread: ksmf.svc.watchdog:debug]: "kSMF service thread held > 25 (sec) by application for table cryptomod_create_okm_base_hierarchy"Thu Oct 30 09:26:10 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.Thu Oct 30 09:29:00 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.Thu Oct 30 09:35:22 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.Thu Oct 30 09:37:56 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.Thu Oct 30 09:52:22 -0400 [Cluster-01: svc_queue_thread: crypto.key.deleted:notice]: Deleted key with key ID 00000000000000000200000000000c00b47625503aa4784b1ce92625ab6beb2a0000000000000000. Reason src/crypto_okm.c:crypto_onboard_key_hierarchy_helper.

  • 从 MGWD 日志中,观察到无法打开文件 /cfcard/kmip/km_onboard.wkeydb 进行输入。

Thu Oct 30 2025 09:25:01 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_mgwd::tables::setup_wizard: [setupOKM]:1484: ENTER: First-time configuration of onboard key manager
Thu Oct 30 2025 09:25:26 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::KeymanagerFeatures: [isEKMSwitchingEnabled]:609: Not ONTAPX.
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_shared::KeymanagerConfigFile: [read]:259: File stream error -- unable to open /cfcard/kmip/km_onboard.wkeydb for input
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_shared::OkmKeyDatabase: [getWriter]:385: WKEYDB: Writer is ready to update wkeydb
Thu Oct 30 2025 09:25:27 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: DEBUG: keymanager_mgwd::tables::SVM1_kdb: [create_onboard_key_hier_imp]:958: Creating OKM base key hierarchy
Thu Oct 30 2025 09:25:52 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::SVM1_kdb: [create_onboard_key_hier_imp]:979: cryptomod_create_okm_base_hierarchy_iterator failed. Internal error: Timeout: Operation "cryptomod_create_okm_base_hierarchy_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "Cluster-01" (VSID: -1) to kernel at 127.0.0.1]
Thu Oct 30 2025 09:25:52 -04:00 [kern_mgwd:info:3724] 0x84fdf9d00: 8003e80000fa5458: ERR: keymanager_mgwd::tables::setup_wizard: [first_time_setup_km_onboard]:622: Failed to create onboard key hierarchy, err = Timeout: Operation "cryptomod_create_okm_base_hierarchy_iterator::create_imp()" took longer than 25 seconds to complete [from mgwd on node "Cluster-01" (VSID: -1) to kernel at 127.0.0.1]

  • 从 sktrace 中,我们看到 TPM 正在解封。

2025-10-30T13:25:28Z 10346238237101035   [0:0] SSAL_Log:  tss_tpm_seal:4672025-10-30T13:28:45Z 10346573549617619   [15:0] SSAL_Log:  tss_tpm_unseal:250

  • 此外,处理表 cryptomod_create_okm_base_hierarchy 需要超过 25 秒。

2025-10-30T13:24:19Z 10346122503639135   [12:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table crypto_tpm_status is quarantined. Active thread count:0
2025-10-30T13:26:10Z 10346310244488666   [0:0] KSMF_SMF_SVC_NORM:  process_request: Processing for table cryptomod_create_okm_base_hierarchy took 43533 msec which is longer than the client's timeout of 25000
2025-10-30T13:26:10Z 10346310244490786   [0:0] KSMF_SMF_SVC_NORM:  update_quarantine: Table cryptomod_create_okm_base_hierarchy is quarantined. 

  • 将超时值从 25 秒增加到 60 秒,仍然是同一个问题。

cluster::*> debug smdb table dsmdb_config modify -dist-timeout 60

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.