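Volume rehost of an encrypted volume in Azure CVO puts the key manager in a mixed state
Applies to
- ONTAP 9.14.1P6 and earlier
- Azure Key Vault (KV)
- Volume rehost
Issue
After a failed volume rehost of an encrypted volume from a Vserver with Azure Key Vault enabled to a Vserver without any key manager configured, the keystore ends up in a mixed state:
Cluster::*> security key-manager external azure check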
Vserver: svm1
Node: node-01
Category: service_reachability
Status: OK
Category: ekmip_server
Status: OK
Category: kms_wrapped_key_status
Status: UNKNOWN
Details: The top-level internal key protection key (KEK) is
unavailable on node node-01. Reason: The
key manager is in mixed state.
Encryption stops working at the Vserver level, and any attempt to create / delete / move an encrypted volume results in the following error:
Volume encryption keys (VEK) cannot be created or deleted for data Vserver "svm1". External key management has been configured for data Vserver "svm1" but VEKs for existing encrypted volumes of this data Vserver are stored in key manager configured for the admin Vserver. Either use the (privilege: advanced) "security key-manager key migrate -from-vserver <admin vserver_name> -to-vserver <data vserver_name>" command to migrate existing keys of this data Vserver from the admin Vserver's key manager to this data Vserver's key manager or unconfigure the key manager for this data Vserver.
Warning: Do not run the command suggested in the error message or attempt to unconfigure the key manager! Contact NetApp Technical Support for further assistance.
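
One way to detect this condition from saved check output, as an added example that is not NetApp code: it parses text in the shape shown above and returns the Vserver/node pairs whose kms_wrapped_key_status is not OK with a mixed-state reason. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample in the shape of the check output shown above.
SAMPLE = """\
Vserver: svm1
Node: node-01
Category: service_reachability
Status: OK
Category: ekmip_server
Status: OK
Category: kms_wrapped_key_status
Status: UNKNOWN
Details: The top-level internal key protection key (KEK) is
unavailable on node node-01. Reason: The
key manager is in mixed state.
"""

FIELD = re.compile(r"^(Vserver|Node|Category|Status|Details):\s*(.*)$")

def parse_check(text):
    """Return one dict per Category block, tagged with its Vserver and Node."""
    ctx, cur, results = {"vserver": None, "node": None}, None, []
    for line in map(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if not m:
            # Wrapped continuation of a Details line.
            if line and cur and cur["details"]:
                cur["details"] += " " + line
            continue
        key, value = m.groups()
        if key in ("Vserver", "Node"):
            ctx[key.lower()] = value
            cur = None  # a new Vserver/Node closes the previous block
        elif key == "Category":
            cur = {**ctx, "category": value, "status": None, "details": ""}
            results.append(cur)
        elif cur is not None:
            cur[key.lower()] = value  # Status or Details
    return results

def mixed_state(results):
    """(vserver, node) pairs whose wrapped-key check reports the mixed state."""
    return sorted({(r["vserver"], r["node"]) for r in results
                   if r["category"] == "kms_wrapped_key_status"
                   and r["status"] != "OK"
                   and "mixed state" in r["details"].lower()})
```

Calling `mixed_state(parse_check(SAMPLE))` on the sample returns the svm1 / node-01 pair; an empty list means no node reported the mixed state.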