
MCC with NSE drives: "security key-manager key delete" removes a key that the DR cluster is using

Category: metrocluster
Specialty: metrocluster
Article ID: 2009-322086
Applies to

  • ONTAP 9
  • MetroCluster
  • NetApp Storage Encryption (NSE)
  • Key Management Interoperability Protocol (KMIP)

Issue

In a MetroCluster environment, the security key-manager key delete command run on one cluster deletes an NSE authentication key that is still in use by the disaster-recovery (DR) partner cluster. The in-use check only covers the drives of the cluster where the command is run, so the sequence below ends with cluster1's drives bound to a key that no longer exists on the key manager:

  1. The SED drives of cluster1 and cluster2 have two separate keys applied:

cluster1:: *> storage encryption disk show
Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 

cluster2:: *> storage encryption disk show
Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
2.30.15  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.16  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.17  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

 

  2. Both keys are restored on both clusters, as expected:

cluster1::*> security key-manager key query

         Node: cluster1n1
        Vserver: cluster1
      Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
  Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000


         Node: cluster1n2
        Vserver: cluster1
      Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
  Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000


cluster2::*> security key-manager key query

        Node: cluster2n1
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
        Node: cluster2n2
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1              NSE-AK   yes
   Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000

 

  3. Deleting the key ...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (the key applied to cluster1's drives) from cluster1 fails, as expected:

cluster1::security key-manager key*> delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
Error: command failed: Authentication key with KeyID "00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000" cannot be deleted since it is in use by one or more self-encrypting drives.

  4. However, deleting the same key from cluster2 succeeds, and the key disappears from both cluster1 and cluster2:

cluster2::*> security key-manager key delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
cluster2::*>

 

cluster2::*> security key-manager key query

        Node: cluster2n1
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


        Node: cluster2n2
       Vserver: cluster2
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -

Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


cluster1::*> security key-manager key query

        Node: cluster1n1
       Vserver: cluster1
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


        Node: cluster1n2
      Vserver: cluster1
     Key Manager: 10.xx.xx.xx:5696
  Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   true
   Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000

 

  5. Meanwhile, the SED drives on cluster1 are still using the key that is now missing:

cluster1::*> storage encryption disk show
Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
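Because the in-use check behind key delete is local to the cluster that runs it, an operator in a MetroCluster has to check the partner's drives before clearing a key. The script below is an added example written for this page, not code from the KB article or from NetApp: it parses text captured from storage encryption disk show and security key-manager key query on both clusters, refuses a key ID that any drive on either side still uses, and reports keys that drives are bound to but that the cluster's key manager no longer returns (the state step 5 ends in). The sample outputs are constructed to mirror the article, with the key IDs rebuilt as 64 hex characters in disk show and the same ID with a 16-zero suffix in key query, as on the page; the prefix/suffix normalisation is an assumption based on that captured output.

```python
"""Pre-delete check for NSE authentication keys in a MetroCluster.

Added example, not code from the KB article or from NetApp. It parses text
captured from `storage encryption disk show` and `security key-manager key
query` on BOTH clusters and refuses to clear a key ID that any self-encrypting
drive on either side still uses, because ONTAP's own in-use check only looks
at the cluster where `key delete` is run.
"""
import re
from collections import defaultdict

# Key IDs as they appear on the page: 64 hex chars in `disk show`, and the same
# ID followed by 16 zeros in `key query`. Constructed to mirror the article.
KEY_A = "0" * 16 + "0200000000000" + "A" * 35   # applied to cluster1's drives
KEY_B = "0" * 16 + "0200000000000" + "B" * 35   # applied to cluster2's drives
KEY_C = "0" * 16 + "0200000000000" + "C" * 35   # never applied to any drive
SUFFIX = "0" * 16

DISK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([0-9A-Fa-f]{32,})\s*$", re.M)
KEY_ROW = re.compile(r"Key ID:\s*([0-9A-Fa-f]{32,})")

# Constructed `storage encryption disk show` output per cluster.
DISK_SHOW = {
    "cluster1": f"""Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data {KEY_A}
1.10.1   data {KEY_A}
""",
    "cluster2": f"""Disk    Mode Data Key ID
-------- ---- ----------------------------------------------------------------
2.30.15  data {KEY_B}
2.30.16  data {KEY_B}
""",
}

# Constructed `security key-manager key query` output captured AFTER cluster2
# ran `key delete` on KEY_A: only KEY_B is left on both clusters.
KEY_QUERY_AFTER = {
    "cluster1": f"""         Node: cluster1n1
        Vserver: cluster1
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: {KEY_B}{SUFFIX}
""",
    "cluster2": f"""         Node: cluster2n1
        Vserver: cluster2
Key Tag                 Key Type  Restored
------------------------------------  --------  --------
cluster2              NSE-AK   yes
   Key ID: {KEY_B}{SUFFIX}
""",
}


def normalize(key_id):
    """Strip the zero padding `key query` appends so both outputs compare equal.
    (Assumption: the padding is always the trailing 16 zeros seen on the page.)"""
    k = key_id.upper()
    return k[:-len(SUFFIX)] if len(k) > 64 and k.endswith(SUFFIX) else k


def parse_disk_show(text):
    """Return {disk: key_id} for every keyed drive in a `disk show` output."""
    return {disk: normalize(kid) for disk, _mode, kid in DISK_ROW.findall(text)}


def parse_key_query(text):
    """Return the set of key IDs a cluster currently sees on its key manager."""
    return {normalize(k) for k in KEY_ROW.findall(text)}


def drives_using(key_id, disk_outputs):
    """Map cluster -> drives whose data key is `key_id`, across ALL clusters."""
    target = normalize(key_id)
    hits = defaultdict(list)
    for cluster, text in disk_outputs.items():
        for disk, kid in parse_disk_show(text).items():
            if kid == target:
                hits[cluster].append(disk)
    return dict(hits)


def safe_to_delete(key_id, disk_outputs):
    """True only if no drive on any cluster in the MetroCluster uses the key."""
    return not drives_using(key_id, disk_outputs)


def orphaned_keys(disk_outputs, key_query_outputs):
    """Keys still applied to a cluster's drives but absent from that cluster's
    key-manager view: the condition the article ends in after the partner's delete."""
    orphans = {}
    for cluster, text in disk_outputs.items():
        in_use = set(parse_disk_show(text).values())
        known = parse_key_query(key_query_outputs.get(cluster, ""))
        if in_use - known:
            orphans[cluster] = in_use - known
    return orphans


if __name__ == "__main__":
    for key in (KEY_A, KEY_B, KEY_C):
        print(f"...{key[-4:]} safe={safe_to_delete(key, DISK_SHOW)} "
              f"used_by={drives_using(key, DISK_SHOW)}")
    print("orphaned:", orphaned_keys(DISK_SHOW, KEY_QUERY_AFTER))
```

Feed the script the disk show output from every cluster in the MetroCluster, not only the one you are logged in to; with the article's data it refuses the A key even when queried from cluster2's side, and flags cluster1 as holding drives bound to a key its key manager no longer returns.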
