错误:命令失败:位于 "x.x.x.x" 的密钥服务器包含当前正在使用且不可用的卷加密密钥
适用场景
- ONTAP 9
- 外部密钥管理器(EKM)
- NetApp 卷加密 (NetApp Volume Encryption, NVE)
问题描述
- 在尝试将外部密钥管理器服务器迁移到新服务器时、无法删除最后一个密钥服务器。
Cluster-01::*> security key-manager external remove-servers -vserver cluster-1 -key-servers 10.28.XX.XXError: command failed: The key server at "10.28.XX.XX" contains volume encryption keys that are currently in useand not available from any other configured key server.- 证书和密钥已复制到新的KMIP服务器、但集群 不会从这些服务器中提取密钥。
- 在以下示例中、10.28.XX.XX是最后一个旧密钥服务器。新密钥服务器显示为可用、但不在密钥查询中:
Cluster-01::> security key-manager key queryNode: Cluster-01-01Vserver: Cluster-01Key Manager: 10.28.XX.XX:5696Key Manager Type: KMIPKey Tag Key Type Restored------------------------------------ -------- --------2170bf6c-998b-11eb-b2a8-d039ea061535 VEK trueKey ID: 00000000000000000200000000000500d3a552b209a7265eb531e4cf5adb21c5000000000000000038bc9422-998b-11eb-b2a8-d039ea061535 VEK trueKey ID: 00000000000000000200000000000500e32ca6a0c308f850c51120b47334869f000000000000000027696c31-998b-11eb-b2a8-d039ea061535 VEK trueKey ID: 00000000000000000200000000000500fefbd8470e63a8877d53509b9cd708e40000000000000000Node: Cluster-01-02Vserver: Cluster-01Key Manager: 10.28.XX.XX:5696Key Manager Type: KMIPKey Tag Key Type Restored------------------------------------ -------- --------2170bf6c-998b-11eb-b2a8-d039ea061535 VEK trueKey ID: 00000000000000000200000000000500d3a552b209a7265eb531e4cf5adb21c5000000000000000038bc9422-998b-11eb-b2a8-d039ea061535 VEK trueKey ID: 00000000000000000200000000000500e32ca6a0c308f850c51120b47334869f000000000000000027696c31-998b-11eb-b2a8-d039ea061535 VEK trueKey ID: 00000000000000000200000000000500fefbd8470e63a8877d53509b9cd708e400000000000000006 entries were displayed.- 密钥服务器可用:
Cluster-01::*> key-manager show -statussecurity key-manager show)Node Port Registered Key Manager Status---------------------- ------ --------------------------- ---------------Cluster-01-01 5696 10.28.XX.XX available Cluster-01-01 5696 10.36.XX.XX availableCluster-01-02 5696 10.28.XX.XX availableCluster-01-02 5696 10.36.XX.XX available