错误:命令失败:位于 "x.x.x.x" 的密钥服务器包含当前正在使用且不可用的卷加密密钥
适用场景
- ONTAP 9
- 外部密钥管理器(EKM)
- NetApp 卷加密 (NetApp Volume Encryption, NVE)
问题描述
- 在尝试将外部密钥管理器服务器迁移到新服务器时、无法删除最后一个密钥服务器。
Cluster-01::*> security key-manager external remove-servers -vserver cluster-1 -key-servers 10.28.XX.XX
Error: command failed: The key server at "10.28.XX.XX" contains volume encryption keys that are currently in use
and not available from any other configured key server.
- 证书和密钥已复制到新的KMIP服务器、但集群 不会从这些服务器中提取密钥。
- 在以下示例中、10.28.XX.XX是最后一个旧密钥服务器。新密钥服务器显示为可用、但不在密钥查询中:
Cluster-01::> security key-manager key query
Node: Cluster-01-01
Vserver: Cluster-01
Key Manager: 10.28.XX.XX:5696
Key Manager Type: KMIP
Key Tag Key Type Restored
------------------------------------ -------- --------
2170bf6c-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500d3a552b209a7265eb531e4cf5adb21c50000000000000000
38bc9422-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500e32ca6a0c308f850c51120b47334869f0000000000000000
27696c31-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500fefbd8470e63a8877d53509b9cd708e40000000000000000
Node: Cluster-01-02
Vserver: Cluster-01
Key Manager: 10.28.XX.XX:5696
Key Manager Type: KMIP
Key Tag Key Type Restored
------------------------------------ -------- --------
2170bf6c-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500d3a552b209a7265eb531e4cf5adb21c50000000000000000
38bc9422-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500e32ca6a0c308f850c51120b47334869f0000000000000000
27696c31-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500fefbd8470e63a8877d53509b9cd708e40000000000000000
6 entries were displayed.
- 密钥服务器可用:
Cluster-01::*> key-manager show -status
security key-manager show)
Node Port Registered Key Manager Status
---------------------- ------ --------------------------- ---------------
Cluster-01-01 5696 10.28.XX.XX available
Cluster-01-01 5696 10.36.XX.XX available
Cluster-01-02 5696 10.28.XX.XX available
Cluster-01-02 5696 10.36.XX.XX available