Flashes (Alerts)
Abstract
Storage controllers enabled for N series Storage Encryption (NSE) that are running Data ONTAP 8.1RC2 or earlier and are to be upgraded to 8.1RC3 or later must follow the upgrade procedure below. The procedure is required because of a defect on storage controllers with 10-character System IDs, in which one character is dropped from the NSE System ID. The effect is improper key fetching from the key manager. The defect is fixed in 8.1RC3 and later. After the upgrade is completed, a rekey must be performed to update the System IDs on each storage controller.
Content
- Upgrade procedure:
1. Validate that all Key Managers are reachable.
- key_manager query
If the key_manager query fails, open a support call to resolve all key manager issues prior to Data ONTAP upgrade.
2. Upgrade Data ONTAP
i. Copy the upgrade image to the storage controller
- For NFS, copy the upgrade package to /vol/vol0/etc/software.
- For CIFS, copy the upgrade package to c$\etc\software.
iii. software update xxx_image.tgz -r
iv. download
v. For single controller or HA pair:
a. Single controller: reboot
b. HA pair: go to the partner controller and run:
cf takeover (this will cause the controller being upgraded to reboot)
c. After the controller comes back online, go to the partner controller and run:
cf giveback
- version
4. Validate that all Key Managers are reachable after the upgrade.
- key_manager query
If key_manager query fails on any of the Key Servers, open a support call to resolve all key manager issues before Data ONTAP upgrade.
5. Update System IDs
- key_manager setup
Follow the wizard's onscreen prompts to re-add all key managers. When creating a new passphrase, a manual passphrase is strongly recommended. Select yes to lock all the drives. An example is provided at the end of this technote.
6. Verify all key managers are restored and communicating properly.
- key_manager query
Verify that the new Key ID created during 'key_manager setup' is stored on all key managers. Note that the previous Key IDs will not be displayed because the system ID values have been updated from 9 characters to 10 characters.
7. Verify all the drives have been rekeyed and locked.
- disk encrypt show
Verify that all the drives are using the new Key ID created during 'key_manager setup'. The Key ID shown by disk encrypt show will match the Key ID in the key_manager query output.
8. Repeat the above steps for the second controller.
Example of 'key_manager setup':
NSE_FilerA> key_manager setup
Enter the IP address for a key server, 'q' to quit, or
'enter' for the default selection [xxx.xxx.xxx.xxx]: (press enter)
Enter the IP address for a key server, 'q' to quit: q
Enter the TCP port number for kmip server [5696] : (press enter)
You will now be prompted to enter a key tag name. The key tag name is used to identify all keys belonging to this Data ONTAP system. The default key tag name is based on the system's hostname.
Would you like to use <NSE_FilerA> as the default key tag name? [yes]: (press enter)
Registering 1 key servers...
Registration complete.
Do you wish to enter or generate a passphrase for the system's encrypting drives at this time? [yes]: (press enter)
Would you like the system to autogenerate a passphrase? [yes]: no <----If "yes", autogenerated passphrase will not be shown.
Please enter a passphrase (20 characters or longer): (press enter after inputting passphrase)
Please reenter the passphrase: (press enter after reentering passphrase)
Key ID: 5DCD939A5DCD93040100000000000000F1B363E5F33B69D4C1D52BCC5D015CF6 <----This is the new auto generated Key ID
Make sure that you keep a copy of your passphrase, Key ID, and key tag name in a secure location in case it is ever needed for recovery purposes.
Should the system lock all encrypting drives at this time? yes
0a.01.5 successful rekey.
0a.01.1 successful rekey.
0b.02.6 successful rekey.
0a.01.5 successful lock.
0a.01.1 successful lock.
0b.02.6 successful lock.
NSE_FilerA>
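The rekey and lock confirmation in the transcript above can also be checked mechanically from a saved console capture. The following Python script is an added example, not part of the original technote or of Data ONTAP; it assumes only the 'Key ID:' and 'successful rekey/lock' line formats shown above, and the function name audit_setup_log and the operator-supplied expected drive list are hypothetical.

```python
import re

# Line shapes taken from the 'key_manager setup' transcript in this technote.
KEY_ID_RE = re.compile(r"^Key ID:\s*([0-9A-Fa-f]+)")
DISK_RE = re.compile(r"^(\S+) successful (rekey|lock)\.\s*$")

def audit_setup_log(text, expected=()):
    """Return (key_id, rekeyed, locked, problems) for one captured session."""
    key_id = None
    done = {"rekey": set(), "lock": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_ID_RE.match(line)
        if m:
            key_id = m.group(1).upper()  # trailing annotations are ignored
            continue
        m = DISK_RE.match(line)
        if m:
            done[m.group(2)].add(m.group(1))
    problems = []
    if key_id is None:
        problems.append("no Key ID line found")
    for disk in sorted(set(expected) - done["rekey"]):
        problems.append(f"{disk}: no rekey confirmation")
    for disk in sorted(done["rekey"] - done["lock"]):
        problems.append(f"{disk}: rekeyed but not locked")
    for disk in sorted(done["lock"] - done["rekey"]):
        problems.append(f"{disk}: locked but not rekeyed")
    return key_id, done["rekey"], done["lock"], problems

# Constructed sample: lines from the transcript above, with the lock line
# for 0b.02.6 deliberately left out to show a drive that needs follow-up.
SAMPLE = """\
Key ID: 5DCD939A5DCD93040100000000000000F1B363E5F33B69D4C1D52BCC5D015CF6 <----new Key ID
Should the system lock all encrypting drives at this time? yes
0a.01.5 successful rekey.
0a.01.1 successful rekey.
0b.02.6 successful rekey.
0a.01.5 successful lock.
0a.01.1 successful lock.
"""

if __name__ == "__main__":
    key_id, rekeyed, locked, problems = audit_setup_log(SAMPLE)
    print("Key ID:", key_id)
    print("Problems:", problems or "none")
```

The extracted Key ID is the value to compare against the key_manager query and disk encrypt show output in steps 6 and 7.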
Document Information
Modified date: 25 September 2022
UID: ssg1S1003949