NetApp ONTAP and Entrust KeyControl with nShield® HSM Integration Guide
Version: 1.0
Date: Friday, June 4, 2021
Copyright © 2021 nCipher Security Limited. All rights reserved.
Copyright in this document is the property of nCipher Security Limited. It is not to be
reproduced, modified, adapted, published, translated in any material form (including
storage in any medium by electronic means whether or not transiently or incidentally) in
whole or in part nor disclosed to any third party without the prior written permission of
nCipher Security Limited neither shall it be used otherwise than for the purpose for
which it is supplied.
Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its
affiliates in the EU and other countries.
Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in
the United States and/or other countries.
Information in this document is subject to change without notice.
nCipher Security Limited makes no warranty of any kind with regard to this information,
including, but not limited to, the implied warranties of merchantability and fitness for a
particular purpose. nCipher Security Limited shall not be liable for errors contained
herein or for incidental or consequential damages concerned with the furnishing,
performance or use of this material.
Where translations have been made in this document English is the canonical language.
nCipher Security Limited
Registered Office: One Station Square
Cambridge, UK CB1 2GA
Registered in England No. 11673268
nCipher is an Entrust company.
Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or
service marks of Entrust Corporation in the U.S. and/or other countries. All other brand
or product names are the property of their respective owners. Because we are
continuously improving our products and services, Entrust Corporation reserves the right
to change specifications without prior notice. Entrust is an equal opportunity employer.
2 of 16 NetApp ONTAP - Entrust KeyControl - nShield® HSM Integration Guide
Contents
1. Introduction    4
1.1. Hardware and software requirements    4
1.2. Licensing requirements    4
1.3. High-availability considerations    4
1.4. Product configuration    4
2. Procedures    6
2.1. Installation overview    6
2.2. Install the Entrust KeyControl server    6
2.3. Configure the nShield HSM in the KeyControl server    7
2.4. Configure the KeyControl server as a KMIP node    7
2.5. Configure the KeyControl server    7
2.6. Import the KMIP certificates to ONTAP    8
3. Manage certificates    14
3.1. Delete certificates    14
3.2. Replace SSL certificates    14
3.3. Clean up key servers    14
3.4. Set up new key servers    15
Contact Us    16
1. Introduction
This document describes the configuration of NetApp ONTAP 9.8P3 (or later) data
management software for integration with the Entrust KeyControl (formerly HyTrust
KeyControl) 5.3 key management solution with an Entrust nShield hardware security
module (HSM) root of trust. NetApp Storage Encryption (NSE) and NetApp Volume
Encryption (NVE) solutions are compatible with the Entrust KeyControl solution. Entrust
KeyControl can serve as a key manager for storage encryption by using the open
standard called the Key Management Interoperability Protocol (KMIP).
1.1. Hardware and software requirements
You must have Entrust KeyControl version 5.3 or later before you begin. ONTAP 9.8P3 or
later is also required.
The NetApp Interoperability Matrix Tool defines the product components and versions
that can be used to construct configurations that are supported by NetApp. See
https://mysupport.netapp.com/matrix/.
1.2. Licensing requirements
You must have an Entrust KeyControl license prior to installation.
1.3. High-availability considerations
The Entrust KeyControl solution uses an active-active deployment, which provides
high-availability capability to manage encryption keys. NetApp highly recommends this
deployment configuration.
In an active-active cluster, changes made to any KeyControl node in the cluster are
automatically reflected on all nodes in the cluster. For full information about the Entrust
KeyControl solution, see the HyTrust KeyControl Product Overview.
1.4. Product configuration
The integration between NetApp ONTAP, Entrust KeyControl, and nShield HSM has been
successfully tested in the following configurations:
Product                            Version
NetApp ONTAP                       9.8P3
Entrust KeyControl                 5.3
nShield Security World software    12.60.11
nShield Connect XC                 12.50.11 (12.60.10)
2. Procedures
2.1. Installation overview
1. Install the Entrust KeyControl server.
2. Configure the Entrust KeyControl server with high availability.
3. Generate a KMIP certificate for each controller/cluster.
4. Extract the signing certificates from the KeyControl server.
5. Import the KeyControl certificates in ONTAP.
6. Configure the KeyControl server as an ONTAP KMIP cluster node.
After completing these steps, see the Storage Encryption sections in the relevant
documents in the ONTAP Documentation Center, https://docs.netapp.com/ontap-9/index.jsp:
• ONTAP System Administration Guide
• ONTAP Disk and Aggregates Power Guide
• ONTAP Command Reference
To manage storage encryption after it is set up, see the ONTAP Disk and Aggregates
Power Guide.
2.2. Install the Entrust KeyControl server
The Entrust KeyControl server is a software solution deployed from an OVA or ISO
image. NetApp recommends that you read the HyTrust KeyControl Installation Overview
to fully understand the KeyControl server deployment. To configure a KeyControl cluster
(active-active configuration is recommended), as performed in the NetApp ONTAP 9
integration validation, NetApp recommends the use of the OVA installation method for
simplicity, as described in the HyTrust KeyControl OVA Installation instructions.
The KeyControl OVA must be deployed from vCenter, and not from an ESXi host.
After the KeyControl server is deployed, configure the first KeyControl node as described
in the HyTrust Configuring the First KeyControl Node installation guide.
After completing this procedure, add the second node as described in HyTrust Adding a
New KeyControl Node to an Existing Cluster (OVA Installation) to create the
recommended active-active cluster.
Although an active-active cluster is not a requirement, and a single
KeyControl node can be deployed to perform the functions of KMIP,
NetApp highly recommends deploying the solution with a minimum of
two nodes for an active-active cluster solution that instantiates a highly
available and robust architecture.
Your KeyControl license determines how many KeyControl nodes you can have in a
cluster. For full information about the KeyControl licensing, see the HyTrust Managing the
KeyControl License Admin page.
2.3. Configure the nShield HSM in the KeyControl server
See Entrust KeyControl nShield HSM Integration Guide.
2.4. Configure the KeyControl server as a KMIP node
To use external key management, NetApp encryption solutions require an external key
management server such as the Entrust KeyControl server. To configure the KeyControl
server as a KMIP node, see the HyTrust Configuring a KeyControl KMIP Server section of
the Admin Guide.
In a configuration with external key management, such as this integration, the KeyControl
server is the KMIP node and ONTAP is the KMIP client.
Certificates are required to facilitate the KMIP communications from the KeyControl
server to ONTAP and from ONTAP to the KeyControl server.
Existing PKI infrastructures can be used to import certificates for use by KeyControl and
ONTAP. However, the simplest solution is to leverage the built-in capabilities in the
KeyControl server to create and publish the certificates. To perform this operation, create
the certificate bundle as described in the Creating KMIP Client Certificate Bundles
section of the Entrust KeyControl Admin Guide.
When you are creating the client certificate in KeyControl, do not use a
password in the certificates.
After you have created and downloaded these certificates, you need to upload or import
them into the ONTAP cluster.
2.5. Configure the KeyControl server
After the Entrust KeyControl server is deployed and the initial installation is complete,
you can configure the network settings, e-mail server preferences, and certificate
configuration. For these procedures, see the HyTrust KeyControl System Configuration
Admin Guide.
2.6. Import the KMIP certificates to ONTAP
The certificates must be installed before running the key manager setup.
You have to import the following files:
• A <cert_name>.pem file that includes both the client certificate and the private key. You
will have to paste two sections from this file into the corresponding prompts from
ONTAP.
◦ The client certificate section of the <cert_name>.pem file includes all the text
between the BEGIN and END lines, and the BEGIN and END lines themselves:
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
◦ The private key section of the <cert_name>.pem file includes all the text between
the BEGIN and END lines, and the BEGIN and END lines themselves:
-----BEGIN PRIVATE KEY-----
some text
-----END PRIVATE KEY-----
• A cacert.pem file, which is the root certificate for the KMS cluster. It is always named
cacert.pem.
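Before pasting anything into ONTAP it is worth checking that the downloaded bundle really contains the two sections described above and that the key is not password protected. The following is an added example, not part of this guide or of KeyControl: it splits a <cert_name>.pem bundle into its PEM blocks, returns the exact certificate and private key texts (BEGIN and END lines included) for the two ONTAP prompts, and flags an encrypted key, a missing block, or a body that does not decode to DER. The sample files are constructed placeholders, not real KeyControl output.

```python
import base64
import re

# Constructed sample files: the bodies are a tiny placeholder ASN.1 SEQUENCE
# ("MAMCAQE="), not a real certificate or key; only the PEM framing matters here.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + FAKE_DER + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + FAKE_DER + "\n-----END PRIVATE KEY-----\n"
)
SAMPLE_CACERT = "-----BEGIN CERTIFICATE-----\n" + FAKE_DER + "\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


def split_pem(text):
    """Map each PEM label (e.g. 'CERTIFICATE') to its full block and its body.
    The full block keeps the BEGIN and END lines, which ONTAP expects to be pasted."""
    blocks = {}
    for m in PEM_BLOCK.finditer(text.replace("\r\n", "\n")):
        blocks[m.group(1)] = {"text": m.group(0), "body": m.group(2)}
    return blocks


def looks_like_der(body):
    """Base64-decode a PEM body and check it starts with an ASN.1 SEQUENCE tag."""
    try:
        raw = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) > 0 and raw[0] == 0x30


def sections_to_paste(bundle_text):
    """Return (certificate, private key) texts for ONTAP's two prompts."""
    blocks = split_pem(bundle_text)
    return blocks["CERTIFICATE"]["text"], blocks["PRIVATE KEY"]["text"]


def check_kmip_files(bundle_text, cacert_text):
    """Return a list of problems; an empty list means the files are ready to import."""
    problems = []
    bundle = split_pem(bundle_text)
    if "CERTIFICATE" not in bundle:
        problems.append("bundle: no CERTIFICATE block")
    if "PRIVATE KEY" not in bundle:
        if "ENCRYPTED PRIVATE KEY" in bundle:
            # The guide says not to set a password on the KeyControl client certificate.
            problems.append("bundle: private key is password protected; "
                            "regenerate it in KeyControl without a password")
        else:
            problems.append("bundle: no PRIVATE KEY block")
    cacert = split_pem(cacert_text)
    if list(cacert) != ["CERTIFICATE"]:
        problems.append("cacert.pem: expected exactly one CERTIFICATE block")
    for name, blocks in (("bundle", bundle), ("cacert.pem", cacert)):
        for label, block in blocks.items():
            if not looks_like_der(block["body"]):
                problems.append(f"{name}: {label} block is not valid base64 DER")
    return problems
```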
Import the previous certificates to ONTAP:
1. Run the security certificate install command as described in the ONTAP 9 NetApp
Encryption Power Guide.
2. Install the NetApp cluster’s KMIP client certificate:
security certificate install -vserver <admin_svm_name> -type client -subtype kmip-cert
<admin_svm_name> is the host name of the NetApp server.
3. Paste the client certificate section from <cert_name>.pem.
When you are installing the client KMIP certificate, you will also be prompted to paste
the private key section from <cert_name>.pem.
Example:
mycluster::> security certificate install -vserver mycluster -type client -subtype kmip-cert

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

Please enter Private Key: Press <Enter> when done
-----BEGIN PRIVATE KEY-----
(private key body omitted)
-----END PRIVATE KEY-----

Enter certificates of certification authorities (CA) which form the certificate chain of the client certificate. This starts with the issuing CA certificate of the client certificate and can range up to the root CA certificate.
Do you want to continue entering root and/or intermediate certificates {y|n}: n

You should keep a copy of the private key and the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: HyTrust KeyControl Certificate Authority
serial: A0906914

The certificate's generated name for reference: ontap
4. Install the KMIP server certificate certification authority (CA):
security certificate install -vserver <admin_svm_name> -type server-ca -subtype kmip-cert
Example:
mycluster::> security certificate install -vserver mycluster -type server-ca -subtype kmip-cert

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

You should keep a copy of the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: HyTrust KeyControl Certificate Authority
serial: 6090690F

The certificate's generated name for reference: HyTrustKeyControlCertificateAuthority
2.6.1. Configure ONTAP to use the KMIP certificates
You have to configure certain boot environment variables before you can configure
ONTAP.
2.6.1.1. Configure bootarg.storageencryption.support
This bootarg is typically set during the manufacturing process. If the encrypted disks
don’t show up at boot time, verify that it is set to true:
1. Halt the ONTAP boot process to bring up the LOADER-(A,B)> prompt.
2. Run:
LOADER-A> setenv bootarg.storageencryption.support true
3. Confirm that bootarg.storageencryption.support is set:
LOADER-A> printenv bootarg.storageencryption.support
true
2.6.1.2. Configure the NetApp Storage Encryption Solution
You can set up an external key management server so that your storage system can
securely store and retrieve authentication keys for self-encrypting disks (SEDs) in a
location separate from your data. You can link up to four key management servers.
NetApp recommends a minimum of two for redundancy and disaster recovery.
1. To set up external key management servers, run the security key-manager setup
command.
By default, the command runs on the local node hosting the cluster management LIF.
This command must be run on each node in the cluster that uses encrypting hard
drives. By design, the nodes should form an HA pair, unless the cluster has only one node.
2. Launch the key management setup wizard to configure ONTAP for storage
encryption:
mycluster::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default
or omit a question, do not enter a value.

Would you like to configure the Onboard Key Manager? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes
2.6.1.3. Configure the NetApp Volume Encryption Solution
You can set up an external key management server so that your storage system can
securely store and retrieve authentication keys for the NetApp Volume Encryption (NVE)
solution. NetApp recommends a minimum of two for redundancy and disaster recovery.
For NVE configuration details, see the ONTAP 9 NetApp Encryption Power Guide.
1. Add the KeyControl node(s).
Example:
mycluster::> security key-manager external add-servers -vserver mycluster -key-servers xxx.xxx.xxx.xxx:5696
Successfully queued job "31" to sync key cache for the given key management server.
Repeat the add-servers command for every node in the KeyControl cluster.
2. Verify the communication between the external Key Manager and the cluster
(ONTAP).
mycluster::security> security key-manager query
No matching keys found.
If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.

mycluster::security> security key-manager show -status
Node                   Port   Registered Key Manager      Status
---------------------- ------ --------------------------- ---------------
mycluster-01           5696   xxx.xxx.xxx.xxx             available
mycluster-01           5696   xxx.xxx.xxx.xxx             available
2 entries were displayed.
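The status table above is what you check after every add-servers run, and after a certificate change or a KMIP server restart. The following is an added example, not from this guide or from NetApp: it parses the output of security key-manager show -status and reports any registered KeyControl server that a node does not see as available, and any node that has fewer than the two key servers this guide recommends. The sample output, node names and 192.0.2.x addresses are constructed placeholders.

```python
# Constructed sample output in the format of `security key-manager show -status`;
# the node names and 192.0.2.x addresses are placeholders, not a real cluster.
SAMPLE_STATUS = """\
Node                   Port   Registered Key Manager      Status
---------------------- ------ --------------------------- ---------------
mycluster-01           5696   192.0.2.10                  available
mycluster-01           5696   192.0.2.11                  available
mycluster-02           5696   192.0.2.10                  available
mycluster-02           5696   192.0.2.11                  unavailable
4 entries were displayed.
"""

MIN_KEY_SERVERS = 2  # the guide recommends at least two servers for redundancy


def parse_status(output):
    """Return (node, port, server, status) tuples from the command output."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        # Data rows have four columns and a numeric port; this skips the header,
        # the dashed separator, the "N entries were displayed." summary and blanks.
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        node, port, server, status = parts
        rows.append((node, int(port), server, status))
    return rows


def audit_status(output, min_servers=MIN_KEY_SERVERS):
    """Return a sorted list of findings; an empty list means every node sees all
    of its registered KeyControl servers as available with the recommended count."""
    by_node = {}
    for node, port, server, status in parse_status(output):
        by_node.setdefault(node, {})[(server, port)] = status
    findings = []
    for node, servers in by_node.items():
        for (server, port), status in servers.items():
            if status != "available":
                findings.append(f"{node}: {server}:{port} is {status}")
        if len(servers) < min_servers:
            findings.append(f"{node}: only {len(servers)} key server(s) registered, "
                            f"want at least {min_servers}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_status(SAMPLE_STATUS) or ["all key servers available"]:
        print(finding)
```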
2.6.1.4. Verify the communication with the external Key Manager on the Entrust KeyControl server
To verify that ONTAP is communicating and requesting keys from the KeyControl server,
use the Objects tab in the KeyControl user interface. See Managing KMIP Objects in the
HyTrust KeyControl Admin Guide.
You might have to refresh the list in the KeyControl user interface to view the updated
requests.
If the certificates or the KMIP configuration have been changed, you may need to restart
the KMIP server. See section Restarting a KMIP Server in the HyTrust KeyControl admin
guide.
Restarting the KMIP server does not restart the KeyControl server. It only restarts the
KMIP service.
3. Manage certificates
3.1. Delete certificates
Before installing new certificates, old certificates must be removed to make sure that the
updated certificates are used.
1. Disable the connection to the key management (KMIP) server:
security key-manager delete -address <IP_Address_of_KMIP_Server>
2. Remove all certificates for the cluster:
security certificate delete -vserver <admin_svm_name> -common-name <fqdn_or_custom_common_name> -ca <certificate_authority> -type client -subtype kmip-cert
security certificate delete -vserver <admin_svm_name> -common-name <fqdn_or_custom_common_name> -ca <certificate_authority> -type server-ca -subtype kmip-cert
The old certificates are now deleted. You can install the new ones.
3.2. Replace SSL certificates
All SSL certificates have an expiration period after initial creation. After a predetermined
time, the certificates are no longer valid. They should be replaced before the expiration
date.
To replace the certificates, follow the steps in section 2.6, Import the KMIP certificates to ONTAP.
3.3. Clean up key servers
1. Ensure that any encrypted volumes are properly deleted:
volume delete -vserver <vserver> -volume <env_vol> -force true -disable-offline-check true
2. Disable external key management on the vserver:
set advanced
security key-manager external disable -vserver <vserver>
set admin
3.4. Set up new key servers
1. Install the new certificates:
security certificate install -vserver <vserver> -type server-ca
security certificate install -vserver <vserver> -type client
2. Enable a new external key management on the vserver:
security key-manager external enable -key-servers <new_key_server> -client-cert <client-cert-name> -server-ca-certs <server-ca-cert-name> -vserver <vserver>
3. Verify that external key management is enabled and that its status is available:
security key-manager external show-status
Contact Us
Web site https://www.entrust.com
Support https://nshieldsupport.entrust.com
Email Support [email protected]
Online documentation: Available from the Support site listed above.
You can also contact our Support teams by telephone, using the following numbers:
Europe, Middle East, and Africa
United Kingdom: +44 1223 622444
One Station Square
Cambridge, UK CB1 2GA
Americas
Toll Free: +1 833 425 1990
Fort Lauderdale: +1 954 953 5229
Sawgrass Commerce Center – A
Suite 130
13800 NW 14 Street
Sunrise, FL 33323 USA
Asia Pacific
Australia: +61 8 9126 9070
World Trade Centre Northbank Wharf
Siddeley St
Melbourne VIC 3005 Australia
Japan: +81 50 3196 4994
Hong Kong: +852 3008 3188
31/F, Hysan Place,
500 Hennessy Road,
Causeway Bay
ABOUT ENTRUST CORPORATION
Entrust keeps the world moving safely by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they're crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it's no wonder the world's most entrusted organizations trust us.
To get help with Entrust nShield HSMs
nshieldsupport.entrust.com