NetApp ONTAP and Entrust KeyControl

NetApp ONTAP and Entrust KeyControl with nShield® HSM Integration Guide



Version: 1.0

Date: Friday, June 4, 2021

Copyright © 2021 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

nCipher Security Limited

Registered Office: One Station Square

Cambridge, UK CB1 2GA

Registered in England No. 11673268

nCipher is an Entrust company.

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer.


Contents

1. Introduction (p. 4)
1.1. Hardware and software requirements (p. 4)
1.2. Licensing requirements (p. 4)
1.3. High-availability considerations (p. 4)
1.4. Product configuration (p. 4)
2. Procedures (p. 6)
2.1. Installation overview (p. 6)
2.2. Install the Entrust KeyControl server (p. 6)
2.3. Configure the nShield HSM in the KeyControl server (p. 7)
2.4. Configure the KeyControl server as a KMIP node (p. 7)
2.5. Configure the KeyControl server (p. 7)
2.6. Import the KMIP certificates to ONTAP (p. 8)
3. Manage certificates (p. 14)
3.1. Delete certificates (p. 14)
3.2. Replace SSL certificates (p. 14)
3.3. Clean up key servers (p. 14)
3.4. Set up new key servers (p. 15)
Contact Us (p. 16)


1. Introduction

This document describes the configuration of NetApp ONTAP 9.8P3 (or later) data management software for integration with the Entrust KeyControl (formerly HyTrust KeyControl) 5.3 key management solution with an Entrust nShield hardware security module (HSM) root of trust. NetApp Storage Encryption (NSE) and NetApp Volume Encryption (NVE) solutions are compatible with the Entrust KeyControl solution. Entrust KeyControl can serve as a key manager for storage encryption by using the open standard called the Key Management Interoperability Protocol (KMIP).

1.1. Hardware and software requirements

You must have Entrust KeyControl version 5.3 or later before you begin. ONTAP 9.8P3 or later is also required.

The NetApp Interoperability Matrix Tool defines the product components and versions that can be used to construct configurations that are supported by NetApp. See https://mysupport.netapp.com/matrix/.

1.2. Licensing requirements

You must have an Entrust KeyControl license prior to installation.

1.3. High-availability considerations

The Entrust KeyControl solution uses an active-active deployment, which provides high-availability capability to manage encryption keys. NetApp highly recommends this deployment configuration.

In an active-active cluster, changes made to any KeyControl node in the cluster are automatically reflected on all nodes in the cluster. For full information about the Entrust KeyControl solution, see the HyTrust KeyControl Product Overview.

1.4. Product configuration

The integration between NetApp ONTAP, Entrust KeyControl, and nShield HSM has been successfully tested in the following configurations:

Product                            Version
NetApp ONTAP                       9.8P3
Entrust KeyControl                 5.3
nShield Security World software    12.60.11
nShield Connect XC                 12.50.11 (12.60.10)

2. Procedures

2.1. Installation overview

1. Install the Entrust KeyControl server.

2. Configure the Entrust KeyControl server with high availability.

3. Generate a KMIP certificate for each controller/cluster.

4. Extract the signing certificates from the KeyControl server.

5. Import the KeyControl certificates in ONTAP.

6. Configure the KeyControl server as an ONTAP KMIP cluster node.

After completing these steps, see the Storage Encryption sections in the relevant documents in the ONTAP Documentation Center, https://docs.netapp.com/ontap-9/index.jsp:

• ONTAP System Administration Guide

• ONTAP Disk and Aggregates Power Guide

• ONTAP Command Reference

To manage storage encryption after it is set up, see the ONTAP Disk and Aggregates Power Guide.

2.2. Install the Entrust KeyControl server

The Entrust KeyControl server is a software solution deployed from an OVA or ISO image. NetApp recommends that you read the HyTrust KeyControl Installation Overview to fully understand the KeyControl server deployment. To configure a KeyControl cluster (active-active configuration is recommended), as performed in the NetApp ONTAP 9 integration validation, NetApp recommends the use of the OVA installation method for simplicity, as described in the HyTrust KeyControl OVA Installation instructions.

The KeyControl OVA must be deployed from vCenter, and not from an ESXi host.

After the KeyControl server is deployed, configure the first KeyControl node as described in the HyTrust Configuring the First KeyControl Node installation guide.

After completing this procedure, add the second node as described in HyTrust Adding a New KeyControl Node to an Existing Cluster (OVA Installation) to create the recommended active-active cluster.


Although an active-active cluster is not a requirement, and a single KeyControl node can be deployed to perform the functions of KMIP, NetApp highly recommends deploying the solution with a minimum of two nodes for an active-active cluster solution that instantiates a highly available and robust architecture.

Your KeyControl license determines how many KeyControl nodes you can have in a cluster. For full information about the KeyControl licensing, see the HyTrust Managing the KeyControl License Admin page.

2.3. Configure the nShield HSM in the KeyControl server

See Entrust KeyControl nShield HSM Integration Guide.

2.4. Configure the KeyControl server as a KMIP node

To use external key management, NetApp encryption solutions require an external key management server such as the Entrust KeyControl server. To configure the KeyControl server as a KMIP node, see the HyTrust Configuring a KeyControl KMIP Server section of the Admin Guide.

In a configuration with external key management like in this integration, the KeyControl server is the KMIP node and ONTAP is the KMIP client.

Certificates are required to facilitate the KMIP communications from the KeyControl server to ONTAP and from ONTAP to the KeyControl server.

Existing PKI infrastructures can be used to import certificates for use by KeyControl and ONTAP. However, the simplest solution is to leverage the built-in capabilities in the KeyControl server to create and publish the certificates. To perform this operation, create the certificate bundle as described in the Creating KMIP Client Certificate Bundles section of the Entrust KeyControl Admin Guide.

When you are creating the client certificate in KeyControl, do not use a password in the certificates.

After you have created and downloaded these certificates, you need to upload or import them into the ONTAP cluster.

2.5. Configure the KeyControl server

After the Entrust KeyControl server is deployed and the initial installation is complete, you can configure the network settings, e-mail server preferences, and certificate configuration. For these procedures, see the HyTrust KeyControl System Configuration Admin Guide.

2.6. Import the KMIP certificates to ONTAP

The certificates must be installed before running the key manager setup.

You have to import the following files:

• A <cert_name>.pem file that includes both the client certificate and the private key. You will have to paste two sections from this file into the corresponding prompts from ONTAP.

  ◦ The client certificate section of the <cert_name>.pem file includes all the encoded text and the BEGIN and END lines:

  "-----BEGIN CERTIFICATE-----"some text"-----END CERTIFICATE-----"

  ◦ The private key section of the <cert_name>.pem file includes all the encoded text and the BEGIN and END lines:

  "-----BEGIN PRIVATE KEY-----"some text"-----END PRIVATE KEY-----"

• A cacert.pem file, which is the root certificate for the KMS cluster. It is always named cacert.pem.

Import the previous certificates to ONTAP:

1. Run the security certificate install command as described in the ONTAP 9 NetApp Encryption Power Guide.

2. Install the NetApp cluster’s KMIP client certificate:

security certificate install -vserver <admin_svm_name> -type client -subtype kmip-cert

<admin_svm_name> is the host name of the NetApp server.

3. Paste the public key certificate from <cert_name>.pem.

When you are installing the client KMIP certificate, you will be prompted to paste the private key certificate from <cert_name>.pem.

Example:

mycluster::> security certificate install -vserver mycluster -type client -subtype kmip-cert

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Please enter Private Key: Press <Enter> when done
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Enter certificates of certification authorities (CA) which form the certificate chain of the client certificate. This starts with the issuing CA certificate of the client certificate and can range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: n

You should keep a copy of the private key and the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: HyTrust KeyControl Certificate Authority
serial: A0906914

The certificate's generated name for reference: ontap

4. Install the KMIP server certificate certification authority (CA):

security certificate install -vserver <admin_svm_name> -type server-ca -subtype kmip-cert

Example:

mycluster::> security certificate install -vserver mycluster -type server-ca -subtype kmip-cert

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You should keep a copy of the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: HyTrust KeyControl Certificate Authority
serial: 6090690F

The certificate's generated name for reference: HyTrustKeyControlCertificateAuthority
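Before pasting into the two prompts above, it is worth checking that the <cert_name>.pem bundle downloaded from KeyControl has the shape ONTAP expects: exactly one certificate block and one private key block, and a key that is not password-protected (the guide requires the bundle to be created without a password, and an encrypted key would fail at the Private Key prompt). The following Python script is an added example, not part of this guide or of KeyControl or ONTAP; the PEM bodies in it are constructed placeholders, not real key material, and the function names are the example's own.

```python
import re

# Constructed sample in the shape of the <cert_name>.pem bundle KeyControl
# produces (client certificate followed by its private key). The bodies are
# placeholder text, not a real certificate or key.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
PLACEHOLDER+BASE64+CERTIFICATE+BODY+LINE+1
PLACEHOLDER+BASE64+CERTIFICATE+BODY+LINE+2
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
PLACEHOLDER+BASE64+PRIVATE+KEY+BODY
-----END PRIVATE KEY-----
"""

# One PEM block: the BEGIN line, the body, and an END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return [(label, block_text), ...] for every PEM block in the file,
    where block_text runs from the BEGIN line to the END line inclusive."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def find_pem_problems(text, expect_private_key=True):
    """List what is wrong with a PEM file downloaded from KeyControl.

    expect_private_key=True  checks a <cert_name>.pem bundle (one client
    certificate plus one unencrypted private key);
    expect_private_key=False checks cacert.pem (one CA certificate, no key).
    An empty list means the file is in the shape the ONTAP prompts expect.
    """
    blocks = split_pem_bundle(text)
    certs = [blk for label, blk in blocks if label == "CERTIFICATE"]
    keys = [(label, blk) for label, blk in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if len(certs) != 1:
        problems.append(f"expected one CERTIFICATE block, found {len(certs)}")
    if expect_private_key:
        if len(keys) != 1:
            problems.append(f"expected one private key block, found {len(keys)}")
        for label, blk in keys:
            # A password on the bundle shows up as a PKCS#8 ENCRYPTED PRIVATE KEY
            # label or, for legacy PEM keys, as a Proc-Type: 4,ENCRYPTED header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in blk:
                problems.append("private key is password-protected")
    elif keys:
        problems.append("CA file must not contain a private key")
    return problems


def extract_ontap_sections(bundle_text):
    """Return (certificate_block, private_key_block): the two strings to paste
    at the 'Please enter Certificate' and 'Please enter Private Key' prompts."""
    problems = find_pem_problems(bundle_text, expect_private_key=True)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = dict(split_pem_bundle(bundle_text))
    key_label = next(label for label in blocks if label.endswith("PRIVATE KEY"))
    return blocks["CERTIFICATE"], blocks[key_label]


if __name__ == "__main__":
    cert, key = extract_ontap_sections(SAMPLE_BUNDLE)
    print("Paste at 'Please enter Certificate':\n" + cert)
    print("Paste at 'Please enter Private Key':\n" + key)
```

Run it against the real <cert_name>.pem and cacert.pem (with expect_private_key=False for the latter) before starting the security certificate install steps, so a wrong or password-protected bundle is caught before the ONTAP prompts.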

2.6.1. Configure ONTAP to use the KMIP certificates

You have to configure certain boot environment variables before you can configure ONTAP.

2.6.1.1. Configure bootarg.storageencryption.support

This bootarg is typically set during the manufacturing process. If the encrypted disks don’t show up at boot time, verify that it is set to true:

1. Halt the ONTAP boot process to bring up the LOADER-(A,B)> prompt.

2. Run

LOADER-A> setenv bootarg.storageencryption.support true

3. Confirm that bootarg.storageencryption.support is set:

LOADER-A> printenv bootarg.storageencryption.support
true


2.6.1.2. Configure the NetApp Storage Encryption Solution

You can set up an external key management server so that your storage system can securely store and retrieve authentication keys for self-encrypting disks (SEDs) in a location separate from your data. You can link up to four key management servers. NetApp recommends a minimum of two for redundancy and disaster recovery.

1. To set up external key management servers, run the security key-manager setup command.

By default, the command runs on the local node hosting the cluster management LIF. This command must be run on each node in the cluster that uses encrypting hard drives. By design, there should be an HA pair, unless the cluster has only one node.

2. Launch the key management setup wizard to configure ONTAP for storage encryption.

mycluster::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default
or omit a question, do not enter a value.

Would you like to configure the Onboard Key Manager? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes

2.6.1.3. Configure the NetApp Volume Encryption Solution

You can set up an external key management server so that your storage system can securely store and retrieve authentication keys for the NetApp Volume Encryption (NVE) solution. NetApp recommends a minimum of two for redundancy and disaster recovery.

For NVE configuration details, see the ONTAP 9 NetApp Encryption Power Guide.

1. Add the KeyControl node(s).

Example:

mycluster::> security key-manager external add-servers -vserver mycluster -key-servers xxx.xxx.xxx.xxx:5696

Successfully queued job "31" to sync key cache for the given key management server.

Repeat the add-servers command for every node in the KeyControl cluster.


2. Verify the communication between the external Key Manager and the cluster (ONTAP).

mycluster::security> security key-manager query
No matching keys found.

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.

mycluster::security> security key-manager show -status
Node                   Port   Registered Key Manager      Status
---------------------- ------ --------------------------- ---------------
mycluster-01           5696   xxx.xxx.xxx.xxx             available
mycluster-01           5696   xxx.xxx.xxx.xxx             available
2 entries were displayed.

2.6.1.4. Verify the communication with the external Key Manager on the Entrust KeyControl server

To verify that ONTAP is communicating and requesting keys from the KeyControl server, use the Objects tab in the KeyControl user interface. See Managing KMIP Objects in the HyTrust KeyControl Admin Guide.

You might have to refresh the list in the KeyControl user interface to view the updated requests.

If the certificates or the KMIP configuration have been changed, you may need to restart the KMIP server. See section Restarting a KMIP Server in the HyTrust KeyControl admin guide.

Restarting the KMIP server does not restart the KeyControl server. It only restarts the KMIP service.


3. Manage certificates

3.1. Delete certificates

Before installing new certificates, old certificates must be removed to make sure that the updated certificates are used.

1. Disable the connection to the key management (KMIP) server:

security key-manager delete -address <IP_Address_of_KMIP_Server>

2. Remove all certificates for the cluster:

security certificate delete -vserver <admin_svm_name> -common-name <fqdn_or_custom_common_name> -ca <certificate_authority> -type client -subtype kmip-cert
security certificate delete -vserver <admin_svm_name> -common-name <fqdn_or_custom_common_name> -ca <certificate_authority> -type server-ca -subtype kmip-cert

The old certificates are now deleted. You can install the new ones.

3.2. Replace SSL certificates

All SSL certificates have an expiration period after initial creation. After a predetermined time, the certificates are no longer valid. They should be replaced before the expiration date.

To replace the certificates, follow the steps in section 2.6, Import the KMIP certificates to ONTAP.

3.3. Clean up key servers

1. Ensure that any encrypted volumes are properly deleted:

volume delete -vserver <vserver> -volume <env_vol> -force true -disable-offline-check true

2. Disable external key management on vserver:

set advanced
security key-manager external disable -vserver <vserver>
set admin


3.4. Set up new key servers

1. Install the new certificates:

security certificate install -vserver <vserver> -type server-ca
security certificate install -vserver <vserver> -type client

2. Enable a new external key management on the vserver:

security key-manager external enable -key-servers <new_key_server> -client-cert <client-cert-name> -server-ca-certs <server-ca-cert-name> -vserver <vserver>

3. Verify that external key management is enabled and that its status is available:

security key-manager external show-status


Contact Us

Web site https://www.entrust.com

Support https://nshieldsupport.entrust.com

Email Support [email protected]

Online documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444

One Station Square

Cambridge, UK CB1 2GA

Americas

Toll Free: +1 833 425 1990

Fort Lauderdale: +1 954 953 5229

Sawgrass Commerce Center – A

Suite 130

13800 NW 14 Street

Sunrise, FL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070

World Trade Centre Northbank Wharf

Siddeley St

Melbourne VIC 3005 Australia

Japan: +81 50 3196 4994

Hong Kong: +852 3008 3188

31/F, Hysan Place,

500 Hennessy Road,

Causeway Bay


ABOUT ENTRUST CORPORATION

Entrust keeps the world moving safely by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they’re crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it’s no wonder the world’s most entrusted organizations trust us.

To get help with Entrust nShield HSMs

[email protected]

nshieldsupport.entrust.com