#MCCIP configure question...


gentle plaza
#

Hi... I have been following the MCC documentation and I am close to the end now...
I have created new data aggregates with encryption enabled...
I then have to run the "metrocluster configure" which instructs me to disable one of the keymanagers on either cluster... but when trying this, it tells me that it will delete the existing keys...
Will this have an impact on the encrypted aggregates I created already? Or are the keystores already mirrored between the clusters at this point?

wicked hedge
#

In regular ONTAP you cannot just delete the key manager. You need to remove any encryption that is using that key manager first.

I’m not sure of all the interactions with MCC personally.

Straight up ONTAP though, deleting the key manager with keys in play will fail out. Only after removing encryption can you delete the key manager.

If there are any volumes on an NAE aggregate you must

(Convert any volumes to NVE)
vol move start -vserver xx -volume yy -encrypt-with-aggr-key false -encrypt-destination true

After all volumes are NVE
aggr modify -aggregate zzz -encrypt-with-aggr-key false

Finally unencrypt volumes

vol move start -vserver xx -volume yy -encrypt-with-aggr-key false -encrypt-destination false

Then you can
security key-manager onboard disable

gentle plaza
#

We have no data on the aggregates yet, so no biggie.. but would have been nice if they mentioned it on the MCCIP documentation 😉

gentle plaza
#

Well... I might have ended up in a pickle... I ended up just disabling the keymanager on one of the clusters... then did the metrocluster configure... and it did its thing... I then tried to run the "security key-manager onboard sync" that it requests on the "security key-manager onboard sync"... but this asks for the cluster-wide passphrase which I didn't supply... and I'm not that good at guessing... so what to do now?