NetApp ONTAP and Entrust KeyControl Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

This document describes the integration of the NetApp ONTAP data management software with the Entrust KeyControl Key Management Solution (KMS). Entrust KeyControl can serve as a KMS in NetApp ONTAP using the open standard Key Management Interoperability Protocol (KMIP).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in the NetApp ONTAP data management software.

To install and configure the Entrust KeyControl server as a KMIP server, see the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Also refer to the NetApp ONTAP online documentation.

Hardware and software requirements

You must have Entrust KeyControl v5.3 or later before you begin. ONTAP v9.8P3 or later is also required.

The NetApp Interoperability Matrix Tool defines the product components and versions that can be used to construct configurations that are supported by NetApp. See https://mysupport.netapp.com/matrix/ .

Licensing requirements

You must have an Entrust KeyControl license prior to installation.

High-availability considerations

The Entrust KeyControl solution uses an active-active deployment, which provides high-availability capability to manage encryption keys. NetApp highly recommends this deployment configuration.

In an active-active cluster, changes made to any KeyControl node in the cluster are automatically reflected on all nodes in the cluster. For full information about the Entrust KeyControl solution, see the HyTrust KeyControl Product Overview .

Product configuration

The integration between NetApp ONTAP, Entrust KeyControl, and nshield HSM has been successfully tested in the following configurations:

Product	Version
NetApp ONTAP	9.8P3, 9.9.1, 9.10.1
Entrust KeyControl	5.3, 5.4, 5.5.1
nshield Security World software	12.60.11
nshield Connect XC	12.50.11 (12.60.10)

Procedures

Installation overview

Install and configure Entrust KeyControl .
Import the KMIP certificates to ONTAP .
Configure ONTAP to use the KMIP certificates .

For additional information about NetApp ONTAP, see the ONTAP 9 Online Documentation .

Install and configure Entrust KeyControl

Follow the installation and set-up instructions in the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Make sure the Entrust KeyControl tenant gets created and KMIP certificates are generated for NetApp ONTAP. These certificates are used in the configuration of the KMS described below.

Import the KMIP certificates to ONTAP

The certificates must be installed before running the key manager set-up.

You have to import the following files:

A <cert_name>.pem file that includes both the client certificate and the private key. You will have to paste two sections from this the file into the corresponding prompts from ONTAP.
- The client certificate section of the <cert_name>.pem file includes all the encrypted text and the BEGIN and END lines:
  "-----BEGIN CERTIFICATE-----" some text "-----END CERTIFICATE-----"
- The private key section of the <cert_name>.pem file includes all the encrypted text and the BEGIN and END lines:
  "-----BEGIN PRIVATE KEY-----" some text "-----END PRIVATE KEY-----".
A cacert.pem file, which is the root certificate for the KMS cluster. It is always named cacert.pem .

Import the previous certificates to ONTAP:

Run the security certificate install command as described in the ONTAP 9 NetApp Encryption Power Guide .
Install the NetApp cluster’s KMIP client certificate:
```
security certificate install -vserver <admin_svm_name> -type client -subtype kmip-cert
```
<admin_svm_name> is the host name of the NetApp server.

Paste the public key certificate from <cert_name>.pem .

When you are installing the client KMIP certificate, you will be prompted to paste the private key certificate from <cert_name>.pem . For example:

mycluster::> security certificate install -vserver mycluster -type client -subtype kmip-cert

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIFAKCQaRQwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMC
VVMxFTATBgNVBAoTDEh5VHJ1c3QgSW5jLjExMC8GA1UEAxMoSHlUcnVzdCBLZXlD
b250cm9sIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMTA1MTgxNzUxMjdaFw0y
MjA1MTgxNzUxMjdaMDQxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxIeVRydXN0IElu
.
.
.
DIwT2P7ReFy/3+nCV8Y7tUG75Lbb5jcooZ0nK5qNNZ8lZmAJ8i9ZHgEQdLZz1trI
BJdTMoP0AzeHN/mMS9snTQDyD2tpdjJl/G8DjXw9G1wChxSThL2flfnJub07l/TX
pGvXmlghJa56MTcjcaHNi6d3kO6h/RmCFof9mG13c/iD7S3ycWG05W02a4F8kJs+
G6I1P6d5zcsKLI8inzMb1J0q9aha7w==
-----END CERTIFICATE-----


Please enter Private Key: Press <Enter> when done
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDLdLX5yX7gv/YG
gQgD9j8mZCRaxKFELnByVhY2C15UtSdcwdhqhf2yXufSbnnvvjdSGWGoBAyd2CXm
r+ufZiY05+KS6EJvXNaiWDfUabgp2r9PjzYQa6jU3XaUuMIUM3kilzF90sJyoKVz
.
.
.
0v33zLhL+BuXmWJiaoNEwBpS/4BThdlxgfHJO18iOTWlu5e2rTp6f9czsN+FHWKP
hvu/xt6sDh0HLRHnNHMlmdzcDm1dvjcW3Csndtf4feae/Kl/5IQ0rRT2sE1GuOFl
laZvSxpXpKV3soHrpF5iJDlepeW2ArY=
-----END PRIVATE KEY-----

Enter certificates of certification authorities (CA) which form the certificate chain of the client certificate. This starts with the issuing CA certificate of
the client certificate and can range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: n

You should keep a copy of the private key and the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: HyTrust KeyControl Certificate Authority
serial: A0906914

The certificate's generated name for reference: ontap

Install the KMIP server certificate certification authority (CA):

security certificate install -vserver <admin_svm_name> -type server-ca -subtype kmip-cert

For example:

mycluster::> security certificate install -vserver mycluster -type server-ca -subtype kmip-cert

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIID4jCCAsqgAwIBAgIEYJBpDzANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJV
UzEVMBMGA1UEChMMSHlUcnVzdCBJbmMuMTEwLwYDVQQDEyhIeVRydXN0IEtleUNv
bnRyb2wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDYwMTAwMDAwMFoXDTQ5
.
.
.
pooS3E8kATcvrkXkv7uaZSx72VvyGKqwuFdq2Nn3EHwQCTZjBUqyhqpu59fyuS0d
vo7ccvQ0887kXmnuj1IZM+++2G18ctUxr9XtT9PPt5GT0ZNPGh9mGZvSxE87BT7w
CR63EEBjz7fvAVMR3o5smprW6X7QPBbp4XnxfQ1rhxL9oXYC23I=
-----END CERTIFICATE-----


You should keep a copy of the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: HyTrust KeyControl Certificate Authority
serial: 6090690F

The certificate's generated name for reference: HyTrustKeyControlCertificateAuthority

Configure ONTAP to use the KMIP certificates

You have to configure certain boot environment variables before you can configure ONTAP.

Configure bootarg.storageencryption.support

This bootarg is typically set during the manufacturing process. If the encrypted disks don’t show up at boot time, verify that it is set to true :

Halt the ONTAP boot process to bring up the LOADER-(A,B)> prompt.

Run

LOADER-A> setenv bootarg.storageencryption.support true

Confirm that bootarg.storageencryption.support is set:

LOADER-A> printenv bootarg.storageencryption.support
true

Configure the NetApp Storage Encryption Solution

You can set up an external key management server so that your storage system can securely store and retrieve authentication keys for self-encrypting disks (SEDs) in a location separate from your data. You can link up to four key management servers. NetApp recommends a minimum of two for redundancy and disaster recovery.

To set up external key management servers, run the security key-manager setup command.

By default, the command runs on the local node hosting the cluster management LIF. This command must be run on each node in the cluster by using encrypting hard drives. By design, there should be an HA pair, unless the cluster has only one node.

Launch the key management setup wizard to configure ONTAP for storage encryption

mycluster::> security key-manager setup
Welcome to the key manager setup wizard, which will lead you through
the steps to add boot information.

Enter the following commands at any time
"help" or "?" if you want to have a question clarified,
"back" if you want to change your answers to previous questions, and
"exit" if you want to quit the key manager setup wizard. Any changes
you made before typing "exit" will be applied.

Restart the key manager setup wizard with "security key-manager setup". To accept a default
or omit a question, do not enter a value.

Would you like to configure the Onboard Key Manager? {yes, no} [yes]: no
Would you like to configure the KMIP server environment? {yes, no} [yes]: yes

Configure the NetApp Volume Encryption Solution

You can set up an external key management server so that your storage system can securely store and retrieve authentication keys for the NetApp Volume Encryption (NVE) solution. NetApp recommends a minimum of two for redundancy and disaster recovery.

For NVE configuration details, see the ONTAP 9 NetApp Encryption Power Guide .

Add the KeyControl node(s). For example:

mycluster::> security key-manager external add-servers -vserver mycluster -key-servers xxx.xxx.xxx.xxx:5696

Successfully queued job "31" to sync key cache for the given key management server.

Repeat the add-servers command for every node in the KeyControl cluster.

Verify the communication between the external Key Manager and the cluster (ONTAP).

mycluster::security> security key-manager query
No matching keys found.

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.

mycluster::security> security key-manager show -status
Node                    Port    Registered Key Manager       Status
----------------------  ------  ---------------------------  ---------------
mycluster-01            5696    xxx.xxx.xxx.xxx               available
mycluster-01            5696    xxx.xxx.xxx.xxx               available
2 entries were displayed.

Verify the communication with the external Key Manager on the Entrust KeyControl server

To verify that ONTAP is communicating and requesting keys from the KeyControl server, use the Objects tab in the KeyControl user interface. See Managing KMIP Objects in the HyTrust KeyControl Admin Guide .

You might have to refresh the tab or page by refreshing the list in the KeyControl user interface to view the updated requests.

If the certificates or the KMIP configuration have been changed, you may need to restart the KMIP server. See section Restarting a KMIP Server in the HyTrust KeyControl admin guide .

Restarting the KMIP server does not restart the KeyControl server. It only restarts the KMIP service.

Manage certificates

Delete certificates

Before installing new certificates, old certificates must be removed to make sure that the updated certificates are used.

Disable the connection to the key management (KMIP) server:

Security key-manager delete -address <IP_Address_of_KMIP_Server>

Remove all certificates for the cluster:

security certificate delete -vserver <admin_svm_name> -common-name <fqdn_or_custom_common_name> -ca <certificate authority> -type client -subtype kmip-cert
security certificate delete -vserver <admin_svm_name> -common-name <fqdn_or_custom_common_name> -ca <certificate_authority> -type server-ca -subtype kmip-cert

The old certificates are deleted. You can install the new ones.

Replace SSL certificates

All SSL certificates have an expiration period after initial creation. After a predetermined time, the certificates are no longer valid. They should be replaced before the expiration date.

To replace the certificates, follow the steps in Import the KMIP certificates into ONTAP .

Clean up key servers

Ensure that any encrypted volumes are properly deleted:

volume delete -vserver <vserver> -volume <env_vol> -force true -disable-offline-check true

Disable external key management on vserver :

set advanced
security key-manager external disable -vserver <vserver>
set admin

Set up new key servers

Install the new certificates:

security certificate install -vserver <vserver> -type server-ca
security certificate install -vserver <vserver> -type client

Enable a new external key management on the vserver :

security key-manager external enable -key-servers <new_key_server> -client-cert <client-cert-name> -server-ca-certs <server-ca-cert-name> -vserver <vserver>

Verify that external key management is enabled and that its status is available :
```
security key-manager external show-status
```

Table of Contents
Introduction
Procedures
Manage certificates

RESOURCES

Integration Guide
NetApp ONTAP and Entrust KeyControl Integration Guide
Web Page
Entrust KeyControl Integration with NetApp OnTap

Table of Contents