Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2404597.1
Update Date: 2018-05-30
Keywords:

Solution Type  Problem Resolution Sure

Solution  2404597.1 :   Oracle ZFS Storage Appliance: Unable to Use Keys From OKM to create new shares or replications.  


Related Items
  • Oracle ZFS Storage Appliance Racked System ZS5-4
  • Sun ZFS Storage 7320
  • Oracle Key Manager
  • Oracle ZFS Storage ZS5-4
  • Oracle ZFS Storage ZS3-2
  • Sun ZFS Storage 7420
  • Integrated Software for ZFS 7xx0 Arrays
  • Oracle ZFS Storage ZS5-2
  • Oracle ZFS Storage ZS4-4
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: ZS


The ZFS array is unable to retrieve keys from OKM, either during replication or during share creation in an encrypted project.
The following error is returned:
"The action could not be completed because the specified encryption key is not in a useable state"

In this Document
Symptoms
Cause
Solution


Created from <SR 3-17568953891>

Applies to:

Oracle ZFS Storage Appliance Racked System ZS5-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS5-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-2 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS4-4 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)
The share or project is using encryption keys from an OKM (Oracle Key Manager) system.

Symptoms

A new share cannot be created in a project, or replication is failing on the target.

The following error is returned:

"The action could not be completed because the specified encryption key is not in a useable state"

The replication target logs will report: "Ensure encryption key is available"

 

Cause

This can be caused by a Key used for the project/share whose Encryption Period has expired; see the description below.

OKM uses Key Policies to control how keys are used and provide guidance for managing data.  The Oracle Key Manager
Cluster uses Key Policies to determine whether a Key can be used for encryption or decryption and to determine
whether a Key is eligible for destruction.  Every Key is assigned to a Key Group when it is activated by an Agent (that is,
when the Cluster first gives the Key to an Agent to use for encrypting data as the result of an Agent create key request).
Every Key Group has a Key Policy.  Every Key in a Key Group is associated with the Key Group's Key Policy.  Multiple Key
Groups may have the same Key Policy.  A Key's Key Group, and thus its associated Key Policy, may be changed at a later time.

Key Policies specify the Encryption Period and the Cryptoperiod for a Key.  The Encryption Period is the length of time a Key
can be used for encryption.  The Cryptoperiod is the length of time a Key can be used for decryption.  Both of these periods
start when an Agent activates a Key and the Key is given to an Agent for the first time.  The Cryptoperiod must be greater
than or equal to the Encryption Period.  The Encryption Period and Cryptoperiod cannot be changed once set.  This limitation
is imposed to avoid unexpected changes as a result of Cluster-wide replication.
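
The policy rules described above can be modelled to audit a key inventory before a share creation or replication fails. This is an added example, not Oracle code and not the OKM API: the class and function names, the state labels, the 30-day warning window and the sample keys are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class KeyPolicy:
    name: str
    encryption_period: timedelta  # time a key may be used to encrypt
    cryptoperiod: timedelta       # time a key may be used to decrypt

    def __post_init__(self):
        # Constraint from the text: Cryptoperiod >= Encryption Period.
        if self.cryptoperiod < self.encryption_period:
            raise ValueError(f"{self.name}: cryptoperiod < encryption period")

def classify(policy, activated, now, warn=timedelta(days=30)):
    """Usage state of one key; both periods start at first activation."""
    age = now - activated
    if age >= policy.cryptoperiod:
        return "expired"        # no longer usable for decryption either
    if age >= policy.encryption_period:
        return "decrypt-only"   # cannot encrypt: the state behind this page's error
    if policy.encryption_period - age <= warn:
        return "rotate-soon"    # still encrypts, but the period ends within `warn`
    return "active"

def audit(groups, keys, now):
    """Map key name -> state, resolving each key's policy via its key group."""
    return {name: classify(groups[group], activated, now)
            for name, group, activated in keys}

# Constructed sample data (hypothetical names, not from a real OKM cluster).
ONE_YEAR = KeyPolicy("one-year", timedelta(days=365), timedelta(days=365 * 3))
GROUPS = {"zfs-prod": ONE_YEAR, "zfs-dr": ONE_YEAR}
NOW = datetime(2018, 5, 30)
KEYS = [
    ("Old-Key", "zfs-prod", datetime(2017, 3, 1)),    # past encryption period
    ("New-Key", "zfs-prod", datetime(2018, 5, 30)),   # just activated
    ("DR-Key", "zfs-dr", datetime(2017, 6, 15)),      # encryption period ends in 16 days
    ("Archive-Key", "zfs-dr", datetime(2015, 1, 1)),  # past cryptoperiod
]

if __name__ == "__main__":
    for name, state in audit(GROUPS, KEYS, NOW).items():
        print(f"{name:12} {state}")
```

Keys reported as "rotate-soon" are candidates for the key change in the Solution section before their Encryption Period runs out.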

Solution

If the Encryption Period has expired, you will need to perform a key change on the project/share.

This can be done at any time while the project/share is in use.

First, add a new key to the keystore.

ZFSSA:> shares encryption okm keys create

ZFSSA:shares encryption okm key-004 (uncommitted)> ls
Properties:
                        cipher = AES
                       keyname = (unset)
ZFSSA:shares encryption okm key (uncommitted)> set keyname=New-Key
keyname = New-Key (uncommitted)
ZFSSA:shares encryption okm key (uncommitted)> commit

 

Next, change the key on the project/share.

ZFSSA:> shares select okm-project
ZFSSA:shares okm-project> set keyname=New-Key
keyname = New-Key (uncommitted)
ZFSSA:shares okm-project> commit

 

Now verify that the project and its underlying shares have the new key.

ZFSSA:shares okm-project> select TEST get keyname
keyname = New-Key (inherited)

 


  Copyright © 2018 Oracle, Inc.  All rights reserved.