Whenever any security-enabled drives are present that cannot be unlocked using the array-specific lock key, the drives are locked out and the array enters the Need Attention state. This state is cleared by importing the appropriate lock key from the array where the drives originally resided.
What Caused the Problem?
A failure occurred in a drive security feature and operation of a storage array. This problem can occur for the following reasons:
Scenario 1
- An FDE drive that is a part of a security-enabled volume group was removed from a source storage array and inserted into the target storage array. The FDE drive is locked to protect the drive data from unauthorized access.
Scenario 2
- An FDE drive that is a part of a security-enabled volume group was removed from the source storage array and inserted into the target storage array. Although Drive Security was enabled, no security key was created for the target storage array.
Scenario 3
- The only controller in a one-controller storage array or both controllers in a two-controller storage array were replaced. When the new controllers were powered on, all drives in the storage array were FDE drives that belong to a security-enabled disk pool or volume group; therefore, all drives in the storage array are locked to protect the drive data from unauthorized access.
Scenario 4
- The only controller in a one-controller storage array or both controllers in a two-controller storage array were replaced. When the new controllers were powered on, at least one drive was not a member of a security enabled disk pool or volume group; therefore, the controllers adopted the database of the non-security enabled drive. The non-security enabled drive could be either an FDE or a non-FDE drive type. The FDE drives that belong to a security-enabled disk pool or volume group are locked to protect the drive data from unauthorized access.
Scenario 5
- The storage array expected a security key to be returned to validate an operation, but the Enterprise Security Key Manager did not return the security key. Either the Enterprise Security Key Manager did not have a security key, or the request timed out.
The Recovery Guru Details area provides specific information you will need as you follow the recovery steps.
Important Notes
All Scenarios
All locked drives that have the same security key identifier will be unlocked at the same time after the unlock procedure is complete.
The storage array will remain in a Needs Attention state until the problem is resolved.
Alerts will be sent if they have been configured.
Scenario 1
After the security key is imported, the security information from the controllers replaces the security information for the FDE drive. The security information consists of the security key, the security key identifier, and the pass phrase. You might be able to import the volume group after the unlock procedure is complete.
Scenario 2
You might be able to import the volume group after the unlock procedure is complete.
Scenario 3
After the security key is imported, the security information of the FDE drive is applied to the controller in a one-controller storage array or to both controllers in a two-controller storage array. The security information consists of the security key, the security key identifier, and the pass phrase.
Scenario 4
After the security key is imported, the security information from the controllers replaces the security information for the FDE drive. The security information consists of the security key, the security key identifier, and the pass phrase.
Recovery Steps
If... | Then... |
The problem occurred due to scenario 1, 3 or 5 | Go to Procedure for Scenario 1, 3 and 5 . |
The problem occurred due to scenario 2 | Go to Procedure for Scenario 2 . |
The problem occurred due to scenario 4 | Go to Procedure for Scenario 4 . |
Procedure for Scenario 1, 3 and 5
To fix the problem in scenarios 1, 3, and 5, import the security key file that matches the security key identifier.
1 | Review the Recovery Guru Details area to identify the security key identifier that is missing a matching security key. |
2 | On the menu bar in the Array Management Window, select the Storage Array > Security > Drive Security > Import Key menu option. |
3 | Complete the instructions in the dialog to import the security key file. NOTE: Be sure to choose the security key file that matches the security key identifier. You were prompted to record this information when the security key file was created, changed, or saved. |
4 | If the Recovery Guru Details area shows that additional security key files are required, perform steps 1 through 3 until all security key files are imported. |
5 | Click Recheck to rerun the Recovery Guru. The failure should no longer appear in the Summary area. If the failure appears again, contact your Technical Support Representative. |
Procedure for Scenario 2
To fix the problem in Scenario 2, create the security key for the target storage array, and then import the security key file that matches the security key identifier associated with the drives shown in the Recovery Guru Details Area.
1 | On the menu bar in the Array Management Window (AMW), select the Storage Array > Security > Drive Security > Create Key menu option. |
2 | Complete the instructions in the dialog to create the security key and to save it to a file. |
3 | After the drive security key has been created, review the Recovery Guru Details area to identify the security key identifier that is missing a matching security key. |
4 | On the menu bar in the AMW, select the Storage Array > Security > Drive Security > Import Key menu option. |
5 | Complete the instructions in the dialog to import the security key file. NOTE: Be sure to choose the security key file that matches the security key identifier. You were prompted to record this information when the security key file was created, changed, or saved. |
6 | If the Recovery Guru Details area shows that additional security key files are required, perform steps 1 through 5 until all security key files are imported. |
7 | Click Recheck to rerun the Recovery Guru. The failure should no longer appear in the Summary area. If the failure appears again, contact your Technical Support Representative. |
Procedure for Scenario 4
To fix the problem in Scenario 4, change the security key for the storage array, and then import the security key file that matches the security key identifier associated with the drives shown in the Recovery Guru Details Area.
1 | On the menu bar in the Array Management Window (AMW), select the Storage Array > Security > Drive Security > Change Key menu option. |
2 | Complete the instructions in the dialog to change the security key and to save it to a file. |
3 | After the drive security key has been changed, review the Recovery Guru Details area to identify the security key identifier that is missing a matching security key. |
4 | On the menu bar in the AMW, select the Storage Array > Security > Drive Security > Import Key menu option. |
5 | Complete the instructions in the dialog to import the security key file. NOTE: Be sure to choose the security key file that matches the security key identifier. You were prompted to record this information when the security key file was created, changed, or saved. |
6 | If the Recovery Guru Details area shows that additional security key files are required, perform steps 1 through 5 until all security key files are imported. |
7 | Click Recheck to rerun the Recovery Guru. The failure should no longer appear in the Summary area. If the failure appears again, contact your Technical Support Representative. |
Target | NetAppESeries.StorageArray | ||
Parent Monitor | NetAppESeries.StorageArrayAvailability | ||
Category | Custom | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | NetAppESeries.FailureUnitMonitorType | ||
Remotable | True | ||
Accessibility | Internal | ||
Alert Message |
| ||
RunAs | Default | ||
Comment | Machine generated entity |
<UnitMonitor ID="NetAppESeries.FailureID_0331_Monitor" Accessibility="Internal" Enabled="true" Target="NetAppESeries.StorageArray" ParentMonitorID="NetAppESeries.StorageArrayAvailability" Remotable="true" Priority="Normal" TypeID="NetAppESeries.FailureUnitMonitorType" ConfirmDelivery="true" Comment="Machine generated entity">
<Category>Custom</Category>
<AlertSettings AlertMessage="NetAppESeries.REC_SECURITY_GET_KEY_AlertMessageResourceID">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Property[@Name='FailureDescription']$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="NetAppESeries.StateIdB35963F320B7771C54C734082A845085" MonitorTypeStateID="NoIssue" HealthState="Success"/>
<OperationalState ID="NetAppESeries.StateId6C7C963F0244909691772886C739C953" MonitorTypeStateID="IssueFound" HealthState="Error"/>
</OperationalStates>
<Configuration>
<FailureID>331</FailureID>
<IntervalSeconds>59</IntervalSeconds>
<TimeoutSeconds>300</TimeoutSeconds>
<Trace>0</Trace>
</Configuration>
</UnitMonitor>