Appendix
Troubleshooting
This section describes the how to troubleshoot the issue that you may encounter while integrating CipherTrust Manager with ONTAP.
| Issue | Error Message | Remediation |
|---|---|---|
| KMIP registration is not enabled | The following error message is displayed in CipherTrust Records: "errorMessage": "Unregistered client, please register a new client from CLI or API or UI." | Check whether the KMIP registration is completed or not in Admin Settings > System > Interfaces > kmip. If it is not completed, complete it by using the steps mentioned in Appendix. |
| User corresponding to username location in certificate (example: CN) has not been created CN = Common Name | The following error messages are displayed in CipherTrust Records: *"errorMessage": "username not found: "errorMessage": "Could not authenticate certificate user, * | Check whether the user corresponding to CN of the client certificates has been created in Keys & Access Management > Users. If the user is not created, create a new user with the same name as the CN field of the client certificates. After creating the user, add this user to the Key Admins and Key Groups. Refer to steps mentioned in |
| User has not been added to Key Admin group | The following error message is displayed in CipherTrust Records: "errorMessage": "authorization denied: verdict was deny: CreateKey" | Check whether the user corresponding to CN of the client certificates has been created under Keys & Access Management > Users. If the user is not added, add the user to the Key Admins group. |
| The Username location in Certificate has been set incorrectly | The following error messages are displayed in CipherTrust Records: "errorMessage": "username not found: "errorMessage": "Could not authenticate certificate user, | Check whether the Username Location in the Certificate option is set correctly to CN in Admin Settings > System > Interfaces > kmip. If it is not set correctly, set the correct value for the Username Location in the Certificate. |
KMIP client Registration
Registering a KMIP Client
You need to switch the domain before performing this operation.
You can register a KMIP client on the CipherTrust Manager using:
Using Auto-Registration
Create a registration token using the following steps:
Log on to the CipherTrust Manager.
Go to Access Management > Registration Tokens in the sidebar.
Click Create New Registration Token.
Copy the
Registration Tokenonce it is created.Turn ON Auto Registration using the following steps:
Go to Admin Settings > Interfaces.
Click the ellipsis icon corresponding to the KMIP interface.
Click Edit.
Under the Configure KMIP window, select Auto Registration.
Paste the
Registration Token.Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Using Manual Registration
Log on to the CipherTrust Manager.
Go to Products > KMIP.
Create a Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
Select CN in Username Location in Certificate.
For Domain, the CN will be domain||username.
Click Certificate Details.
Paste the content of the generated
client.csr.Click Save.
Create a Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Click Select CA.
Select the CA type as Local if you are using Local CA or select external if you are using External CA.
Select appropriate CA from the dropdown menu and click Select Profile.
Select the Client Profile from the dropdown which you have created.
Click Create Token.
Copy the Token value and click Done.
If you are using an external CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.
Go to Registered Clients and click Add Client. Specify the client's name and paste the generated Registration Token.
If you are using an external CA then you need to paste the signed client certificate in the Client Certificate field.
Click Save > Save Certificate to save the Client Certificate.