ZFSSA Replication of Encrypted Share Failing Due to Replication Target Not Granting Encryption Key "Key usage policy check failed"
(Doc ID 2886412.1)
Last updated on AUGUST 01, 2022
Applies to:
Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage Appliance Racked System ZS4-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS4-4 - Version All Versions to All Versions [Release All Releases]
Integrated Software for ZFS Racked System ZS4-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-4 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)
This configuration is two ZFSSA clusters (four ZFSSA heads in total) using a third-party KMIP key server, with bi-directional replication between the clusters. It had been working for months and then stopped one day for three of the four heads; only one head was still able to receive replication packages. Further testing, creating new shares in the encrypted project, also failed on the same three heads. In this situation, if the affected heads are rebooted while the key server is still denying keys, the shares that currently work (they are using keys the heads already hold in memory) will not be available after the reboot, because the keys must be fetched from the key server again.
Symptoms
At one point the key server stopped serving encryption keys to several ZFS Storage Appliance (ZFSSA) heads, which caused replication to fail because the target machines could not obtain the encryption key for the incoming data stream.
A third-party Key Management Interoperability Protocol (KMIP) key server is in use for the encryption keys.
The source machine replication failure messages:
errmsg = stage 'wait' failed: failed on remote side (code -1)
errmsg = ak_stream_transfer() failed: SSL write i/o system call error (Broken pipe)
The target machine replication failure message:
error = stage 'stream_recv' failed: zfs_receive failed: crypto error, cannot receive 'Pool1/nas-rr-xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/'<Share-Name>': Key usage policy check failed. Keysource: raw,pkcs11:token=Default KMIP token;object=<key_name>
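The two sides report very different things: the source only sees the target abort the stream, while the target's message names the dataset, the key format and the PKCS#11 locator (token and key object) it asked the KMIP server for. The following Python triage helper is an added example, not part of the Oracle note; it parses both sides' messages, ranks the target-side "Key usage policy check failed" line as the root cause and the source-side "failed on remote side" / "Broken pipe" lines as secondary, and extracts the token and key object an administrator would take to the key-server team. The sample lines are constructed from the messages quoted above with placeholder dataset, share and key names; the exact wording on other appliance releases may differ, in which case the regular expression needs adjusting.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the error strings quoted in this article.
# Dataset path, share name and key object are placeholders, not real identifiers.
SOURCE_LINES = [
    "errmsg = stage 'wait' failed: failed on remote side (code -1)",
    "errmsg = ak_stream_transfer() failed: SSL write i/o system call error (Broken pipe)",
]
TARGET_LINES = [
    "error = stage 'stream_recv' failed: zfs_receive failed: crypto error, "
    "cannot receive 'Pool1/nas-rr-xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/<Share-Name>': "
    "Key usage policy check failed. Keysource: raw,pkcs11:token=Default KMIP token;object=<key_name>",
]

# Target-side pattern: dataset being received, the crypto failure reason, and the
# keysource the appliance tried to use (format,locator).
TARGET_RE = re.compile(
    r"zfs_receive failed: crypto error, cannot receive '(?P<dataset>[^']+)':\s*"
    r"(?P<reason>.+?)\.\s*Keysource:\s*(?P<fmt>[^,]+),(?P<locator>\S.*)$"
)
# Source-side messages that only report the remote (target) side aborting the stream.
SOURCE_SECONDARY = ("failed on remote side", "Broken pipe")


@dataclass
class ReplicationFailure:
    side: str                      # "source" or "target"
    root_cause: bool               # True if this line explains why the stream failed
    summary: str
    dataset: Optional[str] = None
    share: Optional[str] = None
    key_format: Optional[str] = None
    key_locator: Dict[str, str] = field(default_factory=dict)


def parse_pkcs11_locator(locator: str) -> Dict[str, str]:
    """Split 'pkcs11:token=X;object=Y' into {'scheme': 'pkcs11', 'token': 'X', 'object': 'Y'}.

    The appliance prints the token label unencoded (spaces included), so this
    splits on ';' and '=' instead of applying RFC 7512 percent-decoding.
    """
    scheme, _, attrs = locator.partition(":")
    parsed = {"scheme": scheme}
    for attr in filter(None, attrs.split(";")):
        key, _, value = attr.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def parse_target_error(line: str) -> Optional[ReplicationFailure]:
    """Return a root-cause finding for a zfs_receive crypto error, else None."""
    m = TARGET_RE.search(line)
    if not m:
        return None
    dataset = m.group("dataset")
    reason = m.group("reason")
    locator = parse_pkcs11_locator(m.group("locator"))
    if "Key usage policy check failed" in reason and locator.get("scheme") == "pkcs11":
        summary = (f"KMIP key server refused use of key object {locator.get('object')!r} "
                   f"(token {locator.get('token')!r}) for this head, so the receiving head "
                   "cannot decrypt the stream. Check the key server's policy/ACL for this "
                   "appliance and the state of that key object before touching replication.")
    else:
        summary = f"crypto error during receive: {reason}"
    return ReplicationFailure(
        side="target", root_cause=True, summary=summary, dataset=dataset,
        share=dataset.rstrip("/").rsplit("/", 1)[-1], key_format=m.group("fmt"),
        key_locator=locator,
    )


def parse_source_error(line: str) -> Optional[ReplicationFailure]:
    """Return a secondary finding for a sender-side abort message, else None."""
    if not any(marker in line for marker in SOURCE_SECONDARY):
        return None
    return ReplicationFailure(
        side="source", root_cause=False,
        summary="target aborted the stream; the cause is on the receiving head, not the sender",
    )


def triage(source_lines: List[str], target_lines: List[str]) -> List[ReplicationFailure]:
    """Classify both sides' messages; root-cause findings are listed first."""
    findings = [f for f in map(parse_target_error, target_lines) if f]
    findings += [f for f in map(parse_source_error, source_lines) if f]
    return sorted(findings, key=lambda f: not f.root_cause)


if __name__ == "__main__":
    for finding in triage(SOURCE_LINES, TARGET_LINES):
        tag = "ROOT CAUSE" if finding.root_cause else "secondary "
        print(f"[{tag}] {finding.side}: {finding.summary}")
```

Run it against lines collected from both heads of a failing pair; the point of the ordering is that a "Broken pipe" on the source is never the thing to fix here, and the token/object pair from the target line is exactly what the key-server administrator needs to look up which policy is denying the request.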
Changes
When a key server stops serving encryption keys to a ZFSSA, replication can fail because the replication target ZFSSA cannot obtain the encryption key for the incoming data stream.
Cause