Operational Defect Database

BugZero found this defect 136 days ago.

Hewlett Packard Enterprise | a00127934en_us

Advisory: (Revision) HPE ProLiant Gen10 Plus Servers - Unable to Switch From LKM to EKM With MR Controllers When Boot Time Password is Set

Last update date:

1/10/2024

Affected products:

HPE MR Gen10 Plus Controllers

HPE ProLiant DL20 Gen10 Plus server

HPE ProLiant DL325 Gen10 Plus v2 server

HPE ProLiant DL345 Gen10 Plus server

HPE ProLiant DL360 Gen10 Plus server

HPE ProLiant DL365 Gen10 Plus server

HPE ProLiant DL380 Gen10 Plus server

HPE ProLiant DL385 Gen10 Plus v2 server

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

Document Version | Release Date | Details
2 | January 5, 2024 | Updated the Resolution with the version of firmware that resolves this issue.
1 | November 2, 2022 | Original Document Release.

On HPE Gen10 Plus systems configured with HPE Gen10 Plus controllers, when drive security is enabled and configured as "local key management (LKM)" with the boot time password set, drive security cannot be switched to external key management (EKM) directly.

The menu reports success and requests rebooting the system when changing the configuration to switch from LKM to EKM. However, the setting remains as LKM, and the configuration cannot be changed until the drive security is disabled.

Image 1 - Success message received

Image 2 - System Configuration stays as LKM.

NOTE: If the drive security is already enabled and configured as EKM from the beginning, the function works correctly.

Scope

Any HPE Gen10 Plus servers configured with the HPE MR Gen10 Plus Controllers below:

HPE MR216i-a Gen10 Plus x16 Lanes without Cache NVMe/SAS 12G Controller (P26325-B21)

HPE MR216i-p Gen10 Plus x16 Lanes without Cache NVMe/SAS 12G Controller (P26324-B21)

HPE MR416i-a Gen10 Plus x16 Lanes 4GB Cache NVMe/SAS 12G Controller (P26279-B21)

HPE MR416i-p Gen10 Plus x16 Lanes 4GB Cache NVMe/SAS 12G Controller (P06367-B21)

Resolution

This issue is resolved in HPE MR Gen10 Plus Controllers firmware version 52.24.3-4948 (or later):

HPE MR216i-a Gen10 Plus Tri Mode Controller

HPE MR216i-p Gen10 Plus Tri Mode Controller with Gen10 and Gen10 Plus servers

HPE MR416i-a Gen10 Plus Tri Mode Controller (v52.24.3-4948)

HPE MR416i-p Gen10 Plus Tri Mode Controller with Gen10 and Gen10 Plus servers

Workaround

Complete the steps below to resolve this issue:

Remove the boot time password:

1. In the System Utilities menu, click System Configuration > (Target MR Controller) > Main Menu > Controller Management > Advanced Controller Management > Change Security Settings.
2. Check "Change Current Security Settings" and click OK.
3. Input the current LKM security key in the Enter Existing Security Key field.
4. Check Use the Existing Passphrase.
5. Uncheck Pause for Password at boot time.
6. Check I Recorded the Security Settings for Future Reference.
7. Click Save Security Settings to apply the changes.
8. Check Confirm and click Yes in the warning page.
9. Once it reports Success, click OK and return to the management menu. Note that this change does not require a system reboot.

Switch to EKM:

1. Click Change Security Settings again.
2. Uncheck Change Current Security Settings.
3. Check Switch to External Key Management (EKM) Mode and click OK.
4. Input the current LKM security key in the Current Security Key field and click OK to apply.
5. In the Success page, click OK to return to the menu, and then reboot the system.

Key management mode will be switched to EKM after the system is rebooted.

If one or more secured logical drives fail to re-encrypt by new keys from EKM, the status of the physical drives in the logical drives will become foreign after another reboot. When logical drives have physical drives in a foreign status, import the physical drives, and provide the LKM security key so that the logical drives can be re-assembled and secured by EKM keys.

Refer to the section "Importing secured foreign drive" in the HPE MR Gen10 Plus Controller User Guide.
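Added example (not part of the HPE advisory and not HPE tooling): a fleet triage check that applies the Scope part numbers, the fixed firmware version and the LKM-plus-boot-time-password condition from this advisory to an inventory export. The record fields (host, part, fw, key_mgmt, boot_password), the status names, the sample hosts and firmware values, and the assumption that versions order numerically field by field are all hypothetical.

```python
import re

FIXED_FW = "52.24.3-4948"  # fixed firmware version stated in the advisory
# Controller part numbers from the advisory's Scope section
IN_SCOPE = {"P26325-B21", "P26324-B21", "P26279-B21", "P06367-B21"}

def parse_fw(version):
    """Parse 'A.B.C-D' (optional leading 'v') into a tuple of ints.
    Assumption: versions order field by field, numerically."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)-(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognized firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())

def triage(rec):
    """Classify one inventory record against the advisory's conditions."""
    if rec["part"] not in IN_SCOPE:
        return "out_of_scope"
    try:
        if parse_fw(rec["fw"]) >= parse_fw(FIXED_FW):
            return "fixed"
    except ValueError:
        return "check_manually"  # never guess on an unparseable version
    # The defect triggers only with LKM and the boot time password both set
    if rec["key_mgmt"] == "LKM" and rec["boot_password"]:
        return "blocked_lkm_to_ekm"
    return "update_recommended"

# Constructed sample inventory; hosts and firmware values are made up.
INVENTORY = [
    {"host": "db01", "part": "P26279-B21", "fw": "52.9.3-4000",
     "key_mgmt": "LKM", "boot_password": True},
    {"host": "db02", "part": "P26325-B21", "fw": "52.24.3-4948",
     "key_mgmt": "LKM", "boot_password": True},
    {"host": "db03", "part": "P06367-B21", "fw": "52.9.3-4000",
     "key_mgmt": "EKM", "boot_password": False},
    {"host": "db04", "part": "P26324-B21", "fw": "unknown",
     "key_mgmt": "LKM", "boot_password": True},
    {"host": "db05", "part": "PLACEHOLDER-OTHER", "fw": "1.0.0-1",
     "key_mgmt": "LKM", "boot_password": True},
]

def report(inventory):
    """Map each host to its triage status."""
    return {rec["host"]: triage(rec) for rec in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the raw strings would sort the constructed value "52.9.3-4000" above "52.24.3-4948" and mark db01 as fixed, which is why the versions are parsed into integer tuples first.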
