Setup Guide: Enable OpenManage Secure Enterprise Key Manager (SEKM) on Dell EMC PowerEdge Servers
Troubleshoot issues while setting up SEKM on iDRAC
5.5 I checked the SEKM status on iDRAC and it shows “Unverified Changes Pending”. What does that mean?
This means that changes were made to the SEKM settings on iDRAC but were never validated. Run the RACADM command “racadm sekm enable” to enable SEKM; this makes iDRAC validate the pending changes and sets the SEKM status back to either Enabled or Failed.
5.6 I changed the KMIP authentication settings on the KMS and now the iDRAC SEKM status has changed to “Failed”?
• If you changed the user name or password of the iDRAC account on the KMS, then make sure you change the corresponding properties on the iDRAC as well and enable SEKM.
• If you changed the value of the “Username field in the Client Certificate” option on the KMS, then you need to generate a new CSR from iDRAC by setting the appropriate CSR property to the username, get the CSR signed by the KMS CA, and then upload it to iDRAC. For example, if you change the value of the “Username field in the Client Certificate” option on the KMS from “Common Name” to “Organizational Unit”, then generate a new CSR by setting the OU property to the iDRAC KMS username, sign it using the KMS CA, and then upload it to iDRAC.
• If you enabled the “Require Client Certificate to contain Source IP” property on the KMS, then generate a new CSR by selecting the “Include iDRAC IP Address in CSR” option, sign it using the KMS CA, and then upload it to iDRAC.
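The three bullets above all come down to one requirement: the subject field (or IP SAN) that the KMS reads from the iDRAC client certificate must match what the KMS has been configured to expect, or SEKM ends up in the Failed state. The following Go program is an added example, not code from Dell's guide, iDRAC or any KMS. It builds a CSR the way the guide describes (username in Common Name or Organizational Unit, iDRAC IP optionally included as a SAN) and then checks a CSR against a small, assumed model of the two KMS settings before the CSR is sent for signing; the KMSPolicy type, the username “idrac-srv01” and the IP 192.0.2.10 are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"strings"
)

// UsernameField mirrors the KMS option "Username field in the Client Certificate".
type UsernameField string

const (
	CommonName         UsernameField = "Common Name"
	OrganizationalUnit UsernameField = "Organizational Unit"
)

// KMSPolicy is an assumed minimal model of the two KMS settings discussed above.
type KMSPolicy struct {
	UsernameField   UsernameField // field the KMS reads the username from
	RequireSourceIP bool          // "Require Client Certificate to contain Source IP"
}

// BuildCSR makes a PEM CSR with the KMS username in the requested subject field and,
// when includeIP is set, the iDRAC IP as an IP SAN ("Include iDRAC IP Address in CSR").
// A throwaway P-256 key is generated for the example; a real iDRAC uses its own key.
func BuildCSR(username string, field UsernameField, idracIP net.IP, includeIP bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var subj pkix.Name
	switch field {
	case CommonName:
		subj.CommonName = username
	case OrganizationalUnit:
		subj.OrganizationalUnit = []string{username}
	default:
		return nil, fmt.Errorf("unsupported username field %q", field)
	}
	tmpl := &x509.CertificateRequest{Subject: subj}
	if includeIP {
		tmpl.IPAddresses = []net.IP{idracIP}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSR returns nil when the CSR matches the KMS policy for this iDRAC account;
// otherwise the error names the mismatch that would leave SEKM in the Failed state.
func CheckCSR(csrPEM []byte, policy KMSPolicy, username string, idracIP net.IP) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	got := csr.Subject.CommonName // value the KMS would take as the username
	if policy.UsernameField == OrganizationalUnit {
		got = strings.Join(csr.Subject.OrganizationalUnit, ",")
	}
	if got != username {
		return fmt.Errorf("KMS reads the username from %s but the CSR carries %q there, want %q",
			policy.UsernameField, got, username)
	}
	if policy.RequireSourceIP {
		for _, ip := range csr.IPAddresses {
			if ip.Equal(idracIP) {
				return nil
			}
		}
		return fmt.Errorf("KMS requires source IP %s but the CSR has no matching IP SAN", idracIP)
	}
	return nil
}

func main() {
	ip, user := net.ParseIP("192.0.2.10"), "idrac-srv01" // constructed sample values
	strict := KMSPolicy{UsernameField: OrganizationalUnit, RequireSourceIP: true}
	old, _ := BuildCSR(user, CommonName, ip, false) // CSR from before the KMS change
	fmt.Println("old CSR, CN policy:  ", CheckCSR(old, KMSPolicy{UsernameField: CommonName}, user, ip))
	fmt.Println("old CSR, new policy: ", CheckCSR(old, strict, user, ip))
	renewed, _ := BuildCSR(user, OrganizationalUnit, ip, true) // regenerated per the guide
	fmt.Println("new CSR, new policy: ", CheckCSR(renewed, strict, user, ip))
}
```

The first check passes, the second fails because the username now has to sit in OU and the IP SAN is missing, and the third passes once the CSR is regenerated with the OU property and the iDRAC IP, which is exactly the sequence the bullets describe. Running the same check on the signed certificate the KMS CA returns is a cheap way to confirm the CA did not drop the OU or SAN before uploading it to iDRAC.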
5.7 I moved a SED from one SEKM-enabled PERC to another SEKM-enabled PERC on another server and now my drive shows up as Locked and Foreign. How do I unlock the drive?
Because each iDRAC is represented on the KMS by a separate user account, the keys created by one iDRAC are by default not accessible to another iDRAC. To enable the second iDRAC to get the key generated by the first iDRAC and provide it to PERC to unlock the migrated SED, create a group containing the two iDRAC usernames and then grant that group permissions on the key so that the iDRACs in the group can share it. The steps to do this on the Gemalto KeySecure are described below.
1. Log in to the KeySecure Management Console and click Users and Groups > Local Users and Groups.
2. To create a new group, click Add in the Local groups section.
3. Select the newly created group and click Properties.
4. In the User List section, click Add, and then add both the iDRAC user names to this group.
5. After the group is created, click Security Keys.
6. Identify the key created by the first iDRAC using the iDRAC unique user name.
7. Select the key and click Properties.
8. Click the Permissions tab, and then click Add under Group Permissions.
9. Enter the name of the group you created in step 2.
10. Remove and insert the drive to initiate a key exchange.
Now the second iDRAC should be able to get the key and provide it to PERC to successfully unlock the drive. The SED should appear as Foreign and Unlocked, and you can now import or clear the foreign configuration on the drive.