@PSUStevens blog

How to Deploy a HyTrust KeyControl v5.2.1, 2-Node Cluster

See how easy it is to deploy a 2-node HyTrust KeyControl v5.2.1 Key Management Server (KMS) for encrypting sensitive data in virtual machines.

PSUStevens

7 minutes read

KeyControl

To get started here is what you will need to complete the steps in this post:

  • KeyControl OVA v5.2.1
  • vCenter and ESXi hosts at version 6.5 or later
  • 2 vCPU, 8GB RAM, 60GB disk per KeyControl node
  • Network address information such as:
    • IP address (one per node)
    • Subnet mask
    • Gateway address
    • DNS server information
    • DNS registered hostname for each node

Deploy the First HyTrust KeyControl Appliance

  1. Log in to the vCenter Server Appliance (VCSA). Once logged in, right-click the cluster or host in the inventory and select Deploy OVF Template…

[Screenshot: Deploy OVF Template]

  2. Click on Upload Files and navigate to the directory where you placed the HyTrust KeyControl OVA, select it, then click Open.

[Screenshot: Select OVF Template]

  3. Now that you have the HyTrust KeyControl OVA selected, click on Next.

[Screenshot: Selected OVF Template]

  4. Provide a name for the HyTrust KeyControl appliance, select a deployment location, then click Next.

[Screenshot: Select a Name and Folder]

  5. Select the vSphere cluster or host, then click Next.

[Screenshot: Select a Compute Resource]

  6. Review the details, then click Next.

[Screenshot: Review Details]

  7. Accept the license agreement, then click Next.

[Screenshot: License Agreement]

  8. Select the deployment size that matches your environment from the list, then click Next.

[Screenshot: Deployment Size]

  9. Select the appropriate storage and disk format for the appliance, then click Next.

[Screenshot: Select Storage]

  10. Select the appropriate network, then click Next.

[Screenshot: Select Network]

  11. Provide the required information (the hostname, IP address, subnet mask, gateway and DNS servers you gathered earlier), then click Next.

[Screenshot: Appliance Properties]

  12. Review the summary screen. If everything is correct, click Finish.

[Screenshot: Review Settings]

You have successfully deployed the first HyTrust KeyControl node.


Deploy the Second HyTrust KeyControl Appliance

Before moving forward, run back through the same steps and deploy a second virtual appliance. I strongly suggest this because once you begin encrypting VM workloads, you must make sure you never lose access to them. Treat the Key Management Server (KMS) as being as critical as the Domain Name Service (DNS): without a reachable KMS you can lose the ability to power on encrypted VMs, and losing the encryption keys outright could turn out to be a very bad day. Keep the two nodes on separate hosts (a DRS anti-affinity rule does this for you) and never place them on storage that depends on the keys they serve. Later in the steps below, I will walk you through configuring both virtual appliances into a 2-node HA cluster.

After you have deployed the second appliance, come back to this point and work on configuring the first appliance.
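If you would rather not walk the Deploy OVF Template wizard twice, the same two deployments can be scripted with PowerCLI. The block below is an added example and is not code from the original post or from HyTrust; the vCenter name, OVA path, inventory names, addresses, the OVA's network label ('VM Network'), the deployment-size label and the Common.* property keys are all assumptions that you must replace with the keys the listing at the top prints for your OVA.

```powershell
# Added example, not from the original post: deploy both KeyControl nodes with PowerCLI
# and keep them on separate hosts. All names, paths, addresses and OVF property keys
# below are placeholders for your environment.
Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server 'vcsa.example.com' | Out-Null        # assumed vCenter FQDN

$ova       = 'C:\ova\KeyControl-5.2.1.ova'                      # assumed path to the OVA
$cluster   = Get-Cluster   -Name 'Prod-Cluster'                 # assumed inventory names
$datastore = Get-Datastore -Name 'SSD-DS01'
$folder    = Get-Folder    -Name 'Infrastructure'
$portgroup = 'Mgmt-VLAN10'

# One entry per node; both nodes share mask, gateway and DNS servers.
$nodes = @(
    @{ Name = 'kc01'; Fqdn = 'kc01.example.com'; Ip = '10.0.10.21' },
    @{ Name = 'kc02'; Fqdn = 'kc02.example.com'; Ip = '10.0.10.22' }
)
$netmask = '255.255.255.0'
$gateway = '10.0.10.1'
$dns     = '10.0.10.5,10.0.10.6'

# Inspect the OVA once. The network label and Common.* property keys used below are
# assumptions; replace them with the keys this listing prints.
(Get-OvfConfiguration -Ovf $ova).ToHashTable().Keys | Sort-Object

$hosts    = @(Get-VMHost -Location $cluster | Where-Object { $_.ConnectionState -eq 'Connected' } | Sort-Object Name)
$deployed = @()

for ($i = 0; $i -lt $nodes.Count; $i++) {
    $n = $nodes[$i]

    # Prerequisite check: the DNS-registered hostname must already resolve to the
    # address you are about to assign, otherwise the cluster join later gets confusing.
    $a = Resolve-DnsName -Name $n.Fqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    if ($a.IPAddress -notcontains $n.Ip) {
        throw "$($n.Fqdn) does not resolve to $($n.Ip); fix DNS before deploying."
    }

    $ovf = Get-OvfConfiguration -Ovf $ova
    $ovf.DeploymentOption.Value            = 'small'      # assumed size label
    $ovf.NetworkMapping.'VM Network'.Value = $portgroup   # assumed OVA network label
    $ovf.Common.hostname.Value             = $n.Fqdn      # assumed property keys
    $ovf.Common.ip.Value                   = $n.Ip
    $ovf.Common.netmask.Value              = $netmask
    $ovf.Common.gateway.Value              = $gateway
    $ovf.Common.dns.Value                  = $dns

    # Round-robin over hosts so the nodes do not start life on the same one.
    $vmhost = $hosts[$i % $hosts.Count]
    $deployed += Import-VApp -Source $ova -OvfConfiguration $ovf -Name $n.Name `
                    -VMHost $vmhost -Datastore $datastore -DiskStorageFormat Thin `
                    -Location $folder -Confirm:$false
}

# Treat the KMS like DNS: a single host failure must not take both nodes down, so
# tell DRS never to co-locate them.
New-DrsRule -Cluster $cluster -Name 'KeyControl-AntiAffinity' -Enabled $true `
    -KeepTogether $false -VM $deployed | Out-Null

$deployed | Start-VM | Out-Null
```

Once the VMs are powered on you still set the htadmin password from the console as described in the next section; the script only covers what the wizard does. Thin provisioning is used here for a lab; pick the disk format your storage policy calls for.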


Configure the First Appliance

  1. Locate the newly deployed HyTrust KeyControl appliance. Power it on, then open a console to it.

  2. Set the password for the system administrator account (htadmin) on the appliance. Using the Tab key, move to OK and press Enter on your keyboard.

NOTE: This password controls access to the HyTrust KeyControl System Console, which allows users to perform some privileged KeyControl administration tasks. Treat it like any other root password and record it in your password vault.

After pressing OK, the networking and other subsystems are configured. This can take several minutes, so be patient.

[Screenshot: Specify htadmin Password]

  3. After setup has completed, a window displays the management IP address of the appliance. Make a note of it because you will need it in the next step. Tab to OK and press Enter on your keyboard.

[Screenshot: Setup Complete]


Continue Configuration using the WebGUI

  1. Launch a web browser and navigate to the management IP address or fully-qualified domain name (FQDN) of the appliance. Log in with the factory default credentials:
    • User Name: secroot
    • Password: secroot

[Screenshot: KeyControl Login screen]

  2. Upon logging in, read and accept the EULA by clicking I Agree at the bottom of the agreement.

[Screenshot: EULA screen]

  3. Since this is the first KeyControl node, click Continue as a Standalone Node.

[Screenshot: Welcome to KeyControl screen]

  4. Enter a new password for the secroot account, following the password complexity rules, then click Update Password. The default password is public knowledge, so do not leave the appliance reachable on the network with it in place any longer than necessary.

[Screenshot: Change Password]

  5. Configure E-Mail and Mail Server Settings by entering your email address and mail server details.

I discourage you from disabling e-mail notifications. If you are running a trial, you want to be notified when the trial license is about to expire, and whether or not you are on a trial license you would otherwise miss potentially important system alerts.

If you do decide to skip this step, you can configure email notifications at a later time.

[Screenshot: Email and Mail Server settings]

  6. This is a crucial step. Please, please, please click the Download button, and read through the entire text in this dialog. If you do not download the Admin Key and for whatever reason later need to perform some sort of recovery of the appliance, you MUST have this key; otherwise, as the text states, you may lose access to your encryption keys. Store the downloaded key somewhere that does not depend on this cluster (an offline copy or a separate secrets vault), never on a VM that the cluster will encrypt.

[Screenshot: Download Admin Key]

  7. If you are running a trial of KeyControl, Vitals reporting cannot be disabled. Otherwise, you can disable Vitals after you apply a purchased license. Vitals is a good thing. Trust me. Click Continue.

[Screenshot: Vitals Reporting]

After clicking Continue, the main WebGUI is displayed. You have successfully finished configuring the first node of the cluster. Move to the next section to add the second node to the cluster.


Adding the Second KeyControl Node to the Cluster

  1. Launch a web browser and navigate to the management IP address or fully-qualified domain name (FQDN) of the second appliance. Log in with the factory default credentials:
    • User Name: secroot
    • Password: secroot

[Screenshot: KeyControl Login screen]

  2. Upon logging in, read and accept the EULA by clicking I Agree at the bottom of the agreement.

[Screenshot: EULA screen]

  3. Since this is the second KeyControl node, click Join an Existing Cluster.

[Screenshot: Welcome to KeyControl screen]

  4. You will notice the workflow for configuring the second node is quite different. Review the information and click Continue.

[Screenshot: Getting Started with Cluster Join]

  5. Click Generate and Download CSR. This places a .csr file in your downloads directory. You will need this file on the first node in a few steps.

[Screenshot: Generate & Download CSR]

  6. Click Continue.

[Screenshot: Downloaded CSR]

  7. At this point, open a new browser window or tab and log in to the first KeyControl node. Do NOT click the Continue button on this screen yet!

[Screenshot: Add Node to Cluster]

  8. After logging in to the first KeyControl node, click Cluster in the top menu. Next, click the blue Actions button and select Add a Node.

[Screenshot: Add Node]

  9. Click the Load File button and select the .csr file you downloaded from the second node. Next, enter a passphrase that is at least 12 characters long; you will need it again on the second node, so keep it at hand, but do not reuse the secroot password. Click Save and Download Bundle. A zip file is placed in the downloads directory on your computer. It contains the second node's SSL certificate in an encrypted .p12 file (protected by the passphrase) and the cluster CA certificate in .pem format.

[Screenshot: Load CSR]

  10. As the window states, click OK and switch back to the browser window or tab of the second node that you are in the process of adding to the cluster.

[Screenshot: Switch to First Node]

  11. Now you can click the Continue button on this screen.

[Screenshot: Click Continue]

  12. Under Upload SSL Certificate, click the Load File button and select the encrypted SSL certificate: the file that does NOT have a .pem extension. Under Upload CA Certificate, click the Load File button and select the CA certificate: the file with the .pem extension (cacert.pem). Enter the passphrase you created on the first node, then click Join.

[Screenshot: Upload Certificates]

  13. After clicking Join, the joining process displays the steps it takes to join the node to the cluster. The second node is restarted during this process.

[Screenshot: Cluster Join Progress]

  14. After the node has successfully restarted, click the Login button and log in to the newly joined node. Use the new secroot password you created during the configuration of the first KeyControl node; the second node now shares the cluster's configuration, so its original default password no longer applies.

[Screenshot: Node Addition Successful]

After logging in to the second node, you will notice that the Cluster button in the top menu shows a green number two. Click it to see all of the nodes in the cluster.

[Screenshot: Confirm Node Status]

Pat yourself on the back. You have successfully created a 2-node HyTrust KeyControl KMS cluster.
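Before uploading the bundle in the Upload Certificates step, it is worth confirming that you have the right two files and that the passphrase actually opens the .p12, since a mistake there surfaces as a failed join. The PowerShell function below is an added example and is not part of the original post or of KeyControl. It assumes the zip holds exactly one .p12 and one .pem (cacert.pem), that the passphrase is the one you typed on the first node, and that the certificate's subject names the second node's FQDN (adjust ExpectedHost if your CSR used the short hostname). The file path, passphrase prompt and hostname in the usage line are placeholders.

```powershell
# Added example, not from the original post: check the join bundle downloaded from the
# first node before uploading it to the second node. Works in Windows PowerShell 5.1
# (.NET 4.7.2+) and PowerShell 7; if the .p12 fails to load on 5.1, try 7.
function Test-KeyControlJoinBundle {
    param(
        [Parameter(Mandatory)] [string] $BundlePath,   # the downloaded .zip
        [Parameter(Mandatory)] [string] $Passphrase,   # passphrase entered on the first node
        [Parameter(Mandatory)] [string] $ExpectedHost  # FQDN of the node being joined (assumed CSR subject)
    )
    if ($Passphrase.Length -lt 12) { throw 'KeyControl requires a passphrase of at least 12 characters.' }

    $work = Join-Path ([IO.Path]::GetTempPath()) ('kc-bundle-' + [guid]::NewGuid())
    Expand-Archive -Path $BundlePath -DestinationPath $work -Force
    try {
        $p12 = Get-ChildItem -Path $work -Recurse -Filter '*.p12' | Select-Object -First 1
        $pem = Get-ChildItem -Path $work -Recurse -Filter '*.pem' | Select-Object -First 1
        if (-not $p12 -or -not $pem) { throw 'Bundle must contain one .p12 and one .pem file.' }

        # Loading the .p12 is the passphrase test: a wrong passphrase throws here instead
        # of failing the join. EphemeralKeySet keeps nothing behind in the OS key store.
        $flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
        $nodeCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($p12.FullName, $Passphrase, $flags)
        $caCert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pem.FullName)

        # The certificate must name the node you generated the CSR on (SAN first, then CN).
        $dnsName = $nodeCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $ExpectedHost) {
            throw "Certificate is for '$dnsName', not '$ExpectedHost'. Did you load the right CSR on the first node?"
        }

        # The certificate must chain to the CA in cacert.pem: the CA is supplied as an extra
        # store, allowed to be untrusted by the OS, and then pinned by thumbprint.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null  = $chain.ChainPolicy.ExtraStore.Add($caCert)
        $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        if (-not $chain.Build($nodeCert)) {
            $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            throw "Certificate does not chain to cacert.pem: $why"
        }
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -ne $caCert.Thumbprint) {
            throw 'Certificate chains to a different CA than the one in cacert.pem.'
        }

        [pscustomobject]@{
            Node         = $dnsName
            NotAfter     = $nodeCert.NotAfter
            Issuer       = $nodeCert.Issuer
            CaSubject    = $caCert.Subject
            CaThumbprint = $caCert.Thumbprint
            P12File      = $p12.Name     # upload this under "Upload SSL Certificate"
            CaFile       = $pem.Name     # upload this under "Upload CA Certificate"
        }
    }
    finally {
        # Do not leave an unpacked copy of the bundle lying around in the temp directory.
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (path and hostname are assumed placeholders; the passphrase is prompted for so it
# does not end up in your shell history):
Test-KeyControlJoinBundle -BundlePath "$HOME\Downloads\kc-node-bundle.zip" `
    -Passphrase (Read-Host -Prompt 'Bundle passphrase') `
    -ExpectedHost 'kc02.example.com'
```

The chain check is deliberately pinned to the thumbprint of cacert.pem rather than to anything in the OS trust store: the point is to prove that the first node's CA issued this certificate, not that Windows happens to trust it.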


Summary

In summary, creating a Key Management cluster involves a fair number of clicks, but it is something you can complete in under 30 minutes. I do this regularly and can get through the process in under 15 minutes.

In a follow-on blog, I will write about connecting this cluster to vCenter v7 so you can begin encrypting VMs.


If there is something you think I’m missing and feel should be added, please let me know.

Thanks for reading!
