Add a HyTrust KMS to vCenter v7 as a Key Provider
In vCenter 7, VMware moved away from the term KMS (Key Management Server) in favor of Key Provider. This post explains how to add HyTrust KeyControl as a Key Provider in vCenter 7.
In my How to Deploy a HyTrust KeyControl 2-node Cluster post I walked through the steps for deploying and configuring a 2-node HyTrust KeyControl cluster. Now that you have it deployed, let’s start using it. But before we can do that, we need to add it to vCenter as a Key Provider. Let’s go!!
Before starting, I want to clear up some terminology. If you are familiar with using encryption in vCenter 6.5 or 6.7, you may remember VMware used the term KMS Cluster when referring to a Key Management Server. But, for some reason, which I haven’t been able to track down, they now use the term Key Provider. I think it has something to do with the new VMware vSphere Trust Authority, but this is a guess. If someone at VMware can explain the reason, I’d love to know why.
Log in to the HyTrust KeyControl Cluster
- Log in to one of the KeyControl nodes. After logging in, click on the big KMIP icon in the top menu bar of the WebUI.
KMIP Server Settings
This is the screen where you will enable and make changes to the KMIP server settings.
- Change the State field from Disabled to Enabled.
- Change the KMIP Protocol version in the Protocol field from the default of 1.0 to 1.1.
VMware supports KMIP version 1.1 for Key Providers.
Create a Client Certificate
vCenter authenticates to HyTrust KeyControl with a client certificate, so the next step in the process is to create one for this purpose.
- Next to the blue Actions button, you will see the text, Client Certificates. Click this text, then click the blue Actions button and select Create Certificate.
- Enter a name for the certificate in the Certificate Name field. You can adjust the expiration date, but do NOT set a certificate password. Finally, click Create.
- You will see the new certificate in the WebUI. Click the certificate, then click the blue Actions button and select Download Certificate. A zip file will be downloaded to your system. Unzip the contents of the file; you will need the unzipped contents later.
Add a Key Provider
Log in to vCenter. Then perform the following steps.
- Click on the name of your vCenter.
- Click Key Providers in the Security section.
- Click Add Standard Key Provider.
- Enter a name for the Key Provider. This is just a reference name; it doesn’t need to match any name you use in HyTrust KeyControl.
- Enter a name for the KMS Server and the IP address or FQDN of the first KeyControl node. I normally match the name of the KMS Server to the hostname of the node I’m adding. Click the Add KMS button and add the second KeyControl node.
- You can ignore the optional proxy and password sections. Click Add Key Provider when you are finished.
The certificate details for each node will be displayed.
- Click the Trust button.
The newly added Key Provider will be displayed.
- Check the radio button next to the Key Provider. This will list the Key Management Servers at the bottom of the window.
- Click one of the KMS servers, then click Establish Trust. Select Make KMS trust vCenter.
- Click KMS certificate and private key, then click Next.
This is the point in the process where the client certificate is needed.
- Under KMS Certificate, click Upload a File. Navigate to the location where you unzipped the client certificate zip file. You will see two .pem files. Ignore cacert.pem; select the other .pem file and click OK.
- Repeat these steps for the KMS Private Key, selecting the same .pem file, then click Establish Trust.
- At this point, all of the yellowish triangles from a previous step should now be green circles with checkmarks in them.
If you want a bit more detail, expand one of the KMS Server entries.
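Before uploading the bundle it is worth confirming that the second .pem file really contains a certificate and a matching private key, that it was issued by the CA in cacert.pem, and that it has not expired; a mismatch or an expired certificate is the usual reason the Establish Trust step fails. The script below does those checks with the openssl CLI. It is an added example, not HyTrust or VMware code: it builds a constructed sample bundle in a temporary directory so it runs offline, and in real use you point check_bundle at your unzipped download instead. The file names cacert.pem and <name>.pem follow this post, and the KMIP port 5696 is an assumption based on KeyControl's default.

```shell
#!/bin/sh
# Added example (not HyTrust or VMware code): sanity-check a KeyControl
# client-certificate bundle before it is uploaded to vCenter.
# Assumed layout, as in the post: cacert.pem (KeyControl CA) and
# <name>.pem (client certificate and private key in one PEM file).
# Needs only the openssl CLI.
set -e

KMIP_PORT=5696   # assumed; KeyControl's default KMIP listener port

# check_bundle DIR NAME: returns 0 if DIR/NAME.pem holds a certificate plus
# its matching private key, is issued by DIR/cacert.pem and is not expired.
check_bundle() {
    ca="$1/cacert.pem"
    client="$1/$2.pem"
    [ -f "$ca" ] || { echo "missing $ca"; return 1; }
    [ -f "$client" ] || { echo "missing $client"; return 1; }

    # vCenter takes this one file as both "KMS certificate" and
    # "KMS private key", so both PEM blocks must be present.
    grep -q "BEGIN CERTIFICATE" "$client" || { echo "no certificate in $client"; return 1; }
    grep -q "PRIVATE KEY" "$client" || { echo "no private key in $client"; return 1; }

    # Certificate and key belong together only if their public keys agree.
    cert_pub=$(openssl x509 -in "$client" -noout -pubkey)
    key_pub=$(openssl pkey -in "$client" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and private key do not match"; return 1; }

    # The client certificate must chain to the CA vCenter is told to trust.
    openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 \
        || { echo "certificate was not issued by $ca"; return 1; }

    # Expired now -> fail; expiring within 30 days -> warn only.
    openssl x509 -in "$client" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    openssl x509 -in "$client" -noout -checkend 2592000 >/dev/null \
        || echo "warning: certificate expires within 30 days"
    echo "bundle OK: $(openssl x509 -in "$client" -noout -subject -enddate | tr '\n' ' ')"
}

# check_kmip_endpoint HOST DIR NAME: TLS handshake against the KeyControl
# KMIP listener using the client certificate, the way vCenter will.
# Needs network access, so it is defined here but not called.
check_kmip_endpoint() {
    openssl s_client -connect "$1:$KMIP_PORT" -CAfile "$2/cacert.pem" \
        -cert "$2/$3.pem" -key "$2/$3.pem" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# make_sample_bundle: constructed CA + client certificate in a temp dir,
# laid out like the unzipped KeyControl download, so the check runs offline.
make_sample_bundle() {
    d=$(mktemp -d)
    echo "basicConstraints=critical,CA:TRUE" > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed KeyControl CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 365 \
        -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcenter-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/client.crt" 2>/dev/null
    # KeyControl ships certificate and key together in <name>.pem
    cat "$d/client.crt" "$d/client.key" > "$d/vcenter-client.pem"
    rm -f "$d/ca.ext" "$d/ca.csr" "$d/ca.key" "$d/cacert.srl" \
          "$d/client.csr" "$d/client.crt" "$d/client.key"
    echo "$d"
}

BUNDLE_DIR=$(make_sample_bundle)
check_bundle "$BUNDLE_DIR" vcenter-client
```

For a real download, replace the last two lines with `check_bundle /path/to/unzipped <certificate-name>`; the public-key comparison is the check that matters most, because a certificate and key that do not belong together are accepted by the upload dialog but fail when trust is established.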
Congratulations!! You are finished. You are ready to begin encrypting VMs or enabling encryption for vSAN.
Let’s summarize what was covered in this post:
- You created a client certificate using the 2-node HyTrust KeyControl cluster from a previous post
- You added a Key Provider, which includes the two KeyControl cluster nodes
- You established trust between vCenter and the KeyControl cluster using the client certificate
Thanks for reading this far. In the next blog post, I’ll walk through the steps for encrypting a VM. I hope this post has helped you.
If there is something you think I’m missing and feel should be added, please let me know.