vSphere 6.5 Encryption using HyTrust KeyControl 4.1 – Part-2

In Part-1 we configured the HyTrust KeyControl cluster; now let's register this cluster in vCenter as a Key Management Server so that we can configure encryption for virtual machines.

Let's create a user to be used by vCenter: click on the Users tab to create a new user, then click on the Actions drop-down button and select Create User.


Give the user the same name as the VMware VCSA for ease of use.

NOTE – Do NOT specify a password, otherwise trust will fail.


Highlight the newly created user, click the Actions drop-down button, then click the Download Certificate option. This downloads the certificate created for that user as a zip file, which also contains the Certificate Authority (CA) certificate.


Once you have downloaded the certificate, log in to the VCSA, highlight the vCenter in the left-hand pane, click on the Configure tab in the right-hand pane, click on Key Management Servers, then click the Add KMS button.


Enter a cluster name, server alias, Fully Qualified Domain Name (FQDN)/IP of the server, and the port number (5696, as noted when KMIP was enabled in Part-1). Leave the other fields at their defaults, then click OK.


Click on Yes to set the KMS cluster “Hytrust” as the default.


Click on Trust to trust the Certificate from HyTrust KeyControl.


Now we have to establish the trust relationship between vCenter and HyTrust KeyControl. Highlight the KeyControl appliance, click on All Actions, then click on Establish trust with KMS.


Select the Upload certificate and private key option, then click OK.


Click on the Upload file button.


Browse to where the downloaded certificate zip was extracted, select the "vcenter".pem file (named after the user created earlier), then click Open.


Repeat the process for the private key by clicking on the second Upload file button; the same vcenter.pem file carries both the certificate and the private key. Verify that both fields are populated with the same file, then click OK.


You will now see that the Connection status is shown as Normal, indicating that trust has been established. HyTrust KeyControl is now set up as the Key Management Server (KMS) for vCenter.


We have now added one node of the cluster; add the second node by following the same steps.


You can now begin encrypting virtual machines with vSphere 6.5, which I will cover in the next post. Happy Learning 🙂

vSphere 6.5 Encryption using HyTrust KeyControl 4.1 – Part-1

HyTrust KeyControl includes a fully functional KMIP server that can be deployed as a vSphere Key Management Server. Once deployment is complete and a trusted connection between KeyControl and vSphere has been established, KeyControl manages the encryption keys for virtual machines in the cluster that have been encrypted with vSphere Virtual Machine Encryption or VMware vSAN Encryption.

In this post we will deploy the HyTrust KeyControl KMS server and set up a KMS cluster.

There are two installation methods for KeyControl: an OVA appliance or an ISO. In this post we will use the OVA method.

Open your vSphere Web Client and click on "Deploy OVF Template".

Choose the OVF file.

Provide a name for the HyTrust KeyControl appliance, select a deployment location, then click Next.

Select the vSphere cluster or host on which you would like to install the HyTrust KeyControl appliance, then click Next.


Review the details, then click Next.


Select the proper configuration from the drop-down menu, then click Next.


Select the preferred storage and disk format for the KeyControl appliance, then click Next.


Select the appropriate network, enter the network details, then click Next.


Review the summary screen; if everything is correct, click Finish.


The appliance deployment has completed successfully. Since I am going to set up a cluster, I will deploy another appliance using the same procedure.

Once both appliances have been deployed, power on the first HyTrust KeyControl appliance, then open a console to it. Set the system password, then press OK.


Since this is the first node, select No (do not join an existing cluster), then press Enter.


Review the Appliance Configuration, then press OK.


The first KeyControl appliance is now configured and you can move to the KeyControl WebGUI. Open a web browser and navigate to the IP or FQDN of the KeyControl appliance. Use the following credentials to log in for the first time:
Username: secroot
Password: secroot


After logging in, read and accept the EULA by clicking on I Agree at the bottom of the agreement.


Enter a new password for the secroot account, then click Update Password.


We have now successfully set up our first node.


Setup Cluster

Power on the second appliance and follow all the steps above, except click "YES" here.


This takes us to the cluster join process.


Enter the IP address of the first node.


The final piece of information required is the passphrase, which must be at least 16 characters long.


The node must now be authenticated through the webGUI, as the following message indicates:


At this point you need to log on to the WebGUI of the first node with administrative privileges. The new KeyControl node automatically appears as an unauthenticated node in the KeyControl cluster, as shown below:


To authenticate this new node, click the Actions button and then click Authenticate. This takes you to the authentication screen shown below, where you are prompted to enter the authentication passphrase.


On the new KeyControl’s console, you will see a succession of status messages, as shown below:


Once authentication completes, the KeyControl node is listed as Authenticated but Unreachable until cluster synchronization completes and the cluster is ready for use. This should not take more than a minute or two. Once the KeyControl node is available, its status automatically moves to Authenticated and Online, and the cluster status at the top right of the screen changes back to Healthy.


At this point, the new cluster/node is ready to use.

Now click on the KMIP button on the toolbar to configure KMIP.


Enable KMIP by changing the state from Disabled to Enabled, click Save, then click Apply. NOTE: Take note of the port number 5696 and have it handy; you will specify this port number in the vCenter/VCSA configuration later on.

We have now successfully set up the KMS cluster.
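Once KMIP is enabled on port 5696 here and, in Part-2, the downloaded vcenter.pem has been uploaded to vCenter, the following Python check (an added example, not part of the original post or of HyTrust or VMware tooling) confirms from an admin host that the bundle carries both certificate and key, opens the same mutual-TLS session vCenter uses toward the KMIP port with trust limited to the downloaded CA, and reports the server certificate's remaining validity. The file names cacert.pem and vcenter.pem and the KeyControl host are assumptions; the embedded bundle is a constructed placeholder.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed stand-in for the downloaded vcenter.pem: one PEM file that carries
# both the client certificate and its private key (the bodies are placeholders).
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY-BODY
-----END PRIVATE KEY-----
"""

def pem_labels(pem_text):
    """Return the labels of the PEM blocks in the text, in order of appearance."""
    return [line[len("-----BEGIN "):-len("-----")]
            for line in pem_text.splitlines()
            if line.startswith("-----BEGIN ") and line.endswith("-----")]

def bundle_is_complete(pem_text):
    """True when the bundle holds a certificate and a private key; vCenter's two
    Upload file fields are both pointed at this one file."""
    labels = pem_labels(pem_text)
    return "CERTIFICATE" in labels and any(l.endswith("PRIVATE KEY") for l in labels)

def kmip_context(ca_file, client_bundle):
    """Build the mutual-TLS context vCenter uses toward KeyControl: trust only the
    CA from the downloaded zip and present the client certificate and key.
    load_cert_chain() raises ssl.SSLError if the key does not match the cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # nodes are usually registered by IP, not FQDN
    ctx.load_cert_chain(certfile=client_bundle)
    return ctx

def check_kmip_endpoint(host, ctx, port=5696, timeout=5.0):
    """Complete a TLS handshake with the KMIP port and report the server
    certificate's subject and remaining validity. A handshake failure here is
    what vCenter surfaces as a non-Normal connection status."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     timezone.utc)
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {"commonName": subject.get("commonName"), "expires": expires,
            "days_left": (expires - datetime.now(timezone.utc)).days}
```

With the real files (for example `check_kmip_endpoint("192.0.2.10", kmip_context("cacert.pem", "vcenter.pem"))`), a handshake error corresponds to the conditions that leave vCenter's connection status anything other than Normal: a key that does not match the certificate, a server certificate not issued by the downloaded CA, or KMIP still disabled on the node.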

In the next post, we will configure vSphere to use this cluster as its KMS server. Happy Learning 🙂