Month: March 2018

vSphere 6.5 Encryption using HyTrust KeyControl 4.1 – Part-2

In the Part-1 we configured HyTrust KeyControl Cluster , now lets configure this cluster in vCenter and configure encryption for Virtual Machines..

Lets create a user to be utilize with vCenter –  click on the Users tab to create a new user. Click on the Actions drop down button and select, Create User.

1.png

Create a user called the same name as the VMware VCSA name for ease of use.

NOTE – Do NOT specify a password, else trust will fail.

2.png

Highlight the newly created user, click the Actions dropdown button, then click the Download Certificate option. This will download the certificate created for that user. A zip file containing the Certificate of Authority (CA) will be downloaded.

3.png

Once you have downloaded Certificate , Log in to the VCSA, highlight the vCenter on the left hand pane, click on the configure tab on the right hand pane, click on Key Management Servers, then click the Add KMS button.

4.png

Enter a Cluster name, Server Alias, Fully Qualified Domain Name (FQDN)/IP of the server, and the port number. Leave the other fields as the default, then click OK.

5.png

Click on Yes to set the KMS cluster “Hytrust” as the default.

6.png

Click on Trust to trust the Certificate from HyTrust KeyControl.

7.png

Now we have to establish the trust relationship between vCenter and HyTrust KeyControl. Highlight the KeyControl appliance, click on All Actions, then click on Establish trust with KMS.

8.png

Select the Upload certificate and private key option, then click OK.

9.png

Click on Upload file button

10

Browse to where the CA file was previously generated, select the “vcenter”.pem file, then click Open.

11.png

Repeat the process for the private key by clicking on the second Upload file button and Verify that both fields are populated with the same file, then click OK.

13.png

You will now see that the Connection status is shown as Normal indicating that trust has been established.Hytrust KeyControl is now set up as the Key Management Sever (KMS) for vCenter.

14.png

Now we successfully add one Node of cluster , add another node by following the same steps..

15.png

Let’s You can now begin to encrypting virtual machines with vSphere 6.5 which i will be covering in the next post. Happy Learning 🙂

 

 

Advertisements

vSphere 6.5 Encryption using HyTrust KeyControl 4.1 – Part-1

HyTrust KeyControl supports a fully functional KMIP server that can be deployed as a vSphere Key Management Server and once deployment is completed and a trusted connection between KeyControl and vSphere has been established, KeyControl can manage the encryption keys for virtual machines in the cluster that have been encrypted with vCenter Server for vSphere Virtual Machine Encryption or VMware VSAN Encryption.

In this post we will deploy HyTrust KeyControl KMS server and setup KMS Cluster

There are two methods for installation of Key Control… either we can use OVA appliance or another Method to use ISO. in this Post we will use OVA method..

Open your vSphere Web Client and Click on “Deploy OVF Template”.1.png

Choose OVF2

Provide Name for the HyTrust KeyControl Appliance, select a deployment location, then click Next.3.png

Select the vSphere cluster or host Where you would like to install the HyTrust KeyControl appliance on, then click Next.

4.png

Review the details, then click Next.

5.png

Select the proper configuration from the drop down menu, then click Next.

6.png

Select the preferred storage and disk format for the KeyControl appliance, then click Next.

7.png

Select the appropriate network, enter appropriate network details then click Next.

9.png

Review the summary screen, if everything is correct, click Finish.

10.png

11

Appliance deployment is successfully completed.. since i am going to setup a cluster , so i would go ahead and deploy another appliance using the same procedure…

One Both the appliance has been deployed , power on the newly created HyTrust KeyControl appliance, then open a console to the KeyControl appliance. Set the system password, then press OK.

12.png

Since this is the First Node ,Select No, then press enter.

13.png

Review the Appliance Configuration, then press OK.

14.png

Now First KeyControl appliance is configured and you can now move to the KeyControl WebGUI. Open a web browser and navigate to the IP or FQDN of the KeyControl appliance. Use the the following credentials to initially log in:
Username: secroot
Password: secroot

15.png

After login , read and accept the EULA by clicking on I Agree at the bottom of the agreement.

16.png

Enter a new password for the secroot account, then click Update Password.

17

Now we successful setup our first Node..

18

Setup Cluster

Power on the second appliance and follow all the steps as above , except.. Click “YES” Here.

19.png

This will take us to the process of Cluster process..

20.png

Enter the IP address of First Node.

21.png

The final piece of information required is the passphrase. We would require a minimum of 16 characters.

25.png

The node must now be authenticated through the webGUI, as the following message indicates:

23

At this point you need to log on to the webGUI console of First Node with Administration privileges. The new KeyControl node will automatically appear as an unauthenticated node in the KeyControl cluster, as shown below:

26.png

To authenticate this new node, click the Actions Button and then click Authenticate. This will take you to the authentication screen shown below. You are prompted to enter the Authentication Passphrase.

2728.png

On the new KeyControl’s console, you will see a succession of status messages, as shown below:

30.png

Once authentication completes, the KeyControl node is listed as Authenticated but Unreachable until cluster synchronization completes and the cluster is ready for use. This should not take more than a minute or two. Then it will show as Authenticated and Online.Once the KeyControl node is available, the status will automatically move to Online and the cluster status at the top right of the screen will change back to Healthy.

31.png

At this point, the new cluster/node is ready to use.

Now Click on the KMIP button on the toolbar to configure the KMIP.

32.png

Enable KMIP by changing the state from disabled to enabled, then click save, then click Apply.NOTE: Take note of the port number 5696 and have it handy. You will specify this port number in the vCenter\VCSA configuration, later on.
33.png

Now we have successfully setup KMS Cluster.34.png

In the next post , we will use this cluster for vSphere to use as KMS server. Happy Learning 🙂