In Part 1 and Part 2 we configured the HyTrust KeyControl cluster and vCenter. In this post we will configure Cloud Director to use what we have configured so far.
Attach Storage Policy to Provider VDC
To update the vCloud Director database with the VM storage policies we created in the underlying vSphere environment, we must refresh the storage policies of the vCenter Server instance.
- Log in to Cloud Director with a cloud administrator account, go to vSphere Resources, choose the vCenter on which we created the policies, and click “REFRESH POLICIES”.
- You can add a VM storage policy to a provider virtual data center; organization virtual data centers backed by that provider virtual data center can then be configured to support the added storage policy.
- Log in to Cloud Director, go to Provider VDCs, and choose the PVDC backed by the cluster where we created the storage policies.
- Click “ADD”.
- Choose the policy we created in the previous post.
Attach Storage Policy to Organization VDC
You can configure an organization virtual data center to support a VM storage policy that you previously added to the backing provider virtual data center.
- Click Organization VDCs, then click the name of the target organization virtual data center.
- Click the Storage tab, and click Add.
- You see a list of the additional storage policies available in the source provider virtual data center.
- Select the check boxes of one or more storage policies that you want to add, and click Add.
Self-Service Tenant Consumption
When a provider’s tenant creates a VM or vApp (a virtual machine can exist as a standalone machine or within a vApp), they can use the encryption policy we created previously.
- This is the new-VM-from-template wizard; the tenant user must choose “Use custom storage policy” and select the “Encryption Policy”.
- Once the VM is provisioned, the user can check the storage policy by clicking on the VM.
- The user can also open the “Hard Disk” section of the VM and check the disk policy.
Encrypt Named Disks
Named disks are standalone virtual disks that you create in Organization VDCs. When you create a named disk, it is associated with an Organization VDC but not with a virtual machine. After you create the disk in a VDC, the disk owner or an administrator can attach it to any virtual machine deployed in the VDC. The disk owner can also modify the disk properties, detach it from a virtual machine, and remove it from the VDC. System administrators and organization administrators have the same rights to use and modify the disk as the disk owner.
- Here we create a new encrypted named disk by choosing “Encryption Policy” as the storage policy.
- Cloud Director allows users to attach these named disks to virtual machines.
- Click the radio button next to the name of the named disk you want to attach to a virtual machine, and click Attach.
- From the drop-down menu, select the virtual machine to which to attach the named disk, and click Apply.
This completes the three-part Cloud Director encryption configuration and its use by tenants. This feature gives VMware Cloud Providers new offerings and monetisation opportunities; go ahead, deploy it, and start offering additional/differentiated services.
In Part 1 we configured the HyTrust KeyControl cluster. In this post we will configure this cluster in vCenter and configure encryption for virtual machines. Let’s create a certificate on the KMS server, which we will use to authenticate with vCenter.
To create the certificate, log in to the KMS server and go to KMIP.
- Click “Client Certificates”.
- Then click Actions and “Create Certificates”.
- Enter the required details for creating the certificate and click Create.
Configure KMS with vCenter
- Highlight the newly created certificate, click the Actions dropdown button, then click Download Certificate. This downloads the certificate created above as a zip file containing the certificate authority (CA) certificate and the client certificate.
- Once you have downloaded the certificate, log in to the VCSA, highlight the vCenter in the left-hand pane, click the Configure tab in the right-hand pane, click Key Management Servers, then click Add KMS.
- Enter a cluster name, a server alias, the fully qualified domain name (FQDN) or IP of the server, and the port number (5696, as noted when KMIP was enabled on KeyControl). Leave the other fields at their defaults, then click OK.
Enable Trust between vCenter and KMS
- Now we have to establish the trust relationship between vCenter and HyTrust KeyControl. Highlight the KeyControl appliance and click Establish trust with KMS.
- Select the Upload certificate and private key option, then click OK.
- Click the Upload file button, browse to where the CA file was previously generated, select the “vcenter name”.pem file, then click Open.
- Repeat the process for the private key by clicking the second Upload file button, verify that both fields are populated with the same file, then click OK.
- You will now see the connection status shown as Normal, indicating that trust has been established. HyTrust KeyControl is now set up as the Key Management Server (KMS) for vCenter.
- We have now added one node of the cluster; add the other node by following the same steps.
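Because the same .pem file is uploaded for both the certificate and the private key, it is worth confirming before the upload that the file actually carries a certificate and the private key that belongs to it; a bundle where the two halves do not match is a common reason the connection status never reaches Normal. The bash script below is an added example, not part of the original post or of HyTrust’s tooling. It assumes the bundle is an unencrypted PEM file and that openssl is on the PATH; the script name check_kms_bundle.sh is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check a KeyControl client
# bundle ("<vcenter name>.pem", holding the client certificate and its private
# key) before uploading it in vCenter's "Establish trust with KMS" dialog.
set -eu

# Print every PEM block whose label matches $2 from file $1
# (e.g. "CERTIFICATE" or ".*PRIVATE KEY"); openssl then parses the first one.
pem_block() {
  sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"
}

# check_bundle FILE: returns 0 when FILE contains a certificate and a private
# key whose public halves are identical; prints a one-line verdict.
check_bundle() {
  local pem="$1" cert_pub key_pub
  # Public key as embedded in the certificate
  cert_pub=$(pem_block "$pem" "CERTIFICATE" | openssl x509 -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: no parsable certificate in $pem"; return 1; }
  # Public key derived from the private key (works for PKCS#8 and legacy RSA PEM)
  key_pub=$(pem_block "$pem" ".*PRIVATE KEY" | openssl pkey -pubout 2>/dev/null) \
    || { echo "FAIL: no parsable private key in $pem"; return 1; }
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "OK: certificate and private key in $pem belong together"
    return 0
  fi
  echo "FAIL: certificate and private key in $pem do not match"
  return 1
}

# Usage: ./check_kms_bundle.sh "<vcenter name>.pem"
if [ "$#" -eq 1 ]; then
  check_bundle "$1"
fi
```

The comparison is order-independent, so it does not matter whether KeyControl writes the certificate or the key first in the file. Once the bundle checks out, `openssl s_client -connect <kms-fqdn>:5696` from the vCenter network is a quick way to confirm that the KMIP port enabled in Part 1 is reachable and answering TLS before you click Establish trust.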
Create Tag Category, Tag & Attach to Datastore
Now we need to tag the datastores that will hold the encrypted VMs: create a “Tag Category” and a “Tag” in vCenter, and tag the datastores with this Tag.
Create Storage Profile
- Log in to vCenter > Home > Policies and Profiles > VM Storage Policies > Create VM Storage Policy > give it a name > Next.
- Select “Enable host based rules” and “Enable tag based placement rules”.
- Under “Storage Policy Component”, choose “Default Encryption Properties”. The default properties are appropriate in most cases; you need a custom policy only if you want to combine encryption with other features such as caching or replication.
- Select the tag category and choose the appropriate tag.
- View the datastores, review the configuration, and finish.
This completes the vCenter configuration. In the next post we will configure Cloud Director to consume these policies so that tenants can use them.
The latest Cloud Director 10.1 release adds support for VM encryption through the Cloud Director self-service portal. This lets users encrypt and decrypt VMs and disks via Cloud Director and view the encryption status of VMs and disks in both the API and the user interface. Some of the key features are:
- Ability to encrypt VMs at rest through the Cloud Director UI and API
- Cloud Providers configure the Key Management Service (KMS) and the encryption policy in the backend vSphere
- Cloud Providers can choose to make VM encryption available to some or all tenants
- Tenant users can choose to apply the encryption policy to VMs or to individual disks
- In the case of a tenant-managed dedicated vCenter, the tenant can manage keys and VM encryption
I am going to write a three-part blog series, which will cover:
- VMware Cloud Director Encryption – PartI
- VMware Cloud Director Encryption – PartII
- VMware Cloud Director Encryption – PartIII
HyTrust KeyControl provides a fully functional KMIP server that can be deployed as a vSphere Key Management Server. Once deployment is complete and a trusted connection between KeyControl and vSphere has been established, KeyControl can manage the encryption keys for virtual machines in the cluster that have been encrypted with vSphere Virtual Machine Encryption or VMware vSAN Encryption.
In this post we will deploy the HyTrust KeyControl KMS server and set up a KMS cluster. There are two installation methods for KeyControl: an OVA appliance or an ISO. In this post we will use the OVA method.
- Open your vSphere Web Client and click “Deploy OVF Template”.
- Choose the OVF.
- Provide a name for the HyTrust KeyControl appliance, select a deployment location, then click Next.
- Select the vSphere cluster or host where you would like to install the HyTrust KeyControl appliance, then click Next.
- Review the details, then click Next.
- Select the proper configuration from the drop-down menu, then click Next. (I am using Demo, as resources are limited in my lab.)
- Select the preferred storage and disk format for the KeyControl appliance, then click Next.
- Select the appropriate network, enter the network details, then click Next.
- Review the summary screen; if everything is correct, click Finish.
Appliance deployment is successfully completed. Since I am going to set up a cluster, I will go ahead and deploy another appliance using the same procedure.
Configure KMS Cluster
Once both appliances have been deployed:
- Power on the newly created HyTrust KeyControl appliance, then open a console to it. Set the system password, then press OK.
- Since this is the first node, select No, then press Enter.
- Review the appliance configuration, then press OK.
- The first KeyControl appliance is now configured and you can move to the KeyControl WebGUI. Open a web browser and navigate to the IP or FQDN of the KeyControl appliance. Use the following credentials to log in initially:
- Username: secroot
- After login, read and accept the EULA by clicking I Agree at the bottom of the agreement.
- Enter a new password for the secroot account, then click Update Password.
- We have now successfully set up our first node.
- Power on the second appliance and follow the same steps as above, except click “YES” here.
- This takes us to the cluster creation process.
- Enter the IP address of the first node.
- The final piece of information required is the passphrase, which must be a minimum of 16 characters.
- The node must now be authenticated through the webGUI, as the following message indicates:
- At this point you need to log on to the webGUI console of the first node with administration privileges. The new KeyControl node will automatically appear as an unauthenticated node in the KeyControl cluster, as shown below:
- To authenticate this new node, click the Actions button and then click Authenticate. This takes you to the authentication screen shown below, where you are prompted to enter the authentication passphrase.
- On the new KeyControl’s console, you will see a succession of status messages, as shown below:
- Once authentication completes, the KeyControl node is listed as Authenticated but Unreachable until cluster synchronisation completes and the cluster is ready for use. This should not take more than a minute or two; it will then show as Authenticated and Online. Once the KeyControl node is available, the status automatically moves to Online and the cluster status at the top right of the screen changes back to Healthy.
At this point, the new cluster/node is ready to use.
Enable KMS Service
- Now click the KMIP button on the toolbar to configure KMIP.
- Enable KMIP by changing the state from Disabled to Enabled, then click Save, then click Apply.
- NOTE: Take note of the port number 5696 and keep it handy. You will specify this port number in the vCenter/VCSA configuration later on.
- We have now successfully set up the KMS cluster.
This completes the process of KMS server installation, configuration, and KMS cluster creation. In the next post we will configure vSphere to use this cluster as its KMS server.