In Part 1 we configured the HyTrust KeyControl cluster. In this post we will register that cluster with vCenter as a Key Management Server (KMS) and configure encryption for virtual machines. First, let's create a certificate on the KMS server, which vCenter will use to authenticate to it.
To create the certificate, log in to the KMS server and go to KMIP:
- Click on “Client Certificates”.
- Click on Actions, then “Create Certificates”.
- Enter the required details for the certificate and click Create.
Configure KMS with vCenter
- Highlight the newly created certificate, click the Actions dropdown button, then click Download Certificate. A zip file containing the certificate authority (CA) certificate and the client certificate will be downloaded.
- Once the certificate is downloaded, log in to the VCSA, highlight the vCenter in the left-hand pane, click the Configure tab in the right-hand pane, click Key Management Servers, then click Add KMS.
- Enter a cluster name, server alias, fully qualified domain name (FQDN) or IP of the server, and the port number. Leave the other fields at their defaults, then click OK.
Enable Trust between vCenter and KMS
- Now we have to establish the trust relationship between vCenter and HyTrust KeyControl. Highlight the KeyControl appliance and click Establish trust with KMS.
- Select the Upload certificate and private key option, then click OK.
- Click the Upload file button, browse to where the CA file was previously generated, select the “vcenter name”.pem file, then click Open.
- Repeat the process for the private key by clicking the second Upload file button. Verify that both fields are populated with the same file, then click OK.
- The Connection status now shows Normal, indicating that trust has been established. HyTrust KeyControl is now set up as the Key Management Server (KMS) for vCenter.
- This adds one node of the cluster; add the other node by following the same steps.
Create Tag Category, Tag & Attach to Datastore
Now we need to tag the datastores that will hold the encrypted VMs. Create a “Tag Category” and a “Tag” in vCenter and tag those datastores with it.
Create Storage Profile
- Log in to vCenter > Home > Policies and Profiles > VM Storage Policies > Create VM Storage Policy > give it a name > Next.
- Select “Enable host based rules” and “Enable tag based placement rules”.
- Select “Storage Policy Component” and choose “Default Encryption Properties”. The default properties are appropriate in most cases; you need a custom policy only if you want to combine encryption with other features such as caching or replication.
- Select the “Tag Category” and choose the appropriate tag.
- Review the compatible datastores, review the configuration and finish.
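The KMS registration, datastore tagging and storage-policy steps above as one PowerCLI script. This is an added example, not code from the original post or from HyTrust/VMware. The vCenter and KeyControl addresses, node names, datastore names, tag and policy names are assumed values; the `New-KmsCluster`/`Add-KeyManagementServer` parameter names and the `vmwarevmcrypt` capability lookup are from my recollection of the VMware.VimAutomation.Storage module and should be confirmed with `Get-Help` before use. The trust step (uploading the client certificate and key) stays in the UI as described above. The last section is the check a practitioner wants after the wizard: it confirms that only the tagged datastores are compatible with the policy, so an untagged datastore cannot silently become a placement target for encrypted VMs.

```powershell
# Added example (not from the original post): KMS cluster, datastore tags and
# encryption storage policy via PowerCLI. All names/addresses below are assumed.
# Requires the VMware.PowerCLI module.

$vc       = 'vcsa.lab.example'          # assumed vCenter FQDN
$kmsName  = 'HyTrust-KMS'               # assumed KMS cluster name in vCenter
$kmsNodes = @(
    @{ Name = 'kc-node1'; Address = 'kc1.lab.example'; Port = 5696 },  # assumed
    @{ Name = 'kc-node2'; Address = 'kc2.lab.example'; Port = 5696 }   # assumed
)
$tagCategoryName = 'VM-Encryption'
$tagName         = 'EncryptedVMs'
$policyName      = 'Encrypted VM Policy'
$datastoreNames  = @('DS-Enc-01', 'DS-Enc-02')   # assumed datastores to tag

Connect-VIServer -Server $vc | Out-Null

# 1. Register the KeyControl cluster (first node), then add the second node.
#    Cmdlet/parameter names as recalled from VMware.VimAutomation.Storage; verify with Get-Help.
$kms = Get-KmsCluster -Name $kmsName -ErrorAction SilentlyContinue
if (-not $kms) {
    $kms = New-KmsCluster -Name $kmsName -KmsServerName $kmsNodes[0].Name `
               -KmsServerAddress $kmsNodes[0].Address -KmsServerPort $kmsNodes[0].Port
    Add-KeyManagementServer -KmsCluster $kms -Name $kmsNodes[1].Name `
               -Address $kmsNodes[1].Address -Port $kmsNodes[1].Port | Out-Null
}
# Trust (client certificate + private key upload) is done in the UI as described above.

# 2. Tag category (datastores only, one tag per datastore) and the tag itself.
$cat = Get-TagCategory -Name $tagCategoryName -ErrorAction SilentlyContinue
if (-not $cat) {
    $cat = New-TagCategory -Name $tagCategoryName -Cardinality Single -EntityType Datastore
}
$tag = Get-Tag -Category $cat -Name $tagName -ErrorAction SilentlyContinue
if (-not $tag) { $tag = New-Tag -Name $tagName -Category $cat }

# Tag each intended datastore, skipping ones already tagged in this category.
foreach ($dsName in $datastoreNames) {
    $ds = Get-Datastore -Name $dsName
    if (-not (Get-TagAssignment -Entity $ds -Category $cat)) {
        New-TagAssignment -Entity $ds -Tag $tag | Out-Null
    }
}

# 3. Storage policy: host-based encryption rule plus tag-based placement rule.
#    Capability is looked up by its 'vmwarevmcrypt' namespace (assumed wildcard match);
#    $false is the assumed value of the default component's AllowI/OFilters property.
$encCap  = Get-SpbmCapability -Name 'vmwarevmcrypt*' | Select-Object -First 1
$encRule = New-SpbmRule -Capability $encCap -Value $false
$tagRule = New-SpbmRule -AnyOfTags $tag
$ruleSet = New-SpbmRuleSet -AllOfRules $tagRule
$policy  = Get-SpbmStoragePolicy -Name $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-SpbmStoragePolicy -Name $policyName -CommonRule $encRule -AnyOfRuleSets $ruleSet
}

# 4. Check: only the tagged datastores should be compatible with the policy.
$compatible = (Get-SpbmCompatibleStorage -StoragePolicy $policy).Name
$unexpected = $compatible | Where-Object { $_ -notin $datastoreNames }
if ($unexpected) {
    Write-Warning "Compatible with '$policyName' but not intended: $($unexpected -join ', ')"
} else {
    Write-Host "Policy '$policyName' matches only: $($compatible -join ', ')"
}
```

`Cardinality Single` on the category means a datastore can carry at most one tag from it, which keeps the "encrypted" classification unambiguous; the `Get-SpbmCompatibleStorage` check is worth re-running whenever datastores are added, since a tag applied to the wrong datastore is what would widen where encrypted VMs may land.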
This completes the vCenter configuration. In the next post we will configure Cloud Director to consume these policies so that tenants can use them.