Linking CloudAdvisor with KeyControl

You can link CloudAdvisor with HyTrust KeyControl so that CloudAdvisor can access and monitor the VMs registered with the KeyControl cluster and encrypted by the HyTrust DataControl Policy Agent.

If you have multiple KeyControl clusters, you need to create a separate link between CloudAdvisor and at least one KeyControl node in each cluster.

Before You Begin 

• Make sure you know the hostname or IP address of one HyTrust KeyControl server in each KeyControl cluster to which you want to connect. (You only need to link CloudAdvisor with one KeyControl server per KeyControl cluster, regardless of how many KeyControl servers are in that cluster.) The KeyControl servers must be running KeyControl version 4.2 or later.

• If you want CloudAdvisor to verify the KeyControl root CA certificate every time it connects to KeyControl, make sure that the SSL certificate installed in KeyControl includes the entire certificate chain, starting from the root CA certificate. When SSL Verify is enabled, CloudAdvisor verifies the root CA certificate when it communicates with KeyControl.

• Establishing the connection between CloudAdvisor and KeyControl requires a one-time App Link code generated by a KeyControl user with Security Admin privileges. This one-time code is valid for 24 hours after it is generated. If you do not have a KeyControl user account with the correct privileges, make sure that you can get the code from your KeyControl security administrator and enter it into CloudAdvisor within that time.

Procedure 

1. Generate the one-time App Link code in KeyControl.

   Details

   1. Log into the KeyControl webGUI using an account with Security Admin privileges.
   2. In the top menu bar, click Settings.
   3. In the System Settings section, click App Links.
   4. Select Actions > Generate One Time Code. The KeyControl webGUI displays the App Link one time code in a pop-up dialog box along with the length of time for which the code is valid. Make sure you specify the code exactly as shown when entering it in an application link request and that you submit the link request before the code expires.
   5. If you want to generate another code, click Generate. Otherwise, click Close.

2. Log into the CloudAdvisor interface.

3. From the Home tab, select System > System Settings.
4. From the System Management tab, select Settings > App Links.
5. On the App Links page, click the + (Add) button.

6. In the Create App Link dialog box, specify the options you want to use.

   Options

   Field	Description
   Name	A user-defined name for the app link.
   Description	A user-defined description for the app link.
   Server	The hostname or IP address and port number for the KeyControl server. When connecting to the server, CloudAdvisor automatically prepends HTTPS:// to this field. If you have multiple KeyControl nodes in the cluster, enter as many of the node IP addresses as you want. If the first node is not available, CloudAdvisor will try each node in turn when it attempts to contact KeyControl in order to decrypt and analyze a VM.
   Server Type	Select HyTrust KeyControl.
   SSL Verify	If this option is enabled, the certificate for the KeyControl server is verified every time a connection between CloudAdvisor and KeyControl is established. If the KeyControl certificate changes, the connection will fail. This is the default. If this option is not enabled, the KeyControl server certificate is never checked by CloudAdvisor. Important: If you enable this option, CloudAdvisor expects the entire certificate chain from KeyControl when the link is established. Make sure that the SSL certificate installed in KeyControl includes the entire certificate chain, starting from the root CA certificate.
   One Time Code	The App Link code generated in KeyControl.

7. When you are finished, click Create.

8. If the connection information is correct and you have enabled the SSL Verify option, CloudAdvisor displays the available KeyControl certificates. Verify that the certificates are correct and that the link is going to the expected server. If the information is correct, click Yes.

9. If desired, repeat this procedure to link CloudAdvisor to another KeyControl server.