Configuring Additional Cryptographic Security Platform Compliance Manager Nodes

You can add a Cryptographic Security Platform Compliance Manager node running in the Azure environment to any other Cryptographic Security Platform Compliance Manager nodes running in any other environments as long as the Azure node can communicate with the other nodes in the cluster.

Before You Begin 

  • Make sure you have the private SSH key file that matches the public SSH key that was specified when the instance was created.

    Important: The private part of the SSH key file cannot be reset or recovered once the VM is configured, even if you use the Azure "Reset Password" method. Please ensure that you keep it in a safe place.

  • Make sure you know the static public IP address associated with the Azure node.

    To find the public IP address, select All resources from the Azure Resource Manager dashboard, then click on the virtual machine name on which the Cryptographic Security Platform Compliance Manager node is running. The public IP address is displayed in the VM details section at the top of the page.

  • Make sure you know the IP address of one of the Cryptographic Security Platform Compliance Manager nodes already in the cluster.

    This IP address may not be the same as the public IP address. Make sure you verify the IP address before you attempt to add the node to the cluster.

    To find the correct IP address, log into the Cryptographic Security Platform Compliance Manager webGUI with Domain Admin privileges and go to Cluster > Servers. The IP address for each Cryptographic Security Platform Compliance Manager node is listed in the table.

  • Make sure that the Azure node can communicate with the Cryptographic Security Platform Compliance Manager cluster in which you want to add the node. For details on setting up communication between the Azure VM and a Cryptographic Security Platform Compliance Manager VM running in a different Azure location or a different environment such as vSphere or AWS, see your Azure documentation.

Important: Azure might disconnect ssh sessions if idle for more than 5 minutes. To prevent this, please use the ServerAliveInterval and ServerAliveCountMax opens in the ssh client command line to keep the session active.

We recommend using ssh CLI options to send a KeepAlive packet with a frequency duration of less than 5 minutes. Please refer to the sshd_config man page for how to use the ServerAliveInterval and ServerAliveCountMax options. For example: 

ssh -o ServerAliveInterval=180 -o ServerAliveCountMax=10 user@host

Procedure 

  1. Use a web browser to navigate to https://<Public-IP-addy>, where <Public-IP-addy> is the Public IP address Azure assigned to the Cryptographic Security Platform Compliance Manager VM. For security reasons, you must explicitly specify https:// in the URL.

  2. If prompted, add a security exception for the Cryptographic Security Platform Compliance Manager IP address and proceed to the Cryptographic Security Platform Compliance Manager webGUI.

    Cryptographic Security Platform Compliance Manager uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see Cryptographic Security Platform Compliance Manager Certificates.

  3. On the Entrust Cryptographic Security Platform Compliance Manager login page, enter secroot for the username and enter the VM unique ID (vmId) for the password.
  4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.

  5. On the Welcome to Cryptographic Security Platform Compliance Manager screen, click Join an Existing Cluster.

    The Join Existing Cluster window displays.

  6. On the Get Started page, review the overview information to determine that you are ready to begin. This includes: 

    • Access to the cluster you are joining the node to. We recommend that you open the Cryptographic Security Platform Compliance Manager webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a Cryptographic Security Platform Compliance Manager administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing Cryptographic Security Platform Compliance Manager cluster.
    • Verifying that both this node and the cluster node are running the same Cryptographic Security Platform Compliance Manager version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  7. Click Continue.
  8. On the Download CSR page, click Generate and Download CSR.
  9. Click Continue.
  10. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  11. Select Actions > Add a Node.

  12. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  13. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  14. Click OK to close the Add a Node window.
  15. Return to the new node and click Continue.

  16. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: Cryptographic Security Platform Compliance Manager uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  17. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  18. When the node has successfully restarted, click Login.

  19. Optional. Log into the htadmin account on the Cryptographic Security Platform Compliance Manager System Console using the private key file. For example: 

    ssh -i <key-file>.pem htadmin@<Public-IP-addy>

    The password is the VM unique ID (vmId).

    After logging in, you can change this password. The change applies only to the htadmin login on this node.

What to Do Next 

For details about additional Cryptographic Security Platform Vault configuration options and your data encryption options, see the Entrust Cryptographic Security Platform Compliance Manager Administration Guide.