This procedure describes how to use the Entrust-provided ISO image to install and configure the first node in a new Cryptographic Security Platform Compliance Manager cluster. If you want to add a Cryptographic Security Platform Compliance Manager node to an existing cluster, see Installing a New Cryptographic Security Platform Compliance Manager Cluster Node from an ISO Image.
If you want to deploy the node from an OVA template, see Installing Cryptographic Security Platform Compliance Manager from an OVA.
Before You Begin
- If you are installing Cryptographic Security Platform Compliance Manager on an existing VM, make sure that there is no important data currently on the target system. The installer will overwrite all data on the selected disks.
- Make sure that the target VM can access the Cryptographic Security Platform Compliance Manager ISO image.
- Make sure the target VM meets the basic system requirements described in Installation Requirements.
If you are using VMware, ensure that all of your Cryptographic Security Platform Compliance Manager deployments have VM-to-Host affinity enabled. This allows you to avoid Admin Key Recovery due to host migration. We recommend that you select 'Should run on hosts in group' for the rule specification. The group should contain only the one ESXi host that you are using for this Cryptographic Security Platform Vault VM.
Procedure
- Log into the vSphere Client.
- Create a new virtual machine using the settings appropriate to your environment.
At the Select Compatibility prompt, select your ESXi version.
For more information on versions, see Supported Platforms.
When you are prompted to select a guest OS, set the following according to the Guest OS version that you are using:
| Field | Setting |
| --- | --- |
| Guest OS Family | Linux |
| Guest OS Version | Oracle Linux 8 or 9 (64-bit) |
- Click Next.
On the Virtual Hardware tab of the Customize hardware page, make sure the VM configuration meets the following system resource recommendations:
| Resource | Recommended Installation | Large Installation |
| --- | --- | --- |
| CPUs | 4 | 8 |
| RAM | 16 GB | 64 GB |
| Disk | 250 GB | 250 GB |
The rest of the options on this tab should be configured to match your vSphere environment.
Note:
For the SCSI controller, we suggest that you use VMware Paravirtual. While other choices should work, VMware Paravirtual is used regularly in our testing.
For the network adapter type, we suggest that you use VMXNET 3. While other choices should work, VMXNET 3 is used regularly in our testing.
Connect the Cryptographic Security Platform Compliance Manager installation ISO image to the VM so that the VM will boot from this ISO image when you power on the VM. How you do this depends on how your vSphere environment is configured and what options you have available.
For example, you could upload the Cryptographic Security Platform Compliance Manager ISO image to a datastore that vSphere can access and then attach the datastore ISO image as a CD/DVD drive that is connected when the VM powers on.
- Power on the Cryptographic Security Platform Compliance Manager VM and have it boot from the Cryptographic Security Platform Compliance Manager installation ISO image.
When the VM boots from the ISO image, it will begin installing Oracle Linux.
Note: The installer will post messages as the Oracle Linux operating system install proceeds. Some parts of the OS take longer to install than others, and there may be times when no new messages appear for over ten minutes. Do not attempt to cancel or restart the installation procedure during this time.
The installer will automatically reboot the VM as needed.
When the installer has finished, it displays a prompt asking for a password for the htadmin account.
Enter a password for the Cryptographic Security Platform Compliance Manager system administration account htadmin and press Enter. Password requirements for Cryptographic Security Platform Compliance Manager are configured by an administrator in the System Settings.
This password controls access to the Cryptographic Security Platform Compliance Manager System Console that allows users to perform some Cryptographic Security Platform Compliance Manager administration tasks. It does not permit a Cryptographic Security Platform Compliance Manager user to access the full OS.
Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, Cryptographic Security Platform Compliance Manager does not provide a user-accessible password recovery mechanism.
- The System Configuration page asks if you want to use DHCP for the node. We highly recommend that you do not do this, as the Cryptographic Security Platform Compliance Manager node should always be available at a set IP address. Make sure No is selected and press Enter to acknowledge this message.
- On the Confirm Network Configuration page, enter the appropriate network information for the Cryptographic Security Platform Compliance Manager node. When you are done, press Enter to save this information.
On the System Configuration page, review the configuration settings and press Enter if you are ready to configure the node.
The installer configures Cryptographic Security Platform Compliance Manager and then starts the appropriate services. This process will take a few minutes to complete. When the installer has finished, Cryptographic Security Platform Compliance Manager displays a confirmation dialog stating that the setup was completed successfully.
Review the confirmation dialog that provides the URL of the Cryptographic Security Platform Compliance Manager webGUI (also known as the Management IP Address). You will need this URL in the next step.
When you are done, press Enter to finish the installation. Cryptographic Security Platform Compliance Manager displays the Oracle Linux login prompt.
- After the configuration is complete, power off your VM, detach the ISO, and reset the boot order. Then you can safely power on your VM again.
To initialize the Cryptographic Security Platform Compliance Manager webGUI and finish the configuration of the first node, do the following:
Use a web browser to navigate to https://node-ip-address, where node-ip-address is the Management IP address. For security reasons, you must explicitly specify https:// in the URL.
If prompted, add a security exception for the Cryptographic Security Platform Compliance Manager IP address and proceed to the Cryptographic Security Platform Compliance Manager webGUI.
Cryptographic Security Platform Compliance Manager uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see Cryptographic Security Platform Compliance Manager Certificates.
- On the Entrust Cryptographic Security Platform Compliance Manager login page, enter secroot for both the username and password.
- Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
- On the Welcome to Cryptographic Security Platform Vault screen, click Continue as a Standalone Node.
On the Change Password page, enter a new password for the secroot account and click Update Password.
On the Configure E-Mail and Mail Server Settings page, specify your email settings.
If you specify an email address, Cryptographic Security Platform Vault sends an email with the Admin Key for the new node. It also sends system alerts to this email address.
To disable alerts, select the Disable e-mail notifications checkbox. You are then prompted to download the Admin Key.
When you are done, click Continue.
On the Download Admin Key page, click the Download button to save the admin key locally. Please keep the admin key in a safe place for later use. When Cryptographic Security Platform Compliance Manager prompts for an admin key to recover your Cryptographic Security Platform Compliance Manager system, you must provide this admin key to proceed. If you do not have your admin key, you may lose your data.
Note: Whenever the admin key is regenerated, Cryptographic Security Platform Compliance Manager forces you to download the admin key.
When you are finished, click Continue.
Cryptographic Security Platform Compliance Manager displays the Cryptographic Security Platform Compliance Manager webGUI.
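For the step above where the browser asks for a security exception: the node's certificate comes from its own Root Certificate Authority, so the browser warning alone cannot distinguish the real node from another endpoint answering on that address. The following is an added example, not Entrust code or part of the product procedure; it assumes you record the certificate's SHA-256 fingerprint once over a trusted path (the script name pin.py and that workflow are assumptions) and compare it with what the node presents before accepting the exception.

```python
"""Added example: pin the webGUI certificate fingerprint (not Entrust code)."""
import hashlib
import hmac
import socket
import ssl
import sys


def normalize(fingerprint: str) -> str:
    """Reduce 'AA:BB:..', 'aa bb ..' or 'aabb..' to bare lowercase hex."""
    return "".join(c for c in fingerprint.lower() if c in "0123456789abcdef")


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER encoding, formatted the way browsers display it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(pem: str, pinned: str) -> bool:
    """True only if the presented certificate hashes to the recorded pin."""
    expected = normalize(pinned)
    if len(expected) != 64:  # not a full SHA-256 fingerprint: refuse to match
        return False
    actual = normalize(fingerprint_from_pem(pem))
    return hmac.compare_digest(actual, expected)


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the node presents. No chain validation is done
    here, because the issuing CA is the node's own; the pin is the check."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Usage (hypothetical script name): pin.py <node-ip-address> [fingerprint]
    socket.setdefaulttimeout(10)
    presented = fetch_pem(sys.argv[1])
    if len(sys.argv) == 2:
        print("Record this fingerprint:", fingerprint_from_pem(presented))
    elif matches_pin(presented, sys.argv[2]):
        print("Certificate matches the recorded fingerprint")
    else:
        sys.exit("MISMATCH: do not add a security exception for this host")
```

Run it with only the Management IP address to capture the fingerprint, then with the recorded value as a second argument from each workstation before accepting the browser exception there.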
What to Do Next
To add additional Cryptographic Security Platform Vault nodes to form a cluster, see Installing a New Cryptographic Security Platform Compliance Manager Cluster Node from an ISO Image.