Creating a Cryptographic Security Platform Mapping

A Cryptographic Security Platform Mapping lets you create a list of Cryptographic Security Platform Vault for VM Encryption IP addresses that you maintain in Cryptographic Security Platform Vault for VM Encryption. Each Cryptographic Security Platform Vault for VM Encryption node in the Mapping is associated with an externally-visible IP address or hostname that the VMs can use to access that Cryptographic Security Platform Vault for VM Encryption node. If you ever change the list of Cryptographic Security Platform Vault for VM Encryption nodes in the Mapping, Cryptographic Security Platform Vault for VM Encryption automatically disseminates the changes to each associated VM at its next heartbeat.

Associating a Mapping with a VM enables High Availability between the VM and Cryptographic Security Platform Vault for VM Encryption by enabling failover among the Cryptographic Security Platform Vault for VM Encryption nodes, and it means you do not need to update the individual VMs when Cryptographic Security Platform Vault for VM Encryption nodes are added to, or removed from, the cluster.

For more information on High Availability and failover, see High Availability Between a VM and the Cryptographic Security Platform Vault Cluster.

Procedure 

  1. Log in to the Cryptographic Security Platform Vault for VM Encryption using an account with Cloud Admin privileges.
  2. In the top menu bar, click Workloads.
  3. Click the Mappings tab.
  4. Select Actions > Create Mapping.
  5. On the Mapping tab, specify the options you want to use.

  6. When you are done, click Next.
  7. On the Servers tab, create an entry for the first Cryptographic Security Platform Vault for VM Encryption node by specifying the options you want to use.

  8. If you want to add another node, click the + button and enter the appropriate information.
  9. When you are done adding nodes, make sure that the order is correct because the order of the IP addresses in the list determines the order of precedence. The first node in a Cryptographic Security Platform Mapping is considered the preferred node, and all VMs will use that node as long as it is available. If the preferred node is offline when a VM heartbeats, the VM will try the other IP addresses in the Mapping, starting with the second IP address in the list and working downwards. Once the VM finds an available Cryptographic Security Platform Vault for VM Encryption node, it will use that node to complete the current heartbeat, and it will continue to use that node until the cluster returns to a healthy state. After the cluster becomes healthy, the VM will resume using the preferred node at its next heartbeat.

    If you need to change the order, click and hold on the arrow icon at the beginning of the line to drag the entry to the proper position. Release the mouse to drop the entry in the new location.

  10. When all nodes are included and the order is correct, click Create.
  11. At the Mapping Successfully Created message, click Close.
  12. If you want to associate the Cryptographic Security Platform Mapping with an existing VM that already has the Policy Agent installed:

    1. Log in to the VM as an administrator.
    2. Enter the command hcl updatekc -a and enter the credentials for a Cryptographic Security Platform Vault for VM Encryption user account with Cloud Admin privileges at the prompt. Cryptographic Security Platform Vault for VM Encryption displays a list of available Cryptographic Security Platform Mappings that you can use with the VM.

    3. Select the Cryptographic Security Platform Mapping you want to use from the list. Cryptographic Security Platform Vault for VM Encryption echoes the IP addresses in the list for confirmation.

    Note: For details about specifying a Cryptographic Security Platform Mapping when you install the Policy Agent, see Linux Policy Agent Installation or Windows Policy Agent Installation.
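
The order of precedence described in step 9, modelled as an added Python example (it is not Vault or Policy Agent code and not part of the original procedure). It assumes that a "healthy" cluster means every node in the Mapping is reachable and that a VM whose current node goes offline walks the list again from the top; the class and function names and the 192.0.2.x addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set


@dataclass
class VmHeartbeatModel:
    """Model of one VM's node choice across heartbeats (hypothetical names)."""
    mapping: Sequence[str]          # node addresses in precedence order
    current: Optional[str] = None   # node used at the previous heartbeat

    def heartbeat(self, online: Set[str]) -> Optional[str]:
        """Return the node used for this heartbeat, or None if none answered."""
        if not self.mapping:
            raise ValueError("a Mapping needs at least one node")
        # Assumption: "healthy" means every node in the Mapping is reachable.
        healthy = all(node in online for node in self.mapping)
        if healthy:
            # Healthy cluster: resume using the preferred (first) node.
            self.current = self.mapping[0]
        elif self.current in self.mapping and self.current in online:
            # Cluster still degraded: keep the node already in use, even if
            # the preferred node has come back in the meantime.
            pass
        else:
            # No usable current node: try addresses in list order.
            self.current = next((n for n in self.mapping if n in online), None)
        return self.current


def replay(mapping: Sequence[str], timeline: Sequence[Set[str]]) -> List[Optional[str]]:
    """Run one VM through a sequence of heartbeats and record its choices."""
    vm = VmHeartbeatModel(mapping)
    return [vm.heartbeat(online) for online in timeline]


# Constructed sample data: three nodes, listed in order of precedence.
A, B, C = "192.0.2.11", "192.0.2.12", "192.0.2.13"
MAPPING = [A, B, C]
TIMELINE = [
    {A, B, C},   # healthy: preferred node
    {B, C},      # preferred node offline: second address
    {C},         # second address offline too: third address
    {A, C},      # preferred node back, cluster still degraded: stay put
    {A, B, C},   # healthy again: back to the preferred node
    set(),       # nothing reachable: heartbeat fails
    {B},         # first reachable address in list order
]

if __name__ == "__main__":
    for online, used in zip(TIMELINE, replay(MAPPING, TIMELINE)):
        print(sorted(online), "->", used)
```

The fourth heartbeat is the case to check when planning node order: a VM can remain on a lower-precedence node after the preferred node returns, for as long as any other node in the Mapping is still down.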