Updating Cryptographic Security Platform Vault Node IP Addresses on an Individual VM

If the Cryptographic Security Platform Vault nodes in a cluster change, you need to update the IP address list on each Policy Agent unless you have specified a Cryptographic Security Platform Mapping for the VMs. Cryptographic Security Platform Mapping changes are done through Cryptographic Security Platform Vault and are communicated to each associated VM on the VM's next heartbeat. For more information, see High Availability Between a VM and the Cryptographic Security Platform Vault Cluster.

Procedure 

For each VM registered with this Cryptographic Security Platform Vault cluster:

  1. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
  2. Enter the command hcl updatekc kc_hostname[:port],kc_hostname[:port],kc_hostname[:port],... where the argument is a comma-separated list of the Cryptographic Security Platform Vault node IP addresses or hostnames and port is an optional port number (the default is port 443). If you are entering the command on Windows, enclose the list of hostnames in quotes.

    The first Cryptographic Security Platform Vault node in the list will be considered the primary node, and the VM will always attempt to reach Cryptographic Security Platform Vault through that node first. If that node is unavailable, the VM will try the other nodes in the list in order until it finds a Cryptographic Security Platform Vault node that it can communicate with.

    For example, if you want to specify the Cryptographic Security Platform Vault node named kc-chicago as your primary node and the nodes 10.238.66.234 and kc-bangalore on port 447 as your second and third nodes, you would specify:

    Linux: # hcl updatekc kc-chicago,10.238.66.234,kc-bangalore:447

    Windows: C:\> hcl updatekc "kc-chicago,10.238.66.234,kc-bangalore:447" (note the quotes around the hostname list on Windows)

Important: The list you specify overwrites any existing list on the Policy Agent. So if the Policy Agent is currently connected to three Cryptographic Security Platform Vault nodes and you remove one, you must specify the two remaining nodes with the updatekc command. The third node will be removed automatically. Similarly, if you add a fourth Cryptographic Security Platform Vault node, you must specify all four IP addresses with the updatekc command. If you only specify the new Cryptographic Security Platform Vault node, then that becomes the only node that the Policy Agent will communicate with.

To verify the connection status, enter the hcl status command, as shown. The KeyControl line shows the Cryptographic Security Platform Vault node that the VM is currently communicating with, and the KeyControl list line shows the three Cryptographic Security Platform Vault nodes available to the VM.

C:\> hcl status
Summary
---------------------------------------------------
KeyControl: kc-chicago:443
KeyControl list: kc-chicago:443,10.238.66.234:443,kc-bangalore:447
Status: Connected
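The following shell script is an added example, not part of the product documentation or the hcl tool: it normalizes a node list to the port form that hcl status prints (default 443 appended where no port is given) and checks a status report for the two properties this page describes, that the first node in the list is the active one and that the agent's list is exactly the list you passed, not a merge with the old one. It assumes the hcl status output format shown above.

```shell
#!/bin/sh
# Added example (not from the product documentation). Assumes the
# "hcl status" output layout shown on this page.

# Append the default port 443 to every node without an explicit port, so the
# intended list can be compared with the ports that "hcl status" prints.
normalize_kc_list() {
    out=""
    for node in $(printf '%s' "$1" | tr ',' ' '); do
        case "$node" in
            *:*) entry="$node" ;;
            *)   entry="$node:443" ;;
        esac
        out="${out:+$out,}$entry"
    done
    printf '%s' "$out"
}

# Return 0 if the "hcl status" text in $2 shows the first node of list $1 as
# the active KeyControl, exactly the nodes of $1 as the KeyControl list
# (updatekc overwrites, it does not merge) and a Connected status.
check_kc_status() {
    expected=$(normalize_kc_list "$1")
    primary=${expected%%,*}
    active=$(printf '%s\n' "$2" | sed -n 's/^KeyControl: *//p')
    listed=$(printf '%s\n' "$2" | sed -n 's/^KeyControl list: *//p')
    state=$(printf '%s\n' "$2" | sed -n 's/^Status: *//p')
    [ "$active" = "$primary" ] || { echo "active node is $active, expected $primary"; return 1; }
    [ "$listed" = "$expected" ] || { echo "node list is $listed, expected $expected"; return 1; }
    [ "$state" = "Connected" ] || { echo "status is $state, expected Connected"; return 1; }
    return 0
}

# Constructed sample: the status report shown on this page after updating the
# agent with the three-node list.
SAMPLE_STATUS='Summary
---------------------------------------------------
KeyControl: kc-chicago:443
KeyControl list: kc-chicago:443,10.238.66.234:443,kc-bangalore:447
Status: Connected'

# Usage on a Linux VM: update the Policy Agent, then verify the live report.
# Runs only when the hcl tool is present.
if command -v hcl >/dev/null 2>&1; then
    KC_LIST="kc-chicago,10.238.66.234,kc-bangalore:447"
    hcl updatekc "$KC_LIST" && check_kc_status "$KC_LIST" "$(hcl status)"
fi
```

Running check_kc_status with only the newly added node as the list fails against the sample report, which is the mistake the Important note above warns about.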