Configuring Additional Cryptographic Security Platform Vault Nodes

After the AWS instance is deployed, you configure the Cryptographic Security Platform Vault node through its webGUI; SSH access to the System Console is optional and is covered at the end of the procedure. The following procedure describes how to join the node to an existing Cryptographic Security Platform Vault cluster. If you want to configure this node as the first node in the Cryptographic Security Platform Vault cluster, see Configuring the First Cryptographic Security Platform Vault Node.

Before You Begin 

Make sure that the new Cryptographic Security Platform Vault node can reach the existing cluster nodes over their private IP addresses, which are the addresses the cluster uses for node-to-node communication. For details on configuring the VPC and security groups, see your AWS documentation.

Make sure you have the following information:

  • The Amazon instance ID for the new Cryptographic Security Platform Vault instance.
  • The Elastic (Public) IP address associated with the new instance.
  • The private key file (in pem format) that was used when the new instance was created.

    Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the Cryptographic Security Platform Vault instance in the table. In the Description tab, look at the Instance ID, IPv4 Public IP, and Key pair name fields.

  • The private IP address of one of the existing Cryptographic Security Platform Vault nodes in the cluster.

    Tip: To find this IP address, log into the Cryptographic Security Platform Vault webGUI on one of the existing nodes and click Cluster in the top menu bar. Go to the Servers tab and look at the IP address in the table.

Procedure 

  1. Use a web browser to navigate to https://<Elastic-IP-address>, where <Elastic-IP-address> is the Elastic IP address associated with the Cryptographic Security Platform Vault AWS instance. Specify https:// explicitly; the webGUI is served only over HTTPS.
  2. If prompted, add a security exception for the Cryptographic Security Platform Vault IP address and proceed to the Cryptographic Security Platform Vault webGUI.

    Cryptographic Security Platform Vault issues its webGUI certificate from its own Root Certificate Authority, so the browser does not trust that certificate until you install the Root CA. Before accepting the exception, confirm that the address in the browser is the Elastic IP of your own instance. For details, see Cryptographic Security Platform Vault Certificates.

  3. On the Entrust Cryptographic Security Platform Vault Login page, enter secroot for the username and the AWS instance ID as the password.
  4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
  5. On the Welcome to Cryptographic Security Platform Vault screen, click Join an Existing Cluster.

    The Join Existing Cluster window displays.

  6. On the Get Started page, review the overview information to determine that you are ready to begin. This includes: 

    • Access to the cluster you are joining the node to. We recommend that you open the webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a Cryptographic Security Platform Vault administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing cluster.
    • Verifying that both this node and the cluster node are running the same Cryptographic Security Platform Vault version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  7. Click Continue.
  8. On the Download CSR page, click Generate and Download CSR.
  9. Click Continue.
  10. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  11. Select Actions > Add a Node.
  12. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  13. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains an encrypted node certificate in PKCS#12 (.p12) format and the cluster CA certificate in .pem format; these are the two files you upload to the new node.

  14. Click OK to close the Add a Node window.
  15. Return to the new node and click Continue.
  16. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: Cryptographic Security Platform Vault uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  17. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  18. When the node has successfully restarted, click Login.
  19. Optional. Log into the htadmin account on the Cryptographic Security Platform Vault System Console using the private key file. For example: 

    ssh -i <key-file>.pem htadmin@<Elastic-IP-address>

    The password is the Amazon instance ID. The key file must be readable only by you (for example, chmod 600 <key-file>.pem); otherwise ssh refuses to use it.

    After logging in, you can change this password. The change applies only to the htadmin login on this node.
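Before uploading the bundle from step 13 in step 16, it is worth confirming on your workstation that the .p12 really was issued by the CA certificate shipped alongside it, and that it was issued for the CSR this node generated in step 8 rather than for some other join request. The following script is an added example and is not Entrust code; it uses plain openssl. It assumes (the page does not say) that the .p12 is protected by the joining passphrase and that the unpacked bundle holds one .p12 and one CA .pem; the file names node.p12, ca.pem and node.csr are illustrative. Because it must run offline, it builds a constructed throw-away CA, CSR and bundle to check against instead of a real download.

```shell
#!/bin/sh
# Added example, not Entrust code: sanity-check the certificate bundle from
# step 13 before uploading it in step 16. Assumptions (not from the page):
# the .p12 is protected by the joining passphrase, and the unpacked bundle
# contains one .p12 and one CA .pem (file names below are illustrative).
set -u

# Print the node certificate (PEM) stored in the PKCS#12 file.
# $1 = .p12 file, $2 = password. Fails if the password (MAC check) is wrong.
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# SHA-256 of a PEM public key read on stdin, DER-normalised so that the key
# taken from a certificate and the key taken from a CSR compare byte-for-byte.
pubkey_fp() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Check 1: the certificate in the .p12 chains to the CA certificate that
# shipped in the same bundle. Returns 0 on success, 1 otherwise.
bundle_chain_ok() {  # $1 = .p12, $2 = ca.pem, $3 = password
    cert=$(p12_cert "$1" "$3") || return 1
    printf '%s\n' "$cert" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Check 2: the certificate was issued for the CSR this node generated in
# step 8, i.e. its public key equals the CSR's public key. A mismatch means
# the bundle belongs to a different join request and must not be uploaded.
bundle_matches_csr() {  # $1 = .p12, $2 = node CSR (.pem), $3 = password
    cert=$(p12_cert "$1" "$3") || return 1
    certkey=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null | pubkey_fp)
    csrkey=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | pubkey_fp)
    [ -n "$certkey" ] && [ "$certkey" = "$csrkey" ]
}

# Constructed fixture standing in for a real bundle: a throw-away CA, a node
# CSR, the CA-signed node certificate and a password-protected .p12.
# $1 = working directory, $2 = password.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$1/node.key" -out "$1/node.csr" \
        -subj "/CN=new-node" >/dev/null 2>&1
    openssl x509 -req -in "$1/node.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/node.pem" -days 1 >/dev/null 2>&1
    openssl pkcs12 -export -in "$1/node.pem" -inkey "$1/node.key" \
        -out "$1/node.p12" -passout "pass:$2" >/dev/null 2>&1
}

# Demo run on the constructed fixture.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSPHRASE='constructed-join-passphrase'
make_fixture "$WORK" "$PASSPHRASE"
if bundle_chain_ok "$WORK/node.p12" "$WORK/ca.pem" "$PASSPHRASE"; then
    echo "chain: OK (node cert is signed by the bundled CA)"
else
    echo "chain: FAIL"
fi
if bundle_matches_csr "$WORK/node.p12" "$WORK/node.csr" "$PASSPHRASE"; then
    echo "csr: OK (cert public key matches this node's CSR)"
else
    echo "csr: FAIL"
fi
```

To check a real download, unpack the .zip and call bundle_chain_ok and bundle_matches_csr with the unpacked .p12, the bundled CA .pem, the CSR from step 8 and the passphrase from step 12. If OpenSSL 3 reports an unsupported algorithm when reading the .p12, the file uses legacy PKCS#12 encryption; add the -legacy option to the openssl pkcs12 call in p12_cert.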