Configuring the First Cryptographic Security Platform Vault Node

You need to configure the Cryptographic Security Platform Vault instance using SSH before you can use the Cryptographic Security Platform Vault webGUI to configure and maintain your Cryptographic Security Platform Vault cluster.

The following procedure describes how to configure the first Cryptographic Security Platform Vault node in the cluster. If you are adding this node to an existing cluster, see Configuring Additional Cryptographic Security Platform Vault Nodes.

Before You Begin 

Make sure you have the following information:

  • The Amazon instance ID for the Cryptographic Security Platform Vault instance.
  • The Elastic (Public) IP address associated with the instance.
  • The private key file (in PEM format) that was used when the instance was created.

Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the Cryptographic Security Platform Vault instance in the table. In the Description tab, look at the Instance ID, IPv4 Public IP, and Key pair name fields.

Procedure 

  1. To initialize Cryptographic Security Platform Vault for this cluster, do the following:

    1. Use a web browser to navigate to https://<Elastic-IP-addy>, where <Elastic-IP-addy> is the Elastic IP address associated with the Cryptographic Security Platform Vault AWS instance. For security reasons, you must explicitly specify https:// in the URL.
    2. If prompted, add a security exception for the Cryptographic Security Platform Vault IP address and proceed to the Cryptographic Security Platform Vault Management webGUI.

      Cryptographic Security Platform Vault uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see Cryptographic Security Platform Vault Certificates.

    3. On the Entrust Cryptographic Security Platform Vault Management login, enter secroot for the username and the AWS instance ID as the password.
    4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
    5. On the Welcome to Cryptographic Security Platform Vault screen, click Continue as a Standalone Node.
    6. On the Change Password page, enter a new password for the secroot account and click Update Password.

    7. On the Configure E-Mail and Mail Server Settings page, specify your email settings.

      If you specify an email address, Cryptographic Security Platform Vault sends an email with the Admin Key for the new node. It also sends system alerts to this email address.

      To disable alerts, select the Disable e-mail notifications checkbox. You are then prompted to download the Admin Key.

    8. When you are done, click Continue.

    9. On the Download Admin Key page, click the Download button to save the admin key locally. Please keep the admin key in a safe place for later use. When Cryptographic Security Platform Vault prompts for an admin key to recover your Cryptographic Security Platform Vault system, you must provide this admin key to proceed. If you do not have your admin key, you may lose your data.

      Note: Whenever the admin key is regenerated, Cryptographic Security Platform Vault forces you to download the admin key.

    10. When you are finished, click Continue.

      Cryptographic Security Platform Vault displays the Cryptographic Security Platform Vault Management webGUI. For details about the tasks you can perform from the webGUI, see the Administration Guide.

  2. Optional. Log in to the htadmin account on the keycontrol System Console using the private key file. For example: 

    ssh -i <key-file>.pem htadmin@<Elastic-IP-addy>

    The password is the same as the secroot password that you set on the Change Password page (substep 6 of step 1 above).

    Important: The secroot password is used for this first login. You can either change it, or leave it as is. If you change the htadmin password in the System Console, it only changes the password for this particular node, and does not affect the secroot password.

What to Do Next