Deploying Additional Cryptographic Security Platform Vault Nodes

The following procedure describes how to deploy a Cryptographic Security Platform Vault node that you intend to add to an existing Cryptographic Security Platform Vault cluster. If you want to deploy a Cryptographic Security Platform Vault node that will become the first node in a new cluster, see Deploying the First Cryptographic Security Platform Vault Node.

Note: The following procedure is based on the 2019 AWS Console interface. If your version of the AWS Console is different from what is described below, please see your AWS documentation.

Before You Begin 

If you want to use an existing VPC for the new node that is different from the VPC used for the first Cryptographic Security Platform Vault node, make sure that you have set up VPC-to-VPC communication between the VPCs. This includes configuring a Peering Connection and setting the correct Routing Table information. For details, see your AWS documentation.

If you want to use the same VPC for the new node as you used for the first node, make sure you know the following information:

  • The region in which the first node is deployed.
  • The VPC assigned to the first node.
  • The Security Group assigned to the first node.

Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the first Cryptographic Security Platform Vault node in the table. In the Description tab, look at the VPC ID and Security groups fields.

Procedure 

  1. Open a web browser and navigate to the Amazon Web Services login page for your company. The default login page is https://aws.amazon.com/.
  2. Log in to the AWS Management Console with your AWS user name and password.
  3. In the top menu bar just after your login name, select the Region into which you want to deploy the Cryptographic Security Platform Vault node. If you want to use the same VPC as the first Cryptographic Security Platform Vault node, you must deploy the new node in the same region as the first node.

  4. If you intend to use the same VPC as you used for the first Cryptographic Security Platform Vault node, proceed to the next step. Otherwise, make sure that you have configured VPC-to-VPC communication between the two VPCs as per your AWS documentation.

  5. In the top menu bar, select Services > Compute > EC2.
  6. Click the blue Launch Instance button.
  7. In the Step 1: Choose an Amazon Machine Image (AMI) page, click AWS Marketplace in the left-hand pane.
  8. Search the Marketplace for "Entrust" and select Entrust Cryptographic Security Platform Vault for AWS BYOL (Bring Your Own License).

  9. Review the details of the version you selected and click Continue.
  10. In the Step 2: Choose an Instance Type page, select an instance type. For optimal performance, we recommend that you select a general purpose or compute optimized instance type with SSD instance storage, such as m3.large or c3.large. The Cryptographic Security Platform Vault system resource recommendations are:

    Resource   Standard Installation   Large Installation
    CPUs       2                       4
    RAM        8 GB                    16 GB
    Disk       65 GB                   150 GB

    Entrust recommends that you select a large installation if your system meets one or more of the following criteria:

    • More than four nodes in the Cryptographic Security Platform Vault cluster.
    • More than 500 virtual machine heartbeats OR more than 10,000 KMIP keys across all KMIP vaults together.
    • More than 100,000 secrets stored.
  11. After you have selected the type, click Next: Configure Instance Details.
  12. On the Step 3: Configure Instance Details page, set the following options:

    • Number of Instances—Specify the number of instances you want to launch in this field. All instances will run in the same region using the same VPC and instance settings.

    • Network—Select the VPC you want to use for the Cryptographic Security Platform Vault node.
    • Set all other options on this page according to your corporate standards.
  13. When you are done, click Next: Add Storage.
  14. On the Step 4: Add Storage page, set the following options:

    • Volume Size—Set the size of the disk based on your configuration requirements. The default setting of 20 GB should work for most Cryptographic Security Platform Vault installations.
    • Volume Type—For optimal performance, we recommend setting the volume type to one of the SSD options instead of the default Magnetic volume.
    • Delete on Termination—If you select this option and the instance is deleted, all keys stored on this Cryptographic Security Platform Vault node will be deleted as well. In a single node configuration, this means that encrypted data cannot be decrypted, as the keys will be lost. If you want to use this option, make sure all data is decrypted before the instance is deleted.
  15. When you are done, click Next: Add Tags.
  16. On the Step 5: Add Tags page, click Add Tag and enter a Name tag for the instance:

    • Key—Enter "Name".
    • Value—Enter the name for this Cryptographic Security Platform Vault node.

    Add any other tags as desired.

  17. When you are done, click Next: Configure Security Group.
  18. On the Step 6: Configure Security Group page, in the Assign a security group field, do one of the following:

    • Select Select an existing security group and then select the security group you assigned to the first Cryptographic Security Platform Vault node.

      Note: You can use any existing security group as long as all of the required ports are open in that security group.

    • Select Create a new security group. For each of the required entries in the security group, set the Source IP addresses or security groups that can communicate with Cryptographic Security Platform Vault through the associated ports. We strongly recommend that you do not use the default 0.0.0.0/0 notation, which indicates that the ports are open to the world.

      Cryptographic Security Platform Vault requires the following ports:

      Type               Protocol   Port Range   Source
      SSH (22)           TCP        22           IP address list or another security group
      HTTPS (443)        TCP        443          IP address list or another security group
      Custom TCP Rule    TCP        5432         IP address list or another security group
      Custom TCP Rule    TCP        8443         IP address list or another security group
      Custom UDP Rule    UDP        123          IP address list or another security group

      For details about specifying the source IP addresses or security groups, see your AWS documentation.

  19. When you are done, click Review and Launch.
  20. In the Step 7: Review Instance Launch page, verify your selections and click Launch.
  21. At the prompt, either select an existing key pair or select Create a new key pair, specify a key pair name, and download the new private key file for the new key pair.
  22. When you are done, click Launch Instances. AWS displays a confirmation page stating that your instance is being launched and displays the instance ID. Make a note of the ID, as it will be your initial Cryptographic Security Platform Vault password.

  23. To verify the status of the instance, select Services > EC2 > Instances and locate the new instance in the table.

    Tip: If you requested multiple instances on the Step 3: Configure Instance Details page, you will see multiple Cryptographic Security Platform Vault instances with the same name listed in the table. We recommend that you give each instance a unique name at this point so that you can tell them apart as you configure them. To do so, mouse over an instance name and click the pencil icon when it appears.
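As an added example (not part of Entrust's documentation or the product's own tooling), the following Python script audits a security group's ingress rules against the port set listed in step 18 and flags any rule whose source is 0.0.0.0/0 or ::/0. It expects the JSON shape returned by the AWS CLI command `aws ec2 describe-security-groups`; the sample security group, its CIDRs and its group ID are constructed placeholders.

```python
import ipaddress

# Ports the procedure lists for Cryptographic Security Platform Vault: (protocol, port)
REQUIRED_PORTS = {("tcp", 22), ("tcp", 443), ("tcp", 5432), ("tcp", 8443), ("udp", 123)}

def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length 0 (open to the world)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_group(group):
    """Audit one security group (describe-security-groups JSON shape).

    Returns {"missing": [...], "world_open": [...], "ok": bool}: "missing" lists the
    required (protocol, port) pairs no ingress rule covers, "world_open" lists
    (protocol, from, to, cidr) for every rule reachable from any address.
    """
    covered, world_open = set(), []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # IpProtocol "-1" is the console's "All traffic" and carries no port range.
        lo = 0 if proto == "-1" else perm["FromPort"]
        hi = 65535 if proto == "-1" else perm["ToPort"]
        for req_proto, port in REQUIRED_PORTS:
            if proto in ("-1", req_proto) and lo <= port <= hi:
                covered.add((req_proto, port))
        # Security-group sources (UserIdGroupPairs) are never world-open; only CIDRs are checked.
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if is_world_open(cidr):
                world_open.append((proto, lo, hi, cidr))
    missing = sorted(REQUIRED_PORTS - covered)
    return {"missing": missing, "world_open": world_open, "ok": not missing and not world_open}

# Constructed sample: 8443 is never opened and 443 is open to the world.
# The CIDRs and the group ID are placeholders, not a real deployment.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]},
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    print(audit_security_group(SAMPLE_GROUP))
```

Run it against the output of `aws ec2 describe-security-groups --group-ids <id>` (one element of the `SecurityGroups` array) before reusing a group for a new node; a non-empty `missing` or `world_open` list means the group does not match what the procedure requires.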

What to Do Next 

Associate an Elastic IP address with the instance as described in Associating an Elastic IP Address with the Cryptographic Security Platform Vault Instance. An Elastic IP address is required for every Cryptographic Security Platform Vault instance so that you can configure and maintain the instance using a static IPv4 address.

If you created multiple instances, you need to assign a different Elastic IP to each copy of the instance.