Creating a Cloud Admin User Account

When you register a Entrust Policy Agent, you need to specify a Cryptographic Security Platform Vault user account with Cloud Admin privileges. While you can use the default secroot account, we recommend that you make a separate account with just the  Cloud Admin permissions to use for this purpose. To make a Cloud Admin user account:

  1. Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
  2. In the top menu bar, click Users.
  3. Select Actions > Create User.

  4. Enter the following information. All fields are required.

    Field Description
    Full Name

    The full name of the user associated with the account. This name is included on any audit log messages generated by that user's activity. Therefore, we recommend that you specify a unique full name for each Cryptographic Security Platform Vault user.
    Email

    If your system is configured to send email alerts, they will be sent to this email address. The alerts a user sees depends on their user role and group access.

    Account Decay

    The amount of time an account can stay enabled without logging in. The default and maximum value is 10 years from the last login date.

    If the user does not log in within that time period, Cryptographic Security Platform Vault automatically disables the account, but does not delete it. You will need to contact Entrust Support to re-enable the account.

    Account Enabled

    Check this box to have the account be available as soon as you create it. If you clear this check box, Cryptographic Security Platform Vault sets the account status to Disabled and you will need to manually enable it through the webGUI.
  5. Click Add.
  6. When you see the User Successfully Added message, click Close.

  7. On the Authentication tab, select the type of authentication you want to use.

    Authentication Method Description
    Locally by Cryptographic Security Platform Vault
    1. In the Authentication drop-down list, select Local.
    2. In the Password and Repeat Password fields, enter the password for this user account.

    3. In the Password Expiration field, enter the date on which the password should expire. Once this date is reached, the user will be prompted to enter a new password the next time they log into Cryptographic Security Platform Vault.

      The expiration date cannot be longer than the number of days defined in the default local authentication settings. For more information, see Configuring Local Authentication Settings.

      Tip: If you want to force the user to change their password the first time they log in, select a date in the past for the Password Expiration date.

    Externally by an LDAP authentication server

    In the Authentication drop-down list, select LDAP.

    Cryptographic Security Platform Vault does not currently support individual LDAP settings. Instead, every LDAP user account must use the global LDAP configuration.

  8. When you have finished specifying the authentication method, click Next.

  9. On the Privileges and Groups tab:

    1. Check the Cloud Admin checkbox.

      If you want this account to have additional privileges, you can also check the Security Admin or Domain Admin check boxes. For details, see Creating a New Cryptographic Security Platform Vault-Managed User Account.

    2. In the Available Groups list box, click Cloud Admin Group, then click the right arrow above the list box. This group should move to the Assigned Groups list box.

      If desired, select any other groups to which this account should belong.

    3. Click Create.
  10. When you see the User Successfully Created message, click Close.

What to Do Next 

Install the Entrust Policy Agent on the VM you want to encrypt and register it with KeyControl.