Installing a New Cryptographic Security Platform Vault Cluster Node from an ISO Image

This procedure describes how to use the Entrust-provided ISO image to install and configure a new Cryptographic Security Platform Vault that you want to add to an existing cluster. If you want to configure a standalone Cryptographic Security Platform Vault node or the first node in the cluster, see Installing the First Cryptographic Security Platform Vault Node from an ISO Image.

Important: Make sure that all Cryptographic Security Platform Vault nodes reside on devices that are not encrypted. Cryptographic Security Platform Vault has its own internal encryption, and it must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

Before You Begin

  • If you are installing Cryptographic Security Platform Vault on an existing VM, make sure that there is no important data currently on the target system. The installer will overwrite all data on the selected disks.
  • Make sure that the target VM can access the Entrust Cryptographic Security Platform Vault ISO image.
  • Make sure the target VM meets the basic system requirements described in System Requirements.
  • If EMS is disabled, you will need to configure the node as a standalone node, disable EMS, and then join the cluster.

    For more information on EMS, see Configuring TLS. For more information on joining a cluster, see Joining a Cryptographic Security Platform Vault Cluster.

Note: If your version of vCenter is different from what is described below, please see your vCenter documentation for details about the ISO deployment process.

Procedure

  1. Log into the vSphere Web Client.
  2. Create a new virtual machine using the settings appropriate to your environment.
  3. At the Select Compatibility prompt, select your ESXi version.

    For more information on versions, see the Supported Platforms.

  4. When you are prompted to select a guest OS, set the following according to the Guest OS version that you are using:

    Field               Setting
    Guest OS Family     Linux
    Guest OS Version    Oracle Linux 8 or 9 (64-bit)

  5. Click Next.
  6. On the Virtual Hardware tab of the Customize hardware page, make sure the VM configuration meets the following system resource recommendations:

    Resource   Standard Installation   Large Installation
    CPUs       2                       4
    RAM        8 GB                    16 GB
    Disk       65 GB                   150 GB

    Entrust recommends that you select a large installation if your system meets one or more of the following criteria:

    • More than four nodes in the Cryptographic Security Platform Vault cluster.
    • More than 500 virtual machine heartbeats OR more than 10,000 KMIP keys across all KMIP vaults together.
    • More than 100,000 secrets stored.

    The rest of the options on this tab should be configured to match your vSphere environment.

    Note:

    • For the SCSI controller, we suggest that you use VMware Paravirtual. While other choices should work, VMware Paravirtual is the controller used regularly in our testing.

    • For the network adapter type, we suggest that you use VMXNET 3. While other choices should work, VMXNET 3 is the adapter used regularly in our testing.

  7. On the VM Options tab of the Customize hardware page, expand Boot Options and set the Firmware to BIOS.

  8. Connect the Cryptographic Security Platform Vault version 10.4.5 installation ISO image to the VM so that the VM will boot from this ISO image when you power on the VM. How you do this depends on how your vSphere environment is configured and what options you have available.

    For example, you could upload the Cryptographic Security Platform Vault ISO image to a datastore that vSphere can access and then attach the datastore ISO image as a CD/DVD drive that is connected when the VM powers on.

  9. Power on the Cryptographic Security Platform Vault VM and have it boot from the Cryptographic Security Platform Vault version 10.4.5 installation ISO image.
  10. When the VM boots from the ISO image, it will begin installing Oracle Linux.

    Note: The installer will post messages as the Oracle Linux operating system install proceeds. Some parts of the OS take longer to install than others, and there may be times when no new messages appear for over ten minutes. Do not attempt to cancel or restart the installation procedure during this time.

    The installer will automatically reboot the VM as needed.

    When the installer has finished, it displays a prompt asking for a password for the htadmin account.

  11. Enter a password for the Cryptographic Security Platform Vault system administration account htadmin and press Enter. Password requirements are configured by a Cryptographic Security Platform Vault administrator in the System Settings.

    This password controls access to the Entrust Cryptographic Security Platform Vault System Console that allows users to perform some Cryptographic Security Platform Vault administration tasks. It does not permit a Cryptographic Security Platform Vault user to access the full OS.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, Cryptographic Security Platform Vault does not provide a user-accessible password recovery mechanism.

  12. The System Configuration page asks if you want to use DHCP for the node. We highly recommend that you do not do this, as the Cryptographic Security Platform Vault node should always be available at a set IP address. Make sure No is selected and press Enter to acknowledge this message.
  13. On the Confirm Network Configuration page, enter the appropriate network information for the Cryptographic Security Platform Vault node. When you are done, press Enter to save this information.
  14. On the System Configuration page, review the configuration settings and press Enter if you are ready to configure the node.

    The installer configures Cryptographic Security Platform Vault and then starts the appropriate services. This process will take a few minutes to complete. When the installer has finished, Cryptographic Security Platform Vault displays a confirmation dialog stating that the setup was completed successfully.

  15. Review the confirmation dialog that provides the URL of the Cryptographic Security Platform Vault webGUI (also known as the Management IP Address).

    When you are done, press Enter to finish the installation. Cryptographic Security Platform Vault displays the Oracle Linux login prompt.

  16. After the configuration is complete, power off your VM, detach the ISO, and reset the boot order. Then you can safely power on your VM again.
  17. Log into the webGUI on the new Cryptographic Security Platform Vault node (the node you want to join to the cluster), using secroot as both the username and the password.

  18. On the Welcome to Cryptographic Security Platform Vault screen, click Join an Existing Cluster.

    The Join Existing Cluster window displays.

  19. On the Get Started page, review the overview information to confirm that you are ready to begin. You need:

    • Access to the cluster you are joining the node to. We recommend that you open the webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a Cryptographic Security Platform Vault administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing cluster.
    • Confirmation that both this node and the cluster node are running the same Cryptographic Security Platform Vault version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  20. Click Continue.
  21. On the Download CSR page, click Generate and Download CSR.
  22. Click Continue.
  23. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  24. Select Actions > Add a Node.
  25. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  26. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  27. Click OK to close the Add a Node window.
  28. Return to the new node and click Continue.
  29. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: Cryptographic Security Platform Vault uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  30. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  31. When the node has successfully restarted, click Login.
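The certificate bundle downloaded in step 26 is the trust anchor for the join in step 29, so it is worth checking before it is uploaded. The POSIX shell script below is an added example, not Entrust's own tooling, and assumes: openssl is installed; the .zip bundle has already been unpacked into a directory that holds exactly one .p12 and one .pem; and the password protecting the .p12 is supplied in the environment variable P12_PASS (assumed here to be the join passphrase entered in step 25; the page does not state which password protects the .p12). It confirms that the .pem is a CA certificate, that the .p12 opens with the supplied password, and that the node certificate inside the .p12 actually chains to the CA that came in the same bundle, then prints the node certificate's subject and expiry.

```shell
#!/bin/sh
# check_bundle.sh: sanity-check an unpacked Cryptographic Security Platform
# Vault certificate bundle before uploading it on the Node page.
# Added example, not Entrust code. Assumptions: openssl is on PATH; the bundle
# directory holds exactly one .p12 and one CA .pem; P12_PASS holds the .p12
# password (assumed to be the join passphrase; verify against product docs).

# count_files DIR SUFFIX: number of regular files in DIR ending in SUFFIX.
count_files() {
    n=0
    for f in "$1"/*"$2"; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_bundle DIR: returns 0 and prints "bundle ok" when the node certificate
# in the .p12 verifies against the CA .pem; otherwise prints a reason to stderr
# and returns a distinct non-zero code per failure.
check_bundle() {
    dir=$1
    pass=${P12_PASS:-}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ "$(count_files "$dir" .p12)" -eq 1 ] || { echo "expected exactly one .p12 in $dir" >&2; return 2; }
    [ "$(count_files "$dir" .pem)" -eq 1 ] || { echo "expected exactly one .pem in $dir" >&2; return 2; }
    [ -n "$pass" ] || { echo "P12_PASS is not set" >&2; return 3; }
    p12=$(printf '%s\n' "$dir"/*.p12)
    ca=$(printf '%s\n' "$dir"/*.pem)

    # The .pem must be a CA certificate (Basic Constraints CA:TRUE), not a leaf.
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "$ca is not a CA certificate" >&2; return 4; }

    # Extract only the node certificate from the .p12; this also proves the
    # password is correct, since a wrong password fails here.
    tmp=$(mktemp)
    if ! openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "could not open $p12 with the supplied password" >&2; return 5
    fi

    # The node certificate must chain to the CA shipped in the same bundle.
    if ! openssl verify -CAfile "$ca" "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; echo "certificate in $p12 does not verify against $ca" >&2; return 6
    fi

    # Show subject and expiry so the operator can eyeball them before upload.
    openssl x509 -in "$tmp" -noout -subject -enddate
    rm -f "$tmp"
    echo "bundle ok"
}

# Usage: P12_PASS='...' sh check_bundle.sh /path/to/unpacked/bundle
[ "$#" -eq 0 ] || check_bundle "$1"
```

Each failure returns a different exit code, so the script can be dropped into a change ticket or runbook step and the code recorded; a 6 in particular means the .p12 and .pem did not come from the same cluster, which is exactly the mix-up that a multi-cluster operator is most likely to make.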

What to Do Next