Adding a New Cryptographic Security Platform Vault Node to an Existing Cluster (OVA Install)

When you log into the target system for the first time after installing the Cryptographic Security Platform Vault software, Cryptographic Security Platform Vault displays the Cryptographic Security Platform Vault System Menu. This procedure explains how to use this menu to configure this system as a new node in an existing Cryptographic Security Platform Vault cluster.

Before You Begin 

  • Make sure you know the IP address of any Cryptographic Security Platform Vault node that is already part of the cluster you want to join.
  • If Startup Authentication is enabled, you cannot add a new Cryptographic Security Platform Vault node. You must disable Startup Authentication on the existing Cryptographic Security Platform Vault node, add the new node, and then re-enable Startup Authentication.

Procedure 

  1. Log into the VM on which you installed the Cryptographic Security Platform Vault software.
  2. Enter a password for the Cryptographic Security Platform Vault system administration account htadmin and press Enter. Password requirements are configured by a Cryptographic Security Platform Vault administrator in the System Settings.

    This password controls access to the Entrust Cryptographic Security Platform Vault System Console that allows users to perform some Cryptographic Security Platform Vault administration tasks. It does not permit a Cryptographic Security Platform Vault user to access the full OS.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, Cryptographic Security Platform Vault does not provide a user-accessible password recovery mechanism.

  3. Use a web browser to navigate to https://node-ip-address, where node-ip-address is the Management IP address you specified during installation. For security reasons, you must explicitly specify https:// in the URL.

    Tip: If you do not know the Management IP address for the node, log into the system on which the node is installed as htadmin. Cryptographic Security Platform Vault displays the Entrust Cryptographic Security Platform Vault System Console. From the menu, select Manage Network Settings > Show Current Network Configuration.

  4. If prompted, add a security exception for the Cryptographic Security Platform Vault IP address and proceed to the Cryptographic Security Platform Vault webGUI.

    Cryptographic Security Platform Vault uses its own Root Certificate Authority to create its security certificate, which means that the certificate will not be recognized by the browser. For details, see Cryptographic Security Platform Vault Certificates.

  5. On the Entrust Cryptographic Security Platform Vault Login page, enter secroot for both the username and password.
  6. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
  7. On the Welcome to Cryptographic Security Platform Vault screen, click Join an Existing Cluster.

    The Join Existing Cluster window displays.

  8. On the Get Started page, review the overview information to determine that you are ready to begin. This includes: 

    • Access to the cluster you are joining the node to. We recommend that you open the webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a Cryptographic Security Platform Vault administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing cluster.
    • Confirmation that both this node and the cluster node are running the same Cryptographic Security Platform Vault version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  9. Click Continue.
  10. On the Download CSR page, click Generate and Download CSR.
  11. Click Continue.
  12. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  13. Select Actions > Add a Node.
  14. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  15. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  16. Click OK to close the Add a Node window.
  17. Return to the new node and click Continue.
  18. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: Cryptographic Security Platform Vault uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  19. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while the join is in progress.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  20. When the node has successfully restarted, click Login.
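
Before uploading the files in step 18, the unpacked bundle can be checked on the administrator's workstation with OpenSSL. The script below is an added example, not part of the Entrust documentation. It assumes that the .p12 holds the certificate issued for the CSR from step 10 and that the bundled CA .pem is its issuer; the function name, the JOIN_PASSPHRASE variable and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: check an unpacked join bundle before uploading it in step 18.
# Assumptions (not from the product docs): file paths are placeholders, the
# .p12 holds the certificate issued for the CSR, and the CA .pem is its issuer.
# Export JOIN_PASSPHRASE first so the passphrase stays out of argv.

check_join_bundle() (
    csr=$1 p12=$2 ca=$3
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT

    # 1. Decrypt the .p12 with the join passphrase and split out each
    #    certificate. A wrong passphrase or damaged download yields no files.
    openssl pkcs12 -in "$p12" -passin env:JOIN_PASSPHRASE -nokeys 2>/dev/null |
        awk -v d="$tmp" '/-BEGIN CERTIFICATE-/{n++} n{print > (d "/cert" n ".pem")}'
    [ -f "$tmp/cert1.pem" ] ||
        { echo "FAIL: wrong passphrase or damaged .p12" >&2; exit 1; }

    # 2. One certificate must carry the public key from the CSR.
    want=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    node=
    for c in "$tmp"/cert*.pem; do
        have=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)
        [ -n "$want" ] && [ "$have" = "$want" ] && node=$c && break
    done
    [ -n "$node" ] ||
        { echo "FAIL: no certificate matches the CSR public key" >&2; exit 1; }

    # 3. That certificate must chain to the bundled CA certificate.
    openssl verify -CAfile "$ca" "$node" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not chain to $ca" >&2; exit 1; }

    # Print details to compare with what the cluster node shows.
    openssl x509 -in "$node" -noout -subject -issuer -enddate -fingerprint -sha256
)

# Stand-alone use: sh check_bundle.sh new-node-csr.pem node.p12 ca.pem
if [ "$#" -eq 3 ]; then check_join_bundle "$@"; fi
```

With OpenSSL 3, the `pkcs12` call may need `-legacy` if the bundle was encrypted with an older algorithm.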

What to Do Next