Linking Cryptographic Security Platform Vault with CloudControl
If you want to use the BoundaryControl feature for VMs in a Cloud VM Set or you want to link KMIP client VMs to the KMIP objects they create in the Cryptographic Security Platform Vault KMIP server, you need to link Cryptographic Security Platform Vault to one or more Entrust CloudControl servers. CloudControl can then be used to configure rules and policies for the VMs in the associated Cloud VM Set while the Inventory feature tracks which client VMs go with which KMIP objects.
Figure: Cryptographic Security Platform Vault KMIP Server Objects with the CloudControl Identifier
Each Cloud VM Set in Cryptographic Security Platform Vault can be linked to a specific CloudControl server, allowing you to select the best CloudControl server for the VMs in each Cloud VM Set.
After the BoundaryControl feature has been enabled for a Cloud VM Set, all VMs you register with the set must be authenticated by the selected CloudControl server when they are first registered. After that, individual VMs in the set only need to be re-authenticated when they reboot or when their VMware session ID changes.
If Cryptographic Security Platform Vault cannot communicate with CloudControl when it attempts to re-authenticate a VM, Cryptographic Security Platform Vault tells the Policy Agent on that VM that the heartbeat has failed and it starts a two hour BoundaryControl grace period that is shared by all the VMs in the Cloud VM Set. Cryptographic Security Platform Vault then tries to re-authenticate the VM with CloudControl each time the VM heartbeats during this grace period. If this grace period expires and Cryptographic Security Platform Vault has still not received a response from CloudControl, then Cryptographic Security Platform Vault disables access to all VMs in the Cloud VM Set that require re-authentication. For example, if Cryptographic Security Platform Vault attempts to re-authenticate VM A at 4 p.m., VM B at 4:30 p.m., and VM C at 5:45 p.m., and it does not receive a response from CloudControl by 6 p.m., it immediately revokes access to all three VMs. It does not wait until 7:45 p.m. to revoke access to VM C.
After the BoundaryControl grace period has expired, all disabled VMs must be manually re-authenticted by a Cryptographic Security Platform Vault Cloud Admin.
Note: If the SSL certificate for CloudControl expires or is changed, you need to create a new App Link as described below. Then, for each Cloud VM Set that uses the BoundaryControl feature, you need to change the Boundary Control property so that it points to the new App Link. For details, see Changing Cloud VM Set Properties.
Before You Begin
- Make sure you know the hostname or IP address of one or more Entrust CloudControl servers to which you want to connect.
- Make sure that the license for CloudControl has the BoundaryControl feature enabled.
- If you want Cryptographic Security Platform Vault to verify the CloudControl certificate every time it connects to CloudControl, make sure that the SSL certificate installed in CloudControl includes the entire certificate chain, starting from the root CA certificate. When SSL Verify is enabled, Cryptographic Security Platform Vault expects the entire CloudControl certificate chain when it communicates with CloudControl.
- 
                                                    Make sure that VMware Tools is installed on each VM that will be associated with the a BoundaryControl-enabled Cloud VM Set. While any VMware-supported version of the tools will work, we recommend that you keep VMware Tools up to date. 
Procedure
- 
                                                    Log into CloudControl using an account with AppLink Management Privileges. 
- From the Home tab, select System > App Links.
- Click Initiate App Link.
- 
                                                    In the Initiate App Link window, click Generate Code. Note: For this release, Boundary Control is the only type of app link supported, and ASC_BoundaryControlUser is the only role. 
- Copy the code to your clipboard. The code and the certificate will be needed by Cryptographic Security Platform Vault when you link Cryptographic Security Platform Vault to CloudControl.
- Click Close.
- Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar click Settings.
- In the System Settings section, click App Links.
- On the App Links page, select Actions > Link HTCC.
- 
                                                    In the Create a New Link dialog box, specify the options you want to use.  Options OptionsField Description Name A user-defined name for the App Link. Cryptographic Security Platform Vault displays this name as well as the host name when you are choosing the App Link you want to associate with a Cloud VM Set. If you have multiple App Links between Cryptographic Security Platform Vault and the same CloudControl instance, this name should be descriptive enough that you can easily determine which App Link you want to use. Host The hostname or IP address and port number for the CloudControl server, in the form hostnameorIP address:port-number. When connecting to the server, Cryptographic Security Platform Vault automatically prepends HTTPS:// to this field.Protocol The protocol should match the version of CloudControl that you are using. SSL Verify If Yes, the certificate for the CloudControl server is verified every time contact between Cryptographic Security Platform Vault and CloudControl is established. If the Cryptographic Security Platform Vault certificate changes, the connection will fail. If No, the CloudControl server certificate is only checked when the initial connection is established. The default is Yes. Important: If you select Yes, Cryptographic Security Platform Vault expects the entire certificate chain from CloudControl when it connects. Make sure that the SSL certificate installed in CloudControl includes the entire certificate chain, starting from the root CA certificate. One Time Code Enter the App Link code generated in CloudControl. 
- When you are finished, click Create.
- 
                                                    If you specified Yes for SSL Verify, Cryptographic Security Platform Vault verifies the connection information and displays the CloudControl certificate if the connection can be established. Verify that the certificate is correct and that it is linked to the expected server. If is it correct, click Yes. If you specified No for SSL Verify, Cryptographic Security Platform Vault verifies the connection information. If the CloudControl host can be contacted, Cryptographic Security Platform Vault creates the App Link and automatically returns to the App Links page. 
- 
                                                    If desired, repeat this procedure to add a link to another CloudControl server. 
What to Do Next
If you are enabling the BoundaryControl feature for the first time, create one or more Cloud VM Sets with the BoundaryControl feature enabled and then add the desired VMs to one of those sets. For details, see Creating a Cloud VM Set for the Cryptographic Security Platform Vault for VM Encryption.
If you want to use this App Link for an existing Cloud VM Set that already has the BoundaryControl feature enabled, you can select it from the Boundary Control drop-down list in the Details area for the Cloud VM Set. For details, see Changing Cloud VM Set Properties.

