Installing the First KeyControl Vault Node from an ISO Image

This procedure describes how to use the Entrust-provided ISO image to install and configure a standalone KeyControl Vault node or the first node in a new KeyControl Vault cluster. If you want to add a KeyControl Vault node to an existing cluster, see Installing a New KeyControl Vault Cluster Node from an ISO Image.

If you want to deploy the node from an OVA template, see Installing KeyControl Vault from an OVA Template.

Important: Make sure that all KeyControl Vault nodes reside on devices that are not encrypted. KeyControl Vault has its own internal encryption, and it must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

Before You Begin 

  • If you are installing KeyControl Vault on an existing VM, make sure that there is no important data currently on the target system. The installer will overwrite all data on the selected disks.
  • Make sure that the target VM can access the KeyControl Vault ISO image.
  • Make sure the target VM meets the basic system requirements described in System Requirements.
  • Make sure that VM host affinity is enabled, so that a host migration does not force an Admin Key recovery of the node.

Procedure 

  1. Log into the vSphere Web Client.
  2. Create a new virtual machine using the settings appropriate to your environment.
  3. At the Select Compatibility prompt, select your ESXi version.

    For more information on versions, see the Supported Platforms.

  4. When you are prompted to select a guest OS, set the following according to the Guest OS version that you are using:

    Field               Setting
    Guest OS Family     Linux
    Guest OS Version    CentOS 7 (64-bit) or CentOS 8 (64-bit)

  5. Click Next.
  6. On the Virtual Hardware tab of the Customize hardware page, make sure the VM configuration meets the following system resource recommendations:

    Resource   Standard Installation   Large Installation
    CPUs       2                       4
    RAM        8 GB                    16 GB
    Disk       60 GB                   140 GB

    Entrust recommends that you select a large installation if your system meets one or more of the following criteria:

    • More than four nodes in the KeyControl Vault cluster.
    • More than 500 virtual machine heartbeats OR more than 10,000 KMIP keys across all tenants together.
    • More than 100,000 secrets stored.

    The rest of the options on this tab should be configured to match your vSphere environment.

    Note:  

    • For the SCSI controller, we suggest that you use VMware Paravirtual. While other choices should work, VMware Paravirtual is used regularly in our testing.

    • For the network adapter type, we suggest that you use VMXNET 3. While other choices should work, VMXNET 3 is used regularly in our testing.

  7. Connect the KeyControl Vault version 10.1.1 installation ISO image to the VM so that the VM will boot from this ISO image when you power on the VM. How you do this depends on how your vSphere environment is configured and what options you have available.

    For example, you could upload the KeyControl Vault ISO image to a datastore that vSphere can access and then attach the datastore ISO image as a CD/DVD drive that is connected when the VM powers on. After KeyControl Vault is successfully installed, it automatically disconnects the CD/DVD drive so that it will not boot from that drive again should the node be restarted.

  8. Power on the KeyControl Vault VM and have it boot from the KeyControl Vault version 10.1.1 installation ISO image.
  9. When the VM boots from the ISO image, it will begin installing CentOS.

    Note: The installer will post messages as the CentOS operating system install proceeds. Some parts of the OS take longer to install than others, and there may be times when no new messages appear for over ten minutes. Do not attempt to cancel or restart the installation procedure during this time.

    The installer will automatically reboot the VM as needed.

    When the installer has finished, it displays a prompt asking for a password for the htadmin account.

  10. Enter a password for the KeyControl Vault system administration account htadmin and press Enter. Password requirements are configured by a KeyControl Vault administrator in the System Settings.

    This password controls access to the Entrust KeyControl System Console that allows users to perform some KeyControl Vault administration tasks. It does not permit a KeyControl Vault user to access the full OS.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, KeyControl Vault does not provide a user-accessible password recovery mechanism.

  11. The System Configuration page asks if you want to use DHCP for the node. We highly recommend that you do not do this, as the KeyControl Vault node should always be available at a set IP address. Make sure No is selected and press Enter to acknowledge this message.
  12. On the Confirm Network Configuration page, enter the appropriate network information for the KeyControl Vault node. When you are done, press Enter to save this information.
  13. On the System Configuration page, review the configuration settings and press Enter if you are ready to configure the node.

    The installer configures KeyControl Vault and then starts the appropriate services. This process will take a few minutes to complete. When the installer has finished, KeyControl Vault displays a confirmation dialog stating that the setup was completed successfully.

  14. Review the confirmation dialog that provides the URL of the KeyControl webGUI (also known as the Management IP Address). You will need this URL in the next step.

    When you are done, press Enter to finish the installation. KeyControl Vault displays the CentOS login prompt.

  15. To initialize the KeyControl webGUI and finish the configuration of the first node, do the following:

    1. Use a web browser to navigate to https://node-ip-address, where node-ip-address is the Management IP address. For security reasons, you must explicitly specify https:// in the URL.

    2. If prompted, add a security exception for the KeyControl Vault IP address and proceed to the KeyControl webGUI.

      KeyControl Vault uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see KeyControl Vault Certificates.

    3. On the HyTrust KeyControl Login page, enter secroot for both the username and password.
    4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
    5. On the Welcome to KeyControl Vault screen, click Continue as a Standalone Node.
    6. On the Change Password page, enter a new password for the secroot account and click Update Password.

    7. On the Configure E-Mail and Mail Server Settings page, specify your email settings.

      If you specify an email address, KeyControl Vault sends an email with the Admin Key for the new node. It also sends system alerts to this email address.

      To disable alerts, select the Disable e-mail notifications checkbox. You can then download the Admin Key from the Settings tab in the webGUI.

    8. When you are done, click Continue.

    9. On the Download Admin Key page, click the Download button to save the admin key locally. Please keep the admin key in a safe place for later use. When KeyControl Vault prompts for an admin key to recover your KeyControl Vault system, you must provide this admin key to proceed. If you do not have your admin key, you may lose your data.

      Note: Whenever the admin key is regenerated, KeyControl Vault forces you to download the admin key.

    10. On the Automatic Vitals Reporting page, specify whether you want to enable or disable Automatic Vitals Reporting.

      Automatic Vitals Reporting lets you automatically share information about the health of your KeyControl Vault cluster with Entrust Support. If you enable this service, KeyControl Vault periodically sends an encrypted bundle containing system status and diagnostic information to a secure Entrust server. Entrust Support may proactively contact you if the Vitals Service identifies issues with the health of your cluster.

      KeyControl Vault Security Admins can enable or disable this service at any time by selecting Settings > Vitals in the KeyControl webGUI. For details, see Configuring Automatic Vitals Reporting.

      Note: You cannot disable Automatic Vitals Reporting during the trial license period.

    11. When you are finished, click Continue.

      KeyControl Vault displays the KeyControl webGUI. For details about the tasks you can perform from the webGUI, see the Administration Guide.
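The VM creation in steps 2 through 8 and the certificate warning in step 15 can be scripted instead of clicked through. The following is an added example written for this page, not Entrust code and not part of the product: it uses VMware's govc CLI to build the VM with the guest OS, sizing table, VMware Paravirtual SCSI controller and VMXNET 3 adapter recommended above, uploads and attaches the ISO, and prints the openssl command that shows the SHA-256 fingerprint of the webGUI certificate before you add a browser exception. Everything site-specific is an assumption: govc is installed and GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are exported; the datastore, network and ISO filename are placeholders; and the CD/DVD device is assumed to receive the usual name cdrom-3000 (check the name that govc device.cdrom.add prints). With DRY_RUN=1 (the default) the script only prints the govc commands it would run.

```shell
#!/bin/sh
# Added example, not Entrust's code: create the first KeyControl Vault VM
# with govc. Assumptions: govc is installed and GOVC_URL/GOVC_USERNAME/
# GOVC_PASSWORD are exported; DATASTORE, NETWORK and ISO_LOCAL are
# placeholders to adjust. DRY_RUN=1 only prints the commands.
set -eu

DRY_RUN="${DRY_RUN:-1}"
VM_NAME="${VM_NAME:-keycontrol-node1}"              # placeholder
DATASTORE="${DATASTORE:-datastore1}"                # placeholder
NETWORK="${NETWORK:-VM Network}"                    # placeholder
ISO_LOCAL="${ISO_LOCAL:-./KeyControl-10.1.1.iso}"   # placeholder filename
ISO_DS_PATH="iso/$(basename "$ISO_LOCAL")"

# Sizing rule from the page: more than four cluster nodes, more than 500 VM
# heartbeats, more than 10,000 KMIP keys or more than 100,000 secrets means
# a large installation; otherwise standard.
sizing_profile() {
  nodes=$1; heartbeats=$2; kmip_keys=$3; secrets=$4
  if [ "$nodes" -gt 4 ] || [ "$heartbeats" -gt 500 ] \
     || [ "$kmip_keys" -gt 10000 ] || [ "$secrets" -gt 100000 ]; then
    echo large
  else
    echo standard
  fi
}

# Resource table: CPUs, RAM in MiB (govc -m takes MiB), disk in GB.
profile_cpus() { [ "$1" = large ] && echo 4     || echo 2; }
profile_ram()  { [ "$1" = large ] && echo 16384 || echo 8192; }
profile_disk() { [ "$1" = large ] && echo 140   || echo 60; }

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi; }

deploy_first_node() {
  profile=$1
  # Step 7: put the ISO on a datastore that vSphere can reach.
  run govc datastore.upload -ds "$DATASTORE" "$ISO_LOCAL" "$ISO_DS_PATH"
  # Steps 2-6: CentOS 7 64-bit guest, pvscsi controller, VMXNET 3 NIC,
  # sized from the table; created powered off so the ISO can be attached.
  run govc vm.create -on=false -ds "$DATASTORE" -g centos7_64Guest \
      -c "$(profile_cpus "$profile")" -m "$(profile_ram "$profile")" \
      -disk "$(profile_disk "$profile")GB" -disk.controller pvscsi \
      -net "$NETWORK" -net.adapter vmxnet3 "$VM_NAME"
  # Step 7: add a CD/DVD device, insert the ISO, connect it at power-on.
  # The device name is assumed to be cdrom-3000 (govc prints the real one).
  run govc device.cdrom.add -vm "$VM_NAME"
  run govc device.cdrom.insert -vm "$VM_NAME" -ds "$DATASTORE" "$ISO_DS_PATH"
  run govc device.connect -vm "$VM_NAME" cdrom-3000
  # Step 8: boot from the ISO; the installer takes over from here.
  run govc vm.power -on "$VM_NAME"
}

# Step 15.2: the webGUI certificate is issued by KeyControl's own root CA,
# so record its fingerprint out of band before accepting the browser warning.
webgui_cert_fingerprint() {
  ip=$1
  if [ "$DRY_RUN" = 1 ]; then
    echo "openssl s_client -connect $ip:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256"
  else
    openssl s_client -connect "$ip:443" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256
  fi
}

# Usage: size from expected load (constructed defaults), then deploy.
deploy_first_node "$(sizing_profile "${NODES:-1}" "${HEARTBEATS:-0}" "${KMIP_KEYS:-0}" "${SECRETS:-0}")"
webgui_cert_fingerprint "${MGMT_IP:-node-ip-address}"
```

Run it once with DRY_RUN=1 and check that the printed vm.create line carries the CPU, RAM and disk values you expect for your profile before setting DRY_RUN=0. Once the installer has finished and printed the Management IP address, the openssl line shows the fingerprint of the certificate the browser will complain about; compare it with what the browser presents before adding the exception rather than accepting the warning blind.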

What to Do Next