Registering a Cloned VM with Standard Authentication
Backups, clones, and snapshots look identical to KeyControl Vault. If you want both a VM and its clone running at the same time, you need to clone the VM certificate issued to the original VM and then register the clone using that certificate.
If the root drive is encrypted on the VM, you must register the certificate from the debug console or the VM console. For details, see Registering a Linux Root-Drive-Encrypted Cloned VM with Simplified Authentication.
If only data drives are encrypted on the VM, there are two ways to register the certificate:
- Standard Authentication—The most secure authentication method. You create a certificate in the KeyControl webGUI which you then copy to the target system. This method is described below.
- Simplified Authentication—The easiest method. It allows you to skip downloading a certificate from KeyControl Vault, but it does require you to enter the KeyControl Vault credentials on the command line. You should only use this method if the VM is secure. For details, see Registering a Cloned VM with Simplified Authentication.
Procedure
- Log in to the KeyControl webGUI using an account with Cloud Admin privileges.
- In the top menu bar, click Cloud.
- Click the VMs tab.
- Select the VM that you want to clone from the list.
- Select Actions > Clone Certificate.
- Optionally enter a passphrase for the certificate. If you enter one here, you will be required to enter the same passphrase when you register the cloned VM.
- If you want to change the date on which the certificate expires, enter a new date in the Date field.
- When you are done, click Clone. KeyControl Vault creates a cloned certificate and copies it to your browser's default download location.
- Copy the certificate to the cloned VM.
- Register the cloned VM using the command:

      hcl register -c [-h myname] [-d description] [-p certificate_password] [-o one_time_passphrase] kc_hostname[:port],kc_hostname2[:port2],... /path/to/certificate.cert

  where:
  - -c indicates that this is a cloned VM.
  - -h specifies the name associated with this VM. This name is visible in the webGUI and through APIs.
  - -d is an optional description for the VM.
  - -p is the password for the certificate if one was entered when the certificate was created. If you omit this option and a password is required, you will be prompted for the password when you execute the command.
  - -o is a one-time passphrase that will be used to authenticate the VM with KeyControl Vault through the webGUI. If you do not specify a passphrase, you will be prompted for one when you execute the command. The passphrase must contain at least 16 alphanumeric characters.
  - kc-hostname[:port],kc-hostname2[:port],... (required) — The list of IP addresses or hostnames for the KeyControl Vault nodes with which you want to register the VM. You must specify at least one KeyControl Vault node in this list. You must also specify a port if the KeyControl Vault nodes use anything other than the default port (443). On Windows, if you specify more than one IP address, enclose the list in double-quotes.
  - The final option is the fully-qualified name of the certificate that you downloaded from the webGUI.

  For example:

      # hcl register -c -h "ubuntu-12.10" -d "My 12.10 VM" 192.168.140.15\
       bbd7d0c7-*_130415215216.cert
      Certificate passphrase might be required
      Certificate successfully unpacked
      You need to specify a passphrase which will be used for authentication with KeyControl
      Enter passphrase (min 16 characters): onetimepassword16chrs
      Registered as ubuntu-12.10 with KeyControl(s) 192.168.140.15
      Please log on to any KeyControl to complete the authentication of this node

- Return to the webGUI and authenticate the VM:
  - Click the Unauthenticated VMs tab.
  - Select the clone VM you just registered.
  - Select Actions > Authenticate.
  - Enter the one-time passphrase at the prompt.
- If you want to change the KeyControl Vault node IP addresses the clone VM will use, see Updating KeyControl Vault Node IP Addresses on an Individual VM. If you want to associate a KeyControl Mapping with the clone VM, see Managing the KeyControl Mapping on a VM.
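
The following pre-flight wrapper for the registration step is an added example, not part of the vendor documentation. It assumes hcl is on the PATH; the function names are hypothetical, the passphrase rule is read as 16 or more characters that are all alphanumeric, and the file-permission check on the certificate is an added hardening assumption.

```sh
#!/bin/sh
# Added example: pre-flight checks around `hcl register -c`. Function names are hypothetical.

# Page rule, read strictly (assumption): 16 or more characters, all alphanumeric.
valid_otp() {
    [ "${#1}" -ge 16 ] || return 1
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
}

# Random 24-character alphanumeric passphrase to type at the hcl prompt and in the webGUI.
new_otp() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c 1-24
}

# Node list: comma-separated host[:port], at least one entry (IPv4 or hostname assumed).
valid_nodes() {
    case "$1" in ''|,*|*,|*,,*|*' '*) return 1 ;; esac
    rest=$1
    while [ -n "$rest" ]; do
        node=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        host=${node%%:*}
        case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
        case "$node" in
            *:*) port=${node#*:}
                 case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
                 [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1 ;;
        esac
    done
    return 0
}

# The cloned certificate is handled like a credential (assumption): require a
# regular, readable file that group and others cannot read.
cert_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Register without -p or -o so hcl prompts for both secrets instead of
# leaving them in the process list and shell history.
register_clone() {  # usage: register_clone NAME NODES CERT
    valid_nodes "$2" || { echo "bad node list: $2" >&2; return 2; }
    cert_ok "$3" || { echo "certificate missing or readable by group/others: $3" >&2; return 3; }
    hcl register -c -h "$1" "$2" "$3"
}
```

Generate the passphrase with new_otp, run register_clone, and enter the same passphrase at the hcl prompt and again in the webGUI authentication step.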
