Registering a Linux Root-Drive-Encrypted Cloned VM with Simplified Authentication

To KeyControl Vault, backups, clones, and snapshots of a VM are indistinguishable from the original VM. If you want both a VM and its clone running at the same time, you need to clone the VM certificate issued to the original VM and then register the clone using that certificate.

If the root drive is encrypted on a Linux VM, you must access the VM through your hypervisor and use the Entrust Debug Console as described below.

If only data drives are encrypted on the VM, there are two ways to register the certificate:

  • Standard Authentication—The most secure authentication method. You create a certificate in the KeyControl webGUI which you then copy to the target system. For details, see Registering a Cloned VM with Standard Authentication.
  • Simplified Authentication—The easiest method. It allows you to skip downloading a certificate from KeyControl Vault, but it does require you to enter the KeyControl Vault credentials on the command line. Because those credentials are typed on the VM itself, use this method only on a VM you trust. For details, see Registering a Cloned VM with Simplified Authentication.

Procedure 

  1. Power on the cloned Linux VM. The clone VM's attempt to boot will fail because KeyControl Vault determines that the cloned VM has a different hardware signature than the original VM.
  2. Open console access to the cloned VM through your hypervisor and wait for the VM to display the prompt asking if you want to use the Entrust Debug Console. When it does, type y and press Enter to launch the Debug Console.
  3. From the Debug Console menu, select Advanced Access.
  4. If you are using a static IP address for the cloned VM, do the following to change the IP address. (If you are using DHCP, the system automatically assigns a new IP address to the cloned VM.) In the following examples, the original VM's IP address is 10.238.66.240 and the clone's IP address is 10.238.66.100.

    1. Add the new IP address you want to use for the cloned VM by entering the ip addr add <clone IP address>/<netmask> dev <interface name> command. For example:

      # ip addr add 10.238.66.100/24 dev eth0

    2. Delete the IP address being used by the original VM by entering the ip addr del <original VM IP address>/<netmask> dev <interface name> command. For example:

      # ip addr del 10.238.66.240/24 dev eth0

    3. If needed, add the clone IP address to the routing table with the ip route add [default] <network/netmask> [via <gateway IP address>|dev <device>] command.

  5. Update the certificate on the cloned VM by entering the command hcl updatecert -a [-u username -p password] [-e certificate expiration], where:

    • -a tells hcl to contact KeyControl Vault to get the new certificate.
    • -u is a KeyControl Vault user account with Cloud Admin privileges. If you do not enter a user account name you will be prompted for one.
    • -p is the password for the KeyControl Vault user account. If you do not enter a password you will be prompted for one.
    • -e is the certificate expiration date in the format MM/DD/YYYY. If you do not enter an expiration date, KeyControl Vault uses the default date set in the Certificate Expiration option for the Cloud VM Set that this VM belongs to. The default is one year from the creation date.

    For example:

    # hcl updatecert -a -u CloudAdmin -p DogDays123! -e 06/30/2022

    Passing the password with -p places it in the shell history and, while the command runs, in the process list. Omitting -p (and -u) so that hcl prompts for the credentials avoids both.

  6. Register the cloned VM with KeyControl Vault by entering the following command:

    hcl register -a -c [-h vm-name] [-d "vm-description"] [-u username [-p password]] [-z cvm-set] kc-hostname[:port],kc-hostname2[:port],...

    where:

    • -a indicates that hcl should download the VM certificate from KeyControl Vault and do the registration and authentication in one step.
    • -c indicates that this is a cloned VM.
    • -h (optional) — The name of the clone VM that will be displayed in the KeyControl webGUI (Default: hostname).
    • -d (optional) — A description of the clone VM that will be displayed in the KeyControl webGUI.
    • -u is a KeyControl Vault user account with Cloud Admin privileges. If you do not enter a user account you will be prompted for one.
    • -p is the password for the KeyControl Vault user account. If you do not enter a password you will be prompted for one.
    • -z (optional) — The name of the Cloud VM Set defined in the KeyControl Vault cluster to which you want to assign this VM. If you do not specify this parameter, the registration prompts you for the set name.
    • kc-hostname[:port],kc-hostname2[:port],... (required) — The list of IP addresses or hostnames for the KeyControl Vault nodes with which you want to register the VM. You must specify at least one KeyControl Vault node in this list. You must also specify a port if the KeyControl Vault nodes use anything other than the default port (443). On Windows, if you specify more than one IP address, enclose the list in double-quotes.

    For example, if the clone VM name is "hq-vm-clone", the description is "Clone of HQ Server", and you want to register it with two KeyControl Vault nodes at 10.238.32.74 and 10.238.32.75, you would enter:

    # hcl register -a -c -h hq-vm-clone -d "Clone of HQ Server" 10.238.32.74,10.238.32.75
    Please provide the KeyControl login details
    username: htcloudadmin
    password:  ********
    
    Registered as hq-vm-clone with KeyControl node(s) 10.238.32.74,10.238.32.75
    
    Completing authentication for hq-vm-clone on KeyControl node(s) 10.238.32.74,10.238.32.75
    Authentication complete, machine ready to use
  7. After the VM has been registered, exit from the Advanced Access shell and let the VM finish booting. After the VM has booted, log into the clone VM as root and set the clone VM's IP address using your standard Linux networking tools.
  8. Update the Entrust Bootloader network information with the htroot update [-c params.conf] command, where the optional -c params.conf tells the command to run non-interactively, using the settings in params.conf instead of prompting for them.
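Steps 4 to 6 of the procedure, collected into one script that can be run from the Advanced Access shell. This is an added example, not code from Entrust's documentation or from the hcl tool: it validates the addresses and the node list, adds the clone's address before removing the original's so the interface is never left unaddressed, and then runs hcl updatecert and hcl register with -u and -p omitted so that hcl prompts for the Cloud Admin credentials and they never appear in shell history or a process listing. The helper names (valid_cidr, valid_node, valid_node_list, readdress_iface, register_clone), the DRY_RUN switch, and the use of ip route replace for the default route are this example's own choices; the hcl flags are the ones documented in the steps above.

```shell
#!/bin/sh
# Added example (not Entrust's code): re-address a cloned Linux VM from the
# Entrust Debug Console "Advanced Access" shell and register it with KeyControl
# Vault using simplified authentication, following steps 4 to 6 above.
# Assumptions (not from the page): the helper names and the DRY_RUN switch are
# this script's own; "ip route replace" is used instead of "ip route add" so the
# script can be re-run. Credentials are never placed on the command line:
# hcl prompts for them when -u/-p are omitted.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each privileged command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"    # preview only; shell quoting is not shown
    else
        "$@"
    fi
}

# valid_cidr A.B.C.D/N : 0 when the dotted quad and prefix length are well-formed
valid_cidr() {
    addr="${1%/*}"; plen="${1#*/}"
    [ "$addr" != "$1" ] || return 1                 # no "/" present
    case "$plen" in ''|*[!0-9]*) return 1;; esac
    [ "$plen" -le 32 ] || return 1
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_node host[:port] : one KeyControl Vault node entry; port, if given, is 1-65535
valid_node() {
    host="${1%%:*}"
    [ -n "$host" ] || return 1
    case "$1" in
        *:*) port="${1#*:}"
             case "$port" in ''|*[!0-9]*) return 1;; esac
             [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1 ;;
    esac
    return 0
}

# valid_node_list n1[:p],n2[:p],... : every comma-separated entry must pass valid_node
valid_node_list() {
    [ -n "$1" ] || return 1
    oldifs="$IFS"; IFS=','
    set -- $1
    IFS="$oldifs"
    for n in "$@"; do
        valid_node "$n" || return 1
    done
    return 0
}

# readdress_iface OLD_CIDR NEW_CIDR IFACE [GATEWAY]  (step 4)
# Add the clone's address first, then drop the original's, then set the default route.
readdress_iface() {
    old="$1"; new="$2"; iface="$3"; gw="${4:-}"
    valid_cidr "$old" || { echo "bad original address: $old" >&2; return 1; }
    valid_cidr "$new" || { echo "bad clone address: $new" >&2; return 1; }
    run ip addr add "$new" dev "$iface"
    run ip addr del "$old" dev "$iface"
    if [ -n "$gw" ]; then
        run ip route replace default via "$gw" dev "$iface"
    fi
}

# register_clone NAME DESCRIPTION NODES [CVM_SET] [EXPIRY MM/DD/YYYY]  (steps 5 and 6)
# hcl prompts for the Cloud Admin username and password because -u/-p are omitted.
register_clone() {
    name="$1"; desc="$2"; nodes="$3"; cvmset="${4:-}"; expiry="${5:-}"
    valid_node_list "$nodes" || { echo "bad node list: $nodes" >&2; return 1; }
    if [ -n "$expiry" ]; then
        run hcl updatecert -a -e "$expiry"
    else
        run hcl updatecert -a
    fi
    if [ -n "$cvmset" ]; then
        run hcl register -a -c -h "$name" -d "$desc" -z "$cvmset" "$nodes"
    else
        run hcl register -a -c -h "$name" -d "$desc" "$nodes"
    fi
}

# Usage (as root in the Advanced Access shell; DRY_RUN=1 previews the commands):
#   DRY_RUN=1 sh register-clone.sh 10.238.66.240/24 10.238.66.100/24 eth0 10.238.66.1 \
#       hq-vm-clone "Clone of HQ Server" 10.238.32.74,10.238.32.75
main() {
    [ "$#" -ge 7 ] || { echo "usage: $0 OLD_CIDR NEW_CIDR IFACE GATEWAY NAME DESC NODES [CVM_SET] [EXPIRY]" >&2; return 2; }
    readdress_iface "$1" "$2" "$3" "$4"
    register_clone "$5" "$6" "$7" "${8:-}" "${9:-}"
}
[ "$#" -eq 0 ] || main "$@"
```

Run it with DRY_RUN=1 first to confirm the ip and hcl command lines match what the procedure describes for your addresses, then without DRY_RUN to apply them; the address swap is ordered add-then-delete so a typo in the new address fails validation before the original address is removed.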