Updating KeyControl Vault Node IP Addresses on an Individual VM
If the KeyControl Vault nodes in a cluster change, you need to update the IP address list on each Policy Agent unless you have specified a KeyControl Mapping for the VMs. KeyControl Mapping changes are done through KeyControl Vault and are communicated to each associated VM on the VM's next heartbeat. For more information, see High Availability Between a VM and the KeyControl Vault Cluster.
Procedure
For each VM registered with this KeyControl Vault cluster:
- For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
- Enter the hcl updatekc kc_hostname[:port],kc_hostname[:port],kc_hostname[:port],... command, where kc_hostname,kc_hostname,kc_hostname... is a comma-separated list of the KeyControl Vault node IP addresses or hostnames and port is an optional port number (the default is port 443). If you are entering the command on Windows, use quotes around the list of hostnames.

  The first KeyControl Vault node in the list will be considered the primary node, and the VM will always attempt to reach KeyControl Vault through that node first. If that node is unavailable, the VM will try the other nodes in the list in order until it finds a KeyControl Vault node that it can communicate with.

  For example, if you want to specify the KeyControl Vault node named kc-chicago as your primary node and the nodes 10.238.66.234 and kc-bangalore on port 447 as your second and third nodes, you would specify:

  Linux:
  # hcl updatekc kc-chicago,10.238.66.234,kc-bangalore:447

  Windows:
  C:\> hcl updatekc "kc-chicago,10.238.66.234,kc-bangalore:447"

  (Note the " " around the hostname list for Windows.)

Important: The list you specify overwrites any existing list on the Policy Agent. So if the Policy Agent is currently connected to three KeyControl Vault nodes and you remove one, you must specify the two remaining nodes with the updatekc command. The third node will be removed automatically. Similarly, if you add a fourth KeyControl Vault node, you must specify all four IP addresses with the updatekc command. If you only specify the new KeyControl Vault node, then that becomes the only node that the Policy Agent will communicate with.
To verify the connection status, enter the hcl status command, as shown. The first line shows the KeyControl Vault that the VM is currently communicating with and the second line shows the three KeyControl Vault nodes available to the VM.
C:\> hcl status
Summary
---------------------------------------------------
KeyControl: kc-chicago:443
KeyControl list: kc-chicago:443,10.238.66.234:443,kc-bangalore:447
Status: Connected
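
Because the list passed to updatekc replaces the existing one, the safest way to add or remove a single node is to start from the list that hcl status currently reports and edit that. The shell helper below is an added example, not part of the vendor documentation or the Policy Agent. It assumes that hcl status on Linux prints the "KeyControl list:" line in the format shown above; the function names kc_norm, kc_current_list and kc_new_list are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): build the complete node list for `hcl updatekc`.
# SAMPLE_STATUS is constructed from the status output shown on this page.
SAMPLE_STATUS='Summary
---------------------------------------------------
KeyControl: kc-chicago:443
KeyControl list: kc-chicago:443,10.238.66.234:443,kc-bangalore:447
Status: Connected'

# Append the default port (443) when a node has none. IPv6 literals are not handled.
kc_norm() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '%s:443\n' "$1" ;;
    esac
}

# Extract the comma-separated node list from `hcl status` text on stdin.
kc_current_list() {
    sed -n 's/^[[:space:]]*KeyControl list:[[:space:]]*//p' | head -n 1
}

# kc_new_list CURRENT REMOVE ADD -> full list with REMOVE dropped and ADD appended.
# Pass "" for REMOVE or ADD to skip it. Order, and so the primary node, is kept.
kc_new_list() {
    current=$1; remove=$2; add=$3; out=
    [ -n "$remove" ] && remove=$(kc_norm "$remove")
    [ -n "$add" ] && add=$(kc_norm "$add")
    old_ifs=$IFS; IFS=,
    for node in $current; do
        node=$(kc_norm "$node")
        [ "$node" = "$remove" ] && continue
        [ "$node" = "$add" ] && continue   # avoid a duplicate entry
        out=${out:+$out,}$node
    done
    IFS=$old_ifs
    [ -n "$add" ] && out=${out:+$out,}$add
    [ -n "$out" ] || { echo "refusing to build an empty node list" >&2; return 1; }
    printf '%s\n' "$out"
}

# Demo: drop the second node and print the command to review and run as root.
list=$(printf '%s\n' "$SAMPLE_STATUS" | kc_current_list)
echo "hcl updatekc $(kc_new_list "$list" 10.238.66.234 "")"
```

On a real VM, pipe the output of hcl status into kc_current_list instead of the sample text, and on Windows quote the resulting list as described in the procedure.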