Configuring Additional KeyControl Vault Nodes

After the AWS instance is deployed, you need to configure the KeyControl Vault node using SSH. The following procedure describes how to configure the node as part of an existing KeyControl Vault cluster. If you want to configure this node as the first node in the KeyControl Vault cluster, see Configuring the First KeyControl Vault Node.

Before You Begin

Make sure that the new KeyControl Vault node can communicate with the KeyControl Vault nodes in the existing KeyControl Vault cluster. For details, see your AWS documentation.

Make sure you have the following information:

  • The Amazon instance ID for the new KeyControl Vault instance.
  • The Elastic (Public) IP address associated with the new instance.
  • The private key file (in pem format) that was used when the new instance was created.

    Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the KeyControl Vault instance in the table. In the Description tab, look at the Instance ID, IPv4 Public IP, and Key pair name fields.

  • The private IP address of one of the existing KeyControl Vault nodes in the cluster.

    Tip: To find this IP address, log into the KeyControl webGUI on one of the existing nodes and click Cluster in the top menu bar. Go to the Servers tab and look at the IP address in the table.

Procedure

  1. Open a terminal window and navigate to the directory in which you have stored the private key file. If you have not used this key file before, make sure the permissions are set to -r-------- (chmod 400).
  2. Log into the htadmin account on the KeyControl Vault instance using the private key file.

    ssh -i <key-file>.pem htadmin@<Elastic-IP-addy>

    where <key-file>.pem is the private key file for the key pair associated with the instance and <Elastic-IP-addy> is the public IPv4 address associated with the instance. Note the space between the key file name and htadmin@. For example, if your key pair is called KeyControl-Cluster-NorthAmerica.pem and the Elastic IP address is 52.18.58.35, you would enter:

    ssh -i KeyControl-Cluster-NorthAmerica.pem htadmin@52.18.58.35

  3. When prompted for the htadmin password, enter the Amazon instance ID for the KeyControl Vault instance that you are configuring.
  4. Enter a new password for the KeyControl Vault system administration account htadmin and press Enter. Password requirements are configured by a KeyControl Vault administrator in the System Settings.

    This password controls access to the Entrust KeyControl System Console that allows users to perform some KeyControl Vault administration tasks. It does not permit a KeyControl Vault user to access the full OS.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, KeyControl Vault does not provide a user-accessible password recovery mechanism.

  5. Use a web browser to navigate to https://<Elastic-IP-addy>, where <Elastic-IP-addy> is the Elastic IP address associated with the KeyControl Vault AWS instance. For security reasons, you must explicitly specify https:// in the URL.
  6. If prompted, add a security exception for the KeyControl Vault IP address and proceed to the KeyControl webGUI.

    KeyControl Vault uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see KeyControl Vault Certificates.

  7. On the HyTrust KeyControl Login page, enter secroot for the username and the AWS instance ID as the password.
  8. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
  9. On the Welcome to KeyControl Vault screen, click Join an Existing Cluster.

    The Join Existing Cluster window displays.

  10. On the Get Started page, review the overview information to determine that you are ready to begin. This includes:

    • Access to the cluster you are joining the node to. We recommend that you open the webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a KeyControl Vault administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing KeyControl Vault cluster.
    • Verifying that both this node and the cluster node are running the same KeyControl Vault version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  11. Click Continue.
  12. On the Download CSR page, click Generate and Download CSR.
  13. Click Continue.
  14. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  15. Select Actions > Add a Node.
  16. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  17. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  18. Click OK to close the Add a Node window.
  19. Return to the new node and click Continue.
  20. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: KeyControl Vault uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  21. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  22. When the node has successfully restarted, click Login.
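The following preflight helpers are an added example, not part of the Entrust documentation or product: they check the private key mode required in step 1, build the exact ssh invocation from step 2 (with the space before htadmin@) after validating the address, and confirm that an unpacked certificate bundle from step 17 contains exactly one .p12 and one .pem. Only stat, find and grep are assumed to be available.

```shell
#!/bin/sh
# Added preflight helpers for the join procedure (not Entrust's code).

# Step 1: the private key must be mode 0400. ssh refuses a key that is
# group- or world-readable, and a readable key is an exposed credential.
check_key_perms() {
  key="$1"
  [ -f "$key" ] || { echo "key file not found: $key" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as a fallback
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  if [ "$mode" != "400" ]; then
    echo "key $key has mode $mode; expected 400 (run: chmod 400 $key)" >&2
    return 1
  fi
}

# Accept only a dotted-quad IPv4 address with octets in 0..255, so a typo
# or stray shell text cannot send the login to an unintended host.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Step 2: print the ssh command to run. Arguments: key file, Elastic IP.
build_ssh_cmd() {
  is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
  printf 'ssh -i %s htadmin@%s\n' "$1" "$2"
}

# Step 17: after unzipping the bundle, the directory must hold exactly one
# encrypted SSL certificate (.p12) and one CA certificate (.pem).
check_bundle_dir() {
  dir="$1"
  p12=$(find "$dir" -maxdepth 1 -name '*.p12' | grep -c .)
  pem=$(find "$dir" -maxdepth 1 -name '*.pem' | grep -c .)
  if [ "$p12" -ne 1 ] || [ "$pem" -ne 1 ]; then
    echo "expected one .p12 and one .pem in $dir (found $p12 .p12, $pem .pem)" >&2
    return 1
  fi
}
```

Run `check_key_perms` and `build_ssh_cmd` before step 2, and `check_bundle_dir` on the unzipped bundle directory before uploading in step 20.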