Configuring the First KeyControl Vault Node

You need to configure the KeyControl Vault instance using SSH before you can use the KeyControl webGUI to configure and maintain your KeyControl Vault cluster.

The following procedure describes how to configure the first KeyControl Vault node in the cluster. If you are adding this node to an existing cluster, see Configuring Additional KeyControl Vault Nodes.

Before You Begin 

Make sure you have the following information:

  • The Amazon instance ID for the KeyControl Vault instance.
  • The Elastic (Public) IP address associated with the instance.
  • The private key file (in PEM format) that was used when the instance was created.

Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the KeyControl Vault instance in the table. In the Description tab, look at the Instance ID, IPv4 Public IP, and Key pair name fields.

Procedure 

  1. Open a terminal window and navigate to the directory in which you have stored the private key file. If you have not used this key file before, make sure the permissions are set to -r-------- (chmod 400).
  2. Log in to the htadmin account on the KeyControl Vault instance using the private key file.

    ssh -i <key-file>.pem htadmin@<Elastic-IP-addy>

    where <key-file>.pem is the name of the key pair associated with the instance and <Elastic-IP-addy> is the public IPv4 address associated with the instance. For example, if your key pair is called KeyControl-Cluster-NorthAmerica.pem and the Elastic IP address is 52.18.58.35, you would enter:

    ssh -i KeyControl-Cluster-NorthAmerica.pem htadmin@52.18.58.35

  3. When prompted for the htadmin password, enter the Amazon instance ID for the KeyControl Vault instance that you are configuring.

  4. Enter a new password for the KeyControl Vault system administration account htadmin and press Enter.

    This password controls access to the Entrust KeyControl System Console that allows users to perform some KeyControl Vault administration tasks. It does not permit a KeyControl Vault user to access the full OS. Password requirements are configured by a KeyControl Vault administrator in the System Settings.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, KeyControl Vault does not provide a user-accessible password recovery mechanism.

  5. On the System Configuration screen, select Install KeyControl Node and press Enter.

    The installer begins the installation and configuration process. When the installer is done, it displays the status of the install and basic system configuration information.

  6. After the installation process has finished, review the confirmation dialog. This dialog provides the public URL that can be used with the KeyControl webGUI as well as the private IP address that you can use if you want to add other KeyControl Vault nodes to this cluster. When you are ready, press Enter to finish the configuration process.
  7. To initialize the KeyControl webGUI for this cluster, do the following:

    1. Use a web browser to navigate to https://<Elastic-IP-addy>, where <Elastic-IP-addy> is the Elastic IP address associated with the KeyControl Vault AWS instance. For security reasons, you must explicitly specify https:// in the URL.
    2. If prompted, add a security exception for the KeyControl Vault IP address and proceed to the KeyControl webGUI.

      KeyControl Vault uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see KeyControl Vault Certificates.

    3. On the HyTrust KeyControl Login page, enter secroot for the username and the AWS instance ID as the password.
    4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
    5. On the Welcome to KeyControl Vault screen, click Continue as a Standalone Node.
    6. On the Change Password page, enter a new password for the secroot account and click Update Password.

    7. On the Configure E-Mail and Mail Server Settings page, specify your email settings.

      If you specify an email address, KeyControl Vault sends an email with the Admin Key for the new node. It also sends system alerts to this email address.

      To disable alerts, select the Disable e-mail notifications checkbox. You can then download the Admin Key from the Settings tab in the webGUI.

    8. When you are done, click Continue.

    9. On the Download Admin Key page, click the Download button to save the admin key locally. Please keep the admin key in a safe place for later use. When KeyControl Vault prompts for an admin key to recover your KeyControl Vault system, you must provide this admin key to proceed. If you do not have your admin key, you may lose your data.

      Note: Whenever the admin key is regenerated, KeyControl Vault forces you to download the admin key.

    10. On the Automatic Vitals Reporting page, specify whether you want to enable or disable Automatic Vitals Reporting.

      Automatic Vitals Reporting lets you automatically share information about the health of your KeyControl Vault cluster with Entrust Support. If you enable this service, KeyControl Vault periodically sends an encrypted bundle containing system status and diagnostic information to a secure Entrust server. Entrust Support may proactively contact you if the Vitals Service identifies issues with the health of your cluster.

      KeyControl Vault Security Admins can enable or disable this service at any time by selecting Settings > Vitals in the KeyControl webGUI. For details, see Configuring Automatic Vitals Reporting.

      Note: You cannot disable Automatic Vitals Reporting during the trial license period.

    11. When you are finished, click Continue.

      KeyControl Vault displays the KeyControl webGUI. For details about the tasks you can perform from the webGUI, see the Administration Guide.
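The following pre-flight check for steps 1 and 2 of the procedure is an added example, not part of the Entrust documentation. It tightens the private key file to mode 400, validates the Elastic IP address, and prints the ssh command from step 2; the function names are hypothetical, while the htadmin account and the sample values come from the procedure above.

```shell
#!/bin/sh
# Added example: pre-flight checks before the first SSH login (steps 1-2).
# Function names are hypothetical; htadmin and mode 400 come from the procedure.

# Print the octal permission bits of a file (GNU stat, then BSD/macOS stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Ensure the private key is a regular file with mode 400 (-r--------).
# OpenSSH refuses to use a private key that group or others can read.
prepare_key() {
    key=$1
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    if [ "$(key_mode "$key")" != "400" ]; then
        chmod 400 "$key" || return 1
    fi
    [ "$(key_mode "$key")" = "400" ]
}

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ssh command line from step 2 once both checks pass.
vault_ssh_cmd() {
    prepare_key "$1" && valid_ipv4 "$2" || return 1
    printf 'ssh -i %s htadmin@%s\n' "$1" "$2"
}

# Usage with the sample values from step 2:
#   vault_ssh_cmd KeyControl-Cluster-NorthAmerica.pem 52.18.58.35
```
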

What to Do Next