Configuring Additional KeyControl Vault Nodes

You can add a KeyControl Vault node running in the Azure environment to any other KeyControl Vault nodes running in any other environments as long as the Azure node can communicate with the other nodes in the cluster.

Before You Begin

  • Make sure you have the private SSH key file that matches the public SSH key that was specified when the instance was created.
  • Make sure you know the static public IP address associated with the Azure node.

    To find the public IP address, select All resources from the Azure Resource Manager dashboard, then click on the virtual machine name on which the KeyControl Vault node is running. The public IP address is displayed in the VM details section at the top of the page.

  • Make sure you know the IP address of one of the KeyControl Vault nodes already in the cluster.

    This IP address may not be the same as the public IP address. Make sure you verify the IP address before you attempt to add the node to the cluster.

    To find the correct IP address, log into the KeyControl webGUI with Domain Admin privileges and go to Cluster > Servers. The IP address for each KeyControl Vault node is listed in the table.

  • Make sure that the Azure node can communicate with the KeyControl Vault cluster in which you want to add the node. For details on setting up communication between the Azure VM and a KeyControl Vault VM running in a different Azure location or a different environment such as vSphere or AWS, see your Azure documentation.

Important: Azure might disconnect ssh sessions that are idle for more than 5 minutes. To prevent this, use the ServerAliveInterval and ServerAliveCountMax options on the ssh client command line to keep the session active during KeyControl Vault management.

We recommend using ssh CLI options to send a keepalive packet at an interval shorter than 5 minutes. Refer to the sshd_config man page for how to use the ServerAliveInterval and ServerAliveCountMax options. For example:

ssh -o ServerAliveInterval=180 -o ServerAliveCountMax=10 user@host
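The following pre-flight script is an added example, not part of the Entrust documentation or tooling: it checks the two session requirements this page sets before you log in (a keepalive interval below Azure's 5-minute idle cutoff, and a private key file restricted to mode 400 as required in step 1 of the procedure below), then prints the htadmin login command. The function names and the 180/10 defaults (taken from the example command above) are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for joining an Azure KeyControl Vault node (example only,
# not Entrust's tooling). Assumes POSIX sh and either GNU or BSD stat.

AZURE_IDLE_LIMIT=300   # Azure drops idle ssh sessions after about 5 minutes (seconds)

# key_perms_ok FILE: true only if the private key is mode 0400 (-r--------)
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "$mode" = "400" ]
}

# keepalive_ok INTERVAL: true if a keepalive is sent before Azure's idle cutoff
keepalive_ok() {
    [ "$1" -gt 0 ] && [ "$1" -lt "$AZURE_IDLE_LIMIT" ]
}

# ssh_cmd KEY IP [INTERVAL] [COUNT]: print the htadmin login command with keepalives
ssh_cmd() {
    key=$1; ip=$2; interval=${3:-180}; count=${4:-10}
    printf 'ssh -i %s -o ServerAliveInterval=%s -o ServerAliveCountMax=%s htadmin@%s\n' \
        "$key" "$interval" "$count" "$ip"
}

# preflight KEY IP [INTERVAL] [COUNT]: run both checks, then print the command to use
preflight() {
    interval=${3:-180}
    if ! key_perms_ok "$1"; then
        echo "error: $1 must be mode 400 (run: chmod 400 $1)" >&2
        return 1
    fi
    if ! keepalive_ok "$interval"; then
        echo "error: ServerAliveInterval=$interval is not below ${AZURE_IDLE_LIMIT}s" >&2
        return 1
    fi
    ssh_cmd "$1" "$2" "$interval" "${4:-10}"
}

# Usage: ./preflight.sh <key-file>.pem <Public-IP-addy> [interval] [count]
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```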

Procedure

  1. Open a terminal window and navigate to the directory in which you have stored the private key file. If you have not used this key file before, make sure the permissions are set to -r-------- (chmod 400).
  2. Log into the htadmin account on the KeyControl Vault instance using the private key file.

    ssh -i <key-file>.pem htadmin@<Public-IP-addy>

    where <key-file>.pem is the name of the private key associated with the instance and <Public-IP-addy> is the public IPv4 address associated with the instance. For example, if your private key is called KeyControl-Cluster-NorthAmerica.pem and the public IP address is 52.18.58.35, you would enter:

    ssh -i KeyControl-Cluster-NorthAmerica.pem htadmin@52.18.58.35

  3. When prompted for the htadmin password, enter the VM unique ID (vmId).

    You can find the vmId by either of the following methods:

    • Access the CLI by clicking the Cloud Shell icon in the Azure GUI, then type the following command:

      Azure:~$ az vm show -g <resource-group> -n <name> --query vmId

      The query name is case-sensitive: type vmId with lower-case v, m, and d and an upper-case I.

    • Open the JSON View link from the VM's Essentials information screen and locate the vmId.

  4. Enter a new password for the KeyControl Vault system administration account htadmin and press Enter.

    This password controls access to the Entrust KeyControl System Console that allows users to perform some KeyControl Vault administration tasks. It does not permit a KeyControl Vault user to access the full OS. Password requirements are configured by a KeyControl Vault administrator in the System Settings.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, KeyControl Vault does not provide a user-accessible password recovery mechanism.

  5. Use a web browser to navigate to https://<Public-IP-addy>, where <Public-IP-addy> is the Public IP address Azure assigned to the KeyControl Vault VM. For security reasons, you must explicitly specify https:// in the URL.
  6. If prompted, add a security exception for the KeyControl Vault IP address and proceed to the KeyControl webGUI.

    KeyControl Vault uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see KeyControl Vault Certificates.

  7. On the HyTrust KeyControl Login page, enter secroot for the username and enter the VM unique ID (vmId) for the password.
  8. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
  9. On the Welcome to KeyControl Vault screen, click Join an Existing Cluster.

    The Join Existing Cluster window is displayed.

  10. On the Get Started page, review the overview information to determine that you are ready to begin. This includes:

    • Access to the cluster you are joining the node to. We recommend that you open the webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a KeyControl Vault administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing KeyControl Vault cluster.
    • Verifying that both this node and the cluster node are running the same KeyControl Vault version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  11. Click Continue.
  12. On the Download CSR page, click Generate and Download CSR.
  13. Click Continue.
  14. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  15. Select Actions > Add a Node.
  16. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  17. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  18. Click OK to close the Add a Node window.
  19. Return to the new node and click Continue.
  20. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: KeyControl Vault uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  21. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  22. When the node has successfully restarted, click Login.

What to Do Next

For details about additional KeyControl Vault configuration options and your data encryption options, see the Administration Guide.