Creating a Cloud Admin User Account

When you register a Entrust KeyControl Policy Agent, you need to specify a KeyControl user account with Cloud Admin privileges. While you can use the default secroot account, we recommend that you make a separate account with just the  Cloud Admin permissions to use for this purpose. To make a Cloud Admin user account:

  1. Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.
  2. In the top menu bar, click Users.
  3. Select Actions > Create User.

  4. Enter the following information. All fields are required.

    Field Description
    Full Name

    The full name of the user associated with the account. This name is included on any audit log messages generated by that user's activity. Therefore, we recommend that you specify a unique full name for each KeyControl user.
    Email

    If your system is configured to send email alerts, they will be sent to this email address. The alerts a user sees depends on their user role and group access.

    Account Decay

    The amount of time an account can stay enabled without logging in. The default and maximum value is 10 years from the last login date.

    If the user does not log in within that time period, KeyControl automatically disables the account, but does not delete it. You will need to contact Entrust Support to re-enable the account.

    Account Enabled

    Check this box to have the account be available as soon as you create it. If you clear this check box, KeyControl sets the account status to Disabled and you will need to manually enable it through the webGUI.
  5. Click Add.
  6. When you see the User Successfully Added message, click Close.

  7. On the Authentication tab, select the type of authentication you want to use.

    Authentication Method Description
    Locally by KeyControl
    1. In the Authentication drop-down list, select Local.
    2. In the Password and Repeat Password fields, enter the password for this user account.

    3. In the Password Expiration field, enter the date on which the password should expire. Once this date is reached, the user will be prompted to enter a new password the next time they log into KeyControl.

      The expiration date cannot be longer than the number of days defined in the default local authentication settings. For more information, see Configuring Local Authentication Settings.

      Tip: If you want to force the user to change their password the first time they log in, select a date in the past for the Password Expiration date.

    Externally by an LDAP authentication server

    In the Authentication drop-down list, select LDAP.

    KeyControl does not currently support individual LDAP settings. Instead, every LDAP user account must use the global LDAP configuration.

  8. When you have finished specifying the authentication method, click Next.

  9. On the Privileges and Groups tab:

    1. Check the Cloud Admin checkbox.

      If you want this account to have additional privileges, you can also check the Security Admin or Domain Admin check boxes. For details, see Creating a New KeyControl-Managed User Account.

    2. In the Available Groups list box, click Cloud Admin Group, then click the right arrow above the list box. This group should move to the Assigned Groups list box.

      If desired, select any other groups to which this account should belong.

    3. Click Create.
  10. When you see the User Successfully Created message, click Close.

What to Do Next 

Install the HyTrust DataControl Policy Agent on the VM you want to encrypt and register it with KeyControl.