Linking KeyControl with HTCC

If you want to use the BoundaryControl feature for VMs in a Cloud VM Set or you want to link KMIP-client VMs to the KMIP objects they create in the KeyControl KMIP server, you need to link KeyControl to one or more HyTrust CloudControl (HTCC) servers. HTCC can then be used to configure rules and policies for the VMs in the associated Cloud VM Set while the Inventory feature tracks which client VMs go with which KMIP objects.

Each Cloud VM Set in KeyControl can be linked to a specific HTCC server, allowing you to select the best HTCC server for the VMs in each Cloud VM Set.

Before You Begin 

• Make sure you know the hostname or IP address of one or more HyTrust CloudControl servers to which you want to connect.
• Make sure that the license for HTCC has the Boundary Control feature enabled.
• If you are using HTCC version 5.1 or later, establishing the connection between KeyControl and HTCC requires a one-time password generated by a HTCC user with AppLink Management privileges. This one-time password is valid for 10 minutes after it is generated. Make sure that you can get the password from your HTCC administrator and enter it into KeyControl within that time.
• If you are using HTCC version 5.0 or 4.6, establishing the connection requires the login credentials for a HTCC account with the ASC_BCAdmin user role.

• Make sure that the latest version of VMware Tools is installed on each VM that will be associated with a BoundaryControl-enabled Cloud VM Set.

Procedure 

1. If you are using HTCC version 5.1 or later, log into HTCC using an account with AppLink Management privileges and do the following:

   1. Select Configuration > App Links.
   2. On the One Time Code tab in the Select Role for App Link drop-down, select ASC_AppLinkAdmin.
   3. When you are ready to transfer the code to KeyControl, click Submit.
   4. Copy the one-time code displayed in the Code field.

2. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.

3. In the top menu bar click Settings.
4. In the System Settings section, click HTCC App Link.

5. On the HTCC App Link page, select Actions > Link and specify the options you want to use.

   Options

   Field	Description
   Host	The hostname or IP address and port number for the HTCC server, in the form hostname or IP address:port-number. When connecting to the server, KeyControl automatically prepends HTTPS:// to this field.
   Protocol	The protocol should match the version of HTCC that you are using. The default is HTCC 5.1.
   SSL Verify	If Yes, the certificate for the HTCC server is verified every time contact between KeyControl and HTCC is established. If the KeyControl certificate changes, the connection will fail. If No, the HTCC server certificate is only checked when the initial connection is established. The default is Yes.
   One Time Code	If Protocol is set to HTCC 5.1 or higher, enter the App Link code generated in HTCC.
   Username Password	If Protocol is set to HTCC 5.0 or HTCC 4.6, enter the username and password for a HTCC user account with the ASC_BCAdmin user role.

6. When you are finished, click Create.
7. If the connection information is correct, KeyControl displays the HTCC certificate. Verify that the certificate is correct and that it is linked to the expected server. If is it correct, click Yes.
8. If desired, repeat this procedure to add a link to another KeyControl server.

What to Do Next 

To enable the BoundaryControl feature on a VM, you must first create a Cloud VM Set with BoundaryControl enabled and then add the VM to that set. For details, see Creating a Cloud VM Set. For information about the KeyControl KMIP server, see KMIP Client and Server Configuration.