Linking KeyControl with CloudControl

If you want to use the BoundaryControl feature for VMs in a Cloud VM Set or you want to link KMIP-client VMs to the KMIP objects they create in the KeyControl KMIP server, you need to link KeyControl to one or more HyTrust CloudControl servers. CloudControl can then be used to configure rules and policies for the VMs in the associated Cloud VM Set while the Inventory feature tracks which client VMs go with which KMIP objects.

Figure: KeyControl KMIP Server Objects with the CloudControl Identifier

Each Cloud VM Set in KeyControl can be linked to a specific CloudControl server, allowing you to select the best CloudControl server for the VMs in each Cloud VM Set.

Before You Begin 

• Make sure you know the hostname or IP address of one or more HyTrust CloudControl servers to which you want to connect.
• Make sure that the license for CloudControl has the BoundaryControl feature enabled.
• If you want KeyControl to verify the CloudControl certificate every time it connects to CloudControl, make sure that the SSL certificate installed in CloudControl includes the entire certificate chain, starting from the root CA certificate. When SSL Verify is enabled, KeyControl expects the entire CloudControl certificate chain when it communicates with CloudControl.
• If you are using CloudControl version 5.1 or later, establishing the connection between KeyControl and CloudControl requires a one-time password generated by a CloudControl user with AppLink Management privileges. This one-time password is valid for 10 minutes after it is generated. Make sure that you can get the password from your CloudControl administrator and enter it into KeyControl within that time.
• If you are using CloudControl version 5.0 or 4.6, establishing the connection requires the login credentials for a CloudControl account with the ASC_BCAdmin user role.

• Make sure that VMware Tools is installed on each VM that will be associated with the a BoundaryControl-enabled Cloud VM Set. While any VMware-supported version of the tools will work, we recommend that you keep VMware Tools up to date.

Procedure 

1. If you are using CloudControl version 5.1 or later, log into CloudControl using an account with AppLink Management privileges and do the following:

   1. Select Configuration > App Links.
   2. On the One Time Code tab in the Select Role for App Link drop-down, select ASC_AppLinkAdmin.
   3. When you are ready to transfer the code to KeyControl, click Submit.
   4. Copy the one-time code displayed in the Code field.

2. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.

3. In the top menu bar click Settings.
4. In the System Settings section, click App Links.
5. On the App Links page, select Actions > Link HTCC.

6. In the Create a New Link dialog box, specify the options you want to use.

   Options

   Field	Description
   Host	The hostname or IP address and port number for the CloudControl server, in the form hostname or IP address:port-number. When connecting to the server, KeyControl automatically prepends HTTPS:// to this field.
   Protocol	The protocol should match the version of CloudControl that you are using.
   SSL Verify	If Yes, the certificate for the CloudControl server is verified every time contact between KeyControl and CloudControl is established. If the KeyControl certificate changes, the connection will fail. If No, the CloudControl server certificate is only checked when the initial connection is established. The default is Yes. Important: If you select Yes, KeyControl expects the entire certificate chain from CloudControl when it connects. Make sure that the SSL certificate installed in CloudControl includes the entire certificate chain, starting from the root CA certificate.
   One Time Code	If Protocol is set to HTCC 5.1 or higher, enter the App Link code generated in CloudControl.
   Username Password	If Protocol is set to HTCC 5.0 or HTCC 4.6, enter the username and password for a CloudControl user account with the ASC_BCAdmin user role.

7. When you are finished, click Create.
8. If the connection information is correct, KeyControl displays the CloudControl certificate. Verify that the certificate is correct and that it is linked to the expected server. If is it correct, click Yes.

9. If desired, repeat this procedure to add a link to another CloudControl server.

What to Do Next 

If you are enabling the BoundaryControl feature for the first time, create one or more Cloud VM Sets with the BoundaryControl feature enabled and then add the desired VMs to one of those sets. For details, see Creating a Cloud VM Set.

If you want to use this App Link for an existing Cloud VM Set that already has the BoundaryControl feature enabled, you can select it from the Boundary Control drop-down list in the Details area for the Cloud VM Set. For details, see Changing Cloud VM Set Properties.