Changing the Properties for a Specific VM

When you add a VM to a Cloud VM Set, the VM inherits the settings for most of its property settings from the global defaults specified for the associated Cloud VM Set. (The only exception is the Description, which is set when you register the VM with KeyControl.) You can override the global defaults for individual VMs as required. For details about setting the global defaults, see Creating a Cloud VM Set.

1. Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.
2. In the top menu bar, click Cloud.
3. Select the VM whose properties you want to set and click the Expand button (>) at the end of the row.

4. On the Details tab, specify the options you want to use.

   Options

   Option	Description
   Description	A user-defined string identifying this VM.
   Certificate Valid Until	The date on which the certificate for this VM will expire. To have KeyControl automatically renew the certificate, set the Certificate Auto Renewal Period option, described below.
   Heartbeat	The length of time between the heartbeats each VM in the set sends to KeyControl to verify that the connection between them is functioning normally. You can specify seconds, minutes, hours, or days. The default is 5 minutes. This value should be set to a minimum of 10 seconds. If changes have been made to the VMs through the KeyControl webGUI, those changes are communicated to the VMs during the heartbeat. That means if the heartbeat is set to 5 minutes, then it can take up to 5 minutes for any changes made in the KeyControl webGUI to be applied to the VMs in the set. If a VM cannot reach KeyControl during the heartbeat, the VM continues to run but any changes made in KeyControl are not picked up by the VM until the next successful heartbeat. KeyControl sets the status of the VM to Unreachable, but it takes no further action unless the heartbeat continues to fail after the Grace Period has expired.
   Grace Period	The length of time that can pass without a successful heartbeat. The default is 1 day. You can specify the grace period in seconds, minutes, hours, or days. If a VM remains unresponsive past the grace period, access to the data on the VM will be unavailable until the VM is re-authenticated with KeyControl.
   OS	The operating system running on the VM.
   HyTrust Agent Version	The version of the HyTrust DataControl Policy Agent running on the VM.
   Rekey Interval	If you specify any value other than 0 (zero) for this option, KeyControl periodically creates a rekey task for every encrypted disk in the Windows VM. You can select any number of days, weeks, months, or years and KeyControl will automatically rekey the Windows disks on that schedule. To disable Auto Rekey, enter 0 in this field. By default, Auto Rekey is disabled. Note: The Auto Rekey feature only works with Windows disks. If you enable Auto Rekey for a Linux VM, this feature will be ignored and the Linux disks will not be automatically rekeyed.
   Certificate Auto Renewal Period	If you want KeyControl to automatically renew the certificate for a VM in this Cloud VM Set, enter an integer greater than zero in this field. KeyControl will renew the certificate that many days before the old one expires. For example, if you enter a value of 5 in this field and a VM certificate is set to expire on June 12, 2019, KeyControl will renew the license on June 7, 2019. The default is 10 days. To change the renewal period, click the existing value and enter a new value in the text field, then select days/weeks/months/years from the drop-down list. When you are finished, click Save. If you want to disable certificate auto-renewal, enter 0 (zero) in this field.
   Mapping	The KeyControl Mapping associated with this VM, if any. For details, see Creating a KeyControl Mapping.
   Single Encryption Key State	Whether the Single Encryption Key (SEK) option is enabled or disabled for the Cloud VM Set with which this VM is registered. For details, see Data Deduplication with Cloud VM Sets.

5. On the Reauthentication Settings tab, you can change any of the following options by clicking the entry in the field, setting the new value, and then clicking Save. You must click Save after each change or your changes will be lost when you select a different field.

   Options

   Option	Description
   Reauthentication on IP Change	Whether the VM must be re-authenticated when the VM's IP address changes. The default is No.
   Reauthentication on H/W Signature Change	Whether the VM must be re-authenticated if its MAC address or UUID changes. The options are: Yes — If either the MAC address or the UUID changes, the VM requires reauthentication. This is the default. We recommend that you do not change this option. Permissive — Both the MAC address and the UUID must change before the VM requires reauthentication. No — KeyControl does not require reauthentication if VM's MAC address or UUID changes. We strongly recommend that you do not select this option. If you do, a cloned or misconfigured VM could gain access to the keys associated with the original VM. If you do select this option, you must confirm the selection before you can proceed. If KeyControl detects multiple VMs with the same MAC address and UUID combination when hardware validation is off, KeyControl generates an alert every 8 hours until the cloned VMs stop heartbeating or hardware authentication is set to Yes or Permissive. In addition, KeyControl generates an alert when client operations, such as key access or device registration, occur on the cloned VMs. Note: If this VM is a Master vSphere VDI VM, this option should always be Yes. If it is set to No, KeyControl may not be able to tell the Master VM from its clones. For details, see VMware vSphere VDI Encryption.
   Reauthentication on Reboot	Whether the VM must be re-authenticated every time it reboots. The default is No. Setting this value to Yes is similar to requiring a boot-time password before the VM can come up completely.