KeyControl Installation on AWS

Deploying an Initial KeyControl node

To begin with, you need to have an existing account on Amazon Web Services. You will start by logging in to that account.

Log on to Amazon Web Services

1. Point your browser at: https://aws.amazon.com/
2. On the menu bar, select Console > My Account Console. Your company name should already be filled in.
3. Enter the User Name and Password that your Security Administrator supplied to you. Note that your User Name does not have a domain (@companyname.com, for example). The Services menu appears.

4. Click Services > EC2.

   

Select a Region

1. Log on to your EC2 account.
2. Navigate to the EC2 Console Dashboard.

3. At the top right of the EC2 Dashboard, click your deployment region from the drop-down list. In the example below, US West (Oregon) is chosen, but you should choose based on your needs.

   

Create a Key Pair

1. From the EC2 Dashboard, click Key Pairs from the navigation panel.

2. Click Create a Key Pair.

   

3. Create a name for the Key Pair.
4. Click Create.

5. The private key file is created and you may get the option to Open it or Save it. Choose Save File, if you have that option. The likelier case is that it is downloaded automatically. The screen shot below shows the Firefox download dialog box.

   The Key Pair is automatically downloaded by your browser as a .pem file into the default download location for your system. Save your .pem file. The base file name is the name you specified as the name of your Key Pair, and the file name extension is .pem. Save the private key file in a safe place; you will refer to it at various points in your interaction with your system.

   

Create a VPC

1. Navigate to Console Home (yellow cube) at top left of the Dashboard.
2. Under Networking, click VPC (Isolated Cloud Resources).

3. From the VPC Dashboard, click Start VPC Wizard.

   

4. Click Select to set up VPC with a Single Public Subnet.

   

5. By default, when a VPC is created, an Internet Gateway is automatically assigned to it. If the assigned gateway and/or IP block is insufficient, you can modify the IP block and subnet information according to your needs. You can also create a new Internet Gateway and assign it to your VPC.

   Note:

   In order for two VPCs to communicate, there should not be any overlapping IP addresses between the two VPCs. A good example is 50.0.0.0/16 and 100.0.0.0/16.

6. Give your VPC a name.

   

7. Click Create VPC, and then click OK. Note the VPC ID.

   

Create a Security Group

As part of VPC creation a default Security Group is assigned to your VPC. For KeyControl communication, it is recommended to create a Security Group that only enables certain inbound services/ports.

1. From the VPC Dashboard, under Security, click Security Groups.
2. Click Create Security Group.
3. Create a Name and Description for the Security Group.

4. Select the VPC ID from the drop-down list, selecting the VPC that was just created above. Make sure No VPC is NOT selected.

   

5. Click Yes, Create.

Add Rules to the Security Group

1. In the Security Group page, click the Security Group that was just created.

2. Click the Inbound Rules tab and make sure that the following rules exist and that the Source IP address list is properly configured. If the Source column shows 0.0.0.0/0, that means those ports are open to the world. It is the responsibility of the administrator to set these ports to the specific IP addresses that require access to the KeyControl cluster.

   Type	Protocol	Port Range	Source
   SSH (22)	TCP (6)	22	IP address list
   HTTPS (443)	TCP (6)	443	IP address list
   Custom TCP Rule	TCP (6)	2525	IP address list
   Custom TCP Rule	TCP (6)	6666	IP address list
   Custom TCP Rule	TCP (6)	8443	IP address list
   Custom UDP Rule	UDP (17)	123	IP address list

   If your KeyControl nodes do not reside in the same VPC (that is, if they reside in different availability zones, or different regions, or on a different VPC in the same availability zone) you must add rules to your Security Group so that each node allows inbound network traffic from the VPC subnet of other KeyControl nodes.

   For example if your KeyControl_Node1 resides in a VPC with subnet 172.31.68.0/24 and KeyControl_Node2 resides in another VPC with subnet 90.232.96.0/24, then the Security Group rule for KeyControl_Node1 must allow:

   • Inbound network traffic from 90.232.96.0/24 (or a range containing KeyControl_Node2) for the protocols/ports listed above.
   • Similarly, KeyControl_Node2 must allow inbound network traffic from 172.31.68.0/24 (or a range containing KeyControl_Node1).
3. Click Save.

Create an EIP Address

AWS has two separate pools for Elastic IP (EIP) addresses: one pool is for EC2-Classic, and the other for EC2-VPC. It is crucial to allocate the EIP for KeyControl from the EC2-VPC pool.

1. From the VPC Dashboard (Services > VPC ),click Elastic IPs.

   

2. Click Allocate New Address.

   It should display that the EIP is for VPC usage and not EC2. This appears in the Scope column.

3. Click Yes, Allocate. Make a note of the allocated EIP.

   

Launch an Instance

1. From VPC Dashboard, click Launch EC2 Instances.

   

2. From Step 1: Choose an Amazon Machine Image (AMI) dialog box, click AWS Marketplace, and type HyTrust in the search box. Press Enter:

   

3. A list of HyTrust DataControl AMIs appears. Read the descriptions, and pick one by clicking Select. For this tutorial, we clicked the first one listed, HyTrust DataControl for AWS 5VM.

   

4. The Pricing Details page appears, which outlines the costs of various instances. Click Continue.

5. The Step 2: Choose an Instance Type dialog box appears.

   

6. From the list of Instance Types, click m3.large or whatever best fits your bandwidth/latency requirements.
7. Click Next: Configure Instance Details.

8. The Step 3: Configure Instance Details dialog box appears.

   

9. Select your VPC ID as the Network used for launch.
10. Number of instances should be 1.
11. Make sure Auto-assign Public IP is NOT set. Click Disable.
12. Click Next: Add Storage.

13. The Step 4: Add Storage dialog box appears.

    

14. Root device with all defaults works fine. There is no need to change anything.
15. Click Next: Tag Instance.

16. The Step 5: Tag Instance dialog box appears.

    

17. If you wish to add key-value tags to your instance, do so.
18. Click Next: Configure Security Group.

19. The Step 6: Configure Security Group dialog box appears.

    

20. In Assign a Security Group click Select an existing Security Group.
21. Select the Security Group you created above.
22. Click Review and Launch.

23. The Boot from General Purpose (SSD) dialog box appears.

    

24. Click on your choice of boot volume for this instance, and then click Next.

25. The Step 7: Review and Launch dialog box appears.

    

26. Review your settings, paying particular attention to the IP address ranges you have open to external browsers. Your current settings, set at 0.0.0.0/0, are "open to the world."
27. When you are satisfied with your settings, click Launch.

28. The Select an existing key pair or create a new key pair dialog box appears:

    

• When asked to click a Key Pair, click Choose an existing Key Pair.
• Select the Key Pair that you created earlier.
• Click the checkbox acknowledgment that you have access to this Key Pair.

• Click Launch instances. AWS displays a message that the instance is launching and displays the instance ID. Make a note of the ID, as it will be your initial KeyControl password.

  

Connect to KeyControl

Use ssh to log into the new KeyControl menu system. You will use the key pair associated with the VPC and the EIP associated with the instance. Use the login ID sysmenus. The initial password is the instance ID shown above. Issue the following command from your UNIX shell:

• # ssh -i <my_key> -l sysmenus <my_EIP>

• When you are prompted for the sysmenus password, enter the instance ID of your VM as shown above. You are then prompted to change the sysmenus password. Passwords must be a minimum of eight characters.

• The menus to which the root/password combination enables access are where diagnostics and settings can be manipulated for this system during its lifetime. Without the password, access to the system for these tasks is impossible. It is critical that the password be stored safely somewhere.

  Note that this is not a general login account. Since this is a secure node, you cannot get a shell prompt, and only have access to a basic menu system that allows for hardware change, network setup and general debugging capabilities. We cover these topics later.

• The last step in configuration is choosing whether you are going to add this new KeyControl instance as a new node to an existing cluster:

  

• If this is your first KeyControl node, select No. The installer completes and displays a message stating that the the system has been configured and pointing you to the webGUI interface. Make a note of this IP address, as you will need to use it to configure your KeyControl system.

  

• If you want to add this KeyControl instance as a new node in an existing cluster, select Yes and follow the prompts.
• After this, you are brought to the main System Console Menu. At this point you can choose to log out. Remember that further access to the system menus requires the password that you just set up.

Initializing the KeyControl webGUI

The first time you log into the webGUI for a KeyControl node, you need to do some basic initialization. After this process is complete, you can log directly into the webGUI without going through these steps.

1. Use a web browser to navigate to the IP address assigned to the KeyControl node during installation.

   Tip:

   If you do not know the IP address for the node, from the main System Console Menu select Manage Network Settings > Show Current Network Configuration.

2. If prompted, add a security exception for the KeyControl IP address and proceed to the KeyControl webGUI.

   KeyControl uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see KeyControl Certificates.

3. On the HyTrust KeyControl Login page, enter secroot for the username and the instance ID for your VM as the password.

   Tip:

   If you do not know the instance ID, look at the list of sessions in AWS. The instance ID is listed in that table.

4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.

5. On the Change Password page, enter a new password for the secroot account.

6. On the Configure E-Mail and Mail Server Settings page, specify your email settings.

   If you specify an email address, KeyControl sends an email with the Admin Key for the new node. It also sends system alerts to this email address.

   To disable alerts, select the Disable e-mail notifications checkbox. You can then download the Admin Key from the Settings tab in the webGUI.

7. When you are done, click Update Mail Settings.

   KeyControl displays the KeyControl webGUI. For details about the tasks you can perform from the webGUI, see the HyTrust DataControl Administration Guide.