Joining or Re-joining a KeyControl Cluster

When you install KeyControl, you can specify whether you want to configure the node as the first node in the system or add it to an existing cluster.

If you ever need to change the node's cluster assignment, or you need to re-join a node with its previous cluster, you can do so using the KeyControl System Console Menu TUI (Text-based User Interface) installed on the node. You do not need to re-install the KeyControl software.

Warning: When a node is added to a cluster, any existing configuration data and encryption keys are permanently deleted and cannot be restored. If this node was previously part of a different cluster or was used in standalone mode, make sure you do not need the encryption keys stored on this node before you add it to the new cluster.

Before You Begin 

  • Make sure you know the IP address of any KeyControl node that is already part of the cluster you want to join.
  • If the node is currently part of a different cluster, you should remove the node from the original cluster so that the original cluster does not become degraded. For details, see Removing a KeyControl Node from a Cluster.
  • If you are re-joining a node to an existing cluster and you are using an externally signed SSL certificate for KeyControl, make sure that you use the same hostname for the KeyControl node that it had originally. If you change the hostname, you will need to reinstall the externally signed SSL certificate on that node.

Procedure 

  1. Log in as root on the server hosting the KeyControl node.

    KeyControl displays the System Console Menu TUI (Text-based User Interface).

  2. From the main System Console Menu, select Join or Re-join a KeyControl Cluster and press Enter.
  3. KeyControl displays a prompt explaining that you will need the IP address of one of the nodes in the cluster. Press Enter to acknowledge the message and continue.
  4. Type the IP address of any KeyControl node already in the cluster and press Enter.
  5. If prompted, type a one-time passphrase for this KeyControl node and press Enter.

    The passphrase must contain at least 16 characters. It is a temporary string used to encrypt the initial communication between this node and the existing KeyControl cluster. When you authenticate the new node with the existing cluster, you will specify this passphrase in the KeyControl webGUI so that the existing node can decrypt the communication and verify that the join request is valid.

    If the wizard can connect to the designated KeyControl node, it displays the Authentication screen informing you that the node is now part of the cluster but must be authenticated in the KeyControl webGUI before it can be used by the system.

  6. Authenticate the node in the KeyControl webGUI as described in Authenticating New KeyControl Nodes.

    The Authentication screen displays a series of messages beginning with Successfully Authenticated and ending with Cluster Setup Complete after you begin the authorization process in the webGUI.

  7. Once the authentication process is finished, KeyControl displays the HyTrust SecureOS Appliance Configuration screen with a message stating that the node was successfully added to the cluster and showing the IP address for the node. Press Enter to acknowledge the message.
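
The one-time passphrase in step 5 protects the initial communication between the joining node and the cluster, so it is better generated randomly than invented at the keyboard. The following is an added example, not part of the KeyControl documentation or product: a small generator run on the administrator's workstation, assuming that letters and digits are accepted by both the console prompt and the webGUI. The function names and the default length of 24 are choices made for this example.

```python
import math
import secrets

# Minimum length stated in step 5 of the procedure.
MIN_LENGTH = 16

# Assumption: letters and digits are accepted by both prompts. Look-alike
# characters (0/O, 1/l/I) are left out because the value is typed by hand
# twice: once in the System Console Menu and once in the webGUI.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_passphrase(length=24):
    """Return a random one-time passphrase drawn from ALPHABET via the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"passphrase must contain at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random passphrase of the given length."""
    return length * math.log2(len(set(alphabet)))


def group(passphrase, size=4):
    """Split into blocks to make transcription easier; type it without the spaces."""
    return " ".join(passphrase[i:i + size] for i in range(0, len(passphrase), size))


if __name__ == "__main__":
    p = generate_passphrase()
    print("Passphrase:", p)
    print("Grouped   :", group(p))
    print(f"Entropy   : {entropy_bits(len(p)):.0f} bits")
```

Generate a fresh value for each join and discard it once the node has been authenticated.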

What to Do Next 

If necessary, update the list of KeyControl IP addresses on the VMs associated with this cluster. If you are maintaining the list of IP addresses on the VMs, see Updating KeyControl Node IP Addresses on an Individual VM. If you are using KeyControl Mappings, see Changing a KeyControl Mapping.