Deploying Additional KeyControl Nodes

The following procedure describes how to deploy a KeyControl node that you intend to add to an existing KeyControl cluster. If you want to deploy a KeyControl node that will become the first node in a new cluster, see Deploying the First KeyControl Node.

Note: The following procedure is based on the 2018 AWS Console interface. If your version of the AWS Console is different from what is described below, please see your AWS documentation.

Before You Begin 

If you want to use an existing VPC for the new node that is different from the VPC used for the first KeyControl node, make sure that you have set up VPC-to-VPC communication between the VPCs. This includes configuring a Peering Connection and setting the correct Routing Table information. For details, see your AWS documentation.

If you want to use the same VPC for the new node as you used for the first node, make sure you know the following information:

  • The region in which the first node is deployed.
  • The VPC assigned to the first node.
  • The Security Group assigned to the first node.

Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the first KeyControl node in the table. In the Description tab, look at the VPC ID and Security groups fields.

Procedure 

  1. Open a web browser and navigate to the Amazon Web Services login page for your company. The default login page is https://aws.amazon.com/.
  2. Log in to the AWS Management Console with your AWS user name and password.
  3. In the top menu bar just after your login name, select the Region into which you want to deploy the KeyControl node. If you want to use the same VPC as the first KeyControl node, you must deploy the new node in the same region as the first node.

  4. If you have an existing VPC that you want to use for the KeyControl node, proceed to the next step. Otherwise, create a new VPC.

  5. In the top menu bar, select Services > Compute > EC2.
  6. Click the blue Launch Instance button.
  7. In the Step 1: Choose an Amazon Machine Image (AMI) page, click AWS Marketplace in the left-hand pane.
  8. Search the Marketplace for "HyTrust" and select one of the following:

    • HyTrust DataControl for AWS BYOL (Bring Your Own License). With this option, you can try DataControl for a limited time, but then you must supply license information from HyTrust. We recommend that you select this option, as HyTrust can tailor the license to meet your needs.
    • HyTrust DataControl for AWS 5VM. With this option, AWS provides a licensed copy of DataControl for an hourly or yearly fee.
  9. Review the details of the version you selected and click Continue.
  10. In the Step 2: Choose an Instance Type page, select an instance type. For optimal performance, we recommend that you select a general purpose or compute optimized instance type with SSD instance storage, such as m3.large or c3.large. The KeyControl system resource recommendations are:

    Resource   Demo or Proof of Concept   Standard Installation   Large Installation
    CPUs       2                          2                       4
    RAM        1 GB                       8 GB                    16 GB
    Disk       GB                         GB                      GB
  11. After you have selected the type, click Next: Configure Instance Details.
  12. On the Step 3: Configure Instance Details page, set the following options:

    • Number of Instances — Specify the number of instances you want to launch in this field. All instances will run in the same region using the same VPC and instance settings.

    • Network — Select the VPC you want to use for the KeyControl node.
    • Set all other options on this page according to your corporate standards.
  13. When you are done, click Next: Add Storage.
  14. On the Step 4: Add Storage page, set the following options:

    • Volume Size — Set the size of the disk based on your configuration requirements. The default setting of 20 GB should work for most KeyControl installations.
    • Volume Type — For optimal performance, we recommend setting the volume type to one of the SSD options instead of the default Magnetic volume.
    • Delete on Termination — If you select this option and the instance is deleted, all keys stored on this KeyControl node will be deleted as well. In a single node configuration, this means that encrypted data cannot be decrypted, as the keys will be lost. If you want to use this option, make sure all data is decrypted before the instance is deleted.
  15. When you are done, click Next: Add Tags.
  16. On the Step 5: Add Tags page, click Add Tag and enter a Name tag for the instance:

    • Key — Enter "Name".
    • Value — Enter the name for this KeyControl node.

    Add any other tags as desired.

  17. When you are done, click Next: Configure Security Group.
  18. In the Step 6: Configure Security Group page, do the following:

    1. Make sure that the Assign a security group field is set to Create a new security group.

      Note: You can use an existing security group as long as all of the required ports are open in that security group.
    2. Optionally enter a custom security group name and description in the Security group name and Description fields.
    3. For each of the required entries in the security group, set the Source IP addresses or security groups that can communicate with KeyControl through the associated ports. We strongly recommend that you do not use the default 0.0.0.0/0 notation, which indicates that the ports are open to the world.

     KeyControl requires the following ports:

    Type               Protocol   Port Range   Source
    SSH (22)           TCP        22           IP address list or another security group
    HTTPS (443)        TCP        443          IP address list or another security group
    Custom TCP Rule    TCP        2525         IP address list or another security group
    Custom TCP Rule    TCP        6666         IP address list or another security group
    Custom TCP Rule    TCP        8443         IP address list or another security group
    Custom UDP Rule    UDP        123          IP address list or another security group

    For details about specifying the source IP addresses or security groups, see your AWS documentation.

  19. When you are done, click Review and Launch.
  20. In the Step 7: Review Instance Launch page, verify your selections and click Launch.
  21. At the prompt, either select an existing key pair or select Create a new key pair, specify a key pair name, and download the new private key file for the new key pair.
  22. When you are done, click Launch Instances. AWS displays a confirmation page stating that your instance is being launched and displays the instance ID. Make a note of the ID, as it will be your initial KeyControl password.

  23. To verify the status of the instance, select Services > EC2 > Instances and locate the new instance in the table.

    Tip: If you requested multiple instances on the Step 3: Configure Instance Details page, you will see multiple KeyControl instances with the same name listed in the table. We recommend that you give each instance a unique name at this point so that you can tell them apart as you configure them. To do so, mouse over an instance name and click the pencil icon when it appears.
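The security group settings in step 18 are easy to get wrong when a group is reused or edited later. The following script, an added example that is not HyTrust's or AWS's own code, audits the IpPermissions structure returned by `aws ec2 describe-security-groups` against the KeyControl port table and flags any rule whose source is the world-open 0.0.0.0/0 or ::/0. The group IDs and CIDRs in the sample are constructed.

```python
import json

# (protocol, port) pairs from the KeyControl port table above.
REQUIRED_PORTS = {("tcp", 22), ("tcp", 443), ("tcp", 2525),
                  ("tcp", 6666), ("tcp", 8443), ("udp", 123)}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}   # sources the procedure says not to use


def audit_ingress(ip_permissions):
    """Check one group's IpPermissions list (describe-security-groups shape).

    Returns (missing, world_open): required (proto, port) pairs no rule
    covers, and (proto, from_port, cidr) triples whose source is open to all.
    """
    covered, world_open = set(), []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        for req_proto, port in REQUIRED_PORTS:
            # "-1" is AWS's "all traffic" protocol and carries no port range.
            if proto == "-1" or (proto == req_proto and lo <= port <= hi):
                covered.add((req_proto, port))
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # Security-group sources (UserIdGroupPairs) are acceptable, not flagged.
        world_open += [(proto, lo, c) for c in cidrs if c in WORLD_OPEN]
    return sorted(REQUIRED_PORTS - covered), world_open


# Constructed sample group: 8443 is missing and 443 is exposed to the world.
SAMPLE_GROUP = json.loads("""
{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
  {"IpProtocol": "tcp", "FromPort": 2525, "ToPort": 2525, "IpRanges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
  {"IpProtocol": "tcp", "FromPort": 6666, "ToPort": 6666, "IpRanges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
  {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}
]}
""")

if __name__ == "__main__":
    missing, exposed = audit_ingress(SAMPLE_GROUP["IpPermissions"])
    print("missing required rules:", missing)   # [('tcp', 8443)]
    print("world-open sources:", exposed)       # [('tcp', 443, '0.0.0.0/0')]
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <id>` by loading that JSON and passing `SecurityGroups[0]["IpPermissions"]`.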

What to Do Next 

Associate an Elastic IP address with the instance as described in Associating an Elastic IP Address with the KeyControl Instance. An elastic IP address is required for every KeyControl instance so that you can configure and maintain the KeyControl instance using a static IPv4 address.

If you created multiple instances, you need to assign a different Elastic IP to each copy of the instance.