Adding a KeyControl Node to an Existing Cluster (ISO Install)

When you reboot the target system after installing the KeyControl software from an ISO image, KeyControl launches the HyTrust SecureOS System Configuration wizard. This procedure explains how to use the wizard to add this node to an existing KeyControl cluster.

If you want to configure this node as the first KeyControl node in the system, see Configuring the First KeyControl Node (ISO Install).

Before You Begin 

  • Make sure you know the IP address of any KeyControl node that is already part of the cluster you want to join.

  • If there are multiple NICs already configured on this VM, KeyControl will prompt you to select a management interface from a list of the MAC addresses available on the VM. The management interface must be able to access port TCP/2525, and it will handle all internal node management traffic such as node authorization requests and the initialization of internal node communication.

    Make sure you know the MAC address of the NIC that you want to use as your management interface. After you have configured the management interface for a node, we strongly recommend that you do not change this interface. All other NICs can be reconfigured as needed at any point.

Procedure 

  1. Log into the system on which you installed the KeyControl software. If you do not see the HyTrust SecureOS System Configuration wizard, make sure the drive with the ISO install image is disconnected and reboot the system.
  2. On the Choose Install Type screen, select Add a new KeyControl Cluster Node and press Enter.
  3. Select Yes and press Enter to confirm the installation type at the prompt.

  4. On the Set System Password screen, enter a password for the KeyControl system administration account root and press Enter. The password must contain at least 6 characters and cannot contain spaces or any non-ASCII characters.

    This password cannot be reset from within KeyControl. If you lose the password, you will need to re-install the KeyControl software.

    Note: This password controls access to the System Console Menu that allows users to perform some KeyControl administration tasks. It does not permit a KeyControl user to access the full OS.
  5. If there are multiple NICs configured on the VM, select the NIC you want to use for the management interface and press Enter. This interface must be able to access port TCP/2525. After you have configured the management interface for a node, we strongly recommend that you do not change this interface.
  6. On the HyTrust SecureOS Network Configuration screen, select the type of network you want to use for communication between the KeyControl nodes in the cluster and between the KeyControl nodes and the HyTrust DataControl Policy Agents running on the encrypted VMs in the system. You can select:

    • Use DHCP — Communication uses Dynamic Host Configuration Protocol. When you select this option, KeyControl queries the network and gathers as much information as it can automatically. This option is generally used for testing or proof of concept systems. Because KeyControl requires a static IP address, you should not use this option unless you manage your IP address assignments through your DHCP server.
    • Custom Configuration — KeyControl gathers any network information it can find and displays the Network Configuration screen. If the node was deployed from an OVA template, KeyControl displays the network information entered during deployment.
    • VLAN Configuration — Communication uses a virtual LAN. KeyControl queries the network and gathers as much information as it can automatically.

    After you have selected the network configuration type, select OK and press Enter.

  7. If you selected VLAN Configuration, type the VLAN ID at the prompt, then select OK and press Enter.
  8. On the Network Configuration screen, review any network information the wizard automatically gathered and make any required additions or modifications. While you do so, keep in mind:

    • The hostname can contain any alphanumeric characters or hyphens (-). You cannot specify spaces or any other special characters in this field.
    • To enter multiple DNS addresses, separate them with a comma. For example, you could enter 192.168.162.2,192.168.162.3.

    • Make sure you specify a static IP address for the KeyControl node. If you specified DHCP as the communication protocol, this assignment must be done through your DHCP server.
    • For all network types, the NTP Servers configuration defaults to a set of pooled servers provided by ntp.org. This default is set by FreeBSD.
  9. When you have finished specifying the network information, select OK and press Enter. The installer restarts the network services to verify that the connection settings are correct.

    If the network is correctly configured, the wizard displays the HyTrust SecureOS Authentication screen stating that you need to have the IP address of one of the KeyControl nodes currently in the cluster, and that you may need a passphrase if Strict Authentication has been enabled for this cluster.

    If the network is not correctly configured, you will be prompted to change the settings until KeyControl can connect to the network. The installation process will not complete without a valid network connection.

  10. Press Enter to acknowledge the message and continue.
  11. Type the IP address of any KeyControl node already in the cluster and press Enter.
  12. If prompted, type a one-time passphrase for this KeyControl node and press Enter.

    The passphrase must contain at least 16 characters. It is a temporary string used to encrypt the initial communication between this node and the existing KeyControl cluster. When you authenticate the new node with the existing cluster, you will specify this passphrase in the KeyControl webGUI so that the existing node can decrypt the communication and verify that the join request is valid.

    If the wizard can connect to the designated KeyControl node, it displays the Authentication screen informing you that the node is now part of the cluster but must be authenticated in the KeyControl webGUI before it can be used by the system.

  13. Authenticate the node in the KeyControl webGUI as described in Authenticating New KeyControl Nodes.

    The Authentication screen displays a series of messages beginning with Successfully Authenticated and ending with Cluster Setup Complete after you begin the authorization process in the webGUI.

  14. Once the authentication process is finished, KeyControl displays the HyTrust SecureOS Appliance Configuration screen with a message stating that the node was successfully added to the cluster and showing the IP address for the node. Press Enter to acknowledge the message.

What to Do Next 

If you have configured multiple NICs on the VM in which you installed KeyControl, you can configure the additional NICs at any point after you add the node to the cluster. For details, see Multi-NIC Node Configuration.
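
The wizard's input rules from the procedure above (root password, hostname, DNS list, static IP and join passphrase) can be checked before you start, together with TCP/2525 reachability to an existing node. This is an added example, not HyTrust code: check_plan, can_reach_2525, the plan keys and all sample values are hypothetical, and the reachability test assumes you run it from a host on the same network as the planned management interface.

```python
import ipaddress
import re
import socket

# Constructed sample values; the key names are this example's own.
SAMPLE_PLAN = {
    "root_password": "Xk29-plan",
    "hostname": "kc-node-02",
    "node_ip": "192.168.162.12",
    "cluster_node_ip": "192.168.162.11",
    "dns": "192.168.162.2,192.168.162.3",
    "join_passphrase": "constructed-passphrase-01",  # None if not prompted
}

def _is_ip(text):
    try:
        ipaddress.ip_address(text)  # syntax check only
        return True
    except ValueError:
        return False

def check_plan(plan):
    """Return a list of problems in the values planned for the wizard."""
    problems = []
    pw = plan["root_password"]
    if len(pw) < 6 or " " in pw or not pw.isascii():
        problems.append("root_password: at least 6 ASCII characters, no spaces")
    if not re.fullmatch(r"[A-Za-z0-9-]+", plan["hostname"]):
        problems.append("hostname: alphanumeric characters and hyphens only")
    for field in ("node_ip", "cluster_node_ip"):
        if not _is_ip(plan[field]):
            problems.append(f"{field}: not a valid IP address")
    for dns in plan["dns"].split(","):  # assumed: commas only, no spaces
        if not _is_ip(dns):
            problems.append(f"dns: {dns!r} is not a valid IP address")
    passphrase = plan.get("join_passphrase")
    if passphrase is not None and len(passphrase) < 16:
        problems.append("join_passphrase: at least 16 characters")
    return problems

def can_reach_2525(host, timeout=3.0):
    """True if TCP/2525 on an existing node accepts a connection from here."""
    try:
        with socket.create_connection((host, 2525), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN) or "plan OK")
```

Call can_reach_2525 with the IP address of the existing cluster node once the plan validates; a False result points to a firewall or routing problem to resolve before running the wizard.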