Joining or Re-joining a KeyControl Cluster

When you install KeyControl, you can specify whether you want to configure the node as the first node in the system or add it to an existing cluster.

If you ever need to change the node's cluster assignment, or you need to re-join a node with its previous cluster, you can do so using the HyTrust KeyControl System Console TUI (Text-based User Interface) installed on the node. You do not need to re-install the KeyControl software.

Warning: When a node is added to a cluster, any existing configuration data and encryption keys are permanently deleted and cannot be restored. If this node was previously part of a different cluster or was used in standalone mode, make sure you do not need the encryption keys stored on this node before you add it to the new cluster.

Before You Begin

  • Make sure you know the IP address of any KeyControl node that is already part of the cluster you want to join.
  • If the node is currently part of a different cluster, you should remove the node from the original cluster so that the original cluster does not become degraded. For details, see Removing a KeyControl Node from a Cluster.
  • If you are re-joining a node to an existing cluster and you are using an externally signed SSL certificate for KeyControl, make sure that you use the same hostname for the KeyControl node that it had originally. If you change the hostname, you will need to reinstall the externally signed SSL certificate on that node.

Procedure

  1. Log into the KeyControl VM console as htadmin on the KeyControl node you want to join with the cluster.

    KeyControl displays the HyTrust KeyControl System Console TUI (Text-based User Interface).

  2. From the main HyTrust KeyControl System Console, select Join an Existing KeyControl Cluster and press Enter.
  3. KeyControl displays a prompt explaining that you will need the IP address of one of the nodes in the cluster. Press Enter to acknowledge the message and continue.
  4. Type the IP address of any KeyControl node already in the cluster and press Enter. KeyControl begins the initial configuration process for the node.

  5. If this node:

    • Was previously a part of the selected cluster, KeyControl displays a prompt stating this fact and asking if you want to clear the existing data and re-join the cluster. Select Yes and press Enter.
    • Was a member of a different cluster, or was originally configured as the only node in the cluster, KeyControl warns you that all data on the current node will be destroyed if you continue. Select Yes and press Enter, then press Enter again to confirm the action at the next prompt.

  6. If prompted, type a one-time passphrase for this KeyControl node and press Enter.

    The passphrase must contain at least 16 alphanumeric characters. It cannot contain spaces or special characters. This phrase is a temporary string used to encrypt the initial communication between this node and the existing KeyControl cluster. When you authenticate the new node with the existing cluster, you will specify this passphrase in the KeyControl webGUI so that the existing node can decrypt the communication and verify that the join request is valid.

    If the wizard can connect to the designated KeyControl node, it displays the Authentication screen informing you that the node is now part of the cluster but must be authenticated in the KeyControl webGUI before it can be used by the system.

  7. Authenticate the node in the KeyControl webGUI as described in Authenticating New KeyControl Nodes.

    When the Joining KeyControl Cluster screen displays a message stating that a Domain Administrator needs to authenticate the new node, log into the KeyControl webGUI on that node and authenticate the new server. After the node has been authenticated, KeyControl continues the setup process.

  8. Once the authentication process is finished, KeyControl displays a message stating that the node was successfully added to the cluster and showing the IP address for the node. Press Enter to acknowledge the message.
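The following is an added example, not HyTrust's or this page's own code: it encodes the one-time passphrase rule from step 6 so you can check a candidate passphrase before typing it into the TUI, or generate a compliant one from the OS CSPRNG. It assumes "alphanumeric" means ASCII letters and digits only, since str.isalnum() would also accept accented letters and non-ASCII digits that the console may not take.

```python
"""Validate or generate a KeyControl one-time join passphrase (added example)."""
import secrets
import string
from typing import List

MIN_LENGTH = 16  # from the procedure: "at least 16 alphanumeric characters"
ALPHABET = string.ascii_letters + string.digits  # assumption: ASCII letters/digits only


def validate_passphrase(passphrase: str) -> List[str]:
    """Return the list of rule violations; an empty list means the passphrase is acceptable."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(ch.isspace() for ch in passphrase):
        problems.append("contains whitespace")
    # Anything outside the ASCII alphabet (other than whitespace, reported above)
    # counts as a "special character" under the page's rule.
    bad = sorted({ch for ch in passphrase if ch not in ALPHABET and not ch.isspace()})
    if bad:
        problems.append("contains non-alphanumeric characters: " + "".join(bad))
    return problems


def generate_passphrase(length: int = 24) -> str:
    """Build a compliant passphrase using the secrets module (CSPRNG), not random.random."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    samples = ["Tooshort1", "has a space in it now", "Correct-Horse-Battery", "Q7mP2xL9vB4nR8kT"]
    for candidate in samples:
        print(f"{candidate!r}: {validate_passphrase(candidate) or 'OK'}")
    fresh = generate_passphrase()
    assert not validate_passphrase(fresh)
    print("generated:", fresh)
```

The generated value is only needed twice, once in the TUI and once in the webGUI during authentication, so there is no reason to keep it afterwards.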

What to Do Next

If necessary, update the list of KeyControl IP addresses on the VMs associated with this cluster. If you are maintaining the list of IP addresses on the VMs, see Updating KeyControl Node IP Addresses on an Individual VM. If you are using KeyControl Mappings, see Changing a KeyControl Mapping.