Configuring Additional KeyControl Nodes

After the AWS instance is deployed, you need to configure the KeyControl node using SSH. The following procedure describes how to configure the node as part of an existing KeyControl cluster. If you want to configure this node as the first node in the KeyControl cluster, see Configuring the First KeyControl Node.

Before You Begin

Make sure that the new KeyControl node can reach the existing KeyControl cluster nodes over their private IP addresses (the join in the procedure below uses the private address of an existing node, so security group rules and VPC routing must allow that traffic). For details, see the AWS documentation.

Make sure you have the following information:

  • The Amazon instance ID for the new KeyControl instance.
  • The Elastic (Public) IP address associated with the new instance.
  • The private key file (in pem format) that was used when the new instance was created.

    Tip: To find this information, select Instances from the AWS Management Console EC2 Dashboard, then select the KeyControl instance in the table. In the Description tab, look at the Instance ID, IPv4 Public IP, and Key pair name fields.

  • The private IP address of one of the existing KeyControl nodes in the cluster.

    Tip: To find this IP address, log into the KeyControl webGUI on one of the existing nodes and click Cluster in the top menu bar. Go to the Servers tab and look at the IP address in the table.

Procedure

  1. Open a terminal window and navigate to the directory in which you have stored the private key file. If you have not used this key file before, make sure the permissions are set to -r-------- (chmod 400): ssh refuses to use a private key file that is readable by group or others and reports it as too open.
  2. Log into the htadmin account on the KeyControl instance using the private key file.

    ssh -i <key-file>.pem htadmin@<Elastic-IP>

    where <key-file>.pem is the private key file for the key pair associated with the instance and <Elastic-IP> is the public IPv4 address associated with the instance. For example, if your key pair is called KeyControl-Cluster-NorthAmerica.pem and the Elastic IP address is 52.18.58.35, you would enter:

    ssh -i KeyControl-Cluster-NorthAmerica.pem htadmin@52.18.58.35

  3. When prompted for the htadmin password, enter the Amazon instance ID for the KeyControl instance that you are configuring. The instance ID is not a secret (anyone who can describe EC2 instances in the account can read it), so it only bootstraps this first login; the next step replaces it.
  4. Enter a new password for the KeyControl system administration account htadmin and press Enter. The password must contain at least 6 characters and cannot contain spaces or any non-ASCII characters.

    This password controls access to the HyTrust KeyControl System Console, which allows users to perform some KeyControl administration tasks. It does not permit a KeyControl user to access the full OS.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact HyTrust Support. For security reasons, KeyControl does not provide a user-accessible password recovery mechanism.

  5. On the System Configuration screen, select Add KeyControl Node to Existing Cluster and press Enter.
  6. Type the private (internal) IP address of any KeyControl node already in the cluster and press Enter. KeyControl begins the initial configuration process for the node.

    Tip: To find the internal IP address for the existing node, log into the KeyControl webGUI and click Cluster in the top menu bar. Go to the Servers tab and look at the IP address in the table. Alternatively, in the AWS Management Console, you can look at the Private IPs field in the Description tab for the KeyControl instance.

  7. If this node:

    • Was previously a part of the selected cluster, KeyControl displays a prompt stating this fact and asking if you want to clear the existing data and re-join the cluster. Select Yes and press Enter.
    • Was a member of a different cluster, or was originally configured as the only node in the cluster, KeyControl prompts you that all data will be destroyed on the current node if you continue. Select Yes and press Enter, then press Enter again to confirm the action at the next prompt.

  8. If prompted, type a one-time passphrase for this KeyControl node and press Enter.

    The passphrase must contain at least 16 characters, letters and digits only (no spaces or special characters). It is a temporary secret used to encrypt the initial communication between this node and the existing KeyControl cluster. When you authenticate the new node from the existing cluster, you will enter the same passphrase in the KeyControl webGUI so that the existing node can decrypt the communication and verify that the join request is valid.

    If the wizard can connect to the designated KeyControl node, it displays the Authentication screen informing you that the node is now part of the cluster but must be authenticated in the KeyControl webGUI before it can be used by the system.

  9. Authenticate the node in the KeyControl webGUI as described in Authenticating New KeyControl Nodes.

    When the Joining KeyControl Cluster screen displays a message stating that a Domain Administrator needs to authenticate the new node, log into the KeyControl webGUI on one of the existing cluster nodes (for example, the node whose private IP address you entered in step 6) and authenticate the new node. After the node has been authenticated, KeyControl continues the setup process.

  10. Once the authentication process is finished, KeyControl displays a message stating that the node was successfully added to the cluster and showing the IP address for the node. Press Enter to acknowledge the message.

  11. Review the confirmation dialog that provides the public URL that can be used with the KeyControl webGUI as well as the private IP address that you can use if you want to add other KeyControl nodes to this cluster. When you are done, press Enter to finish the installation.
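As an added example (this script is not KeyControl's own tooling and does not ship with the product), the following POSIX shell helper checks the inputs the procedure above needs before you open the SSH session: the key file permissions from step 1, the Elastic IP and instance ID from steps 2 and 3, and the password and passphrase rules from steps 4 and 8. It then prints the login command from step 2. The function names, the script name and the IdentitiesOnly=yes ssh option are this example's own choices and do not appear on the original page; the values used in the comments are constructed.

```shell
#!/bin/sh
# Added pre-flight helper for "Configuring Additional KeyControl Nodes".
# Not part of KeyControl: it only validates the inputs the procedure needs
# and prints the ssh command from step 2. Function and file names are this
# example's own. Usage: sh preflight.sh <key-file>.pem <Elastic-IP> <instance-id>

# Byte-wise character classes so [A-Za-z0-9] and ${#var} are ASCII-only.
export LC_ALL=C

# Step 1: ssh ignores a private key readable by group or others, so the
# group/other part of the mode string (columns 5-10 of ls -l) must be "------".
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Dotted-quad IPv4 address with every octet in 0..255 (the Elastic IP).
ipv4_ok() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Step 3: the initial htadmin password is the EC2 instance ID
# ("i-" followed by 8 hex digits on older instances, 17 on current ones).
instance_id_ok() {
    expr "$1" : 'i-[0-9a-f]\{8\}$' >/dev/null 2>&1 ||
        expr "$1" : 'i-[0-9a-f]\{17\}$' >/dev/null 2>&1
}

# Step 4: at least 6 characters, no spaces, ASCII only. Any byte outside
# printable ASCII 0x21-0x7E (space, control chars, non-ASCII) is rejected.
htadmin_password_ok() {
    [ "${#1}" -ge 6 ] || return 1
    if printf '%s' "$1" | grep -q '[^!-~]'; then
        return 1
    fi
    return 0
}

# Step 8: one-time join passphrase, at least 16 characters, letters and digits only.
join_passphrase_ok() {
    [ "${#1}" -ge 16 ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Step 2: the login command. IdentitiesOnly=yes stops ssh from offering every
# key loaded in your agent before the one named with -i (example's choice).
ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes htadmin@%s\n' "$1" "$2"
}

# Run every check that can be done before opening the session.
preflight() {
    key=$1; eip=$2; iid=$3
    key_perms_ok "$key"   || { echo "$key: missing, or readable by group/others (chmod 400)" >&2; return 1; }
    ipv4_ok "$eip"        || { echo "$eip: not a valid IPv4 address" >&2; return 1; }
    instance_id_ok "$iid" || { echo "$iid: not an EC2 instance ID" >&2; return 1; }
    echo "Initial htadmin password is the instance ID $iid; replace it at step 4."
    ssh_command "$key" "$eip"
}

# Only run when invoked with the three arguments; safe to source for the functions.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

The password and passphrase checks are deliberately stricter than "no spaces": the page rules out non-ASCII characters, and the script rejects any byte outside printable ASCII so that a control character pasted by accident fails before you are locked out of the System Console with a password you cannot retype.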