Installing a New KeyControl Cluster Node from an ISO Image

This procedure describes how to use the HyTrust-provided ISO image to install and configure a new KeyControl node that you want to add to an existing cluster. If you want to configure a standalone KeyControl node or the first node in the cluster, see Installing the First KeyControl Node from an ISO Image.

Important: Make sure that all KeyControl nodes reside on devices that are not encrypted. KeyControl has its own internal encryption, and it must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

Before You Begin 

  • If you are installing KeyControl on an existing VM, make sure that there is no important data currently on the target system. The installer will overwrite all data on the selected disks.
  • Make sure that the target VM can access the HyTrust DataControl ISO image.
  • Make sure the target VM meets the basic system requirements described in System Requirements.

Note: The following procedure is based on vCenter Web Client version 6.5.0. If your version of the vCenter Web Client is different from what is described below, please see your vCenter documentation for details about the ISO deployment process.

Procedure 

  1. Log into the vSphere Web Client.
  2. Create a new virtual machine using the settings appropriate to your environment.
  3. When you are prompted to select a guest OS, set the following:

    Field               Setting
    Guest OS Family     Linux
    Guest OS Version    Centos 7 (64-bit)

  4. Click Next.
  5. On the Virtual Hardware tab of the Customize hardware page, make sure the VM configuration meets the following system resource recommendations:

    Resource    Demo or Proof of Concept    Standard Installation    Large Installation
    CPUs        2                           2                        4
    RAM         4 GB                        8 GB                     16 GB
    Disk        60 GB                       60 GB                    140 GB

    The rest of the options on this tab should be configured to match your vSphere environment.

  6. Connect the KeyControl version 5.1.2 installation ISO image to the VM so that the VM will boot from this ISO image when you power on the VM. How you do this depends on how your vSphere environment is configured and what options you have available.

    For example, you could upload the KeyControl ISO image to a datastore that vSphere can access and then attach the datastore ISO image as a CD/DVD drive that is connected when the VM powers on. After KeyControl is successfully installed, it automatically disconnects the CD/DVD drive so that it will not boot from that drive again should the node be restarted.

  7. Power on the KeyControl VM and have it boot from the KeyControl version 5.1.2 installation ISO image.
  8. When the VM boots from the ISO image, it will begin installing CentOS.

    Note: The installer will post messages as the CentOS operating system install proceeds. Some parts of the OS take longer to install than others, and there may be times when no new messages appear for over ten minutes. Do not attempt to cancel or restart the installation procedure during this time.

    The installer will automatically reboot the VM as needed.

    When the installer has finished, it displays a prompt asking for a password for the htadmin account.

  9. Enter a password for the KeyControl system administration account htadmin and press Enter. The password must contain at least 6 characters and cannot contain spaces or any non-ASCII characters.

    This password controls access to the HyTrust KeyControl System Console that allows users to perform some KeyControl administration tasks. It does not permit a KeyControl user to access the full OS.

    Important: Make sure you keep this password in a secure place. If you lose the password, you will need to contact HyTrust Support. For security reasons, KeyControl does not provide a user-accessible password recovery mechanism.

  10. On the System Configuration page, select Add KeyControl Node to Existing Cluster and press Enter.
  11. The next page asks if you want to use DHCP for the node. We highly recommend that you do not do this, as the KeyControl node should always be available at a set IP address. Make sure No is selected and press Enter to acknowledge this message.
  12. On the Confirm Network Configuration page, enter the appropriate network information for the KeyControl node. When you are done, press Enter to save this information.
  13. The next page confirms that you are about to join this node with an existing cluster, and that you may need to enter an authentication passphrase based on how your KeyControl cluster is configured. Press Enter to acknowledge this message.
  14. Enter the IP address of a KeyControl node already in the cluster you want to join and press Enter.
  15. On the System Configuration page, review the configuration settings and press Enter if you are ready to configure the node.

    The installer configures KeyControl and then starts the appropriate services. This process will take a few minutes to complete.

  16. If prompted, type an authentication passphrase that you can use to authenticate this node with the KeyControl cluster and press Enter. A domain administrator must log into one of the nodes in the KeyControl cluster that you are joining and authorize this node before the configuration can be completed. For details, see Authenticating New KeyControl Nodes.

    After the node has been authenticated, the installer displays a message that the passphrase was successfully verified and automatically continues configuring the node.

  17. Review the confirmation dialog that provides the URL of the KeyControl webGUI (also known as the Management IP Address).

    When you are done, press Enter to finish the installation. KeyControl displays the CentOS login prompt.
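The values entered in steps 5, 9, 11, 12 and 14 can be checked before the installer is started. The following pre-flight check is an added example, not part of the HyTrust documentation or product: the plan field names, the sample addresses and the gateway-on-subnet rule are assumptions made for illustration.

```python
import ipaddress

# Recommended resources per installation size (table in step 5 of the procedure).
SIZING = {
    "demo": {"cpus": 2, "ram_gb": 4, "disk_gb": 60},
    "standard": {"cpus": 2, "ram_gb": 8, "disk_gb": 60},
    "large": {"cpus": 4, "ram_gb": 16, "disk_gb": 140},
}

def check_password(pw):
    """htadmin rule from step 9: at least 6 characters, no spaces, ASCII only."""
    problems = []
    if len(pw) < 6:
        problems.append("password shorter than 6 characters")
    if " " in pw:
        problems.append("password contains a space")
    if not pw.isascii():
        problems.append("password contains non-ASCII characters")
    return problems

def check_plan(plan):
    """Return the problems found in a planned node configuration (empty if none)."""
    problems = check_password(plan["htadmin_password"])
    for key, minimum in SIZING[plan["size"]].items():
        if plan[key] < minimum:
            problems.append(f"{key}={plan[key]} below {plan['size']} recommendation {minimum}")
    if plan["dhcp"]:
        problems.append("DHCP selected; the node should keep a set IP address")
    iface = ipaddress.ip_interface(plan["address"])  # address with prefix length
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("node address is the network or broadcast address")
    # Assumption (general IP networking, not stated on the page): gateway is on-subnet.
    if ipaddress.ip_address(plan["gateway"]) not in net:
        problems.append("gateway is outside the node's subnet")
    if ipaddress.ip_address(plan["cluster_node"]) == iface.ip:
        problems.append("cluster node IP is this node's own address")
    return problems

# Constructed sample plan using documentation-range addresses (not real values).
SAMPLE_PLAN = {
    "size": "standard", "cpus": 2, "ram_gb": 8, "disk_gb": 60,
    "htadmin_password": "Example-Passw0rd", "dhcp": False,
    "address": "192.0.2.20/24", "gateway": "192.0.2.1",
    "cluster_node": "192.0.2.10",
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN) or ["no problems found"]:
        print(problem)
```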

What to Do Next 

  • To create a dedicated webGUI account with Cloud Admin privileges that you can use to install the HyTrust DataControl Policy Agent, see Creating a Cloud Admin User Account.
  • To create at least one Cloud VM Set into which you can put the VMs you plan to encrypt, see Creating a Cloud VM Set.