Creating the KMS Cluster in vSphere

Note: The following procedure is based on vCenter Web Client in vSphere 6.5. If your version of the vCenter Web Client is different from what is described below, please see your vCenter documentation to determine how to add the KMS cluster.

  1. Launch the vSphere Web Client and log into the vCenter server that you want to add to HyTrust KeyControl.
  2. Select the vCenter Server in the Global Inventory Lists.
  3. Click Configure.
  4. Select Key Management Servers.
  5. Click Add KMS and set the following configuration options:

    Option Description

    KMS cluster

    Select <Create new cluster>.

    Cluster name and Server alias

    Enter a name and alias for the cluster. These names are local to vSphere and are not used by KeyControl.

    Server address

    The IP address for the HyTrust KMIP server. This IP address must match the KeyControl KMIP server Host Name shown in the KeyControl webGUI.

    Important: Make sure that the KMIP server resides on a device that is not encrypted. The KMIP server must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

    Server port

    The port number for the HyTrust KMIP server. The KMIP standard port is 5696.

    Proxy address and Proxy port

    Enter this information if required by your network administrator.

    User name and Password.

    Important: Do not enter a user name or password for the KMS cluster.

    For example:

  6. Click OK.
  7. When prompted, click Yes to make this the default KMS cluster.
  8. In the Trust Certificate dialog box, click Trust.

    This adds the KMS cluster to vCenter but the connection status will be "Cannot establish trust connection".

What to Do Next 

Establish a trusted connection between the KMS cluster and the HyTrust KMIP server. How you do this depends on whether you want vSphere or KeyControl to generate the Certificate Signing Rquest (CSR) used to establish the trusted connection. For more information, see: