KeyControl Network Requirements
All KeyControl IP addresses must use IPv4. KeyControl does not support IPv6 addresses.
For KeyControl to KeyControl and Policy Agent to KeyControl, the following ports need to be open:
- Internal protocol – TCP/443 (HTTPS) must be open between the KeyControl nodes in the cluster to support the rolling upgrade feature. The KeyControl nodes must also be able to communicate on TCP/8443. If you have a firewall between one or more nodes, you need to make sure that these ports are open.
  In addition, KeyControl uses the IP address 169.254.119.1 for internal communication. This IP address must be reserved for KeyControl.
- KeyControl webGUI – Inbound TCP/443 to administrator systems from any KeyControl server in the cluster.
- KeyControl support-level access – Inbound TCP/22 from administrator systems to any KeyControl server in the cluster.
- Policy Agent to KeyControl — Inbound TCP/443 from the Policy Agent to each of the KeyControl nodes in the cluster.
For KeyControl infrastructure services, the following ports need to be open:
- DNS — Outbound UDP/53
- SMTP — Outbound mail server, typically TCP/25
- SYSLOG — An outbound UDP port between 25 and 65535 if you want to use a remote syslog server. KeyControl does not currently support TCP for syslog.
- Backup and Restore via NFS — If you want to access the KeyControl-generated backup files via NFS, you need to open the following ports: Inbound TCP and UDP/111 (portmapper), 2046 (lockd), 2047 (rpc statd), 2048 (rpc mountd), and 2049 (default NFS port).
- NTP — Outbound NTP servers, typically UDP/123 or TCP/123
- Automatic Vitals Reporting — If you enable Automatic Vitals Reporting, KeyControl must be able to send the encrypted Vitals bundle outbound to https://vitals.hytrust.com via TCP/443.
Note: You cannot disable Automatic Vitals Reporting during the trial license period.
Note: The network ports indicated for SMTP, syslog, and NTP are the typical ports for these services. If you need to change those ports, consult with the administrators of these services.
If you want to configure KeyControl as a KMIP server, you need to open the port that you plan to use for it. The default KMIP port is 5696.
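One way to pre-check a deployment plan against the requirements above before requesting firewall changes. This is an added example, not HyTrust code: the plan dictionary layout, the function names and the sample addresses are assumptions. It covers only the IPv4, reserved-address and syslog constraints and the node, support-access and Policy Agent flows.

```python
import ipaddress
from itertools import permutations

# Reserved for KeyControl internal communication (address taken from the page).
RESERVED = ipaddress.ip_address("169.254.119.1")

def check_plan(plan):
    """Return problems found in a deployment plan (hypothetical dict layout)."""
    problems = []
    for role in ("nodes", "admins", "agents"):
        for addr in plan.get(role, []):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{role}: {addr!r} is not an IP address")
                continue
            if ip.version != 4:
                problems.append(f"{role}: {addr} is not IPv4")
            elif ip == RESERVED:
                problems.append(f"{role}: {addr} is reserved for KeyControl")
    syslog = plan.get("syslog")
    if syslog:
        if syslog["proto"].lower() != "udp":
            problems.append("syslog: only UDP is supported")
        if not 25 <= syslog["port"] <= 65535:
            problems.append(f"syslog: port {syslog['port']} outside 25-65535")
    return problems

def required_flows(plan):
    """Derive the (src, dst, proto, port) flows firewalls must allow."""
    flows = set()
    for src, dst in permutations(plan["nodes"], 2):   # every node pair, both ways
        flows |= {(src, dst, "tcp", 443), (src, dst, "tcp", 8443)}
    for node in plan["nodes"]:
        flows |= {(a, node, "tcp", 22) for a in plan.get("admins", [])}
        flows |= {(a, node, "tcp", 443) for a in plan.get("agents", [])}
    return sorted(flows)

# Constructed sample plan; addresses are documentation ranges, not from the page.
SAMPLE = {
    "nodes": ["192.0.2.10", "192.0.2.11", "169.254.119.1"],
    "admins": ["198.51.100.5"],
    "agents": ["2001:db8::7"],
    "syslog": {"proto": "tcp", "port": 514},
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE):
        print("PROBLEM:", problem)
```

Once `check_plan` returns an empty list, `required_flows` gives the allow-list to hand to the firewall team.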
