Open topic with navigation

Adding a KeyControl Node to a Cluster in a Different Availability Zone on Amazon Web Services

The following components are required prior to adding a new KeyControl node to an existing KeyControl cluster in a different availability zone:

  • One or more running KeyControl servers
  • The CIDR block of the VPC or the VPC ID of a running KeyControl server
  • The internal IP address of the running KeyControl server

Log on to Amazon Web Services with an existing account

To begin with, you need to have an existing account on Amazon Web Services. You will start by logging in to that account.

For details, see Log on to Amazon Web Services with an Existing Account, elsewhere in this guide.

Connect to the Same Region as Your Existing KeyControl Server

  • Log on to your EC2 account.
  • Navigate to the EC2 Dashboard.
  • At the top right of the EC2 Dashboard, click your deployment region from the drop-down list. In the example below, US West (Oregon) is chosen, but you should choose based on the location of your existing KeyControl cluster.

Select a Region

Modify your Security Group

  • In order to allow communication between KeyControl servers, certain rules must be added to the Security Group of the existing KeyControl cluster.
  • From the VPC Dashboard, click Security Groups.
  • From the list of Security Groups in the table, click the Security Group of the existing KeyControl server.

    • Select a Security Group
  • Click the Inbound tab, and review the rules that exist. If they do not look like the following image, add more rules, as shown below.

    • Inbound rules with cluster deployed
  • If there is no Custom ICMP rule with Echo Reply in the Port Range column in the rules table on the right, create one, as follows:
    • Click Edit.
    • Click Add Rule.
    • Click Custom ICMP Rule from the drop down menu.
    • Click Echo Reply as Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

      • Add ICMP rule
  • If there is no Custom ICMP rule with a Port Range of Echo Request in the rules table on the right, create one, as follows:
    • Click Add Rule.
    • Click Custom ICP Rule from the drop down menu.
    • Click Echo Request as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • If there is no Custom TCP rule with a Port Range of 2525 in the rules table on the right, create one, as follows:
    • Click Add Rule.
    • Click Custom TCP rule from the drop down menu.
    • Click 2525 as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • If there is no Custom TCP rule with a Port Range of 2526 in the rules table on the right, create one, as follows:
    • Click Add Rule.
    • Click Custom TCP rule from the drop down menu.
    • Click 2526 as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • If there is no Custom TCP rule with a Port Range of 6666 in the rules table on the right, create one, as follows.
    • Click Add Rule.
    • Click Custom TCP rule from the drop down menu.
    • Click 6666 as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • Click Save, and review your end result to ensure that it looks like this:

    • Inbound rules with cluster deployed

NOTE: The above is an example of inbound traffic rules for an AWS Security Group. These ports are open to the world, as indicated by their 0.0.0.0/0 CIDR notation, merely for demonstration purposes. Important: It is the responsibility of the administrator to open these ports only to the IP addresses that are absolutely necessary to connect to the KeyControl instance. When restricting inbound network traffic for security purposes and your KeyControl nodes do not reside in the same VPC (that is, if they reside in different availability zones, or different regions, or on a different VPC in the same availability zone) you must add rules to your Security Group so that each node allows inbound network traffic from the VPC subnet of other KeyControl nodes.

  • For example if your KeyControl_Node1 resides in a VPC with subnet 172.31.68.0/24 and KeyControl_Node2 resides in another VPC with subnet 90.232.96.0/24, then the Security Group rule for KeyControl_Node1 must allow:
    • Inbound network traffic from 90.232.96.0/24 (or a range containing KeyControl_Node2) for protocols/ports TCP/2525, TCP/2526, ICMP/Echo Request, and ICMP/Echo Reply.
    • Similarly, KeyControl_Node2 must allow inbound network traffic from 172.31.68.0/24 (or a range containing KeyControl_Node1).

Virtual Private Cloud (VPC)

  • Navigate to Console Home (yellow cube) at top left of the Dashboard.
  • Under Networking, click VPC (Isolated Cloud Resources).
    • Select VPC
  • From the VPC Dashboard, click Start VPC Wizard.
    • Start VPC wizard
  • Click Select to set up VPC with a Single Public Subnet.

    • Set up single public subnet
  • By default, when a VPC is created, an Internet Gateway is automatically assigned to it. If the assigned gateway and/or IP block is insufficient, you can modify the IP block and subnet information according to your needs. You can also create a new Internet Gateway and assign it to your VPC. Note: In order for two VPCs to communicate, there should not be any overlapping IP addresses between the two VPCs. A good example is 50.0.0.0/16 and 100.0.0.0/16.
  • Give your VPC a name.
    • Name your VPC
  • Click Create VPC, and then click OK. Note the VPC ID.

    • Note VPC ID

Use VPC Peering to Connect the Two VPCs

  • Navigate to Peering Connections in the VPC Dashboard in the target AWS account.
  • If both VPCs belong to the same account, stay in the existing account.
    • Note VPC ID
  • Click Create VPC Peering Connection. The Create VPC Peering Connection dialog box appears.
    • Create VPC peering connection
  • Give your Peering Connection a name, and click Create.
  • The Peering connection should indicate that it is pending acceptance.
    • Peering connection pending acceptance
  • Click OK, and then click Accept request.

    The state of the peering connection changes to Active.

    • Peering connection action

Modify the Routing Tables of the VPCs

Modify the main routing table of both VPCs to route the network traffic to the peering connection ID.

  • In the running KeyControl VPC (10.0.0.0/16), navigate to its routing table.

    • Routing
  • Click the Route table entry.
    • Edit route
  • Click Edit. A line opens up in the entry.
    • Edit Route add line
  • In the Destination field, enter the CIDR block of the new VPC (172.31.0.0/16).
  • In the Target field, click the ID of the VPC peering connection.
  • Click Save. Your first routing entry is complete.
  • Next, in the newly created VPC (172.31.0.0/16), navigate to its route table.

    • Routing Two
  • Click the Route table entry.
    • Edit route
  • Click Edit. A line opens up in the entry.
    • Edit route add line
  • In the Destination field enter the CIDR block of the running KeyControl VPC (10.0.0.0/16).
  • In the Target field, click the ID of the VPC peering connection.
  • Click Save. Your second routing entry is complete

Create a Key Pair, if One Does Not Exist

For step-by-step details, see Create a Key Pair, elsewhere in this guide.

Create a Security Group, if One Does Not Exist

As part of VPC creation a default Security Group is assigned to your VPC. For KeyControl communication, it is recommended to create a Security Group that only enables certain inbound services/ports.

For step-by-step details, see Create a Security Group, elsewhere in this guide.

Add Rules to the Security Group, if Rules Are Not Present

In order to allow communication between KeyControl servers, certain rules must be added to the Security Group of the existing KeyControl cluster.

For step-by-step details, see Add rules to the Security Group, elsewhere in this guide.

Modify your Security Group

  • In order to allow communication between KeyControl servers, certain rules must be added to the Security Group of the existing KeyControl cluster.
  • From the VPC Dashboard, click Security Groups.
  • From the list of Security Groups in the table, click the Security Group of the existing KeyControl server.

    • Select a Security Group
  • Click the Inbound tab, and review the rules that exist. If they do not look like the following image, add more rules, as shown below.

    • Inbound rules with cluster deployed
  • If there is no Custom ICMP rule with Echo Reply in the Port Range column in the rules table on the right, create one, as follows:
    • Click Edit.
    • Click Add Rule.
    • Click Custom ICMP Rule from the drop down menu.
    • Click Echo Reply as Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

      • Add ICMP rule
  • If there is no Custom ICMP rule with a Port Range of Echo Request in the rules table on the right, create one, as follows:
    • Click Add Rule.
    • Click Custom ICP Rule from the drop down menu.
    • Click Echo Request as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • If there is no Custom TCP rule with a Port Range of 2525 in the rules table on the right, create one, as follows:
    • Click Add Rule.
    • Click Custom TCP rule from the drop down menu.
    • Click 2525 as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • If there is no Custom TCP rule with a Port Range of 2526 in the rules table on the right, create one, as follows:
    • Click Add Rule.
    • Click Custom TCP rule from the drop down menu.
    • Click 2526 as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • If there is no Custom TCP rule with a Port Range of 6666 in the rules table on the right, create one, as follows.
    • Click Add Rule.
    • Click Custom TCP rule from the drop down menu.
    • Click 6666 as the Port Range.
    • Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
  • Click Save, and review your end result to ensure that it looks like this:

    • Inbound rules with cluster deployed

NOTE: The above is an example of inbound traffic rules for an AWS Security Group. These ports are open to the world, as indicated by their 0.0.0.0/0 CIDR notation, merely for demonstration purposes. Important: It is the responsibility of the administrator to open these ports only to the IP addresses that are absolutely necessary to connect to the KeyControl instance. When restricting inbound network traffic for security purposes and your KeyControl nodes do not reside in the same VPC (that is, if they reside in different availability zones, or different regions, or on a different VPC in the same availability zone) you must add rules to your Security Group so that each node allows inbound network traffic from the VPC subnet of other KeyControl nodes.

  • For example if your KeyControl_Node1 resides in a VPC with subnet 172.31.68.0/24 and KeyControl_Node2 resides in another VPC with subnet 90.232.96.0/24, then the Security Group rule for KeyControl_Node1 must allow:
    • Inbound network traffic from 90.232.96.0/24 (or a range containing KeyControl_Node2) for protocols/ports TCP/2525, TCP/2526, ICMP/Echo Request, and ICMP/Echo Reply.
    • Similarly, KeyControl_Node2 must allow inbound network traffic from 172.31.68.0/24 (or a range containing KeyControl_Node1).

Create an EIP Address

For step-by-step details, see Create an EIP address, elsewhere in this guide.

Launch an instance

  • From the VPC Dashboard, click Launch EC2 Instances.
    • Launch EC2

  • From Step 1: Choose an Amazon Machine Image (AMI) dialog box, click AWS Marketplace, and type HyTrust in the search box. Press Enter:



    • A list of HyTrust DataControl AMIs appears. Read the descriptions, and pick one by clicking Select. For this tutorial, we clicked the first one listed, HyTrust DataControl for AWS 5VM.


  • The Step 2: Choose an Instance Type dialog box appears.Configure instance type
  • From the list of Instance Types, click m3.large or whatever best fits the bandwidth/latency requirements you desire.
  • Click Next: Configure Instance Details.
  • The Step 3: Configure Instance Details dialog box appears.

    • Select your VPC
  • Click your VPC ID as the Network used for launch.
  • Number of instances should be 1.
  • Make sure Auto-assign Public IP is NOT set. Click Disable.
  • Click Next: Add Storage.
  • The Step 4: Add Storage dialog box appears.
    • Add storage
  • Root device with all defaults works fine. There is no need to change anything.
  • Click Next: Tag Instance.
  • The Step 5: Tag Instance dialog box appears.
    • Tag instance
  • If you wish to add key-value tags to your instance, do so.
  • Click Next: Configure Security Group.

The Step 6: Configure Security Group dialog box appears.

    Configure Security Group
  • In Assign a Security Group click Select an existing Security Group.
  • Select the Security Group of the existing KeyControl node.
  • Click Review and Launch.
  • The Boot from General Purpose (SSD) dialog box appears.

    • Choose boot volume
  • Click on your choice of boot volume for this instance, and then click Next.
  • The Review and Launch dialog box appears.
    • Review and launch
  • Review your settings, paying particular attention to the IP address ranges you have open to external browsers. Your current settings, set at 0.0.0.0/0, are "open to the world."
  • When you are satisfied with your settings, click Launch.
  • The Select an existing key pair or create a new key pair dialog box appears:

    • Select a key pair
  • When asked to click a Key Pair, click Choose an existing Key Pair.
  • Select the Key Pair used for the existing KeyControl node.
  • Click the checkbox acknowledgment that you have access to this Key Pair.
  • Click Launch instances.

Associate the EIP to the Instance

  • Once the newly launched instance is in initializing state, note its Instance ID.
    • Note instance ID
  • From the VPC Dashboard, in the center of the screen, click Elastic IPs.
    • Click Elastic IPs
  • Click Associate Address.
  • The Associate Address dialog box appears.
    • Associate new address
  • In the instance drop-down box, click the instance ID of the new KeyControl node.
  • Click Yes, Associate.
  • Click Instances from the EC2 Dashboard.
  • Click the Instance ID.
    • EIP associated with Instance
  • When the Elastic IP of the instance appears, it indicates that the EIP is now associated with the instance. Note that the public IP has the same address, which you will use after completing the next steps in the KeyControl system menus.

Connect to the Instance Console and Install

Use ssh to log into the new KeyControl menu system. You will use the key pair associated with the VPC and the EIP associated with the instance. Use the login ID sysmenus. The initial password is sysmenus. Issue the following command from your UNIX shell:

  • # ssh -i <my_key> -l sysmenus <my_EIP>
  • You will first be prompted to change the KeyControl menu system's password (you cannot continue to use the initial sysmenus password). You will be required to enter the password twice. Passwords must be a minimum of eight characters.

    Install Change Password1

  • The menus to which the root/password combination enables access are where diagnostics and settings can be manipulated for this system during its lifetime. Without the password, access to the system for these tasks is impossible. It is critical that the password be stored safely somewhere.
  • Note that this is not a general login account. Since this is a secure node, you cannot get a shell prompt, and only have access to a basic menu system that allows for hardware change, network setup and general debugging capabilities. We cover these topics later.
  • The last step in configuration is choosing whether you are going to add this new KeyControl instance as a new node to an existing cluster:

    • Add as new node to existing cluster?
  • You do want to add this system as a new node in an existing cluster, so you should click Yes, and follow the directions here: Joining a KeyControl Cluster

Connect to the GUI of the First KeyControl Node and Authenticate the New KeyControl Node

At this point you need to log on to the webGUI of first KeyControl node/cluster with Domain Administration privileges. The new KeyControl node will automatically appear as an unauthenticated node in the KeyControl cluster, as shown below:

 

Domain Kps Waiting Auth

To authenticate this new node, click the Actions Button and then click Authenticate. This will take you to the authentication screen shown below. You are prompted to enter the Authentication Passphrase.

Domain Kps Type Passphrase

Once authentication completes, the KeyControl node is listed as Authenticated but Unreachable until cluster synchronization completes and the cluster is ready for use. This should not take more than a minute or two.

Once the KeyControl node is available, the status will automatically move to Online and the cluster icon will change from a red lightning bolt to a green heart with the number 2 inside of it, to indicate that there are two KeyControl nodes:

At this point, the new node is ready to use.

Open topic with navigation