Joining or Re-joining a KeyControl Cluster

When you install KeyControl, you can specify whether you want to configure the node as the first node in the system or add it to an existing cluster.

If you ever need to change the node's cluster assignment, or you need to re-join a node with its previous cluster, you can do so using the KeyControl System Console Menu TUI (Text-based User Interface) installed on the node. You do not need to re-install the KeyControl software.

Warning:

When a node is added to a cluster, any existing configuration data and encryption keys are permanently deleted and cannot be restored. If this node was previously part of a different cluster or was used in standalone mode, make sure you do not need the encryption keys stored on this node before you add it to the new cluster.

Before You Begin

Make sure you know the IP address of any KeyControl node that is already part of the cluster you want to join.
If the node is currently part of a different cluster, you should remove the node from the original cluster so that the original cluster does not become degraded. For details, see Removing a KeyControl Node from a Cluster.

Procedure

Log in as root on the server hosting the KeyControl node.

KeyControl displays the System Console Menu TUI (Text-based User Interface).
From the main System Console Menu, select Join or Re-join a KeyControl Cluster and press Enter.
KeyControl displays a prompt explaining that you will need the IP address of one of the nodes in the cluster. Press Enter to acknowledge the message and continue.
On the Description screen, type a description for the node and press Enter. The description is displayed in the KeyControl webGUI and allows you to quickly distinguish between the various nodes in the cluster.
Type the IP address of any KeyControl node already in the cluster and press Enter.
If this node:
- Was previously a part of the selected cluster, KeyControl displays a prompt stating this fact and asking if you want to clear the existing data and re-join the cluster. Select Yes and press Enter.
- Was a member of a different cluster, or was originally configured as the only node in the cluster, KeyControl prompts you that all data will be destroyed on the current node if you continue. Select Yes and press Enter, then press Enter again to confirm the action at the next prompt.
Type a one-time passphrase for this KeyControl node and press Enter.

The passphrase must contain at least 16 characters. It is a temporary string used to encrypt the initial communication between this node and the existing KeyControl cluster. When you authenticate the new node with the existing cluster, you will specify this passphrase in the KeyControl webGUI so that the existing node can decrypt the communication and verify that the join request is valid.

If the wizard can connect to the designated KeyControl node, it displays the Authentication screen informing you that the node is now part of the cluster but must be authenticated in the KeyControl webGUI before it can be used by the system.
Authenticate the node in the KeyControl webGUI as described in .

The Authentication screen displays a series of messages beginning with Successfully Authenticated and ending with Cluster Setup Complete after you begin the authorization process in the webGUI.
Once the authentication process is finished, KeyControl displays the HyTrust SecureOS Appliance Configuration screen with a message stating that the node was successfully added to the cluster and showing the IP address for the node. Press Enter to acknowledge the message.

What to Do Next

If necessary, update the list of KeyControl IP addresses on the VMs associated with this cluster. If you are maintaining the list of IP addresses on the VMs, see Updating KeyControl IP Addresses on a VM. If you are using KeyControl Mappings, see Changing a KeyControl Mapping.

Open topic with navigation