Creating the KMS Cluster in vSphere

Note: The following procedure is based on vCenter Web Client in vSphere 6.5. If your version of the vCenter Web Client is different from what is described below, please see your vCenter documentation to determine how to add the KMS cluster.
  1. Launch the vSphere Web Client and log into the vCenter server that you want to add to HyTrust KeyControl.
  2. Select the vCenter Server in the Global Inventory Lists.
  3. Click Configure.
  4. Select Key Management Servers.
  5. Click Add KMS and set the following configuration options:

    KMS cluster: Select <Create new cluster>.

    Cluster name and Server alias: Enter a name and alias for the cluster. These names are local to vSphere and are not used by KeyControl.

    Server address: The IP address of the HyTrust KMIP server. This IP address must match the KeyControl KMIP server Host Name shown in the KeyControl webGUI.

    Server port: The port number of the HyTrust KMIP server. The KMIP standard port is 5696.

    Proxy address and Proxy port: Enter this information if required by your network administrator.

    User name and Password: Leave both fields empty. Important: Do not enter a user name or password for the KMS cluster.

  6. Click OK.
  7. When prompted, click Yes to make this the default KMS cluster.
  8. In the Trust Certificate dialog box, click Trust.

    This adds the KMS cluster to vCenter, but the connection status will be "Cannot establish trust connection".

  9. To establish a trusted connection, select the KMS in the list then select All Actions > Establish Trust with KMS.
  10. In the Establish Trust with KMS dialog box, select Upload certificate and private key then click OK.
  11. In the Upload Certificate and Private Key dialog box, you need to upload the <username>.pem file you created two times: once as the KMS certificate and once as the private key. To do so:
    1. Click Upload file under the KMS certificate text box.
    2. Select the <username>.pem file and click Open.
    3. Click Upload file under the private key text box.
    4. Select the <username>.pem file again and click Open.
    5. Click OK.

      [Illustration: a certificate called KMIPUser.pem being uploaded to vSphere]

  12. After <username>.pem has been uploaded, click OK.
    Note: If the certificate is not accepted, make sure that you did not enter a password when you created the KMIP server user. Due to a vSphere limitation, you cannot upload encrypted certificates. For details, see Creating a User for VMware Encryption.
  13. Wait until vCenter reports that the connection status for the KMS cluster has changed to "Normal".
  14. If you want to add additional HyTrust KMIP servers in the same KMS cluster:
    1. Select the HyTrust KMS you created.
    2. Click Add KMS.
    3. In the KMS Cluster field, make sure the HyTrustKMS cluster is selected.
    4. Enter the server alias, address, and port for the additional KeyControl KMIP server.
    5. Click OK.
    6. In the Trust Certificate dialog box, click Trust.
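
As an added check for steps 11 and 12 (example code written for this page, not HyTrust or VMware code), the following Python script inspects a <username>.pem file before it is uploaded and reports whether it holds a certificate plus an unencrypted private key, which is what vSphere needs when the same file is supplied for both fields. The PEM blocks it parses are constructed samples, not real keys or certificates.

```python
import base64
import re
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem_blocks(text: str) -> list:
    """Split PEM text into dicts holding each block's label, headers and decoded DER bytes."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        headers, b64 = {}, []
        for line in filter(None, map(str.strip, m.group("body").splitlines())):
            if ":" in line and not b64:  # e.g. "Proc-Type: 4,ENCRYPTED" precedes the body
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64.append(line)
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        blocks.append({"label": m.group("label"), "headers": headers, "der": der})
    return blocks

def check_kms_pem(text: str) -> dict:
    """Report whether the file holds a certificate plus an unencrypted private key."""
    blocks = parse_pem_blocks(text)
    labels = [b["label"] for b in blocks]
    keys = [b for b in blocks if b["label"] in _KEY_LABELS]
    # Password-protected keys: PKCS#8 "ENCRYPTED PRIVATE KEY", or a legacy key block
    # carrying a "Proc-Type: 4,ENCRYPTED" header.
    encrypted = "ENCRYPTED PRIVATE KEY" in labels or any(
        "ENCRYPTED" in b["headers"].get("Proc-Type", "").upper() for b in keys)
    problems = [msg for cond, msg in (
        ("CERTIFICATE" not in labels, "no CERTIFICATE block"),
        (encrypted, "private key is password-protected; vSphere cannot upload it"),
        (not keys and not encrypted, "no private key block"),
        (any(not b["der"] for b in blocks), "a block has undecodable base64")) if cond]
    return {"labels": labels, "ok": not problems, "problems": problems}

def _pem(label: str, payload: bytes, headers: str = "") -> str:
    """Build a constructed, syntactically valid PEM block (payload is not a real key/cert)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed sample files: one usable for the upload, one with a password-protected key.
GOOD_PEM = _pem("CERTIFICATE", b"fake cert") + _pem("PRIVATE KEY", b"fake key")
ENCRYPTED_PEM = _pem("CERTIFICATE", b"fake cert") + _pem(
    "RSA PRIVATE KEY", b"fake key", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

Run `check_kms_pem(open("<username>.pem").read())` on the real file; a non-empty "problems" list explains why vSphere would reject the upload.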

[Illustration: HyTrust KMS Cluster in vSphere, showing a HyTrust KMS with three KMIP servers]

The critical information is the Connection Status for each KMIP server in the cluster and the Certificate Status for the overall KMS cluster. The certificate status for the individual KMIP servers in the cluster can be ignored.