Changing a KeyControl Mapping
- Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
- In the top menu bar, click Workloads.
- Click the Mappings tab.
- Select the Mapping you want to change in the list.
- If you want to change the Mapping name, associated Cloud Admin Group, or description, do the following:
- In the Details tab below the table, click the text in the field you want to change.
- Make your changes and click Save.
- If you want to change the KeyControl Vault for VM Encryption nodes in the Mapping or the order of the nodes in the Mapping, do the following:
- Select Actions > Edit Mapping.
- If you want to add a new IP address, click the + (Plus sign) on the right-hand side of the dialog box to add a new row, then enter the following information:

Options

| Field | Description |
| --- | --- |
| External IP | The externally-visible hostname or IP address to which this node should be mapped. Each node in the cluster can be associated with one and only one externally-visible IP address. Note: If the VMs will be communicating with the KeyControl Vault for VM Encryption node through a firewall or in an environment like Amazon Web Services or Microsoft Azure, the externally-visible IP address may not be the same as the internal KeyControl Vault for VM Encryption node IP address. Make sure that all VMs that will use this Mapping can communicate with the KeyControl Vault for VM Encryption node via the specified IP address/port number combination. |
| Port | The port number for the specified Hostname or IP address. The default is 443. |
| KeyControl Server | Select the appropriate KeyControl Vault for VM Encryption node in the drop-down list. You can only have one entry for each KeyControl Vault for VM Encryption node. |
| State | Select Enabled if the node is available to the VMs associated with this KeyControl Mapping. If you want to use this as a placeholder until you bring the node online, select Disabled. The default is Enabled. |
| Description | Enter a description for this node that lets you distinguish it from other nodes in the KeyControl Mapping. |

- If you want to delete an existing entry, click the – (Minus sign) at the end of the row you want to delete.
- When you are done changing the list of nodes, make sure that the order is correct because the order of the IP addresses in the list determines the order of precedence. The first node in a KeyControl Mapping is considered the preferred node, and all VMs will use that node as long as it is available. If the preferred node is offline when a VM heartbeats, the VM will try the other IP addresses in the Mapping, starting with the second IP address in the list and working downwards. Once the VM finds an available KeyControl Vault for VM Encryption node, it will use that node to complete the current heartbeat, and it will continue to use that node until the cluster returns to a healthy state. After the cluster becomes healthy, the VM will resume using the preferred node at its next heartbeat.
If you need to change the order, click and hold on the arrow icon at the beginning of the line to drag the entry to the proper position. Release the mouse to drop the entry in the new location.
You can view the Preferred Node in the Details section of the selected mapping.
- When you are done, click Update. KeyControl Vault for VM Encryption communicates the changes to the associated VMs on their next heartbeat.
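The reachability requirement in the External IP note and the precedence rule above can be checked from a VM that will use the Mapping. The following Python sketch is an added example, not Entrust code: the `Entry` class and the function names are hypothetical, it assumes VMs skip rows whose State is Disabled, and it tests only that a TCP connection opens on each row's address and port.

```python
import socket
from dataclasses import dataclass

@dataclass
class Entry:
    """One row of the Edit Mapping dialog (field names are this example's own)."""
    external_ip: str       # "External IP": hostname or IP the VMs connect to
    port: int = 443        # "Port": 443 is the documented default
    enabled: bool = True   # "State": Disabled rows are placeholders

def reachable(entry, timeout=3.0):
    """True if a TCP connection opens. This shows the path through the
    firewall or NAT is open, not that the peer is a KeyControl node."""
    try:
        with socket.create_connection((entry.external_ip, entry.port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False

def check_mapping(entries, timeout=3.0):
    """Probe rows in list order. Returns (statuses, position), where position
    is the 1-based row a VM would use first, or None if no row is usable."""
    statuses, first_usable = [], None
    for pos, entry in enumerate(entries, start=1):
        if not entry.enabled:
            statuses.append("disabled")  # assumption: VMs skip Disabled rows
        elif reachable(entry, timeout):
            statuses.append("reachable")
            if first_usable is None:
                first_usable = pos
        else:
            statuses.append("unreachable")
    return statuses, first_usable

if __name__ == "__main__":
    # Constructed sample mapping; addresses are documentation-range placeholders.
    mapping = [Entry("192.0.2.10"), Entry("192.0.2.11"),
               Entry("192.0.2.12", 8443, enabled=False)]
    statuses, used = check_mapping(mapping)
    for pos, (entry, status) in enumerate(zip(mapping, statuses), start=1):
        print(f"{pos}. {entry.external_ip}:{entry.port} {status}")
    if used != 1:
        print("WARNING: preferred node (row 1) is not usable from this host; "
              f"VMs here would use row {used}")
```

Enter the rows in the same order as the dialog; a result other than row 1 means VMs on that network path would run on a non-preferred node.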