Configuring Additional KeyControl Nodes

After the AWS instance is deployed, you need to configure the KeyControl node using SSH. The following procedure describes how to configure the node as part of an existing KeyControl cluster. If you want to configure this node as the first node in the KeyControl cluster, see Configuring the First KeyControl Node.

Before You Begin

Make sure that the new KeyControl node can communicate with the KeyControl nodes in the existing KeyControl cluster. For details, see your AWS documentation.

Make sure you have the following information:

  • The Amazon instance ID for the new KeyControl instance.
  • The Elastic (Public) IP address associated with the new instance.
  • The private key file (in pem format) that was used when the new instance was created.

    Tip: To find this information, select Instances from the Amazon Management Console EC2 Dashboard, then select the KeyControl instance in the table. In the Description tab, look at the Instance ID, IPv4 Public IP, and Key pair name fields.

  • The private IP address of one of the existing KeyControl nodes in the cluster.

    Tip: To find this IP address, log into the KeyControl webGUI on one of the existing nodes and click Cluster in the top menu bar. Go to the Servers tab and look at the IP address in the table.

Procedure

  1. Use a web browser to navigate to https://<Elastic-IP-addy>, where <Elastic-IP-addy> is the Elastic IP address associated with the KeyControl AWS instance. For security reasons, you must explicitly specify https:// in the URL.
  2. If prompted, add a security exception for the KeyControl IP address and proceed to the KeyControl webGUI.

    KeyControl uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see KeyControl Certificates.

  3. On the HyTrust KeyControl Login page, enter secroot for the username and the AWS instance ID as the password.
  4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
  5. On the Welcome to KeyControl screen, click Join an Existing Cluster.

    The Join Existing Cluster window displays.

  6. On the Get Started page, review the overview information to confirm that you are ready to begin. You need:

    • Access to the cluster you are joining the node to. We recommend that you open the webGUI for the cluster in a different tab or browser window.
    • Permissions on both this node and the cluster node so you can download and import the required certificates and files.
    • A passphrase to use during the joining process. Passphrase requirements are configured by a KeyControl administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing KeyControl cluster.
    • Confirmation that both this node and the cluster node are running the same KeyControl version and build. The version number for the cluster node is on the Settings > System Upgrade page.
  7. Click Continue.
  8. On the Download CSR page, click Generate and Download CSR.
  9. Click Continue.
  10. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
  11. Select Actions > Add a Node.
  12. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  13. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  14. Click OK to close the Add a Node window.
  15. Return to the new node and click Continue.
  16. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the private IP address of any node in the existing cluster, and enter the passphrase that you selected.

    Note: KeyControl uses the private IP address of its cluster members for cluster communication, such as heartbeat and object store synchronization.

  17. Click Join.

    During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.

    The cluster will automatically be placed in maintenance mode.

    The node will restart after the join is complete.

  18. When the node has successfully restarted, click Login.
  19. Optional. Log into the htadmin account on the KeyControl System Console using the private key file. For example:

    ssh -i <key-file>.pem htadmin@<Elastic-IP-addy>

    The password is the Amazon instance ID.

    After logging in, you can change this password. The change applies only to the htadmin login on this node.
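Before uploading the unpacked bundle on the Node page (step 16), it is worth confirming that the .p12 opens with the passphrase you chose in step 12 and that the certificate inside it was issued by the CA certificate shipped in the same bundle; a wrong passphrase or a bundle downloaded for a different node fails here rather than partway through the join. The check below is an added example, not HyTrust's own tooling, and assumes the bundle has been unpacked into a directory containing one .p12 (protected with the join passphrase) and one .pem, with openssl installed.

```shell
#!/bin/sh
# Added example, not HyTrust's own tooling. Assumptions: the certificate bundle
# from the cluster node has already been unpacked into a directory holding one
# *.p12 (the node certificate, protected with the join passphrase) and one
# *.pem (the cluster CA certificate), and openssl is installed.
set -eu

# check_bundle DIR PASSPHRASE
# Opens the .p12 with the passphrase, extracts the node certificate (no keys)
# and verifies that it chains to the CA certificate in the same directory.
# Prints the certificate subject and expiry on success; returns 1 with the
# reason on stderr otherwise.
check_bundle() {
    dir=$1
    pass=$2
    p12=$(ls "$dir"/*.p12 2>/dev/null | head -n 1)
    ca=$(ls "$dir"/*.pem 2>/dev/null | head -n 1)
    if [ -z "$p12" ] || [ -z "$ca" ]; then
        echo "bundle directory must contain a .p12 and a .pem file" >&2
        return 1
    fi
    work=$(mktemp -d)
    # -nokeys -clcerts: pull out only the end-entity certificate
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
            -out "$work/node.crt" >/dev/null 2>&1; then
        echo "cannot open $p12: wrong passphrase or corrupt file" >&2
        rm -rf "$work"
        return 1
    fi
    # the node certificate must be signed by the CA shipped in the bundle
    if ! openssl verify -CAfile "$ca" "$work/node.crt" >/dev/null 2>&1; then
        echo "node certificate does not chain to $ca" >&2
        rm -rf "$work"
        return 1
    fi
    openssl x509 -in "$work/node.crt" -noout -subject -enddate
    rm -rf "$work"
}
```

Run it as `check_bundle /path/to/unpacked-bundle '<passphrase>'`; a non-zero exit means the bundle should not be uploaded.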