KeyControl Network Requirements

All KeyControl IP addresses must use IPv4. KeyControl does not support IPv6 addresses.

For KeyControl to KeyControl, KeyControl to KeyControl Compliance Manager, and Policy Agent to KeyControl, the following ports need to be open:

  • Internal protocol—The KeyControl nodes must be able to communicate on TCP/443, TCP/8443, and TCP/5432. If you have a firewall between one or more nodes, you need to make sure that these ports are open.

  • KeyControl Compliance Manager—The KeyControl nodes must be able to communicate on TCP/443 outbound to KeyControl Compliance Manager.

  • KeyControl webGUI—Inbound TCP/443 to administrator systems from any KeyControl server in the cluster.
  • KeyControl support-level access—Inbound TCP/22 from administrator systems to any KeyControl server in the cluster.
  • Policy Agent to KeyControl—Inbound TCP/443 from the Policy Agent to each of the KeyControl nodes in the cluster.

For KeyControl infrastructure services, the following ports need to be open:

  • DNS—Outbound UDP/53
  • SMTP—Outbound mail server, typically TCP/25.

    Note: If you disable SMTPS and the server supports StartTLS, StartTLS is used when the connection is made. SMTPS is not compatible with StartTLS, so only one of them can be used.

  • SYSLOG—An outbound TCP or UDP port between 25 and 65535 if you want to use a remote syslog server. KeyControl supports both TCP and UDP for syslog.

  • Backup and Restore via NFS—If you want to access the KeyControl-generated backup files via NFS, you need to open the following ports: 2046 (lockd), 2047 (rpc.statd), 2048 (rpc.mountd), and 2049 (default NFS port).

    If you need to check the port status, you can run one of the following commands:
    rpcinfo <KeyControl_Vault_IP_Address> or rpcinfo <KeyControl_Vault_Name>

  • NTP—Outbound NTP servers, typically UDP/123 or TCP/123

Note: The network ports indicated for SMTP, syslog, and NTP are the typical ports for these services. If you need to change those ports, consult with the administrators of these services.

If you want to configure KeyControl as a KMIP server, you need to open the port that you plan to use for it. The default KMIP port is 5696.
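
A pre-flight check for the TCP ports listed above, run from one node against the others to confirm that an intervening firewall is not blocking them. This is an added example, not part of KeyControl or its documentation; the node addresses are constructed placeholders and the function names are hypothetical.

```python
import socket

# TCP ports from this page. UDP services (DNS, NTP, syslog over UDP) are not
# covered: a UDP "connect" cannot tell an open port from a filtered one.
INTERNAL_PORTS = {443: "internal / webGUI / Policy Agent", 8443: "internal", 5432: "internal"}
OPTIONAL_PORTS = {22: "support-level access", 5696: "KMIP (default port)"}


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered), unreachable, DNS failure
        return False


def check_nodes(nodes, ports, timeout=3.0):
    """Probe every port on every node; return {(host, port): reachable}."""
    return {(h, p): tcp_open(h, p, timeout) for h in nodes for p in ports}


def blocked(results):
    """Sorted list of (host, port) pairs that could not be reached."""
    return sorted(hp for hp, ok in results.items() if not ok)


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1); replace with the other
    # KeyControl nodes as seen from the node you run this on.
    nodes = ["192.0.2.11", "192.0.2.12"]
    ports = {**INTERNAL_PORTS, **OPTIONAL_PORTS}
    results = check_nodes(nodes, ports)
    for host, port in blocked(results):
        print(f"BLOCKED {host} tcp/{port}  ({ports[port]})")
    print(f"{len(results) - len(blocked(results))}/{len(results)} ports reachable")
```

A port reported as blocked may be filtered by a firewall or simply have no service listening yet, so run the check after the target node is up.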