I’ve updated my KeyControl Quick Install Guide to be in line with the latest release of KeyControl 4.2.1. Quite frankly, this version is even easier to deploy than previous versions and those were easy to install, to begin with. This guide is intended to help you get KeyControl installed very quickly in your environments so that you can enable encryption on both vSphere 6.5 and vSAN 6.6 ENT and newer versions. Today, HyTrust already support both vSphere 6.7 U1 and vSAN 6.7 as well. You can find us on the VMware Compatibility Matrix.
Before starting, I would suggest you have the following prerequisites out of the way. It will just make the deployment go much more smoothly.
- The HyTrust KeyControl OVA already downloaded
- 2 IPs reserved and ready to go for a pair of KeyControl appliances.
- Forward and reverse DNS records completed for each KeyControl appliance.
Deploy A New HyTrust KeyControl Appliance
Log into your vCSA, and select Deploy OVF Template.
At the Deploy OVF Template window, click on Browse.
Navigate to the directory where you have downloaded the HyTrust KeyControl OVA, select it, then click Open.
Now that you have the HyTrust KeyControl OVA selected, Click on Next.
Provide a name for the HyTrust KeyControl appliance, select a deployment location, then click Next.
Select the vSphere cluster or host, then click Next.
Review the details, then click Next.
Select the appropriate configuration from the drop-down menu, then click Next.
Select the appropriate storage and disk format for the KeyControl appliance, then click Next.
Select the appropriate network, then click Next.
Provide the required information in the Customize template section, then click Next.
Review the summary screen, if everything is correct, click finish.
Configuring the HyTrust KeyControl Appliance
In vCenter\vCSA, power on the newly created HyTrust KeyControl appliance, open a console to the KeyControl appliance, set the system password, then click OK.
As this is the first KeyControl node, select No, then press enter on your keyboard.
Review and ensure that the appliance is displaying the correct IP. If correct, press Enter on your keyboard.
Select 8 and press Enter on your keyboard to log out.
NOTE: You will repeat the steps above to deploy a second KeyControl appliance so that you can cluster KeyControl in a High Availability (HA) cluster. This will be covered in the last section of this post.
Configuring the HyTrust KeyControl WebGUI
Launch a web browser and navigate to the IP or FQDN of the KeyControl WebGUI. Use the following credentials to initially log in:
Username: secroot
Password: secroot
Upon logging in, read and accept the EULA by clicking on I Agree at the bottom of the agreement.
Enter a new password for the secroot account, then click Update Password.
Configure E-mail and Mail Server Settings by entering the relevant information. You can disable e-mail notifications and configure this at a later time in the WebGUI. If disabling, skip to the next step.
If opting to skip and set up E-mail and Mail Server settings later, place a check next to Disable e-mail notification, then click Continue.
Place a check next to the option you would like. For lab environments, we recommend disabling this feature. Then click Save & Continue.
Click the KMIP button on the toolbar, Enable KMIP by changing the state from disabled to ENABLED, then from the Protocol drop-down menu, select Version 1.1, then click Apply.
TIP: Jot down the port number. You will need this when you establish trust between KeyControl and vCenter later.
Click Proceed to overwrite all existing KMIP Server settings.
Click on the Actions button and select Create Certificate from the drop-down menu.
Provide the certificate a name and a Certificate Expiration date, then click Create. By default, the certificate is set to expire in one year.
NOTE: Do NOT specify a password here. It will conflict later when establishing the trust between vCenter\vCSA and KeyControl.
Highlight the newly created certificate, then click the Actions button and select Download Certificate from the drop-down menu. This will download the certificate created in the previous step. A zip file containing the certificate required will be downloaded.
Establish Trust Between KeyControl & vCenter
Log into the vCSA, highlight the vCenter on the left-hand pane, click on the Configure tab in the right-hand pane, click on Key Management Servers, then click the Add KMS button.
Supply a Cluster name, Server Alias, Fully Qualified Domain Name (FQDN) of the KeyControl appliance, and the port number. Leave the other fields as default or blank, then click OK.
Click on Yes to set to set this as the default KMS cluster. In this example, the default cluster will be HyTrust.
Click on Trust to add the certificate and KeyControl to the KMS servers list.
Establish the trust relationship between vCenter\vCSA and HyTrust KeyControl. Highlight the KeyControl appliance, click on All Actions, then click on Establish trust with KMS.
Select the Upload certificate and private key option, then click OK.
Click on the Upload file button.
Navigate to where the certificate\pem file was previously downloaded, select the “vCenter”.pem file, then click Open.
Repeat the process for the private key by clicking on the second Upload file button.
Select the “vCenter”.pem file once again, then click Open.
Verify that both fields are populated with the same file, then click OK.
Success! You will now see that the Connection Status is shown as Normal indicating that trust has been established. HyTrust KeyControl is now set up as the Key Management Server (KMS) for vCenter. You can now start to encrypt virtual machines in your vSphere 6.5 and 6.7 environments. If this is a vSAN 6.6 or 6.7 Ent cluster, you can now move over to vCenter\vCSA and enable encryption for vSAN there as well.
Now that you have deployed the primary KeyControl appliance and have established the trust between vCenter\vCSA and KeyControl, you can begin to configure KeyControl in an HA cluster. In reality, you can configure KeyControl in an HA cluster at any time. It’s not a hard requirement to wait until trust has been established with vCenter. Click the following link to see how KeyControl is configured for HA: Configure KeyControl for HA