Procedures

Prerequisites

Before integrating the Entrust KeyControl Vault server with AWS External Key Store (XKS), ensure the following:

  • Entrust KeyControl Vault server is deployed and configured. For details, see KeyControl Installation.

  • Entrust KeyControl Compliance Manager is deployed and configured.

For this integration, the KeyControl Vault servers were deployed using AWS EC2 instances. To learn more about deploying KeyControl Vault in Amazon Web Services, refer to Creating KC Cluster AWS.

However, KeyControl Vault servers can also be deployed outside of AWS EC2, provided they fulfill the requirements outlined in [requirements].

Adding an Elastic Load Balancer

After cluster set-up is complete, you must use AWS Elastic Load Balancing to load-balance the KeyControl nodes.

For more information on AWS ELB, refer to AWS ELB Documentation.

Configure target group

To configure the target group:

  1. Sign in to the Amazon EC2 console.

  2. In the navigation pane, under Load Balancing, select Target Groups.

  3. Select Create target group.

  4. Under Basic configuration:

    1. Select Instances as target type.

    2. For Target group name, enter a name for the new target group.

    3. For Protocol, select HTTPS.

    4. For Port, select 443.

    5. Select the VPC containing your instances.

    6. For Protocol version, retain the default.

  5. Under Health checks:

    1. For Health check protocol, select HTTPS.

    2. Retain the default settings for other properties.

  6. Select Next.

  7. On the Register Targets page, complete the following steps. Registering targets is optional when creating the load balancer, but you must register the KeyControl instances if you want to test the load balancer and confirm that it routes traffic to them.

    1. For Available instances, select the two KeyControl instances.

    2. For Port for the selected instances, enter 443, and select Include as pending below.

    3. Select Create target group.

Create an Elastic Load Balancer

To create an Elastic Load Balancer:

  1. Sign in to the Amazon EC2 console.

  2. On the navigation bar, select a region for your load balancer. You must select the same region that you used for your EC2 instances.

  3. In the navigation pane, under Load Balancing, select Load Balancers.

  4. Select Create Load Balancer.

  5. Select Application Load Balancer, then select Create.

  6. Under Basic configuration:

    1. For Load balancer name, enter a name for your load balancer.

    2. For Scheme, select Internet-facing.

    3. Retain the IP address type default.

  7. Under Network mapping:

    1. For VPC, select the VPC that you used for your EC2 instances.

    2. For Mappings, select at least two Availability Zones and one subnet per zone.

    3. For each Availability Zone that you used to launch your EC2 instances, select the Availability Zone and then select one public subnet for that Availability Zone.

    4. You must select at least one Availability Zone that was used when launching your instances.

  8. Under Security groups:

    1. For Security group, select the default security group for the VPC that you selected in the previous step. Alternatively, you can select a different security group.

    2. Ensure that the security group includes rules that allow the load balancer to communicate with registered targets on both the listener port and the health check port.

    3. The inbound rule must include the VPC as a source and allow either all ports or the port you are using for the listener.

  9. Under Listeners and routing:

    1. For Protocol, retain the default setting.

    2. For Port, retain the default setting.

    3. For Default action, select the Forward to action and select the target group that you created and registered.

    4. Leave Add-on services and Load balancer tags unchecked at their defaults.

    This configures a listener that accepts HTTP traffic on port 80 and forwards traffic to the selected target group by default.

  10. Review your configuration and select Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer.

  11. Select Create load balancer.

After you receive the notification confirming the successful creation of your load balancer, follow the steps below to verify the status of your instances and test the load balancer.

  1. After you are notified that your load balancer was created successfully, select Close.

  2. In the navigation pane, under Load Balancing, select Target Groups.

  3. Select the newly created target group.

  4. Select Targets and verify that your instances are ready.

    If the status of an instance is Initial, the instance is either still being registered or has not yet passed the minimum number of health checks to be considered healthy. Wait until the status of at least one instance is Healthy.

Configure certificates and DNS

For a successful AWS External Key Store (XKS) set-up, note that the DNS record and TLS certificate must be for the Fully Qualified Domain Name (FQDN) of the load-balanced endpoint used to access the service, not for the individual KeyControl instances.

Ensure that the KeyControl Vault server has a publicly accessible IP address and that a DNS record for the designated common name exists on the public DNS server.

Amazon recommends a round-trip latency of under 35 milliseconds between the AWS Region and the KeyControl server.

You must obtain a TLS certificate issued by a public certificate authority supported for external key stores. For a list, see https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities

To ensure seamless access across the cluster nodes, install the TLS certificate on all nodes of the cluster, especially if users will access the cluster through other nodes. If an Elastic Load Balancer (ELB) is part of the set-up, certificate handling differs: the TLS certificate must then be managed according to ELB requirements.

  1. In the KeyControl Appliance Management:

    1. Navigate to Cluster > Servers.

    2. Select the server to install the certificate.

    3. Select Actions > Install Certificate. The Install Custom SSL Certificate dialog appears.

    4. Locate and select the SSL Certificate file.

    5. Locate and select the CA certificate chain file.

    6. Select External for the Web server.

    7. Select Install Certificate.

  2. After installation, restart the Web service.

  3. Confirm the installation. The External Web server will now show as Custom for the certificate.

  4. You can validate the certificate using https://entrust.ssllabs.com/ or a similar tool.

    If you are not able to verify the server hostname, ensure that any firewalls between AWS KMS and the external key store proxy allow traffic to and from port 443 on the proxy.
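The following pre-flight script is an added example, not Entrust's or AWS's code. It checks the endpoint requirements stated in this section for the load-balanced FQDN: every resolved address is public, TLS on port 443 validates for that hostname, and the measured round trip stays within the 35 ms budget. The hostname on the command line is a placeholder; the local trust store stands in for the AWS-published CA list, so the printed issuer still has to be compared with that list by hand.

```python
import ipaddress
import socket
import ssl
import sys
import time

RTT_BUDGET_MS = 35.0  # recommended maximum round-trip time between the AWS Region and KeyControl
XKS_PORT = 443        # the port AWS KMS uses to reach the external key store proxy


def is_public_ip(addr: str) -> bool:
    """True only for globally routable addresses; RFC 1918, loopback and
    link-local ranges cannot be reached by AWS KMS over a public endpoint."""
    return ipaddress.ip_address(addr).is_global


def rtt_within_budget(rtt_ms: float, budget_ms: float = RTT_BUDGET_MS) -> bool:
    """Compare a measured round-trip time against the recommended budget."""
    return rtt_ms <= budget_ms


def resolve_public_addresses(fqdn: str) -> list[str]:
    """Resolve the load-balanced FQDN and insist that every address is public."""
    infos = socket.getaddrinfo(fqdn, XKS_PORT, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    non_public = [a for a in addrs if not is_public_ip(a)]
    if non_public:
        raise ValueError(f"{fqdn} resolves to non-public address(es): {non_public}")
    return addrs


def check_tls_endpoint(fqdn: str, timeout: float = 5.0) -> dict:
    """Time the TCP connect (roughly one round trip), then complete a TLS
    handshake with the default context, which rejects an untrusted chain or a
    certificate whose name does not match the FQDN."""
    ctx = ssl.create_default_context()  # verifies chain against the local store and checks hostname
    start = time.perf_counter()
    with socket.create_connection((fqdn, XKS_PORT), timeout=timeout) as raw:
        rtt_ms = (time.perf_counter() - start) * 1000.0
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
    return {"rtt_ms": round(rtt_ms, 1), "rtt_ok": rtt_within_budget(rtt_ms),
            "issuer": issuer.get("organizationName", "?")}


if __name__ == "__main__":
    # Usage: python xks_preflight.py xks.example.com   (placeholder hostname)
    host = sys.argv[1]
    print("addresses:", resolve_public_addresses(host))
    print("tls:", check_tls_endpoint(host))
```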

Key Administrators - AWS IAM user

To enable the integration, you must designate an IAM user as a Key Administrator. This user is required to generate an access key that will be used in a later step.

This user must have permissions to manage and use the KMS key for cryptographic operations.

  1. Sign in to the AWS Management Console.

  2. Search for the Identity and Access Management (IAM) service and select it.

  3. In the IAM console, select Access Management in the left pane and then select Users.

  4. Create a new user or use an existing user to generate an access key. In this example integration, a new user named xks-user is created as the Key Administrator.

  5. In the user settings, select Create access key and select Third-party service.

  6. Create the access key.

    Ensure that you securely store the Access key ID and Secret access key, as they are required for accessing and managing your AWS resources.

Create a Cloud Key Management Vault

The KeyControl Vault appliance supports the following types of vaults:

  • Cloud Key Management - Vault for cloud keys such as BYOK and HYOK.

  • KMIP Vault - Vault for KMIP Objects.

  • PASM - Vault for objects such as passwords, files, SSH keys, and so on.

  • Database - Vault for database keys.

  • Tokenization - Vault for tokenization policies.

  • VM Encryption - Vault for encrypting VMs.

To create a Cloud Key Management Vault:

  1. Sign in to the KeyControl Vault Server Appliance Manager.

  2. Open the drop-down menu and select Vault Management.

    The KeyControl Vault Management interface appears.

  3. Select Create Vault.

    The Create Vault page appears.

  4. On the Create Vault page:

    1. For Type, select Cloud Key Management.

    2. Enter a Name for the vault.

    3. Provide a Description for the vault.

  5. Under Administration:

    1. Enter the Admin Name who will be responsible for the vault.

    2. Enter a valid Admin Email address.

  6. Select Create Vault.

    If you set up an administrator email address when you logged in for the first time, a temporary password is mailed to that address. This is the password you must use when you sign in to the Vaults space in KeyControl for the first time.

    If you did not set up an email configuration when you logged in for the first time, a password is shown in the Vault Details when you create a Vault for the first time. You must make a note of the password at this time, as it will not be included in the Vault Details afterwards.

  7. Select Close.

    The newly created vault is displayed in the Vaults dashboard.

  8. To view the details of a vault, hover over the vault and select View Details.

To edit the details of a vault:

  1. Hover over the vault and select Edit.

  2. Make the required changes and select Apply.

Create a CSP Account in the Cloud Key Management Vault

To create a CSP Account in the Cloud Key Management Vault:

  1. Sign in to the newly created vault.

  2. Select Cloud Keys > CSP Accounts > Actions > Add CSP Account.

    The Add CSP Account dialog appears.

  3. In the Details page:

    1. For Name, enter a name for the CSP account.

    2. Add a Description.

    3. For Admin Group, select Cloud Admin Group.

    4. For Type, select AWS.

    5. Enter the AWS Access Key ID and AWS Secret Access Key from earlier.

    6. Select the target region as the default region.

    7. Select Continue.

  4. In the Schedule page:

    1. Select the required Rotation Schedule.

    2. Select Apply.

Create the Key Set

To create the Key Set:

  1. Under CloudKeys, select Key Sets > Create a Key Set Now.

  2. Select AWS Key as the type of keys in the key set.

    The Create Key Set dialog appears.

  3. In the Details page:

    1. Enter a Name.

    2. Enter a Description.

    3. For Admin Group, select Cloud Admin Group.

    4. Select Continue.

  4. In the CSP Account page:

    1. For CSP Account, select the aws_csp account created earlier.

    2. Select Use as External Key Store.

    3. Make a note of the XKS credentials, as these are required later.

    4. Select Continue.

  5. In the HSM page:

    1. Optionally select Enable HSM.

    2. Select Continue.

    To set up an HSM linked to KeyControl, follow the installation and set-up instructions in the Entrust KeyControl nShield HSM Integration Guide.
  6. In the Schedule page:

    1. For Rotation Schedule, select your required CloudKey rotation.

    2. Select Apply.

Create an External Key Store in AWS

To create an External Key Store in AWS:

  1. Sign in to the AWS console and navigate to Key Management Service (KMS).

  2. In the left panel, select Custom key stores > External key stores.

  3. For Key store name, enter the required name.

  4. Select Create external key store.

    The Create external key store page appears.

  5. Under Custom key store name, provide a descriptive name for the external key store.

  6. Under Proxy connectivity:

    1. Select Public endpoint.

    2. For Proxy URI endpoint, enter the Proxy URI endpoint in the following format:

      https://<FQDN of Load Balanced Endpoint>

      Substitute <FQDN of Load Balanced Endpoint> with the fully qualified domain name of the load-balanced endpoint used to access the service; this is not the name of any individual KeyControl instance.

  7. Under Proxy configuration:

    1. Leave Proxy URI path prefix empty.

    2. For Proxy credential: Access key ID, enter the previously saved proxy access key ID.

    3. For Proxy credential: Secret access key, enter the previously saved proxy secret access key.

    4. Select Create external key store.

    A details page for the new external key store appears.

  8. Select External key stores to view all external key stores.

  9. Select Key store actions > Connect to connect to the external key store.

  10. Wait for the Connection state to display as Connected.

  11. Return to KeyControl Cloud Key Management Vault and select CLOUDKEYS > CloudKeys.

  12. Select the Key Set created earlier along with the Region.

  13. Select Actions > Create CloudKey.

    The Create CloudKey dialog appears.

  14. In the Details page:

    1. For Name, enter a name for the CloudKey.

    2. Enter a Description.

    3. Select Continue.

  15. In the Access page:

    1. For Administrators, select AWS IAM users who will have administrative rights.

    2. For Users, select AWS IAM users who will be able to use the key to encrypt/decrypt.

    3. Select Continue.

  16. In the Schedule page:

    1. For Rotation Schedule, select a rotation schedule for the CloudKey.

    2. For Expiration, select the required condition.

    3. Select Apply to finish the process.

    After the XKS CloudKey is created in KeyControl, a KMS key pointer is automatically created in AWS KMS with a key alias that matches the KeyControl CloudKey name. This KMS key pointer can be utilized by AWS services to encrypt or decrypt user objects.

  17. Return to AWS KMS > Customer managed keys to find the created CloudKey.

  18. Select either the Aliases or Key ID hyperlink for the CloudKey.

    A details page for the CloudKey appears.

  19. Select Cryptographic configuration.

    Note that under Custom key store, the Custom key store name appears and the Custom key store type is listed as External.

  20. Under General configuration, copy the AWS KMS ARN for a later step.

Test the integration

To test the integration:

  1. Sign in to the AWS Console and access S3 services.

  2. From the left panel, select Buckets and then select Create bucket.

    The Create bucket page appears.

  3. Under General configuration:

    1. For Bucket name, enter the required name for the bucket.

    2. Select an appropriate AWS Region.

  4. Under Object Ownership, select ACLs disabled.

  5. Under Bucket Versioning, set Bucket Versioning to Disable.

  6. Under Default encryption:

    1. For Encryption type, select Server-side encryption with AWS Key Management Service keys (SSE-KMS).

    2. For AWS KMS key:

      1. Select Enter AWS KMS key ARN.

      2. Paste the AWS KMS ARN from the previously created CloudKey.

    3. For Bucket Key, select Enable.

    4. Select Create bucket to complete the process.

    The bucket is created.

  7. Select the hyperlink for the bucket.

    A details page for the bucket appears.

  8. Select Objects.

  9. To test the encryption, select Upload.

    The Upload dialog appears.

  10. Select Add files.

  11. Locate and select an image to upload.

    The file is added to the list of available images.

  12. Select the check box for the image file and select Upload.

    In this example, the Entrust-Image.png file was added and can be selected and uploaded.

    The newly uploaded image is listed within the bucket.

  13. Select the new image and select Open to view it.

    The image opens in a browser window.

  14. Return to KeyControl Cloud Key Management Vault and select CLOUDKEYS > CloudKeys.

  15. Select the CloudKey and then select Actions > Disable CloudKey.

    The CloudKey is disabled.

  16. Return to the AWS S3 bucket and attempt to open the uploaded image.

    The image cannot be viewed because the CloudKey is disabled: AWS KMS can no longer decrypt with the key held in KeyControl.

  17. Re-enable the CloudKey in the KeyControl Cloud Key Management Vault.

  18. Return to the AWS S3 bucket.

  19. Open the uploaded image again. It is now viewable.

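A scripted version of the test above, added here as an example (not Entrust's or AWS's code), makes the disable/re-enable check repeatable: it sets the bucket's default encryption to SSE-KMS with the XKS-backed key exactly as the console steps do, stores an object, and reports whether GetObject succeeds. It assumes the bucket already exists, that boto3 is installed with credentials for the Key Administrator user, and it takes the bucket name and KMS key ARN as placeholders on the command line.

```python
import sys


def bucket_encryption_rule(kms_key_arn: str) -> dict:
    """Default-encryption setting matching the console steps: SSE-KMS with the
    XKS-backed key and S3 Bucket Key enabled."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,
    }]}


def classify_read(get_object) -> tuple:
    """Run a GetObject call and return ('readable', size) or ('denied', code).
    A botocore ClientError carries the service error code in exc.response; the
    code is reported as returned, any other exception by its type name."""
    try:
        body = get_object()["Body"].read()
        return ("readable", len(body))
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        return ("denied", code)


def run(bucket: str, kms_key_arn: str, key: str = "Entrust-Image.png", write: bool = True) -> tuple:
    """First run: apply default encryption and store a constructed test object.
    Every run: read the object back through S3, which must call KMS, which in
    turn must reach the KeyControl CloudKey through the external key store."""
    import boto3  # imported lazily so the helpers above can be exercised without AWS
    s3 = boto3.client("s3")
    if write:
        s3.put_bucket_encryption(
            Bucket=bucket,
            ServerSideEncryptionConfiguration=bucket_encryption_rule(kms_key_arn))
        s3.put_object(Bucket=bucket, Key=key, Body=b"constructed test payload")
    return classify_read(lambda: s3.get_object(Bucket=bucket, Key=key))


if __name__ == "__main__":
    # python xks_s3_test.py <bucket> <kms-key-arn> [--read-only]
    # 1. run once (expect 'readable'); 2. disable the CloudKey in KeyControl and
    # run with --read-only (expect 'denied'); 3. re-enable it and run with
    # --read-only again (expect 'readable').
    bucket, arn = sys.argv[1], sys.argv[2]
    print(run(bucket, arn, write="--read-only" not in sys.argv))
```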

This concludes the integration process.