Install and configure the Entrust KeyControl server
Install the KeyControl server
The Entrust KeyControl server is a software solution deployed from an OVA or ISO image. Entrust recommends that you read the Entrust KeyControl Installation Overview online documentation to fully understand the KeyControl server deployment.
To configure a KeyControl cluster (active-active configuration is recommended), Entrust recommends the use of the OVA installation method, as described in the Entrust KeyControl OVA Installation online documentation.
After the KeyControl server is deployed, configure the first KeyControl node as described in the Entrust Configuring the First KeyControl Node (OVA Install) online documentation.
After completing this procedure, add the second node as described in the Entrust Adding a New KeyControl Node to an Existing Cluster (OVA Install) online documentation to create the recommended active-active cluster.
Although an active-active cluster is not a requirement, and a single KeyControl node can be deployed to perform the functions of KMIP, Entrust strongly recommends deploying the solution with a minimum of four nodes in an active-active cluster solution.
Your KeyControl license determines how many KeyControl nodes you can have in a cluster. For full information about the KeyControl licensing, see the Entrust Managing the KeyControl License online documentation.
Configure the KeyControl Server
After the Entrust KeyControl server is deployed and the initial installation is complete, you can configure the network settings, e-mail server preferences, and certificate configuration. For these procedures, see the KeyControl System Configuration admin guide.
Configure the KeyControl Server as a KMIP server
Applications that use external key management require an external key management server such as the Entrust KeyControl server. The KeyControl server is the KMIP server and the application is the KMIP client.
To configure the KeyControl server as a KMIP server, see the Entrust Configuring a KeyControl KMIP Server section of the admin guide online documentation.
- Log into the KeyControl web user interface using an account with Security Admin privileges.
- In the top menu bar, select the KMIP icon and then select the Settings tab.
- In the Settings tab:
  - For State, select ENABLED.
  - For Port, accept the default 5696.
  - For Auto-Reconnect, select OFF.
  - For Verify, select Yes.
  - For Certificate Type, select Default.
  - For Non-Blocking I/O, select No.
  - For Timeout, select Infinite.
  - For Log Level, select CREATE-MODIFY.
  - For Restrict TLS, select DISABLED.
  - For SSL/TLS Ciphers, accept the defaults.
- Select Apply.
Create a KMIP tenant
For multi-tenancy, you must create a tenant before setting up any KMIP services.
To create a KMIP tenant:
- Log into the KeyControl web user interface using an account with Security Admin privileges.
- In the top menu bar, select KMIP and then select the Tenants tab.
- Select Actions > Create a KMIP tenant.
  The Create a KMIP Tenant dialog appears.
- In the About tab, enter the Name of the tenant and a Description.
  The tenant name cannot be changed after the tenant is created.
- Select Next.
- In the Authentication tab, for Authentication Type, select Local User Authentication.
  Managed Authentication requires an external IDP or an Active Directory server. For the purpose of this guide, Local User Authentication is used. For more information on how to use Managed Authentication, refer to the Entrust KMIP Tenant Authentication online documentation.
- Select Next.
- In the Admin tab, enter the Administrator information:
  - For User Name, enter the Administrator user name.
  - For Full Name, enter the Administrator full name.
  - For Email, enter the Administrator email.
  - For Password, set the Administrator password.
  - For Password Expiration, set the date when you want the password to expire.
- Select Create. This creates the tenant in KeyControl. Once it is created, it is listed under the Tenants tab.
- Select the newly created tenant. Information about the tenant is displayed. For example:
- Test the tenant. To do this, select the Tenant Login URL and attempt to log in as the user specified during the tenant configuration. If successful, the tenant is ready to create the certificate bundle for the client application.
The Tenant Login URL is used later to enable KMIP key wrapping and to Establish trust between the KeyControl Server and the Client Application.
Establish trust between the KeyControl Server and the Client Application
Certificates are required to facilitate all KMIP communications between the KeyControl Server and the Client Application.
- Log into the KeyControl web user interface using the Tenant Login URL.
  The Tenant Login URL was displayed at the end of the Create a KMIP tenant procedure and is different from the standard KeyControl web user interface URL. For example:
- Select Security, then select Client Certificates.
  The Manage Client Certificate tab appears.
- Select the + icon on the right to create a new certificate.
- In the Create Client Certificate dialog:
  - For Certificate Name, enter a name.
  - For Certificate Expiration, set the date on which you want the certificate to expire.
  - Accept the defaults for the remaining properties. For example:
  - Select Create.
- After it is created, select the new certificate and select Download.
  A zip file downloads, which contains:
  - A <cert_name>.pem file that includes both the client certificate and the private key. The client certificate section of the <cert_name>.pem file includes the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and all text between them. The private key section of the <cert_name>.pem file includes the lines "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and all text between them.
  - A cacert.pem file, which is the root certificate for the KMS cluster. It is always named cacert.pem.
  These files are used on the Client Application to establish trust between KeyControl and the Client Application.

For more information on how to create a certificate bundle, refer to the Entrust Establishing a Trusted Connection with a KeyControl-Generated CSR online documentation.
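As an added example (not part of the Entrust documentation or the KeyControl product), the following Python script, using only the standard library, splits a downloaded <cert_name>.pem bundle into the certificate and private key sections described above, rejects a bundle where either section is missing, duplicated or not base64 DER, and builds the client TLS context that trusts cacert.pem and presents the client certificate, as a KMIP client connecting to port 5696 would. The output file names client.crt and client.key and the sample bundle contents are assumptions.

```python
import base64
import re
import ssl
from pathlib import Path

# The two bundle sections exactly as the KeyControl documentation describes them.
SECTION_RE = {
    "CERTIFICATE": re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S),
    "PRIVATE KEY": re.compile(r"-----BEGIN PRIVATE KEY-----\s*(.*?)\s*-----END PRIVATE KEY-----", re.S),
}

# Constructed stand-in for a downloaded <cert_name>.pem: the bodies are tiny DER
# SEQUENCEs, not a real certificate or key, so the parser can be exercised offline.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMAUCAQAFAA==\n-----END PRIVATE KEY-----\n"
)


def split_bundle(pem_text: str) -> tuple[str, str]:
    """Split a <cert_name>.pem bundle into (certificate_pem, private_key_pem).
    Raises ValueError if a section is missing, duplicated, or not base64 DER."""
    out = {}
    for label, pattern in SECTION_RE.items():
        bodies = pattern.findall(pem_text)
        if len(bodies) != 1:
            raise ValueError(f"expected one {label} section, found {len(bodies)}")
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#8 keys start with SEQUENCE
            raise ValueError(f"{label} body is not a DER SEQUENCE")
        out[label] = f"-----BEGIN {label}-----\n{bodies[0]}\n-----END {label}-----\n"
    return out["CERTIFICATE"], out["PRIVATE KEY"]


def write_split_files(bundle: Path, out_dir: Path) -> tuple[Path, Path]:
    """Write client.crt and client.key (assumed names) for clients needing separate files."""
    cert_pem, key_pem = split_bundle(bundle.read_text())
    cert_path, key_path = out_dir / "client.crt", out_dir / "client.key"
    cert_path.write_text(cert_pem)
    key_path.write_text(key_pem)
    key_path.chmod(0o600)  # only the client process should be able to read the key
    return cert_path, key_path


def kmip_tls_context(cert_path: Path, key_path: Path, cacert_path: Path) -> ssl.SSLContext:
    """TLS context for a KMIP client (KeyControl port 5696): trust only cacert.pem
    as the root and present the client certificate and key for mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=str(cacert_path))
    ctx.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
    return ctx
```

Run write_split_files on the real <cert_name>.pem and pass the resulting paths with cacert.pem to kmip_tls_context; the context will refuse a KeyControl node whose certificate does not chain to cacert.pem.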