Deploy and configure Entrust KeyControl

Deploy an Entrust KeyControl cluster

This deployment consists of two nodes.

  1. Download the Entrust KeyControl software from Entrust TrustedCare. The software is available as either an OVA or an ISO image. This guide uses the OVA installation method in VMware for simplicity.

  2. Install Entrust KeyControl as described in Entrust KeyControl OVA Installation.

  3. Configure the first Entrust KeyControl node as described in Configuring the First Entrust KeyControl Node (OVA Install).

  4. Add the second Entrust KeyControl node to the cluster as described in Adding a New Entrust KeyControl Node to an Existing Cluster (OVA Install).

    Both nodes need access to an NTP server; otherwise the join operation above fails. Log in to the console to change the default NTP server if required.

    [Screenshot: KeyControl cluster]

  5. Install the Entrust KeyControl license as described in Managing the Entrust KeyControl License.

Additional Entrust KeyControl cluster configuration

After the Entrust KeyControl cluster is deployed, additional system configuration can be done as described in Entrust KeyControl System Configuration.

Authentication

For simplicity, local account authentication is used in this integration. For AD-managed Security groups, configure the LDAP/AD Authentication Server as described in Specifying an LDAP/AD Authentication Server.

Create DNS record for Entrust KeyControl cluster

  1. Create a single DNS record named EntrustKeyControl in the domain.

  2. Assign this record as many IP addresses as there are nodes in the cluster created above (two in this integration), one address per node.
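Two of the steps above are easy to get wrong silently: the second node cannot join unless both nodes reach an NTP server, and the cluster DNS record must carry exactly one address per node. The following pre-flight script is an added example, not Entrust code; it sends a minimal SNTP request to the configured time server, reports the clock offset, and checks that the DNS record resolves to the expected node addresses. The node IPs, the NTP server and the record name are constructed placeholder values.

```python
"""Pre-flight checks for a two-node KeyControl cluster (added example, not Entrust code).

Checks performed:
  1. Each node's NTP server answers an SNTP query and the local clock offset is small.
  2. The cluster DNS record resolves to exactly the node addresses, no more, no fewer.
"""
import socket
import struct
import time

# Constructed values for this example; replace with your own.
NODE_IPS = ["10.0.0.11", "10.0.0.12"]       # hypothetical KeyControl node addresses
NTP_SERVER = "ntp.example.com"               # hypothetical NTP server configured on both nodes
CLUSTER_RECORD = "EntrustKeyControl.example.com"  # the DNS record from the section above
MAX_OFFSET_SECONDS = 5.0                     # tolerance we consider safe before joining a node

NTP_UNIX_EPOCH_OFFSET = 2208988800           # seconds between 1900-01-01 and 1970-01-01
SNTP_REQUEST = b"\x23" + b"\x00" * 47        # LI=0, VN=4, Mode=3 (client), rest zero


def parse_sntp_transmit_time(packet: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40-47 of an SNTP reply) as Unix seconds.

    Rejects short packets, non-server replies and stratum 0 (kiss-o'-death) answers,
    which is what a reachable but misconfigured time source looks like.
    """
    if len(packet) < 48:
        raise ValueError("short SNTP packet (%d bytes)" % len(packet))
    if packet[0] & 0x07 != 4:
        raise ValueError("reply is not in server mode")
    if packet[1] == 0:
        raise ValueError("stratum 0 reply: server is not synchronised")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_EPOCH_OFFSET + frac / 2 ** 32


def ntp_offset(server: str, timeout: float = 2.0) -> float:
    """Query `server` on UDP/123 and return (server time - local time) in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_send = time.time()
        sock.sendto(SNTP_REQUEST, (server, 123))
        data, _ = sock.recvfrom(512)
        t_recv = time.time()
    server_time = parse_sntp_transmit_time(data)
    # Midpoint of the round trip approximates the moment the server stamped the reply.
    return server_time - (t_send + t_recv) / 2


def resolve_all(name: str) -> set:
    """All IPv4 addresses behind a name (round-robin records return several)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def check_cluster_dns(name: str, expected_ips, resolver=resolve_all) -> dict:
    """Compare the record's addresses with the node list; `resolver` is injectable for tests."""
    actual = set(resolver(name))
    expected = set(expected_ips)
    return {
        "ok": actual == expected,
        "missing": sorted(expected - actual),      # nodes the record does not point at
        "unexpected": sorted(actual - expected),   # addresses that are not cluster nodes
    }


def clock_is_acceptable(offset: float, tolerance: float = MAX_OFFSET_SECONDS) -> bool:
    """True when the measured offset is within the tolerance used before joining a node."""
    return abs(offset) <= tolerance


if __name__ == "__main__":
    try:
        offset = ntp_offset(NTP_SERVER)
        print("NTP offset %.3fs, acceptable: %s" % (offset, clock_is_acceptable(offset)))
    except (OSError, ValueError) as exc:
        print("NTP check failed: %s" % exc)
    try:
        print("DNS check:", check_cluster_dns(CLUSTER_RECORD, NODE_IPS))
    except socket.gaierror as exc:
        print("DNS check failed: %s" % exc)
```

Run the script from a host that shares the nodes' network and DNS resolver; a DNS result with entries under "missing" or "unexpected" means the record does not match the cluster, and an NTP failure on either node's configured server is the condition the note in step 4 warns about.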

Create a KMIP Vault in the Entrust KeyControl

The Entrust KeyControl Vault appliance supports different types of vaults that serve different kinds of applications. This section describes how to create a KMIP Vault in the Entrust KeyControl Vault Server.

Refer to the Creating a Vault section of the admin guide for more details.

  1. Sign in to the Entrust KeyControl Vault Server web user interface:

    1. Use your browser to access the IP address of the server.

    2. Sign in using the secroot credentials.

  2. Open the user dropdown menu and select Vault Management.

    [Screenshot: Vault Management in the user menu]

  3. In the Entrust KeyControl Vault Management interface, select Create Vault.

    [Screenshot: Vault Management interface]

    Entrust KeyControl Vault supports the following types of vaults:

    • Cloud Key Management - Vault for cloud keys such as BYOK and HYOK.

    • KMIP - Vault for KMIP Objects.

    • PASM - Vault for objects such as passwords, files, SSH keys, and so on.

    • Database - Vault for database keys.

    • Tokenization - Vault for tokenization policies.

    • VM Encryption - Vault for encrypting VMs.

  4. In the Create Vault page, create a KMIP Vault:

    Field         Value
    Type          KMIP
    Name          Vault name
    Description   Vault description
    Admin Name    Vault administrator username
    Admin Email   Vault administrator email

    For example:

    [Screenshot: Create Vault page for a KMIP vault]

  5. Select Create Vault. Then select Close.

    [Screenshot: Vault created successfully]

    The URL and login credentials of the newly created vault are emailed to the administrator's email address entered above. In closed environments where email is not available, the URL and login credentials are displayed on screen at this point instead.

    Example email:

    [Screenshot: login email]

  6. Bookmark the URL and save the credentials. Then select Close if the URL and login credentials are displayed.

  7. The newly created Vault is added to the Vault Management dashboard.

    For example:

    [Screenshot: Vault Management dashboard]

  8. Sign in through the URL provided above with the temporary password. Change the initial password when prompted. Sign in again to verify.

    For example:

    [Screenshot: vault login]

  9. Notice the new vault.

    For example:

    [Screenshot: new vault]

View the KMIP Vault details

  1. Hover over the Vault and select View Details.

    For example:

    [Screenshot: vault details]

  2. Select Close when done.

Edit the KMIP Vault

  1. Select Edit when you hover over the Vault.

    For example:

    [Screenshot: vault edit]

  2. Select Apply when done.

Add KMIP Vault Administrators

It is important to have more than one administrator set up on the Vault so that access can be recovered if one account is lost. Add one or more admins to the Vault.

  1. Select Security > Users.

    [Screenshot: Security > Users]

  2. In the Manage Users dashboard:

    1. Select the + icon to add one or more users.

    2. Add the user by providing the information requested in the Add User dialog.

      For example:

      [Screenshot: Add User dialog]

    3. Select Add.

      After the user is added, a window appears asking you to select the policy to apply to this user.

  3. Select Add to Existing Policy.

    [Screenshot: user policy selection]

  4. On the Add User to Access Policy dialog, select the KMIP Admin Policy and select Apply. The new user is added as an administrator to the Vault.

    For example:

    [Screenshot: Add User to Access Policy dialog]