Deploy KeyControl

Deploy a KeyControl cluster

For the purpose of this integration, a two-node cluster was deployed.

Follow the installation and setup instructions in the KeyControl nShield HSM Integration Guide. You can access it from the Entrust Document Library and from the nShield Product Documentation website.

Make sure the KeyControl KMIP Vault gets created and certificates are generated for NetApp ONTAP. These certificates are used in the configuration of the KMS described below.

Also add a record in your DNS server for the KeyControl cluster. Associate all KeyControl Cluster node IPs to the one record.

The following sections describe how to create the KeyControl KMIP Vault and certificates.

Create a KMIP Vault in KeyControl

The KeyControl Vault appliance supports different type of vaults that can be used by all type of applications. This section describes how to create a KMIP Vault in the KeyControl Vault Server.

Refer to the Creating a Vault section of the admin guide for more details.

  1. Sign in to the KeyControl Vault Server web user interface:

    1. Use your browser to access the IP address of the server.

    2. Sign in using the secroot credentials.

  2. If not in the Vault Management interface, in the top menu bar, on the right side, select Switch to: Manage Vaults.

    kc top menu

  3. In the KeyControl Vault Management interface, select Create Vault.

    kc create vault button

  4. In the Create Vault page, create a KMIP Vault:

    Field Value

    Type

    KMIP

    Name

    Vault name

    Description

    Vault description

    Email Notifications

    Enable it if using email to communicate with Vault administrators

    Admin Name

    Vault administrator username

    Admin Email

    Vault administrator email

    For example:

    kc create vault form

  5. Select Create Vault.

    kc vault created

    The new vault’s URL and sign-in credentials will be emailed to the administrator’s email address entered above. This is the password that will be used to sign in for the first time to the KMIP vault’s space in KeyControl. In closed gap environments where email is not available, the URL and sign-in credentials are displayed at this time. That can be copied and sent to the user.
  6. Bookmark the KMIP Vault URL.

  7. Select Close.

  8. The newly created Vault is added to the Vault Management dashboard and the KMIP server settings on the appliance are enabled.

    For example:

    kc vault dashboard

  9. Sign in to the URL provided above with the temporary password. Change the initial password when prompted. Sign in again to verify.

KMIP server settings

The KMIP server settings are set at the KeyControl appliance level and apply to all the KMIP vaults in the appliance. After a KMIP vault is created, it is automatically set to ENABLED.

To use external key management and configure the KeyControl Vault KMIP settings, refer to the KeyControl Vault for KMIP section of the admin guide.

When you are using external key management, as is the case in this solution, the KeyControl server is the KMIP server and the NetApp server is the KMIP client.

  1. Log into the KeyControl server vault management UI as secroot.

  2. Select the Settings icon on the top right to view/change the KMIP settings.

    The defaults settings are appropriate for most applications but you can change settings to suit your environment.

    kmip settings

  3. Select Apply.

Install a signed certificate from your local root CA in the KeyControl cluster

You can use any CA for this integration. This guide describes an integration in which a Microsoft Windows CA was configured as a local root CA.

Create a CSR

  1. Log into the KeyControl server vault management UI as secroot.

  2. In the Vault Management dashboard, select the Settings icon on the top right.

  3. Select the Action icon pull-down menu. Then select Generate CSR.

  4. Enter your information.

    Include the FQDN and / or IP of all the KeyControl nodes in the Subject Alternative Names.

    For example:

    kc generate csr form

  5. Select Submit.

  6. Once Submitted, Select Download. The CSR pem file is downloaded to your downloads folder.

  7. Store the file so it can be signed in the next section.

Sign the certificate

  1. Log into your local root CA with Administrator privileges.

  2. Transfer the CSR created above to a local folder in your local root CA server. (Downloads folder)

  3. Launch the Certificate Authority application.

  4. Right-click on the <certification authority name> in the left pane and select All Tasks / Submit new request…​.

  5. Select the copied CSR.

  6. Select certification authority name / Pending Request in the left pane.

  7. Right-click on the request in the right pane and select All Tasks / Issue.

  8. Select certification authority name / Issued Certificates in the left pane.

  9. Select the certificate.

    For example:

    kc cert

  10. Select the Details tab / Copy to File…​. Follow the instructions, selecting Base-64 encoded X.509 in Export File Format. Save as keycontrolvault in the Downloads folder.

  11. Export the local root CA certificate in pem format.

    C:\Users\Administrator>certutil -ca.cert C:\Users\Administrator\Downloads\rootcacert.cer
    CA cert[0]: 3 -- Valid
    CA cert[0]:
    -----BEGIN CERTIFICATE-----
    MIIDFTCaaa2gAwbbbgIQepb3APptdddOv11kVoDg1jANBgkqhkiG9w0BAQsFADAd
    .
    .
    .
    18BAfZuJ/givxxk05ukP52FD3iVYMGoxWQ==
    -----END CERTIFICATE-----
    
    CertUtil: -ca.cert command completed successfully.

    Now make it in pem format:

    C:\Users\Administrator>certutil -encode C:\Users\Administrator\Downloads\rootcacert.cer C:\Users\Administrator\Downloads\rootcacert.pem.cer
    Input Length = 793
    Output Length = 1150
    CertUtil: -encode command completed successfully.
  12. Copy the keycontrolvault.cer certificate and the rootcacert.pem.cer to a location accessible by the KeyControl server.

Install certificate

  1. Log into the KeyControl server vault management UI as secroot.

  2. In the Vault Management dashboard, select the Settings icon on the top right.

  3. Select Custom radio button in Certificate Types.

  4. Browse and select the certificate as shown.

    kc server root certs

  5. The other defaults settings are appropriate for most applications. Make any changes necessary.

  6. Select Apply.

Create the KeyControl client certificate bundle

Certificates are required to facilitate the KMIP communications from the KeyControl KMIP Vault and NetApp ONTAP application and conversely. The built-in capabilities in KeyControl are used to create and publish the certificate.

  1. Login to the KMIP Vault with the URL and credentials from Create a KMIP Vault in KeyControl.

  2. Select Security, then Client Certificates.

    kc securityclientcert

  3. In the Manage Client Certificate page, select the + icon on the right to create a new certificate. The Create Client Certificate dialog box appears.

  4. In the Create Client Certificate dialog box:

    1. Enter the certificate name.

    2. Enter the expiration date.

    3. Leave Certificate Signing Request (CSR) field as default.

    4. Select Create.

      For example:

      kc create certificate

      The new certificates are added to the Manage Client Certificate pane.

    kc new certificate

  5. Select the certificate and select the Download icon to download the certificate.

  6. Unzip the downloaded file.

     unzip NetApp-ONTAP_2025-01-13-17-37-32.zip
    Archive:  NetApp-ONTAP_2025-01-13-17-37-32.zip
      inflating: NetApp-ONTAP.pem
      inflating: cacert.pem

    It contains the following:

    • A certname.pem file that includes both the client certificate and private key. In this example, this file is called NetApp-ONTAP.pem.

      The client certificate section of the certname.pem file includes the lines “-----BEGIN CERTIFICATE-----" and “-----END CERTIFICATE-----" and all text between them.

      The private key section of the certname.pem file includes the lines “-----BEGIN PRIVATE KEY-----" and “-----END PRIVATE KEY-----" and all text in between them.

    • A cacert.pem file which is the root certificate for the KMS cluster. It is always named cacert.pem.

  7. These files will be used to establish trust between KeyControl and NetApp.

For more information on how to create a certificate bundle, see Establishing a Trusted Connection with a KeyControl-Generated CSR.