Deploy Entrust KeyControl

Deploy an Entrust KeyControl cluster

For the purpose of this integration, a two-node cluster was deployed.

  1. Download the Entrust KeyControl software from Entrust TrustedCare. This software is available as either an OVA or an ISO image. The OVA installation method in VMware is used in this deployment.

  2. Install Entrust KeyControl as described in Entrust KeyControl OVA Installation.

  3. Configure the first Entrust KeyControl node as described in Configuring the First Entrust KeyControl Node (OVA Install).

  4. Add the second Entrust KeyControl node to the cluster as described in Adding a New Entrust KeyControl Node to an Existing Cluster (OVA Install).

    Both nodes need access to an NTP server. Sign in to the console to change the default NTP server if required.

    [Screenshot: keycontrol cluster]

  5. Install the Entrust KeyControl license as described in Managing the Entrust KeyControl License.

  6. Add a record in your DNS server for the Entrust KeyControl cluster. Associate all KeyControl Cluster node IPs to the one record.

  7. Install a signed certificate from your local root CA. See Appendix A - Install a signed certificate from your local root CA in the Entrust KeyControl cluster.

Create a KMIP Vault in Entrust KeyControl

The Entrust KeyControl Vault appliance supports different types of vaults that can be used by all types of applications. This section describes how to create a KMIP Vault in the Entrust KeyControl Vault Server.

Refer to the Creating a Vault section of the admin guide for more details.

  1. Sign in to the Entrust KeyControl Vault Server web user interface:

    1. Use your browser to access the IP address of the server.

    2. Sign in using the secroot credentials.

  2. From the user’s dropdown menu, select Vault Management.

    [Screenshot: vault usersmenu]

  3. In the Entrust KeyControl Vault Management interface, select Create Vault.

    [Screenshot: vault interface]

    Entrust KeyControl Vault supports the following types of vaults:

    • Cloud Key Management - Vault for cloud keys such as BYOK and HYOK.

    • KMIP - Vault for KMIP Objects.

    • PASM - Vault for objects such as passwords, files, SSH keys, and so on.

    • Database - Vault for database keys.

    • Tokenization - Vault for tokenization policies.

    • VM Encryption - Vault for encrypting VMs.

  4. In the Create Vault page, create a KMIP Vault:

    Field          Value
    Type           KMIP
    Name           Vault name
    Description    Vault description
    Admin Name     Vault administrator username
    Admin Email    Vault administrator email

    For example:

    [Screenshot: kc create kmip vault netapp]

  5. Select Create Vault. Then select Close.

    [Screenshot: vault created successfully netapp]

    The new vault’s URL and sign-in credentials are emailed to the administrator’s email address entered above. In closed or air-gapped environments where email is not available, the URL and sign-in credentials are displayed at this time.

    Example email:

    [Screenshot: login email]

  6. Bookmark the URL.

  7. The newly created Vault is added to the Vault Management dashboard.

    For example:

    [Screenshot: vault dashboard netapp]

  8. Sign in to the URL provided above with the temporary password. Change the initial password when prompted. Sign in again to verify.

    For example:

    [Screenshot: vault login]

  9. Notice the new vault.

    For example:

    [Screenshot: vault new netapp]

Create the Entrust KeyControl client certificate bundle

Certificates are required for the KMIP communications between the Entrust KeyControl KMIP Vault and the NetApp ONTAP application, in both directions. The built-in capabilities of Entrust KeyControl are used to create and publish the certificate.

  1. Sign in to the KMIP Vault with the URL and credentials from Create a KMIP Vault in Entrust KeyControl.

  2. Select Security, then Client Certificates.

    [Screenshot: kc securityclientcert]

  3. In the Manage Client Certificate page, select the + icon on the right to create a new certificate. The Create Client Certificate dialog box appears.

  4. In the Create Client Certificate dialog box:

    1. Enter the username.

    2. Enter the expiration date.

    3. Leave the Certificate Signing Request (CSR) field at its default.

    4. Select Create.

      For example:

      [Screenshot: kc create certificate]

      The new certificate is added to the Manage Client Certificate pane.

    [Screenshot: kc new certificate]

  5. Select the certificate and select the Download icon to download the certificate.

  6. Unzip the downloaded file. It contains the following:

    • A certname.pem file that includes both the client certificate and private key. In this example, this file is called entrust-keycontrol.pem.

      The client certificate section of the certname.pem file includes the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and all text between them.

      The private key section of the certname.pem file includes the lines "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and all text between them.

    • A cacert.pem file, which is the root certificate for the KMS cluster. It is always named cacert.pem.

    [Screenshot: kc new certificate unzipped]
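A check you can run on the unzipped bundle before handing it to a KMIP client, added here as an example that is not part of this guide or of Entrust's tooling: it splits certname.pem into its certificate and private-key sections using the BEGIN/END markers listed above, flags a bundle that does not contain exactly one of each (or whose base64 is damaged), and writes the key out with owner-only file permissions. The sample bundle is constructed from arbitrary base64 bytes rather than a real certificate, and the output names client.crt and client.key are my own choice.

```python
import base64
import os
import re
from pathlib import Path

# One PEM block, using the exact BEGIN/END lines the bundle description lists.
BLOCK_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----", re.S)

# Constructed sample bundle: the base64 is arbitrary bytes, not a real certificate or key.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"constructed-cert-der").decode()
    + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(b"constructed-key-der").decode()
    + "\n-----END PRIVATE KEY-----\n"
)

def split_bundle(pem_text):
    """Group the PEM blocks in the bundle by label; raises ValueError on a block that is not valid base64."""
    blocks = {}
    for m in BLOCK_RE.finditer(pem_text):
        base64.b64decode("".join(m.group("body").split()), validate=True)  # catches truncated/pasted damage
        blocks.setdefault(m.group("label"), []).append(m.group(0) + "\n")
    return blocks

def check_bundle(pem_text):
    """Return the problems found in a certname.pem bundle; an empty list means it matches the expected layout."""
    try:
        blocks = split_bundle(pem_text)
    except ValueError as exc:
        return [f"malformed base64 in a PEM block: {exc}"]
    problems = []
    if len(blocks.get("CERTIFICATE", [])) != 1:
        problems.append("expected exactly one client certificate block")
    if len(blocks.get("PRIVATE KEY", [])) != 1:
        problems.append("expected exactly one private key block")
    problems += [f"unexpected block type: {k}" for k in blocks if k not in ("CERTIFICATE", "PRIVATE KEY")]
    return problems

def write_split(pem_text, out_dir):
    """Write the certificate and key as client.crt and client.key (run check_bundle first); the key file is created 0600."""
    blocks = split_bundle(pem_text)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cert_path, key_path = out / "client.crt", out / "client.key"
    cert_path.write_text(blocks["CERTIFICATE"][0])
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # never world-readable
    with os.fdopen(fd, "w") as f:
        f.write(blocks["PRIVATE KEY"][0])
    return str(cert_path), str(key_path)
```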