Integrate Entrust KeyControl with NetApp ONTAP

The following steps summarize the integration of Entrust KeyControl with NetApp ONTAP.

Install the Entrust KeyControl client bundle into NetApp ONTAP

  1. Open a command window and log in remotely to NetApp ONTAP Cluster Management.

    >ssh admin@xxx.xxx.xxx.xxx
    Password:
    
    Last login time: 4/11/2024 19:44:22
    mycluster::>
  2. Run the following command. When prompted, paste the certificate section of the entrust-keycontrol.pem file from the section deploy-entrust-kc.adoc#create-client-cert-bundle. When prompted again, paste the private key section.

    mycluster::> security certificate install -vserver mycluster -type client -subtype kmip-cert
    
    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    
    
    Please enter Private Key: Press <Enter> when done
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    
    
    Enter certificates of certification authorities (CA) which form the certificate chain of the client certificate. This
    starts with the issuing CA certificate of the client certificate and can range up to the root CA certificate.
    
    Do you want to continue entering root and/or intermediate certificates {y|n}: n
    
    You should keep a copy of the private key and the CA-signed digital certificate for future reference.
    
    The installed certificate's CA and serial number for reference:
    CA: HyTrust KeyControl Certificate Authority
    serial: D79D9487
    
    The certificate's generated name for reference: entrust-keycontrol_D79D9487
  3. Note the certificate’s generated name above, for example entrust-keycontrol_D79D9487. It is needed in the section Setup Entrust KeyControl as the external KMIP server.

Setup Entrust KeyControl as the external KMIP server

  1. Open a command window and log in remotely to NetApp ONTAP Cluster Management.

  2. Enable the external KMIP server. The argument of -client-cert is the certificate’s generated name from the section Install the Entrust KeyControl client bundle into NetApp ONTAP. The argument of -server-ca-certs is the certificate’s generated name from the section Deploy NetApp Simulate ONTAP. The -key-servers argument lists the IP addresses of both nodes in the Entrust KeyControl cluster.

    mycluster::> security key-manager external enable -key-servers 10.194.148.215:5696,10.194.148.216:5696 -client-cert entrust-keycontrol_D79D9487 -server-ca-certs interop-CONTROLLER-CA-4
  3. Verify that external key management is configured.

    mycluster::> security key-manager external show-status
    
    Node  Vserver  Primary Key Server                                 Status
    ----  -------  -------------------------------------------------  ------------
    mycluster-01
          mycluster
                   10.194.148.215:5696                                available
                   10.194.148.216:5696                                available
    2 entries were displayed.
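
A scripted version of the check in step 3, as an added example that is not part of the original guide or of NetApp or Entrust tooling: it reads the show-status table on stdin and reports every key server whose status is not available. The function names and the not-responding status in the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse the text printed by
#   security key-manager external show-status
# and list every key server whose status is not "available".
# Exit status: 0 = all available, 1 = at least one not available,
#              2 = no key-server rows found (empty or unrecognised output).
kmip_status_check() {
    awk '
        # The dashed rule under the header tells us where the Vserver column starts.
        /^ *-+ +-+ +-+ +-+ *$/ {
            match($0, /-+ +/)
            vcol = RSTART + RLENGTH
            next
        }
        vcol == 0 { next }                 # header or prompt lines before the rule
        # A lone word is a node name, or a vserver if indented to the Vserver column.
        NF == 1 {
            match($0, /[^ ]/)
            if (RSTART >= vcol) vserver = $1; else node = $1
            next
        }
        # Key-server rows look like "<host>:<port>  <status>".
        NF >= 2 && $1 ~ /:[0-9]+$/ {
            seen++
            if ($2 != "available") { bad++; print node, vserver, $1, $2 }
        }
        END { if (seen == 0) exit 2; if (bad > 0) exit 1 }
    '
}

# Sample input: the status table shown on this page.
sample_ok() { cat <<'EOF'
Node  Vserver  Primary Key Server                                 Status
----  -------  -------------------------------------------------  ------------
mycluster-01
      mycluster
               10.194.148.215:5696                                available
               10.194.148.216:5696                                available
2 entries were displayed.
EOF
}

# Constructed sample: same table with the second key server marked as failing.
sample_degraded() { sample_ok | sed '/216:5696/s/available/not-responding/'; }

# Demo on the constructed sample; in practice pipe the real command output in:
#   ssh admin@xxx.xxx.xxx.xxx "security key-manager external show-status" | kmip_status_check
sample_degraded | kmip_status_check || echo "key servers need attention (exit $?)"
```

Exit status 2 separates "nothing parsed" from "all healthy", so a failed SSH session or a changed output format is not mistaken for a passing check.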