OVA Installation Guide

Entrust provides a single virtual node in OVA format. You use this template to install Keysafe 5. See your selected hypervisor's documentation for installation steps, as these may differ from those specified below.

Entrust recommends a deployment of three Keysafe 5 nodes for High Availability. Single-node deployments are feasible but they are only recommended for demos, not for production environments. Other node counts are not recommended.

Install Keysafe 5 from an OVA template

For instructions, see the documentation from the VM vendor.

Keysafe 5 prerequisites to using the OVA template

Make sure that:

  • You know the IP address and any required network connection information, such as the domain name and the DNS and gateway IP addresses, for the machine on which you are installing Keysafe 5.

    You must use an IPv4 address. Keysafe 5 does not support IPv6 addresses.

  • You have the required permissions to install software on the target system.

Creation time configuration requirements for the Keysafe 5 VM

You must enable VM host affinity, affinity groups, or equivalent for the Keysafe 5 VM to avoid Admin Key Recovery if for some reason you have to migrate the host in the future. For the specific feature to enable during VM creation and for instructions, see the documentation from the VM vendor.

Take into use the Keysafe 5 VM

  1. If you selected the large installation configuration earlier in this procedure, you need to manually change the disk size allotted to the VM from the standard 80 GB to 160 GB. The OVA template sets the appropriate number of CPUs and the memory allocation, but it cannot automatically change the standard disk size.

  2. Power on the Keysafe 5 VM.

  3. Configure the node as needed. For details, see one of the following:

Configuring the First Keysafe 5 Node

This procedure explains how to configure this system as the first Keysafe 5 node in the system.

  1. Log into the system on which you installed the Keysafe 5 software. The Keysafe 5 installer will automatically start running as soon as the VM is powered on.

  2. Enter a password for the Keysafe 5 system administration account and press Enter. Password requirements are configured by a Keysafe 5 administrator in the System Settings.

    This password controls access to the Entrust Keysafe 5 System Console that allows users to perform some Keysafe 5 administration tasks. It does not permit a Keysafe 5 user to access the full OS.

    Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, Keysafe 5 does not provide a user-accessible password recovery mechanism.

    The installer configures Keysafe 5 and then starts the appropriate services. This process can take up to 30 minutes to complete. When the installer has finished, Keysafe 5 displays a confirmation dialog stating that the setup was completed successfully.

  3. Save the address of the Keysafe 5 UI (also known as the Management IP Address) from the confirmation dialog. You will need this address in the next step.

    When you are done, press Enter to finish the installation. Keysafe 5 displays the CentOS login prompt when the installation is complete.

  4. To initialize the Keysafe 5 UI and finish the configuration of the first node, do the following:

    1. Use a web browser to navigate to https://<node-ip-address>, where <node-ip-address> is the Management IP address.

    2. If prompted, add a security exception for the Keysafe 5 IP address and proceed to the Keysafe 5 Appliance Management UI.

      Keysafe 5 uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see Keysafe 5 Certificates.

    3. On the Keysafe 5 Login page, enter secroot for both the username and password.

    4. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.

    5. On the Welcome to Keysafe 5 screen, click Continue as a Standalone Node.

    6. On the Change Password page, enter a new password for the secroot account and click Update Password.

    7. On the Configure E-Mail and Mail Server Settings page, specify your email settings.

      If you specify an email address, Keysafe 5 sends an email with the Admin Key for the new node. It also sends system alerts to this email address.

      To disable alerts, select the Disable e-mail notifications checkbox. You can then download the Admin Key from the Settings tab in the Keysafe 5 Appliance Management UI.

    8. When you are done, click Continue.

    9. On the Download Admin Key page, click the Download button to save the admin key locally. Keep the admin key in a safe place for later use. When Keysafe 5 prompts for an admin key to recover your Keysafe 5 system, you must provide this admin key to proceed. If you do not have your admin key, you may lose your data.

      Whenever the admin key is regenerated, Keysafe 5 forces you to download the admin key.

    10. On the Authentication page, select either:

      1. Continue with Local Authentication which enables the use of locally authenticated user accounts for access control to the Keysafe 5 Appliance Management UI.

        Selecting this option means that the Keysafe 5 UI and its API will be unauthenticated. Entrust does not recommend this option.

      2. Setup Authentication, which presents the option to configure an OpenID Connect Provider to protect the Keysafe 5 UI, its API and the Keysafe 5 Appliance Management UI. For more information, see the Configuring an OpenID Connect Provider section.

    11. When you are finished, you are presented with the following options:

      1. Continue to Appliance Management, which takes you to the Keysafe 5 Appliance Management UI. For more information, see Appliance Management Administration. From this point onwards, access to the Keysafe 5 Appliance Management UI is via https://<node-ip-address>/appliance, where <node-ip-address> is the Management IP address.

      2. Continue to nShield Keysafe 5, which takes you to the Keysafe 5 dashboard. At this stage the dashboard is empty. To finish configuring Keysafe 5, see KeySafe 5 Administration.

Adding a New Keysafe 5 Node to an Existing Cluster

Before You Begin

  1. Make sure you know the IP address of any Keysafe 5 node that is already part of the cluster you want to join.

  2. If Startup Authentication is enabled, you cannot add a new Keysafe 5 node. You must disable Startup Authentication on the existing Keysafe 5 node, add the new node, and then re-enable Startup Authentication.

Procedure

  1. Log into the VM on which you installed the Keysafe 5 software.

  2. Enter a password for the Keysafe 5 system administration account and press Enter. Password requirements are configured by a Keysafe 5 administrator in the System Settings.

    This password controls access to the Entrust Keysafe 5 System Console that allows users to perform some Keysafe 5 administration tasks. It does not permit a Keysafe 5 user to access the full OS.

    Make sure you keep this password in a secure place. If you lose the password, you will need to contact Entrust Support. For security reasons, Keysafe 5 does not provide a user-accessible password recovery mechanism.

  3. Use a web browser to navigate to https://<node-ip-address>, where <node-ip-address> is the Management IP address you specified during installation.

    If you do not know the Management IP address for the node, log into the system on which the node is installed as . Keysafe 5 displays the Entrust Keysafe 5 System Console. From the menu, select Manage Network Settings > Show Current Network Configuration.

  4. If prompted, add a security exception for the Keysafe 5 IP address and proceed to the Keysafe 5 Appliance Management UI.

    Keysafe 5 uses its own Root Certificate Authority to create its security certificate, which means that certificate will not be recognized by the browser. For details, see Keysafe 5 Certificates.

  5. On the Keysafe 5 Login page, enter secroot for both the username and password.

  6. Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.

  7. On the Welcome to Keysafe 5 screen, click Join an Existing Cluster.

    The Join Existing Cluster window is displayed.

  8. On the Get Started page, review the overview information to determine that you are ready to begin. This includes:

    1. Access to the cluster you are joining the node to. We recommend that you open the Keysafe 5 Appliance Management UI for the cluster in a different tab or browser window.

    2. Permissions on both this node and the cluster node so you can download and import the required certificates and files.

    3. A passphrase to use during the joining process. Passphrase requirements are configured by a Keysafe 5 administrator in the System Settings. This phrase is a temporary string used to encrypt the initial communication between this node and the existing Keysafe 5 cluster.

    4. Verifying that both this node and the cluster node are running the same Keysafe 5 version and build. The version number for the cluster node is on the Settings > System Upgrade page.

  9. Click Continue.

  10. On the Download CSR page, click Generate and Download CSR.

  11. Click Continue.

  12. Switch to one of the existing nodes in the cluster and navigate to the Cluster page.

  13. Select Actions > Add a Node.

  14. On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.

  15. Click Save and Download Bundle to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.

  16. Click OK to close the Add a Node window.

  17. Return to the new node and click Continue.

  18. On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the IP address or hostname of any node in the existing cluster, and enter the passphrase that you selected.

  19. Click Join.

    1. During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in progress.

    2. The cluster will automatically be placed in maintenance mode.

    3. The node will restart after the join is complete.

  20. When the node has successfully restarted, click Login.
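As an added check (example script, not Entrust's own tooling): before uploading the bundle you unpacked in step 15 on the Node page in step 18, confirm that the .p12 opens with the passphrase and that its certificate was issued by the CA .pem shipped in the same bundle, so a bundle from the wrong cluster or a mistyped passphrase is caught before the join starts. It assumes openssl is installed, that the bundle directory holds one .p12 and one .pem, and that the .p12 is protected by the join passphrase (if Keysafe 5 protects it with a different secret, pass that instead); the sample bundle it builds is constructed test data.

```shell
#!/bin/sh
# Added example, not Entrust code: sanity-check an unpacked Keysafe 5 certificate bundle.
set -eu

# verify_bundle DIR PASSPHRASE -> 0 if the .p12 in DIR opens with PASSPHRASE and its
# certificate chains to the CA .pem in DIR; non-zero otherwise.
verify_bundle() {
    dir="$1"; pass="$2"
    p12=$(find "$dir" -maxdepth 1 -name '*.p12' | head -n 1)
    ca=$(find "$dir" -maxdepth 1 -name '*.pem' | head -n 1)
    [ -n "$p12" ] && [ -n "$ca" ] || return 1
    leaf=$(mktemp)
    # Extract only the client certificate from the PKCS#12; this fails on a wrong passphrase.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"; return 1
    fi
    # The node certificate must have been issued by the CA that ships in the same bundle.
    rc=0
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || rc=$?
    rm -f "$leaf"
    return "$rc"
}

# make_sample_bundle DIR PASSPHRASE: constructed test data standing in for a real bundle
# (a throwaway CA plus a node certificate it signed, exported as a passphrase-protected .p12).
make_sample_bundle() {
    dir="$1"; pass="$2"; work=$(mktemp -d)
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Keysafe CA" \
        -keyout "$work/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=new-node" \
        -keyout "$work/node.key" -out "$work/node.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$work/node.csr" -CA "$dir/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/node.crt" 2>/dev/null
    openssl pkcs12 -export -in "$work/node.crt" -inkey "$work/node.key" \
        -out "$dir/node.p12" -passout "pass:$pass" 2>/dev/null
    rm -rf "$work"
}
```

Run it against your real unpacked bundle as `verify_bundle /path/to/unpacked 'your-passphrase'`; a non-zero exit means stop and re-download the bundle or re-check the passphrase rather than proceeding to Join.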