Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Configure Entrust KeyControl 5.4 with Oracle Cloud VMware Solution
Introduction
This tutorial provides an operational overview of how to deploy and configure Entrust KeyControl 5.4 with an Oracle Cloud VMware Solution software-defined data center (SDDC) cluster. It covers the deployment steps, the configuration options, and the how-to steps required to use Entrust KeyControl as the key management server for Oracle Cloud VMware Solution.
Oracle and VMware have developed a fully certified and supported SDDC solution called Oracle Cloud VMware Solution. This solution uses Oracle Cloud Infrastructure (OCI) to host a highly available VMware SDDC. It also allows seamless migration of on-premises VMware SDDC workloads to OCI.
Encrypting workloads helps enterprises ensure their data stays protected even if the data falls into the wrong hands. One of the challenges of workload encryption is managing tens of thousands of encryption keys at scale, for workloads that may be hosted on different platforms.
About Entrust KeyControl
Entrust KeyControl enables enterprises to easily manage all their encryption keys securely and at scale, including how often they are rotated and shared. Entrust KeyControl capabilities include:
- VMware certified Key Management Server (KMS) for:
- VMware vSphere 6.5, 6.7 and 7.0
- VMware vSphere Trust Authority 7.0
- Universal key management for Key Management Interoperability Protocol (KMIP) compatible encryption agents
- Enterprise scalability and performance
- Can run in an active-active, high availability cluster
- FIPS 140-2 Level 1 validation
- Seamless integration with nShield® FIPS 140-2 Level 3 HSM for high level assurance
- Complete workload lifecycle encryption and policy-based key management, role-based access control and zero-downtime encryption for production workloads
- Multicloud encryption solution for workloads
Prerequisites
- Entrust KeyControl OVA v5.4
- Oracle Cloud VMware Solution deployment running VMware vSphere 6.5 or higher
- 2 vCPU, 8GB RAM, 60GB disk per Entrust KeyControl node
- Network address information such as:
- IP address (one per node)
- Subnet mask
- Gateway address
- DNS server information
- DNS registered hostname for each node
Objective
Deploy and configure an Entrust KeyControl 5.4 cluster with Oracle Cloud VMware Solution so that it can serve as the key management server for encryption within VMware workloads.
Task 1: Deploy the first Entrust KeyControl appliance
1. Log in to the Oracle Cloud VMware Solution vCenter Server Appliance (VCSA).
2. Right-click the cluster, host, or folder where you want to deploy the appliance and select Deploy OVF Template.
3. Click Upload Files, navigate to the directory where you placed the Entrust KeyControl OVA, select it, and then click Open.
4. Click Next.
5. Enter a name for the Entrust KeyControl appliance, select a deployment location, and then click Next.
6. Select the VMware vSphere cluster or host and then click Next.
7. Review the details and then click Next.
8. Accept the license agreement and then click Next.
9. Select the required configuration from the list and then click Next.
10. Select the appropriate storage and disk format for the appliance and then click Next.
11. Select the appropriate network and then click Next.
12. On the Customize template page, provide the required information and then click Next.
13. Review the summary page. If everything is correct, click Finish.
You have successfully deployed the first Entrust KeyControl node.
Task 2: Deploy the second Entrust KeyControl appliance
Note:
To achieve high availability (HA) for the Entrust KMS, you need a second KeyControl node. Repeat the steps from Task 1 to deploy a second Entrust KeyControl virtual appliance. For the cluster to survive the loss of a single ESXi host, place the two nodes on different hosts (for example, with a DRS VM anti-affinity rule).
Task 3: Configure the first Entrust KeyControl appliance
1. Locate the newly deployed Entrust KeyControl appliance in VMware vCenter. Power it on and open a console to it.
2. Set the password for the command line interface (CLI) system console account, htadmin, on the appliance.
3. Using the Tab key, move to OK and press Enter.
Note:
- This password controls access to the Entrust KeyControl system console, which allows users to perform some privileged Entrust KeyControl administrative tasks. Treat it like any other root-level credential.
- After you press OK, the networking and other subsystems are configured. This can take several minutes.
4. After setup has completed, a window displays the management IP address of the appliance. Make a note of the management IP address because you will need it in the next task. Tab to OK and press Enter.
Task 4: Configure the first Entrust KeyControl appliance using the WebGUI
1. Launch a web browser and navigate (over HTTPS) to the management IP address or fully qualified domain name (FQDN) of the first Entrust KeyControl appliance. Log in with the default secroot account user name and password. You will replace the default password in step 4.
2. Accept the EULA by clicking I Agree.
3. Because this is the first KeyControl node, click Continue as a Standalone Node.
4. Enter a new password for the secroot account, following the password complexity rules, and then click Update Password.
5. Configure E-Mail and Mail Server Settings by entering your email address and email server details, and then click Update Mail Settings.
6. On the Download Admin Key page, read the text and click Download.
Warning: You MUST download the Admin Key and keep it in a safe place for later use, for example in an offline vault rather than in the browser's Downloads directory. Without the Admin Key you cannot perform any kind of recovery of the appliance later.
7. If you are running a trial of Entrust KeyControl, Vitals reporting cannot be disabled. Otherwise, you can disable Vitals reporting after you apply a purchased license. Click Continue.
The main WebGUI is displayed. You have successfully finished configuring the first node of the Entrust KeyControl cluster. Move to the next task to add the second node to the cluster.
Task 5: Add the second Entrust KeyControl appliance to the cluster
1. Locate the second Entrust KeyControl appliance in VMware vCenter. Power it on, then open a console to it.
- Set the password for the command line interface (CLI) system console account, htadmin, on the appliance.
- After setup has completed, a window displays the management IP address of the appliance. Make a note of the management IP address because you will need it in the next step.
2. Launch a web browser and navigate (over HTTPS) to the management IP address or fully qualified domain name (FQDN) of the second appliance. Log in with the default secroot account user name and password.
3. Accept the EULA by clicking I Agree.
4. Because this is the second Entrust KeyControl appliance, click Join an Existing Cluster.
5. The workflow for configuring the second node is quite different from the first. Review the information and click Continue.
6. Click Generate and Download CSR. This saves a .csr.pem file in the Downloads directory. You will upload this file to the first node in step 10.
7. Click Continue.
8. Open a new browser window or tab and log in to the first Entrust KeyControl node.
9. On the first node, click Cluster in the top menu. Then click Actions and select Add a Node.
10. Click Load File and select the .csr.pem file from step 6. Then enter a passphrase that is at least 12 characters long. This passphrase protects the private key in the bundle you are about to download; you will need it again in step 14.
11. Click Save and Download Bundle. A zip file is saved in the Downloads directory. The zip file contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format. Extract the zip file before continuing, and transfer it to the second node's browser session over a trusted channel only.
12. Click OK and switch back to the browser window or tab of the second node, the one you are adding to the cluster.
13. Click Continue.
14. On the Node page:
- Under Upload SSL Certificate, click Load File and select the encrypted SSL certificate. The SSL certificate is the file that does NOT have a .pem extension.
- Under Upload CA Certificate, click Load File and select the CA certificate. This is the file that has a .pem extension (cacert.pem).
- Enter the passphrase that you created in step 10.
- Click Join.
15. The joining progress displays the steps taken to join the node to the cluster. The second node restarts during this process.
16. After the node has restarted, click Login and log in to the newly joined node. Use the new secroot password you created during the configuration of the first Entrust KeyControl node.
Note: After logging in to the second node, you will notice that the Cluster button in the top menu displays the number 2 on a green background. Click Cluster to see all nodes in the cluster. Once the join has succeeded, delete the extracted bundle and the .csr.pem file from the Downloads directory; the .p12 contains the node's private key.
You have successfully created a 2-node Entrust KeyControl KMS cluster.
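The join in Task 5 is a certificate enrolment: the second node's CSR is signed by the cluster CA on the first node, and the signed certificate and key come back in a passphrase-protected PKCS#12 next to cacert.pem. Before uploading that bundle, a practitioner would want to confirm the passphrase opens it, the certificate really chains to the bundled CA, and it is issued to the right node. The script below is an added example written for this tutorial, not Entrust or Oracle code. It constructs a stand-in bundle with openssl (so it runs offline) and then checks it the way you would check the real one. The hostname kc-node2.example.com, the file names node.p12 and cacert.pem, the directory layout, and the assumption that the node certificate carries the joining node's DNS hostname as its CN/SAN are all assumptions for the demo.

```shell
#!/bin/sh
# Added example (not Entrust/Oracle code): verify an "Add a Node" bundle
# before uploading it on the joining node. File names, hostnames and the
# CN-equals-hostname assumption are demo assumptions; the real bundle is
# the zip downloaded from node 1 in Task 5 (extract it first).
set -eu

# Constructed stand-in for what node 1 produces: a cluster CA (cacert.pem)
# plus a passphrase-protected PKCS#12 holding the joining node's certificate
# and key. The real appliance does this when you click Save and Download Bundle.
make_demo_bundle() {
    dir=$1
    host=$2
    pass=$3
    mkdir -p "$dir"
    # cluster CA (lives on node 1 in the real deployment)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/cacert.pem" -subj "/CN=KeyControl Cluster CA" \
        -days 365 2>/dev/null
    # the joining node's key and CSR ("Generate and Download CSR")
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/node.key" \
        -out "$dir/node.csr.pem" -subj "/CN=$host" 2>/dev/null
    # node 1 signs the CSR with the cluster CA ("Add a Node")
    openssl x509 -req -in "$dir/node.csr.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca.key" -set_serial 1001 -days 365 \
        -out "$dir/node.crt" 2>/dev/null
    # certificate + key wrapped in PKCS#12 under the passphrase typed on node 1
    openssl pkcs12 -export -in "$dir/node.crt" -inkey "$dir/node.key" \
        -out "$dir/node.p12" -passout "pass:$pass"
}

# verify_bundle P12 CACERT HOST PASSPHRASE
# Returns 0 only if the passphrase is at least 12 characters, it opens the
# .p12 (MAC check), the certificate inside chains to CACERT, and the
# certificate is issued to HOST (assumed to be the CN or a DNS SAN).
verify_bundle() {
    p12=$1
    ca=$2
    host=$3
    pass=$4
    if [ "${#pass}" -lt 12 ]; then
        echo "passphrase must be at least 12 characters" >&2
        return 1
    fi
    if [ ! -s "$p12" ] || [ ! -s "$ca" ]; then
        echo "bundle incomplete: need the .p12 and cacert.pem" >&2
        return 1
    fi
    work=$(mktemp -d)
    # a wrong passphrase fails the PKCS#12 MAC check and openssl exits non-zero
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
            -out "$work/node.pem" 2>/dev/null; then
        echo "passphrase does not open $p12" >&2
        rm -rf "$work"
        return 1
    fi
    # chain to the bundled CA and match the node identity (use -verify_ip
    # instead of -verify_hostname if the real certificate is issued to an IP)
    if ! openssl verify -CAfile "$ca" -verify_hostname "$host" \
            "$work/node.pem" >/dev/null 2>&1; then
        echo "certificate does not chain to $ca for host $host" >&2
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    echo "bundle OK: $p12 is signed by $ca and issued to $host"
}

# Usage with the constructed demo bundle. For a real join, point at the
# extracted bundle, your second node's hostname and the passphrase from node 1.
demo=$(mktemp -d)
make_demo_bundle "$demo" kc-node2.example.com 'correct-horse-battery-staple'
verify_bundle "$demo/node.p12" "$demo/cacert.pem" kc-node2.example.com \
    'correct-horse-battery-staple'
```

Run it on the real bundle as `verify_bundle bundle/<cert-file> bundle/cacert.pem <second-node-fqdn> '<passphrase>'` after extracting the zip; a non-zero exit means stop and re-run Add a Node rather than upload a bundle that will fail the join. The passphrase-length check mirrors the 12-character minimum the first node enforces, and the chain check catches the case where a bundle from another cluster (or an older attempt) is mixed up with the current one.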
Related Links
- Oracle Cloud VMware Solution
- Oracle Cloud VMware Solution deployment
- VMware vSphere Trust Authority
- Entrust KeyControl capabilities
- Entrust KeyControl OVA v5.4 trial
- Entrust KeyControl YouTube playlist
Acknowledgments
Author - Eran Maor (Principal Cloud Solution Architect)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F58578-01
June 2022
Copyright © 2022, Oracle and/or its affiliates.