Add Entrust KeyControl as a key provider for VMware vSphere 7 with Oracle Cloud VMware Solution

Introduction

This tutorial provides an operational overview of how to configure the Entrust KeyControl 5.4 solution as a Key Provider for VMware vSphere 7 on an Oracle Cloud VMware Solution software-defined data center (SDDC) cluster. It covers the available configuration and highlights the how-to steps required to use Entrust KeyControl with Oracle Cloud VMware Solution.

In vSphere, a standard key provider gets encryption keys directly from a key server, and the vCenter Server distributes the keys to the required ESXi hosts in a data center.

Using a standard key provider in your VMware vSphere environment requires some preparation. After your environment is set up, you can create encrypted virtual machines and virtual disks and also encrypt existing virtual machines and disks.

Prerequisites

Objective

Link Entrust KeyControl KMS solution as Oracle Cloud VMware Solution vCenter Key Provider to enable VM Encryption.

Task 1: Enable the KMIP server in Entrust KeyControl

  1. Log in to the deployed Entrust KeyControl cluster and click the KMIP menu item.

    [Screenshot: KMIP Server Settings]

  2. In the KMIP Server Settings screen, you must update the following KMIP server settings.

    2.1. For the State field, select Enabled.

    2.2. For the Protocol field, select Version 1.1.

    Note: VMware supports KMIP version 1.1 for Key Providers.

    [Screenshot: Configured KMIP Options]

  3. Click Apply.

  4. A dialog to Overwrite all existing KMIP Server settings is displayed. Click Proceed.

Task 2: Create a Client Certificate

Communication between Entrust KeyControl and VMware vCenter is authenticated with certificates, so the next step is to create a client certificate for vCenter.

  1. Click Client Certificates.

    [Screenshot: Create a Client Certificate]

  2. Click Actions, and then click Create Certificate.

  3. Enter a name for the certificate in the Certificate Name field. You can adjust the expiration date.

    IMPORTANT:

    • DO NOT add a certificate password. Adding a password will prevent VMware vCenter from importing the certificate. If you use a password manager which has the ability to automatically fill in passwords in dialogs like this, you MUST make sure you clear the password fields that your password manager automatically filled in for you BEFORE you click the Create button.

    [Screenshot: Create New Client Certificate]

  4. Click Create.

  5. You will see the new certificate in the WebUI. Click the certificate, then click the blue Action button and select Download Certificate.

Note: A zip file will be downloaded to your system. Unzip the contents of the file and note the location. You will require the certificate file in Task 4.

Task 3: Add a Key Provider

  1. Log in to Oracle Cloud VMware Solution vCenter.

  2. Click on the name of your vCenter.

  3. Click Configure.

  4. Click Key Providers in the Security section.

  5. Click Add Standard Key Provider.


  6. Enter a Name for the Key Provider. This is just a reference name. It doesn’t need to match any name you use in Entrust KeyControl.

    [Screenshot: Standard Key Provider Details]

  7. Enter a name for the KMS Server and the IP address or FQDN of the first Entrust KeyControl node. It is recommended that the KMS Server name match the host name of the node you are adding. Click Add KMS and add the second KeyControl node in the same way.

    IMPORTANT:

    • Expand the Password Protection section and confirm that the password fields are blank.
    • If you use a password manager which has the ability to automatically fill in passwords in dialogs like this, you MUST expand the Password Protection section and clear the password fields that your password manager automatically filled in for you BEFORE you click the Add Key Provider button.

  8. Click Add Key Provider when you are ready.

  9. Click Trust.


  10. Select the radio button next to the Key Provider. This will list the Key Management Servers.


Task 4: Establish trust between vCenter and the Entrust KeyControl cluster using the client certificate

  1. Click one of the KMS servers, and then click Establish Trust.

    [Screenshot: Make KMS Trust vCenter]

  2. Select Make KMS trust vCenter.

  3. Click KMS certificate and private key, and then click Next.

    [Screenshot: Choose a Trust Method]

  4. Click the KMS Certificate Upload a File button.

    • Navigate to the location where you unzipped the contents of the client certificate zip file in Task 2. You will see two .pem files. You can ignore the cacert.pem file. Select the second .pem file and click OK.

  5. Repeat the last step for the KMS Private Key, then click Establish Trust.

    [Screenshot: Upload KMS Credentials]

  6. At this point, the yellow warning triangles from the previous step are replaced by green circles with checkmarks.

    [Screenshot: Trusted KMS Servers]

    Note: If you want to view more details, expand one of the KMS Server entries.

    [Screenshot: KMS Server Trust Details]

Next Steps

After your environment is set up for a standard key provider, you can use the VMware vSphere client to:

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.