Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Add Entrust KeyControl as a key provider for VMware vSphere 7 with Oracle Cloud VMware Solution
Introduction
This tutorial provides an operational overview of how to configure Entrust KeyControl 5.4 as a key provider for VMware vSphere 7 on an Oracle Cloud VMware Solution software-defined data center (SDDC) cluster. It describes the available configuration and the how-to steps required for using Entrust KeyControl with Oracle Cloud VMware Solution.
In vSphere, a standard key provider gets encryption keys directly from a key server, and the vCenter Server distributes the keys to the required ESXi hosts in a data center.
Using a standard key provider in your VMware vSphere environment requires some preparation. After your environment is set up, you can create encrypted virtual machines and virtual disks and also encrypt existing virtual machines and disks.
Prerequisites
- Oracle Cloud VMware Solution deployment.
- Entrust KeyControl 5.x deployment running on Oracle Cloud VMware Solution.
- Verify that the key server is in the VMware Compatibility Guide for Key Management Server (KMS) and is Key Management Interoperability Protocol (KMIP) 1.1 compliant, and that it can be a symmetric key foundry and server.
- Verify that you have the required vCenter privilege: Cryptographic operations.Manage key servers.
- Ensure that the key server is highly available. Loss of connection to the key server, such as during a power outage or a disaster recovery event, renders encrypted virtual machines inaccessible.
Objective
Link the Entrust KeyControl KMS to the Oracle Cloud VMware Solution vCenter as a standard key provider so that VM encryption can be enabled.
Task 1: Enable the KMIP server in Entrust KeyControl
1. Log in to the deployed Entrust KeyControl cluster and click the KMIP menu item.
2. In the KMIP Server Settings screen, update the following KMIP server settings:
   2.1. For the State field, select Enabled.
   2.2. For the Protocol field, select Version 1.1.
   Note: vCenter Server supports KMIP version 1.1 for key providers, so the KeyControl KMIP server must be set to that version.
3. Click Apply.
4. A dialog asking you to overwrite all existing KMIP server settings is displayed. Click Proceed.
Task 2: Create a Client Certificate
Entrust KeyControl and VMware vCenter authenticate each other with certificates, so the next step is to create a client certificate for vCenter.
1. Click Client Certificates.
2. Click Actions, and then click Create Certificate.
3. Enter a name for the certificate in the Certificate Name field. You can adjust the expiration date.
   IMPORTANT:
   - Do NOT add a certificate password. A password-protected certificate cannot be imported by VMware vCenter. If you use a password manager that automatically fills in password fields in dialogs like this one, you MUST clear the password fields it filled in BEFORE you click Create.
4. Click Create.
5. The new certificate is listed in the WebUI. Click the certificate, then click the blue Action button and select Download Certificate.
   Note: A zip file is downloaded to your system. Unzip it and note the location; you will need the certificate file in Task 4.
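Before the downloaded .pem file is uploaded to vCenter in Task 4, it is worth checking it on the workstation, because the only feedback vCenter gives for a bad bundle is a failed import. The following shell script is an added example, not part of this tutorial, Entrust KeyControl or VMware vCenter. It checks a client certificate bundle for the conditions vCenter needs: certificate and private key both present in the file, the key not password protected (the mistake the IMPORTANT note above warns about), the key belonging to the certificate, the certificate not about to expire, and the certificate chaining to cacert.pem. It assumes that the unzipped download holds cacert.pem plus one .pem file containing the client certificate and its private key, and that the openssl CLI is installed. Because the real KeyControl download cannot be included here, the script builds a constructed CA and client certificate of the same shape, plus a deliberately password-protected copy, to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial, Entrust or VMware): pre-flight
# checks on the client certificate bundle downloaded from KeyControl before it
# is uploaded to vCenter in Task 4.
# Assumptions: the unzipped download contains cacert.pem (the KeyControl CA)
# and a second .pem holding the client certificate and its private key, and
# the openssl CLI is installed. All files created below are constructed
# stand-ins, not real KeyControl material.
set -eu

# check_kmip_client_pem BUNDLE.pem CACERT.pem
# Returns 0 if vCenter can import the bundle, 1 (with a reason) otherwise.
check_kmip_client_pem() {
    bundle="$1"
    cafile="$2"

    # vCenter needs both the certificate and the private key from this file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" \
        || { echo "FAIL: no certificate in $bundle"; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$bundle" \
        || { echo "FAIL: no private key in $bundle"; return 1; }

    # A password-protected key cannot be imported by vCenter. Both PKCS#8
    # ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM ("Proc-Type: 4,ENCRYPTED")
    # mark the block with the word ENCRYPTED.
    if grep -q -- 'ENCRYPTED' "$bundle"; then
        echo "FAIL: private key is password protected; recreate the certificate without a password"
        return 1
    fi

    # The key must parse, and its public half must match the certificate.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) \
        || { echo "FAIL: private key in $bundle does not parse"; return 1; }
    cert_pub=$(openssl x509 -in "$bundle" -pubkey -noout 2>/dev/null) \
        || { echo "FAIL: certificate in $bundle does not parse"; return 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: private key does not match the certificate"; return 1; }

    # Still valid for at least 30 days (2592000 s) and issued by the KeyControl CA.
    openssl x509 -in "$bundle" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expires within 30 days"; return 1; }
    openssl verify -CAfile "$cafile" "$bundle" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not chain to $cafile"; return 1; }

    echo "OK: $bundle is ready to upload as KMS certificate and private key"
    return 0
}

# --- Constructed fixtures standing in for the KeyControl download ----------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# A throwaway CA plays the role of KeyControl's cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Constructed KeyControl CA' \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/cacert.pem" 2>/dev/null
# A client certificate issued by that CA, key left unencrypted as the tutorial requires.
openssl req -newkey rsa:2048 -nodes -subj '/CN=vcenter-kmip-client' \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORKDIR/client.csr" -CA "$WORKDIR/cacert.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/client.crt" 2>/dev/null
GOOD_BUNDLE="$WORKDIR/vcenter-client.pem"
cat "$WORKDIR/client.crt" "$WORKDIR/client.key" > "$GOOD_BUNDLE"

# The same bundle with a password on the key: what a password manager that
# auto-filled the Create Certificate dialog would have produced.
BAD_BUNDLE="$WORKDIR/vcenter-client-passworded.pem"
openssl pkey -in "$WORKDIR/client.key" -aes256 -passout pass:autofilled \
    -out "$WORKDIR/client-enc.key" 2>/dev/null
cat "$WORKDIR/client.crt" "$WORKDIR/client-enc.key" > "$BAD_BUNDLE"

check_kmip_client_pem "$GOOD_BUNDLE" "$WORKDIR/cacert.pem"
check_kmip_client_pem "$BAD_BUNDLE" "$WORKDIR/cacert.pem" || true
```

To use it on a real download, call check_kmip_client_pem with the unzipped non-CA .pem file and cacert.pem. A FAIL on the password check cannot be repaired on the workstation by stripping the passphrase without also changing what KeyControl has on record; recreate the certificate in KeyControl without a password (Task 2, step 3) instead.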
Task 3: Add a Key Provider
1. Log in to the Oracle Cloud VMware Solution vCenter.
2. Click the name of your vCenter.
3. Click Configure.
4. In the Security section, click Key Providers.
5. Click Add Standard Key Provider.
6. Enter a Name for the key provider. This is only a reference name; it does not need to match any name used in Entrust KeyControl.
7. Enter a name for the KMS server and the IP address or FQDN of the first Entrust KeyControl node. It is recommended that the KMS server name match the host name of the node you are adding. Click Add KMS and add the second KeyControl node in the same way.
   IMPORTANT:
   - Expand the Password Protection section and confirm that the password fields are blank.
   - If you use a password manager that automatically fills in password fields in dialogs like this one, you MUST expand the Password Protection section and clear any password it filled in BEFORE you click Add Key Provider.
8. Click Add Key Provider when you are ready.
9. When vCenter prompts you to trust the certificates presented by the KeyControl nodes, click Trust. This makes vCenter trust the KMS; the reverse direction, making the KMS trust vCenter, is established in Task 4.
10. Select the radio button next to the key provider. The key management servers it contains are listed.
Task 4: Establish trust between vCenter and the Entrust KeyControl cluster using the client certificate
1. Click one of the KMS servers, and then click Establish Trust.
2. Select Make KMS trust vCenter.
3. Click KMS certificate and private key, and then click Next.
4. Under KMS Certificate, click Upload a File. Navigate to the location where you unzipped the client certificate zip file in Task 2. You will see two .pem files; ignore cacert.pem, select the other .pem file, and click OK.
5. Repeat the previous step for the KMS Private Key, using the same .pem file, and then click Establish Trust.
6. The yellow warning triangles shown in the previous step are replaced by green circles with check marks.
   Note: To view more details, expand one of the KMS server entries.
Next Steps
After your environment is set up for a standard key provider, you can use the VMware vSphere client to:
- Create encrypted virtual machines and virtual disks.
- Encrypt existing virtual machines and disks.
Related Links
- Oracle Cloud VMware Solution
- Oracle Cloud VMware Solution deployment
- VMware vSphere Trust Authority
- VMware vSphere standard key provider
- Use Encryption in Your vSphere Environment
- Entrust KeyControl capabilities
- Entrust KeyControl OVA v5.4 trial
Acknowledgments
- Author - Eran Maor (Principal Cloud Solution Architect)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F58650-01
June 2022
Copyright © 2022, Oracle and/or its affiliates.