Effortlessly Manage Your VMware vCenter 6.x Environment with HyTrust KeyControl KMS

Configuring a HyTrust KeyControl KMS with vCenter 6.7
=====================================================

In this blog post, we will discuss the process of configuring a HyTrust KeyControl KMS with vCenter 6.7. We will go over the steps required to enable the KMS, create a client certificate for the KMS server, and make both the KMS and vCenter servers trust each other.

Enabling the KMS
----------------

To begin, we log into the HyTrust KeyControl web client with the default root account “SECROOT”. In the KMIP section, we change the “State” of the KMS from DISABLED to ENABLED and apply the changes.

Creating a Client Certificate
-----------------------------

Since we do not have any client certificates, we will need to create one for the KMS server to trust the vCenter server. We will go to Client Certificates > Actions > Create Certificate, enter the certificate name “vCenterCert”, and select the certificate expiration. We will leave the Certificate Password blank and select “Create”.

Downloading the Certificate
---------------------------

Once the certificate is created, we can select it and download it locally as a ZIP file. Extracting this ZIP file shows us the CA certificate and the vCenter leaf certificate. The leaf certificate is the one used on the vCenter side.

Configuring vCenter
-------------------

We head to the vSphere Client to complete the configuration on the vCenter side. At the Hosts and Clusters level, we select the vCenter > Configure > Key Management Servers > Add. In this dialog box, we add a new cluster name, which we will call “HyTust_Cluster”, provide the server name and IP address of the HyTrust KMS, and provide the server port (for HyTrust KeyControl, the default KMIP port is 5696). We are not using a proxy or a specific username and password, so we leave those fields blank and finally click on “ADD”.

Reviewing the Details
---------------------

Following that, we see a pop-up with the title “Make vCenter Trust KMS”. Here we can review all the details of the KMS server certificate, and once we have verified them we click on “TRUST” to make the vCenter server trust the KMS server.

Making the KMS Trust vCenter
----------------------------

At this point, we see that the KeyControl KMS is added to vCenter and that vCenter trusts the KMS. The next step is to make the KMS trust the vCenter server, so we click on the “Make KMS Trust vCenter” button. As per the HyTrust KeyControl documentation, we have to select option 3 for the trust method, “KMS certificate and private key” (Upload the KMS certificate and private key to vCenter), and click Next. Here we click on “Upload a File” and select the “vCenterCert.pem” certificate that we downloaded and extracted earlier. Note that we use the same PEM file for both the KMS Certificate and the KMS Private Key, since that PEM file has the certificate and the private key combined.
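Two things in the steps above are worth checking before clicking TRUST or uploading anything: that the certificate details shown in the “Make vCenter Trust KMS” pop-up really belong to the KMS you reached on port 5696, and that the extracted vCenterCert.pem actually contains both a certificate block and a private-key block (otherwise uploading the same file twice cannot work). The following Python script is an added example, not code from the original post, HyTrust or VMware. It assumes the KMS is reachable on the KMIP port 5696 named in the post, that the PEM file is the one extracted from the KeyControl ZIP, and it uses a constructed sample bundle (not a real certificate or key) when no file is given.

```python
"""Pre-flight checks for the HyTrust KeyControl <-> vCenter trust steps.

Added example, not from the original post. Assumes the KMS listens on the
KMIP port 5696 and that "vCenterCert.pem" is the file extracted from the
KeyControl client-certificate ZIP. Only the Python standard library is used.
"""
import hashlib
import re
import socket
import ssl

KMIP_PORT = 5696  # default KeyControl KMIP port, as stated in the post

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(pem_text: str) -> list:
    """Return the PEM block labels found in a bundle, in order of appearance."""
    return PEM_BLOCK.findall(pem_text)


def bundle_has_cert_and_key(pem_text: str) -> bool:
    """True when the bundle carries both a certificate and a private key.

    The post uploads the same PEM file as "KMS certificate" and as "KMS
    private key"; that only works when both blocks sit in one file.
    """
    labels = set(pem_block_types(pem_text))
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return has_cert and has_key


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def kms_cert_fingerprint(host: str, port: int = KMIP_PORT, timeout: float = 5.0) -> str:
    """Fetch the certificate the KMS presents on its KMIP port and return
    its SHA-256 fingerprint.

    Chain verification is off here on purpose: vCenter has not trusted the
    KMS yet, and the goal is to read the fingerprint out-of-band so it can
    be compared with the details shown in "Make vCenter Trust KMS".
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_der(der)


# Constructed sample bundle (NOT a real certificate or key). It only mirrors
# the block layout the extracted vCenterCert.pem is expected to have.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBsampleCERTIFICATEbodyNOTREAL==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEsamplePRIVATEKEYbodyNOTREAL==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    import sys
    # usage: python kms_check.py [vCenterCert.pem] [kms-host]
    pem_path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(pem_path).read() if pem_path else SAMPLE_BUNDLE
    print("PEM blocks:", pem_block_types(text))
    print("certificate and private key present:", bundle_has_cert_and_key(text))
    if len(sys.argv) > 2:
        print("KMS SHA-256 fingerprint:", kms_cert_fingerprint(sys.argv[2]))
```

Run it with the extracted PEM path and the KMS host name; compare the printed fingerprint with the certificate details in the pop-up before clicking TRUST, and only upload the PEM if both block types are reported present.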

Completing the Configuration
----------------------------

Finally, we click on the Establish Trust button to complete the KMS configuration process for encryption use.

Important Notes
---------------

Please note that the specifics of the process of configuring the KMS, how it trusts vCenter, and how vCenter trusts it depend on the KMS vendor. So we always need to refer to the vendor documentation for the exact steps to configure a particular KMS.

Update: The process of configuring a KMS with vCenter described in this post is only applicable to versions 6.5 and 6.7. For 7.0, this process changes due to the use of an Attestation Cluster. I will have a blog post about it when I configure it in my lab.

Laraib Kazi is an expert in virtualization and a multi-year VMware Certified Implementation Expert and vExpert.