Deploying and Connecting A Key Management Server to vCenter

Is it secure?  

This has to be one of the first things you consider with any technology solution or decision today.  So when I was lucky enough to receive an NFR license from HyTrust for their KeyControl Key Management System, I was excited to get it into my lab so that I could make use of VMware’s vSAN and VM Encryption.

In this post I will be going through the process of deploying a HyTrust Key Control appliance and creating a trust with vCenter.  It was surprisingly straight forward and I was up and running in no time at all!

Firstly, deploy the OVA to an ESXi Host or Cluster that isn’t going to be managed by the Key Control appliance.  You don’t want your encryption keys in the same place as the objects you are encrypting!  

Follow the OVF deployment wizard, providing the details as prompted, and once the appliance is online, complete the final configuration steps to finish the installation.

You will then be met with this screen – 

System setup has completed successfully.
System Configuration Summary:
Hostname: smt-lab-kms-01
Management IP Address: 10.200.15.15
From your browser, please go to https://10.200.15.15

Now, browse to the web GUI and log in using the default credentials.  You will then be prompted to set your own, followed by SMTP and online monitoring configuration options.

Once this is done and you are logged in there are a few KMIP settings you need to adjust in order for it to be ready to connect to vCenter as a Key Provider – 

State = ENABLED

Protocol = Version 1.1

[Screenshot: KeyControl KMIP settings, Basic tab. Host Name 10.200.15.15, Port 5696, State ENABLED, Protocol Version 1.1, Certificate Type Default, Timeout Infinite, Log Level CREATE-MODIFY, Restrict TLS DISABLED (connections will use TLS 1.2 if set to Enabled), plus Auto-Reconnect and Verify options.]

Below is a link to a HyTrust document with the details for vSphere 6.5.  I used this for deployment in my vSphere 7 environment. You can find it here.

You will also want to apply a license file.  This is done via ‘Settings > License’, where you upload the license file you have been issued.

This completes a basic configuration that is now ready to connect to vCenter.  If you are deploying outside of a lab environment, you are going to want to review your installation appropriately for the environment it is intended for.

So over to the Web Client.  Select the vCenter Server object, select ‘Configure > Security > Key Providers’ and hit ‘Add Standard Key Provider’.

[Screenshot: vSphere Client, vCenter Server object smt-lab-vcsa-01.smt-lab.local, Configure > Security > Key Providers, with the ADD STANDARD KEY PROVIDER, MAKE DEFAULT and REMOVE buttons.]

You will then want to give it a name, followed by the requested information.  Once done, click ‘Add Key Provider’.

[Screenshot: Add Standard Key Provider dialog. Name: HyTrust Key Control; KMS: smt-lab-kms-01, Address 10.200.15.15, Port 5696; Proxy configuration (optional); Password protection (optional); ADD KEY PROVIDER.]

You will receive the following prompt asking you to confirm that you trust the certificate presented by the Key Provider you have entered. Click ‘Trust’.

This will have now created a Key Provider, but will show that it is not connected and has a certificate issue.  So next we need to set up the trust.

This can be done by clicking ‘Establish Trust’ and selecting ‘Make KMS trust vCenter’.

[Screenshot: Key Providers list. HyTrust Key Control (default) shows Connection Status “1 KMS not connected” and Certificates “1 certificate issue(s)”; the KMS entry shows port 5696, Client trusts server, and KMS Certificate valid until Dec 31, 2049. The ESTABLISH TRUST menu offers: KMS trust vCenter (Make KMS trust vCenter, Upload Signed CSR Certificate) and vCenter trust KMS (Make vCenter Trust KMS, Upload KMS Certificate).]

In my lab, I have gone with the option of creating a CSR and having the KMS issue a certificate – 

[Screenshot: Make KMS trust vCenter wizard, step 1 “Choose a method”. Choose a method to make the KMS trust the vCenter based on the KMS vendor's requirements. Once the trust is established, all replicas in the same KMS cluster will also trust the vCenter. Options:
vCenter Root CA Certificate: Download the vCenter root certificate and upload it to the KMS. All certificates signed by this root certificate will be trusted by the KMS.
vCenter Certificate: Download the vCenter certificate and upload it to the KMS.
KMS certificate and private key: Upload the KMS certificate and private key to vCenter.
New Certificate Signing Request (CSR): Submit the vCenter-generated CSR to the KMS, then upload the new KMS-signed certificate to vCenter.]

[Screenshot: step 2 “Submit CSR to KMS”. Copy or download the CSR below, make it available to the KMS, and have the KMS sign the certificate. The PEM-encoded CSR is shown with GENERATE NEW CSR, COPY and DOWNLOAD buttons, and a note: the trust won't be established after you finish this wizard. Go to the KMS to upload the CSR, have the KMS sign the certificate, and upload it to the vCenter to establish the trust.]

Download the CSR using the option available.  This will be in the .pem format which is exactly what you need.

Now over to the HyTrust appliance.  From the KMIP menu select ‘Actions’ followed by ‘Create New Client Certificate’, load the CSR we downloaded into the wizard, give it a name, and hit Create.

[Screenshot: KeyControl KMIP > Client Certificates > Actions > Create a New Client Certificate. Fields: Certificate Name, Certificate Expiration (08/09/2021, set via Expires In (days)), Certificate Signing Request (CSR) with Load File (CSR needs to be in base64 encoded PKCS#10), and optional Certificate Password / Confirm Password.]

Once this is done, select the certificate and click ‘Actions’ and select the ‘Download Certificate’ option.  This again will come in the requested .pem format.

[Screenshot: Client Certificates Actions menu: Create Certificate, Delete Certificate, Delete All Certificates, Download Certificate.]

Back to vCenter, we now need to upload the certificate using the ‘Establish Trust’ option and selecting ‘Upload Signed CSR Certificate’.

[Screenshot: ESTABLISH TRUST menu on the HyTrust Key Control provider with ‘Upload Signed CSR Certificate’ under ‘KMS trust vCenter’.]

Once uploaded, you will see that the connection is now showing as connected and has a valid certificate.

[Screenshot: Key Providers. HyTrust Key Control (default) now shows Connection Status Connected and Certificates Valid. KMS smt-lab-kms-01 at 10.200.15.15, port 5696, Connected; vCenter Certificate valid until Aug 9, 2021; KMS Certificate valid until Dec 31, 2049.]

This is now set up and ready to begin looking at VM and vSAN Encryption.  Check out the next post, which will go into both these options in more detail.

Thanks for reading.
