Tag Archives: vCenter 7

Deploying and Connecting A Key Management Server to vCenter

Posted on by 2 comments

Is it secure?  

This has to be one of the first things you consider with any technology solution or decision today.  So when I was lucky enough to receive a NFR license from HyTrust for their KeyControl Key Management System I was excited to get this into my lab so I can make use of VMware’s vSAN and VM Encryption.

In this post I will be going through the process of deploying a HyTrust Key Control appliance and creating a trust with vCenter.  It was surprisingly straight forward and I was up and running in no time at all!

Firstly, deploy the OVA to an ESXi Host or Cluster that isn’t going to be managed by the Key Control appliance.  You don’t want your encryption keys in the same place as the objects you are encrypting!  

Follow the OVF deployment wizard, providing the details as prompted, and once the appliance is online, complete the final configuration steps to finish the installation.

You will then be met with this screen – 

System setup has completed successful ly . System Conf iguration Sunmry : Hostnam: smt-lab-kms-al Phnagemnt IP Address: 1B . Zag . 15 . 15 From your browser, please go to https ://IB .ZBB . 15 . 15

Now, browse to the web GUI and log in using the default credentials.  You will then be prompted to set your own, followed by SMTP and online monitoring configuration options.

Once this is done and you are logged in there are a few KMIP settings you need to adjust in order for it to be ready to connect to vCenter as a Key Provider – 

State = ENABLED

Protocol = Version 1.1

TRUST H SECURITY Actions • Host Name: port: State Basic Client Certificates Objects 10.200.15.15 5696 ENABLED OFF Yes Version 1.1 Detault OFF O Infinite CREATE-MODIFY DISABLED Connections Will use TLS 1.2 if set to Enabled AUDIT LOG v Auto-Reconnect Verity Protocol: Certificate Type: Nöio: Timeout: Log Level: Restnct TLS] Custom nex value

Below is a link to a HyTrust document with the details for vSphere 6.5.  I used this for deployment in my vSphere 7 environment. You can find it here.

You will also want to apply a license file.  This is done via; ‘Settings > License’, by way of uploading the license file you have been issued.

This completes a basic configuration that is now ready to connect to vCenter.  If you are deploying outside of a lab environment, you are going to want to review your installation appropriately for the environment it is intended for.

So over to the Web Client.  Select the vCenter Server object, select ‘Configure > Security > Key Providers’ and hit ‘Add Standard Key Provider’.

smt-lab-vcsa-01.smt-lab.local Summary Monitor Con figure Permissions Key Providers Settings General Licensing Message of the Day Advanced Settings Authentication Proxy vCenter HA Security Trust Authority Ke Providers Alarm Definitions Scheduled Tasks Storage Providers vSAN Update Internet Connectivity ACTIONS V Datacenters Hosts & Clusters V Ms Datastores Networks Linked vCenter Server Systems Extensions Updates ADD STANDARD KEY PROVIDER MAKE DEFAULT REMOVE

You will then want to give it a name, followed by the requested information.  Once done, click ‘Add Key Provider’

Add Standard Key Provider Name KMS smt-lab-kms-011 ADD KMS HyTrust Key Control Address 10_200.15.15 Proxy configuration (optional) Password protection (optional) CANCEL 5696 ADD KEY PROVIDER

You will receive the following prompt to confirm you want to from the Key Provider you have entered. Click ‘Trust’

This will have now created a Key Provider, but will show that it is not connected and has a certificate issue.  So next we need to set up the trust.

This can be done by clicking ‘Establish Trust’ and selecting ‘Make KMS trust vCenter’

Key Providers ADD STANDARD KEY PROVIDER Key Provider HyTrust Key Control (default) Provider By Trust Key Control - ESTABLISH TRUST v KMS trust vCenter Make KMS trust vCenter Upload Signed CSR Certificate vcenter Trust KMS Make vCenter Trust KMS Upload KMS Certificate MAKE DEFAULT EDIT REMOVE T 5696 Connection Status 1 KMS not connected Key Management Servers T Address Certificates 1 certificate issue(s) vCenter Certificate Connection Status Client trusts server KMS Certificate @ Valid until: Dec 31, 2049 items items

In my lab, I have gone with the option of creating a CSR and having the KMS issue a certificate – 

Make KMS trust vCenter 1 Choose a method 2 Estaalish Trust Choose a method Choose a method to make the KMS trust the vCenter based on the KMS vendor's requirements Once the trust is established, all replicas in the same KMS cluster will also trust the vCenter_ C) vCenter Root CA Certificate Download the vCenter root certificate and upload it to the KMS. All certificates signed by this root certificate will be trusted by the KMS C) vCenter Certificate Download the vCenter certificate and upload it to the KMS. C) KMS certificate and private key Upload the KMS certificate and private key to vCenter New Certificate Signing Request (CSR) Submit the vCenter-generated CSR to the KMS then upload the new KMS- signed certificate to vCenter. CANCEL NEXT
Make KMS trust vCenter 1 Choose a method 2 submit CSR to KMS Submit CSR to KMS Copy or download the CSR below, make it available to KMS, and have the KMS sign the certificate. ..BEGIN CERTIFICATE REQUEST..... MllE5TCCAs0CAaAwczEhMB8GAIUEAmvYa21pcENsaWVudDlwMjAw0DA5MTAy0DMy MaswncaYDVOGGEwJVUzETMBEGAIUECAwK02FsaWZvcmspYTEPMAOGAIUECgwGV AOUAA41COwAwgglKAolCAODbUPS+jw9AG09pGOg2sgOdCa1n-mvJXVTA14xOSdrOV BFgu06A*CBRW61rsPSKaetu7x9mHlkogcscARfy9CEqkPHfntYp7RJNcJWEVBXb0 WXKvS+Gfoex2jBNCASB/0kLuH+LWZwz6Kq0REmpeHDbHcsXNvjKN5x9DGckDUw ykgB9p2YuHom/lf6YiYMadA4C2kgPkeKGDSILJsvvmTG9PtxUlrhgatA400CD+cv FhT+tlgpUOV2MJFowadoFT6DgrWUgyg,'noWm10E9jicEm7dxxTNGVcNAmtynJRE xnlEYUhGGsNHyNb0GdA9RS2qjhDekNNRg7x6snZIC+pE/gaqNOJ5Zxx3X*lmalYE GENERATE NEW CSR copy DOWNLOAD @ The trust won't be established after you finish this wizard. Go to the KMS to upload the CSR, have the KMS sign the certificate, and upload it to the vCenter to establish the trust. CANCEL BACK DONE

Download the CSR using the option available.  This will be in the .pem format which is exactly what you need.

Now over to the HyTrust appliance, load the CSR we downloaded into the wizard, as well as a name, and hit create.  This is via the KMIP menu and selecting ‘Actions’ followed by ‘Create New Client Certificate’.

DASHBOARD Actions • TRUST H Valid From SECURITY Basic Client Certificates Objects AUDIT LOG Create a New Client Certificate Load File KMIP SETTINGS Certificate Name Expires In (day Certificate Name Certficate Name Certificate Expiration 08/09/2021 Certificate Signing Request (CSR) CSR needs to be in beseö4 encoded PKCS#IO Certificate Password Certificate Password Confirm Password Confirm Password Cancel

Once this is done, select the certificate and click ‘Actions’ and select the ‘Download Certificate’ option.  This again will come in the requested .pem format.

H TRUST Basic Client Certificates Object! Create Certificate Delete Certificate Delete All Certificates Download Certificate

Back to vCenter, we now need to upload the certificate using the ‘Establish Trust’ option and selecting ‘Upload Signed CSR Certificate’.

Provider By Trust Key Control - ESTABLISH TRUST v KMS trust vCenter Make KMS trust vCenter Upload Signed CSR Certificate vcenter Trust KMS Make vCenter Trust KMS Upload KMS Certificate Key Management Servers T Address 5696 Connection Status Client trusts server vCenter Certificate KMS Certificate @ Valid until: Dec 31, 2049

Once uploaded, you will see that the connection is now showing as connected and has a valid certificate.

Key Providers ADD STANDARD KEY PROVIDER Key Provider HyTrust Key Control (default) Provider By Trust Key Control - ESTABLISH TRUST s MAKE DEFAULT EDIT REMOVE T 5696 Connection Status @ Connected Certificates @ Valid items Key Management Servers T C) smt-lab-kms-01 Address 10200.15_15 Connection Status @ Connected vCenter Certificate @ Valid until: Aug 9, 2021 KMS Certificate @ Valid until: Dec 31, 2049

This is now setup and ready to begin looking at VM and vSAN Encryption.  Check out the next post which will go into both these options in more detail.

Thanks for reading.