IBM Cloud Docs
Managing Entrust KeyControl

Managing Entrust KeyControl

New installations of Entrust KeyControl™ (formerly HyTrust KeyControl) are not supported for new or existing deployments of VMware Cloud Foundation for Classic - Automated instances. You can still use or delete existing Entrust KeyControl installations on your existing instances.

To manage Entrust KeyControl, access the Entrust KeyControl web GUI from the IBM Cloud® for VMware Solutions console, or access the Entrust KeyControl console from the vSphere® Web Client.

Accessing the Entrust KeyControl web GUI in the VMware Solutions console

To log in to the WebGUI of the primary or secondary Entrust KeyControl appliance, use the WebGUI credentials that are found on the Entrust KeyControl service details page.

Accessing the Entrust KeyControl console from the vSphere Web Client

To access the Entrust KeyControl console from the vSphere Web Client, use the following procedure:

  1. In the vSphere Web Client, find the virtual machines (VMs) that start with the names KC1 and KC2 that have the matching IP address that is found on the Entrust KeyControl service details page.
  2. Right-click KC1 or KC2, and then click Open Console.
  3. Log in to the console by using the console credentials that you can find on the Entrust KeyControl service details page.

Enabling internet access for the Entrust KeyControl VMs

For Entrust KeyControl 4.3.2 and later, IBM Cloud for VMware Solutions provides automatic renewal support for Entrust licenses with the Call Home feature enabled. For VMware Cloud Foundation for Classic - Automated instances that are not private-only, Entrust KeyControl is deployed with firewall and SNAT (Source Network Address Translation) rules that are defined on the management services ESG mgmt-nsx-edge.

These rules enable internet access for the Entrust VMs. If internet access is not enabled, the license that is applied to your Entrust KeyControl installation will expire after a year.

For private-only vCenter Server environments, the VMware® NSX Edge Services Gateway (ESG) mgmt-nsx-edge is not added. Therefore, the firewall and SNAT rules are not defined. As a result, internet connectivity cannot be enabled for private-only instances and Entrust licenses expire annually.

Procedure to find the firewall and SNAT rules defined

  1. Log in to the VMware vSphere® Web Client (FLEX) and find the ESG mgmt-nsx-edge.
  2. Click Home > Networking & Security > NSX Edges.
  3. Double-click the ESG mgmt-nsx-edge and click the Manage tab.
  4. Go to the Firewall tab and find the Entrust rules. Note the source IP addresses, which are the IP addresses for the Entrust VMs.
  5. Go to the NAT tab and find the SNAT rules that are created for the Entrust VMs. The source IP addresses match the IP addresses that you noted in the previous step.

Procedure to enable internet connectivity for Entrust KeyControl

  1. Complete steps 1 - 3 in the previous procedure.
  2. Click Settings and then Interfaces. Note the IP address for the private uplink. This address is the new default gateway.
  3. Click Home > Hosts and Clusters and find the Entrust VMs. Right-click one of the VMs and click Open Console.
  4. Log in to the console by using the console credentials that you can find on the Entrust KeyControl service details page on the IBM Cloud for VMware Solutions console.
  5. To get the current default gateway IP address from the VM, click Manage Network Settings > Show Current Network Configuration. Note the IP address that is listed for Gateway. This address becomes the gateway that is used for the static route.
  6. To set a static route for the VM, click Manage Network Settings > Manage Static Routes > Add Static Route. Set the Network address to 10.0.0.0/8 and Gateway to the IP address noted in the previous step.
  7. To set the default gateway IP for the VM, click Manage Network Settings > Change Current Network Configuration. If you get a warning message, click OK, then click Custom Configuration. Set the Gateway field to the private uplink IP address noted in step 2 and click OK. Wait until the new network configuration is installed and the network services are restarted.
  8. If you see a message that asks for Entrust SecureOS reauthentication, click OK and enter the IP address of the other Entrust VM for this installation. If you are asked for a 16-character passphrase, press Enter to return to the main menu. Verify the current network configuration to ensure that your changes are applied.
  9. To confirm that the VM has access to the internet, ping a public IP address or website. Click Manage Network Settings > Network Diagnostic Tools > Test Inbound Ports of Another Server. Type a public website address, for example, www.ibm.com, click OK, type 80 443 for the ports (or any other ports you want to test). You must get an immediate response that shows the inbound ports with a message similar to 80 (OK) 443 (OK).
  10. Repeat steps 3 - 9 for the other Entrust VM.

Considerations when you delete Entrust KeyControl

Review the following considerations before you delete the service:

  • Before you delete Entrust KeyControl, decouple all clients from using Entrust KeyContol. After you delete the service, the keys might be deleted, and you might be locked out of your VMs.
  • If you installed the Entrust KeyControl service before VMware® Solutions v4.0 and you delete the service, you must manually remove the DNS entries. For more information, see Manually removing the DNS entries.