KeyControl Installation on Amazon Web Services

Contents
- Introduction
- Deploying an initial KeyControl Server
- Deploying an Elastic Load Balancer (ELB)
- Adding a KeyControl node to a cluster in the same availability zone
- Adding a KeyControl node to a cluster in a different availability zone
- Adding a KeyControl node to a cluster in a different region

Introduction

This document provides you with detailed steps to deploy the full range of KeyControl instances in Amazon Web Services (AWS). If you are already familiar with AWS, setting up a Virtual Private Cloud (VPC), and so on, you may want to go directly to the Quick Start Guide - HyTrust KeyControl v2.6 on AWS.

Deploying a KeyControl server into Amazon Web Services (AWS) requires setting up several components, depending on the type of deployment. The following sections provide step-by-step directions for each of the deployment types:
- Deploying an initial KeyControl server
- Deploying an Elastic Load Balancer (ELB)
- Adding a KeyControl node to a cluster in the same availability zone
- Adding a KeyControl node to a cluster in a different availability zone
- Adding a KeyControl node to a cluster in a different region

Deploying an initial KeyControl server

To begin with, you need to have an existing account on Amazon Web Services. You will start by logging on to that account.

Log on to Amazon Web Services with an existing account
1. Point your browser at: https://aws.amazon.com/
2. On the menu bar, click My Account from the My Account / Console drop-down menu. Your company name should already be filled in.
3. Enter the User Name and Password that your security administrator supplied to you. Note that your User Name does not have a domain (@companyname.com, for example). The Services menu appears.
4. Click Services > EC2.

Select a region
1. Log on to your EC2 account.
2. Navigate to the EC2 Console Dashboard.
3. At the top right of the EC2 Dashboard, click your deployment region from the drop-down list.
   In the example below, US West (Oregon) is chosen, but you should choose based on your needs.

HyTrust KeyControl Installation on Amazon Web Services Page 1

Create a Key Pair
1. From the EC2 Dashboard, click Key Pairs from the navigation panel.
2. Click Create a Key Pair.
3. Create a name for the Key Pair.
4. Click Create. The private key file is created and you may get the option to Open it or Save it. Choose Save File if you have that option. The likelier case is that it is downloaded automatically. The screen shot below shows the Firefox download dialog box.
The Key Pair is automatically downloaded by your browser as a .pem file into the default download location for your system. Save your .pem file. The base file name is the name you specified as the name of your Key Pair, and the file name extension is .pem. Save the private key file in a safe place; you will refer to it at various points in your interaction with your system.

Create a VPC
1. Navigate to Console Home (yellow cube) at top left of the Dashboard.
2. Under Compute & Networking, click VPC (Isolated Cloud Resources).
3. From the VPC Dashboard, click Start VPC Wizard.
4. Click Select to set up VPC with a Single Public Subnet.
   By default, when a VPC is created, an Internet Gateway is automatically assigned to it. If the assigned gateway and/or IP block is insufficient, you can modify the IP block and subnet information according to your needs. You can also create a new Internet Gateway and assign it to your VPC.
   Note: In order for two VPCs to communicate, there should not be any overlapping IP addresses between the two VPCs. A good example is 50.0.0.0/16 and 100.0.0.0/16.
5. Give your VPC a name.
6. Click Create VPC, and then click OK. Note the VPC ID.

Create a Security Group
As part of VPC creation a default Security Group is assigned to your VPC. For KeyControl communication, it is recommended to create a Security Group that only enables certain inbound services/ports.
1. From the VPC Dashboard, click Security Groups.
2. Click Create Security Group.
3. Create a Name and Description for the Security Group.
4. Select the VPC ID from the drop-down list, selecting the VPC that was just created above. Make sure No VPC is NOT selected.
5. Click Yes, Create.

Add rules to your Security Group
1. In the Security Group page, click the Security Group that was just created.
2. Click the Inbound Rules tab.
3. Click Edit. The Edit inbound rules dialog box appears.
4. Click SSH from the drop-down Type menu. For Source, enter 0.0.0.0/0.
5. Click Add another rule.
6. Click HTTPS from the drop-down Type menu. For Source, enter 0.0.0.0/0.
7. Click Add another rule.
8. Click Custom TCP rule from the drop-down Type menu. Type 6666 as the Port Range. For Source, enter 0.0.0.0/0.
9. Click Add another rule.
10. Click Custom UDP Rule. Type 123 as the Port Range. For Source, enter 0.0.0.0/0.
11. Click Save.
The end result should look like this:

If this KeyControl instance will be deployed in a cluster, the following rules must be implemented in addition to the above list:
- ICMP Echo Reply
- ICMP Echo Request
- TCP port 2525
- TCP port 2526
The final result should look like this:

NOTE: The above is an example of inbound traffic rules for an AWS Security Group. These ports are open to the world, as indicated by their 0.0.0.0/0 CIDR notation, merely for demonstration purposes.
Important: It is the responsibility of the administrator to open these ports only to the IP addresses that are absolutely necessary to connect to the KeyControl instance.

Create an EIP address
AWS has two separate pools for Elastic IP (EIP) addresses: one pool is for EC2-Classic, and the other for EC2-VPC. It is crucial to allocate the EIP for KeyControl from the EC2-VPC pool.
1. From the VPC Dashboard (Services > VPC), click Elastic IPs.
2. Click Allocate New Address. It should display that the EIP is for VPC usage and not EC2. This appears in the Scope column.
3. Click Yes, Allocate.
4. Make a note of the allocated EIP.

Launch an instance
1. From the VPC Dashboard, click Launch EC2 Instances.
2. Click HyTrust AMI from AWS Marketplace. The Choose an Instance Type dialog box appears.
3. From the list of Instance Types, click m3.large or whatever best fits the bandwidth/latency requirements you desire.
4. Click Next: Configure Instance Details. The Configure Instance Details dialog box appears.
5. Click your VPC ID as the Network used for launch.
6. Number of instances should be 1.
7. Make sure Auto-assign Public IP is NOT set. Click Disable.
8. Click Next: Add Storage. The Add Storage dialog box appears. Root device with all defaults works fine. There is no need to change anything.
9. Click Next: Tag Instance. The Tag Instance dialog box appears. If you wish to add key-value tags to your instance, do so.
10. Click Next: Configure Security Group. The Configure Security Group dialog box appears.
11. In Assign a Security Group, click Select an existing Security Group. Select the Security Group you created above.
12. Click Review and Launch. The Boot from General Purpose (SSD) dialog box appears.
13. Click on your choice of boot volume for this instance, and then click Next. The Review and Launch dialog box appears.
14. Review your settings, paying particular attention to the IP address ranges you have open to external browsers. Your current settings, set at 0.0.0.0/0, are "open to the world." When you are satisfied with your settings, click Launch. The Select an existing key pair or create a new key pair dialog box appears.
15. When asked to click a Key Pair, click Choose an existing Key Pair. Select the Key Pair that you created earlier.
16. Click the checkbox acknowledgement that you have access to this Key Pair.
17. Click Launch instances.

Associate the EIP address to the instance
1. Once the newly launched instance is in initializing state, note its Instance ID.
2. From the VPC Dashboard, in the center of the screen, click Elastic IPs. The Allocate New Address dialog box appears.
3. Click Allocate New Address. You are asked to confirm. Click Yes, Allocate. The Allocate New Address dialog box appears again, but this time with a new address filled in.
4. Click Associate Address. The Associate Address dialog box appears.
5. In the instance drop-down box, click the instance ID that was launched above.
6. Click Yes, Associate.
7. Click Instances from the EC2 Dashboard.
8. Click the Instance ID.
When the Elastic IP of the instance appears, it indicates that the EIP is now associated with the instance. Note that the public IP has the same address, which you will use after completing the next steps in the KeyControl system menus.

Connect to the KeyControl system menus
Use ssh to log into the new KeyControl menu system. You will use the key pair associated with the VPC and the EIP associated with the instance. Use the login ID sysmenus. The initial password is sysmenus. Issue the following command from your UNIX shell:

    ssh -i <my_key> -l sysmenus <my_eip>

You will first be prompted to change the KeyControl menu system's password (you cannot continue to use the initial sysmenus password). You will be required to enter the password twice. Passwords must be a minimum of eight characters.

The menus to which the root/password combination enables access are where diagnostics and settings can be manipulated for this system during its lifetime. Without the password, access to the system for these tasks is impossible. It is critical that the password be stored safely somewhere.

Note that this is not a general login account. Since this is a secure appliance, you cannot get a shell prompt, and only have access to a basic menu system that allows for hardware change, network setup and general debugging capabilities. We cover these topics later.

The last step in configuration is choosing whether you are going to add this new KeyControl instance as a new node to an existing cluster. If you choose to add this new KeyControl instance as a new node in an existing cluster, follow the directions here: Joining a KeyControl Cluster. If this is your first KeyControl system and you respond No to this prompt, your system is fully configured and you will see the last of these post-install menus pointing you to the webgui interface. After this, you are brought to the main menu for the system menuing. At this point you can choose to log out. Remember that further access to the system menus requires the password that you just set up.

The next step: the webgui
Further configuration takes place in the webgui. Instructions appear here: Logging onto the webgui for the First Time. You will use the IP address of your instance.

Note on upgrading: HyTrust is building in functionality for future upgrades to the AWS installation. You will read elsewhere of upgrading using an ISO image. That form of upgrade is not available for AWS installations.

Deploying an Elastic Load Balancer (ELB)

An Elastic Load Balancer (ELB) enables you to distribute the load from virtual machines across multiple KeyControl nodes in a KeyControl Cluster. It does this without your intervention after the initial setup phase. This material walks you through setting up your ELB.

Requirements for deploying an ELB
The following components are required prior to placing an Elastic Load Balancer (ELB) in front of a new KeyControl cluster:
- Two or more running KeyControl instances.
- A Security Group of KeyControl nodes.

Log on and select your region
Take the following steps:
1. Log on to your EC2 account.
2. Navigate to the EC2 Console Dashboard.
3. At the top right of the EC2 Dashboard, select the region in which your existing KeyControl server/cluster resides.

Create your Load Balancer
1. From the EC2 Dashboard, under NETWORK & SECURITY, select Load Balancers from the navigation panel.
2. Click Create Load Balancer.
Define your Load Balancer
1. In the Load Balancer wizard, specify a name for the load balancer. Note that the name must be alphanumeric. Hyphens are OK; spaces are not.
2. From the drop-down menu in Create LB Inside, select the VPC in which the two KeyControl instances reside.
3. In this instance the objective is to create an Internet-facing load balancer, so that your KeyControl cluster can be accessed from outside the AWS network. Given that, do NOT check Create an internal load balancer.
4. In addition, leave Advanced VPC configuration unchecked.
5. Under Listener Configuration, make the following selections:
   - Select HTTPS (Secure HTTP) for Load Balancer Protocol.
   - Select HTTPS (Secure HTTP) for Instance Protocol.
6. Click Continue.

Select a Certificate for your Load Balancer
If you have already uploaded a certificate, you may use any of your existing certificates. Take the following steps:
1. Click Choose an existing SSL Certificate as Certificate Type.
2. Select your certificate from the drop-down menu of existing certificates.
If you wish to assign a new certificate for your ELB, take the following steps:
1. Click Upload a new SSL Certificate as Certificate Type.
2. Enter the name of the certificate in Certificate name.
3. Copy and paste the pem-encoded private key of your certificate into the Private Key box.
4. Copy and paste the pem-encoded public key of your certificate into the Public Key Certificate box.
5. If applicable, copy and paste the pem-encoded certificate chain into the Certificate Chain box.
Click Continue.

Select a cipher for your Load Balancer
You have the capability to customize the ELB's Security Policy at your discretion, or you can pick a predefined Security Policy from the drop-down menu. We recommend that you select ELBSecurityPolicy-2014-10 from the set listed in Predefined Security Policy. Click Continue.

Provide a Backend Certificate (optional)
If you wish to provide a certificate for the backend instances, you may do so. Otherwise, check Proceed without backend authentication, and then click Continue.

Configure a health check for your Load Balancer
Take the following steps:
1. Accept HTTPS for Ping Protocol.
2. Accept 443 for Ping port.
3. Update Ping Path to be: /doc/admin_guide/admin_guide.html
4. You may modify the parameters displayed under Advanced Details later, if there is a need for it. Accept the defaults, and then click Continue.

Assign a Security Group
Take the following steps:
1. Click Select an existing Security Group.
2. Select the Security Group that you have created for your KeyControl instances.
3. Click Continue.

Add EC2 Instances
Take the following steps:
1. From the list of instances, select all KeyControl instances that are to be used by this ELB.
2. Accept the defaults for Availability Zone Distribution.
3. Click Continue.

Add Tags to your Load Balancer (optional)
You may add as many tags as you wish to your ELB at this point. When you are finished, click Continue.

Preview your Load Balancer settings
Review the options you have chosen, and edit or modify them if needed.
Click Create. Click Close after the load balancer is created.

Enable Stickiness in your Load Balancer
On the Load Balancer page, select the newly created Load Balancer and then take the following steps:
1. Click the Description tab in the Load Balancer details section of your ELB.
2. In the Port Configuration section, next to Stickiness: Disabled, click the Edit link.
3. Select Enable Load Balancer Cookie Stickiness.
4. Leave Expiration Period blank.
5. Click Save.

Run a Health Check on your new Load Balancer
Take the following steps:
1. Click the Instances tab in the Load Balancer details section of your ELB.
2. If the status of any instance shows OutOfService, there could be a delay of up to several minutes before the load balancer marks the instances as InService (Healthy).
3. Once all of the backend instances are marked InService, your load balancer is fully operational.

Logging on to your KeyControl cluster through the Load Balancer
Take the following steps to see your Load Balancer in action:
1. Click the Description tab in the Load Balancer details section of your ELB.
2. Copy the DNS name of the ELB, excluding (A Record).
3. Open your browser, and in the navigation/address bar type https:// followed by the ELB DNS name.
4. After a pause, you should see the login page of one of your KeyControl instances. Log on with your user name and password.
If your logon is successful, you have set up your Load Balancer successfully.

Adding a KeyControl node to a cluster in the same availability zone

The following components are required prior to adding a new KeyControl node to an existing KeyControl cluster:
- One or more running KeyControl servers.
- ID of the VPC where the existing KeyControl server runs.
- ID of the Security Group of the existing KeyControl server.
- Key Pair of the existing KeyControl node/cluster.
- Internal IP address of a KeyControl server in the existing cluster.

Log on to Amazon Web Services with an existing account
To begin with, you need to have an existing account on Amazon Web Services. You will start by logging on to that account. For details, see Log on to Amazon Web Services with an existing account.

Select the region where your existing KeyControl node resides
1. Log on to your EC2 account.
2. Navigate to the EC2 Console Dashboard.
3. At the top right of the EC2 Dashboard, click your deployment region from the drop-down list. In the example below, US West (Oregon) is chosen, but you should choose based on the location of your existing KeyControl node.

Modify your Security Group
In order to allow communication between KeyControl servers, certain rules must be added to the Security Group of the existing KeyControl cluster.
1. From the VPC Dashboard, click Security Groups.
2. From the list of Security Groups in the table, click the Security Group of the existing KeyControl server.
3. Click the Inbound tab, and review the rules that exist. If they do not look like the following image, add more rules, as shown below.
4. If there is no Custom ICMP rule with Echo Reply in the Port Range column in the rules table on the right, create one, as follows:
   a. Click Edit.
   b. Click Add Rule.
   c. Click Custom ICMP Rule from the drop-down menu.
   d. Click Echo Reply as Port Range.
   e. Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
5. If there is no Custom ICMP rule with a Port Range of Echo Request in the rules table on the right, create one, as follows:
   a. Click Add Rule.
   b. Click Custom ICMP Rule from the drop-down menu.
   c. Click Echo Request as the Port Range.
   d. Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
6. If there is no Custom TCP rule with a Port Range of 2525 in the rules table on the right, create one, as follows:
   a. Click Add Rule.
   b. Click Custom TCP rule from the drop-down menu.
   c. Click 2525 as the Port Range.
   d. Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
7. If there is no Custom TCP rule with a Port Range of 2526 in the rules table on the right, create one, as follows:
   a. Click Add Rule.
   b. Click Custom TCP rule from the drop-down menu.
   c. Click 2526 as the Port Range.
   d. Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
8. If there is no Custom TCP rule with a Port Range of 6666 in the rules table on the right, create one, as follows:
   a. Click Add Rule.
   b. Click Custom TCP rule from the drop-down menu.
   c. Click 6666 as the Port Range.
   d. Select a Source of Anywhere or enter an IP range that includes all members of the cluster.
9. Click Save, and review your end result to ensure that it looks like this:

NOTE: The above is an example of inbound traffic rules for an AWS Security Group. These ports are open to the world, as indicated by their 0.0.0.0/0 CIDR notation, merely for demonstration purposes.
Important: It is the responsibility of the administrator to open these ports only to the IP addresses that are absolutely necessary to connect to the KeyControl instance.
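The two Security Group sections above (the initial node's rules and the cluster additions here) list the inbound rules KeyControl needs and warn that 0.0.0.0/0 sources are for demonstration only. The following script is an added example, not HyTrust's or AWS's code: it audits a Security Group in the shape returned by `aws ec2 describe-security-groups` for the required KeyControl rules, flags any that are still open to the world, and checks that the cluster ports admit a peer node's subnet when nodes live in different VPCs (the KeyControl_Node1/KeyControl_Node2 case described below). The group ids and the TRUSTED_NET range are assumed placeholders.

```python
"""Audit an AWS Security Group against the inbound rules KeyControl needs.

Added example (not HyTrust's or AWS's code). Input follows the shape of the
IpPermissions list returned by `aws ec2 describe-security-groups`.
"""
import ipaddress

# Inbound rules for a standalone KeyControl node: (IpProtocol, port or ICMP type, label)
STANDALONE_RULES = [
    ("tcp", 22, "SSH (TCP/22)"),
    ("tcp", 443, "HTTPS (TCP/443)"),
    ("tcp", 6666, "KeyControl (TCP/6666)"),
    ("udp", 123, "NTP (UDP/123)"),
]
# Rules added when the node is (or will be) a cluster member.
CLUSTER_RULES = [
    ("icmp", 8, "ICMP Echo Request"),
    ("icmp", 0, "ICMP Echo Reply"),
    ("tcp", 2525, "Cluster (TCP/2525)"),
    ("tcp", 2526, "Cluster (TCP/2526)"),
]
ANYWHERE = "0.0.0.0/0"


def _permits(perm, proto, port):
    """True if one IpPermissions entry covers proto/port.
    AWS stores the ICMP *type* in FromPort (-1 = every type); an IpProtocol of
    "-1" is the console's "All traffic" rule."""
    ip_proto = perm.get("IpProtocol")
    if ip_proto == "-1":
        return True
    if ip_proto != proto:
        return False
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if proto == "icmp":
        return lo in (-1, port)
    return lo == -1 or lo <= port <= hi


def _sources(perm):
    return [r["CidrIp"] for r in perm.get("IpRanges", [])]


def _covers_cidr(perm, needed_cidr):
    """Does any source range of this rule contain the whole needed subnet?"""
    needed = ipaddress.ip_network(needed_cidr)
    return any(needed.subnet_of(ipaddress.ip_network(c)) for c in _sources(perm))


def audit_security_group(sg, cluster=True, peer_cidrs=()):
    """Return a report with three lists:
    missing      - required rules with no matching inbound permission
    world_open   - required rules reachable from 0.0.0.0/0 (the page's demo setting)
    peer_missing - (peer_cidr, label) where a cluster rule does not admit a KeyControl
                   node that lives in another VPC subnet
    """
    perms = sg.get("IpPermissions", [])
    required = list(STANDALONE_RULES) + (list(CLUSTER_RULES) if cluster else [])
    report = {"missing": [], "world_open": [], "peer_missing": []}
    for proto, port, label in required:
        matching = [p for p in perms if _permits(p, proto, port)]
        if not matching:
            report["missing"].append(label)
        elif any(ANYWHERE in _sources(p) for p in matching):
            report["world_open"].append(label)
    for peer in (peer_cidrs if cluster else ()):
        for proto, port, label in CLUSTER_RULES:
            if not any(_permits(p, proto, port) and _covers_cidr(p, peer) for p in perms):
                report["peer_missing"].append((peer, label))
    return report


def _rule(proto, lo, hi, *cidrs):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs]}


# Constructed sample: the page's demonstration group, every source left at 0.0.0.0/0
# and the TCP/2526 cluster rule not yet added. Group ids are placeholders.
DEMO_SG = {"GroupId": "sg-PLACEHOLDER-demo", "IpPermissions": [
    _rule("tcp", 22, 22, ANYWHERE), _rule("tcp", 443, 443, ANYWHERE),
    _rule("tcp", 6666, 6666, ANYWHERE), _rule("udp", 123, 123, ANYWHERE),
    _rule("icmp", 8, -1, ANYWHERE), _rule("icmp", 0, -1, ANYWHERE),
    _rule("tcp", 2525, 2525, ANYWHERE),
]}

# Constructed sample: the group for KeyControl_Node1 (VPC subnet 172.31.68.0/24, from the
# page) after restricting sources. TRUSTED_NET is an assumed stand-in (RFC 5737 range)
# for whatever client/admin ranges actually need to reach the node; cluster traffic is
# admitted only from Node1's own subnet and from KeyControl_Node2's 90.232.96.0/24.
TRUSTED_NET = "203.0.113.0/24"
NODE1_NET, NODE2_NET = "172.31.68.0/24", "90.232.96.0/24"
HARDENED_SG = {"GroupId": "sg-PLACEHOLDER-node1", "IpPermissions": [
    _rule("tcp", 22, 22, TRUSTED_NET), _rule("tcp", 443, 443, TRUSTED_NET),
    _rule("tcp", 6666, 6666, TRUSTED_NET), _rule("udp", 123, 123, TRUSTED_NET),
    _rule("icmp", 8, -1, NODE1_NET, NODE2_NET), _rule("icmp", 0, -1, NODE1_NET, NODE2_NET),
    _rule("tcp", 2525, 2526, NODE1_NET, NODE2_NET),
]}

if __name__ == "__main__":
    for name, sg in (("demo", DEMO_SG), ("node1-hardened", HARDENED_SG)):
        print(name, audit_security_group(sg, cluster=True, peer_cidrs=[NODE2_NET]))
```

Feeding it the real group (`aws ec2 describe-security-groups --group-ids <id>` JSON, `SecurityGroups[0]`) reports the demo group as world-open on every port and missing TCP/2526, while the restricted group passes.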
When restricting inbound network traffic for security purposes, if your KeyControl nodes do not reside in the same VPC (that is, if they reside in different availability zones, in different regions, or in a different VPC in the same availability zone), you must add rules to your Security Group so that each node allows inbound network traffic from the VPC subnet of the other KeyControl nodes. For example, if KeyControl_Node1 resides in a VPC with subnet 172.31.68.0/24 and KeyControl_Node2 resides in another VPC with subnet 90.232.96.0/24, then the Security Group rule for KeyControl_Node1 must allow inbound network traffic from 90.232.96.0/24 (or a range containing KeyControl_Node2) for protocols/ports TCP/2525, TCP/2526, ICMP/Echo Request, and ICMP/Echo Reply. Similarly, KeyControl_Node2 must allow inbound network traffic from 172.31.68.0/24 (or a range containing KeyControl_Node1).

Create an EIP address
For step-by-step details, see Create an EIP address.

Launch an instance
1. From the VPC Dashboard, click Launch EC2 Instances.
2. Click HyTrust AMI from AWS Marketplace. The Choose an Instance Type dialog box appears.
3. From the list of Instance Types, click m3.large or whatever best fits the bandwidth/latency requirements you desire.
4. Click Next: Configure Instance Details. The Configure Instance Details dialog box appears.
5. Click your VPC ID as the Network used for launch.
6. Number of instances should be 1.
7. Make sure Auto-assign Public IP is NOT set. Click Disable.
8. Click Next: Add Storage. The Add Storage dialog box appears. Root device with all defaults works fine. There is no need to change anything.
9. Click Next: Tag Instance. The Tag Instance dialog box appears. If you wish to add key-value tags to your instance, do so.
10. Click Next: Configure Security Group. The Configure Security Group dialog box appears.
11. In Assign a Security Group, click Select an existing Security Group. Select the Security Group of the existing KeyControl node.
12. Click Review and Launch. The Boot from General Purpose (SSD) dialog box appears.
13. Click on your choice of boot volume for this instance, and then click Next. The Review and Launch dialog box appears.
14. Review your settings, paying particular attention to the IP address ranges you have open to external browsers. Your current settings, set at 0.0.0.0/0, are "open to the world." When you are satisfied with your settings, click Launch. The Select an existing key pair or create a new key pair dialog box appears.
15. When asked to click a Key Pair, click Choose an existing Key Pair. Select the Key Pair used for the existing KeyControl node.
16. Click the checkbox acknowledgement that you have access to this Key Pair.
17. Click Launch instances.

Associate the EIP to the instance
1. Once the newly launched instance is in initializing state, note its Instance ID.
2. From the VPC Dashboard, in the center of the screen, click Elastic IPs.
3. Click Associate Address. The Associate Address dialog box appears.
4. In the instance drop-down box, click the instance ID of the new KeyControl node.
5. Click Yes, Associate.
6. Click Instances from the EC2 Dashboard.
7. Click the Instance ID. When the Elastic IP of the instance appears, it indicates that the EIP is now associated with the instance. Note that the public IP has the same address, which you will use after completing the next steps in the KeyControl system menus.

Connect to the Instance console and install
Use ssh to log into the new KeyControl menu system. You will use the key pair associated with the VPC and the EIP associated with the instance. Use the login ID sysmenus. The initial password is sysmenus. Issue the following command from your UNIX shell:

    ssh -i <my_key> -l sysmenus <my_eip>

You will first be prompted to change the KeyControl menu system's password (you cannot continue to use the initial sysmenus password). You will be required to enter the password twice. Passwords must be a minimum of eight characters.

The menus to which the root/password combination enables access are where diagnostics and settings can be manipulated for this system during its lifetime. Without the password, access to the system for these tasks is impossible. It is critical that the password be stored safely somewhere.

Note that this is not a general login account. Since this is a secure appliance, you cannot get a shell prompt, and only have access to a basic menu system that allows for hardware change, network setup and general debugging capabilities. We cover these topics later.

The last step in configuration is choosing whether you are going to add this new KeyControl instance as a new node to an existing cluster. You do want to add this system as a new node in an existing cluster, so you should click Yes, and follow the directions here: Joining a KeyControl Cluster.

Connect to the GUI of the first KeyControl node/cluster and authenticate the new KeyControl node
At this point you need to log on to the webgui of the first KeyControl node/cluster with Domain Administration privileges. The new KeyControl appliance will automatically appear as an unauthenticated appliance in the KeyControl cluster, as shown below:
To authenticate this new appliance, click the padlock icon. This will take you to the authentication screen shown below. The hint typed during installation is shown and you are prompted to enter the Authentication Passphrase.

Once authentication completes, the KeyControl appliance is listed as Authenticated but Unreachable until cluster synchronization completes and the cluster is ready for use. This should not take more than a minute or two. Once the KeyControl appliance is available, the status will automatically move to Online and the cluster status at the top right of the screen will change back to Healthy. At this point, the new cluster/appliance is ready to use.

Adding a KeyControl node to a cluster in a different availability zone

The following components are required prior to adding a new KeyControl node to an existing KeyControl cluster in a different availability zone:
- One or more running KeyControl servers
- The CIDR block of the VPC or the VPC ID of a running KeyControl server
- The internal IP address of the running KeyControl server

Log on to Amazon Web Services with an existing account
To begin with, you need to have an existing account on Amazon Web Services. You will start by logging on to that account. For details, see Log on to Amazon Web Services with an existing account.

Connect to the same region as your existing KeyControl server
1. Log on to your EC2 account.
2. Navigate to the EC2 Console Dashboard.
3. At the top right of the EC2 Dashboard, click your deployment region from the drop-down list. In the example below, US West (Oregon) is chosen, but you should choose based on the location of your existing KeyControl cluster.

Virtual Private Cloud (VPC)
1. Navigate to Console Home (yellow cube) at top left of the Dashboard.
2. Under Compute & Networking, click VPC (Isolated Cloud Resources).
3. From the VPC Dashboard, click Start VPC Wizard.
4. Click Select to set up VPC with a Single Public Subnet.
   By default, when a VPC is created, an Internet Gateway is automatically assigned to it. If the assigned gateway and/or IP block is insufficient, you can modify the IP block and subnet information according to your needs. You can also create a new Internet Gateway and assign it to your VPC.
   Note: In order for two VPCs to communicate, there should not be any overlapping IP addresses between the two VPCs. A good example is 50.0.0.0/16 and 100.0.0.0/16.
5. Give your VPC a name.
6. Click Create VPC, and then click OK. Note the VPC ID.

Use VPC Peering to connect the two VPCs
1. Navigate to Peering Connections in the VPC Dashboard in the target AWS account. If both VPCs belong to the same account, stay in the existing account.
2. Click Create VPC Peering Connection. The Create VPC Peering Connection dialog box appears.
3. Give your Peering Connection a name, and click Create. The Peering connection should indicate that it is pending acceptance.
4. Click OK, and then click Accept request. The state of the peering connection changes to Active.

Modify the routing tables of the VPCs
Modify the main routing table of both VPCs to route the network traffic to the peering connection ID.
1. In the running KeyControl VPC (10.0.0.0/16), navigate to its routing table.
2. Click the Route table entry.
3. Click Edit. A line opens up in the entry.
4. In the Destination field, enter the CIDR block of the new VPC (172.31.0.0/16).
5. In the Target field, click the ID of the VPC peering connection.
6. Click Save. Your first routing entry is complete.
7. Next, in the newly created VPC (172.31.0.0/16), navigate to its route table.
8. Click the Route table entry.
9. Click Edit. A line opens up in the entry.
10. In the Destination field, enter the CIDR block of the running KeyControl VPC (10.0.0.0/16).
11. In the Target field, click the ID of the VPC peering connection.
12. Click Save. Your second routing entry is complete.

Create a Key Pair, if one does not exist
For step-by-step details, see Create a Key Pair.

Create a Security Group, if one does not exist
As part of VPC creation a default Security Group is assigned to your VPC. For KeyControl communication, it is recommended to create a Security Group that only enables certain inbound services/ports. For step-by-step details, see Create a Security Group.

Add rules to the Security Group, if rules are not present
In order to allow communication between KeyControl servers, certain rules must be added to the Security Group of the existing KeyControl cluster.
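Before moving on to the Security Group rules, it is worth verifying the two peering route entries created above, since a missing entry, or a more specific route that wins longest-prefix match, silently sends cluster traffic elsewhere. The following script is an added example, not HyTrust's or AWS's code: it enforces the page's rule that the two VPC CIDR blocks must not overlap, produces the route each VPC's main route table needs, and audits a route list in the shape returned by `aws ec2 describe-route-tables`. The peering and gateway ids are assumed placeholders; the stray /24 route in the broken sample is constructed to show the failure mode.

```python
"""Plan and audit the route-table entries for a VPC peering between two KeyControl VPCs.

Added example (not HyTrust's or AWS's code). Route lists follow the Routes shape
returned by `aws ec2 describe-route-tables`.
"""
import ipaddress


def check_no_overlap(cidr_a, cidr_b):
    """The page's rule: peered VPCs must not share any addresses."""
    a, b = ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)
    if a.overlaps(b):
        raise ValueError(f"VPC CIDR blocks overlap: {cidr_a} and {cidr_b}")
    return True


def peering_routes(cidr_a, cidr_b, pcx_id):
    """The one route each VPC's main route table needs for the peering:
    {local VPC CIDR: (destination = peer VPC CIDR, target = peering connection id)}"""
    check_no_overlap(cidr_a, cidr_b)
    return {cidr_a: (cidr_b, pcx_id), cidr_b: (cidr_a, pcx_id)}


def _target(route):
    """describe-route-tables stores the target under one of several keys."""
    for key in ("VpcPeeringConnectionId", "GatewayId", "NatGatewayId",
                "TransitGatewayId", "InstanceId", "NetworkInterfaceId"):
        if route.get(key):
            return route[key]
    return None


def audit_route_table(routes, peer_cidr, pcx_id):
    """Findings for one VPC's route list; an empty list means the peer is routed
    correctly. Checks that the exact peer CIDR targets the peering connection and that
    no more-specific route (which wins by longest-prefix match) diverts part of it."""
    peer = ipaddress.ip_network(peer_cidr)
    findings, found = [], False
    for r in routes:
        dest = r.get("DestinationCidrBlock")
        if not dest:
            continue  # IPv6 and prefix-list routes are out of scope here
        dnet = ipaddress.ip_network(dest)
        if dnet == peer:
            found = True
            if _target(r) != pcx_id:
                findings.append(f"{dest} targets {_target(r)}, expected {pcx_id}")
        elif dnet.subnet_of(peer) and _target(r) != pcx_id:
            findings.append(f"more specific route {dest} -> {_target(r)} bypasses the peering")
    if not found:
        findings.append(f"no route for {peer_cidr} via {pcx_id}")
    return findings


# Constructed sample using the page's two VPCs; the peering id is a placeholder.
RUNNING_VPC, NEW_VPC, PCX = "10.0.0.0/16", "172.31.0.0/16", "pcx-PLACEHOLDER"

# Main route table of the running KeyControl VPC after its peering entry was added.
RUNNING_VPC_ROUTES = [
    {"DestinationCidrBlock": RUNNING_VPC, "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
    {"DestinationCidrBlock": NEW_VPC, "VpcPeeringConnectionId": PCX},
]
# The new VPC's table before its peering entry was added, plus a constructed stray /24
# inside the running VPC's range that points at the Internet Gateway instead.
NEW_VPC_ROUTES_BROKEN = [
    {"DestinationCidrBlock": NEW_VPC, "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER-2"},
    {"DestinationCidrBlock": "10.0.5.0/24", "GatewayId": "igw-PLACEHOLDER-2"},
]

if __name__ == "__main__":
    print(peering_routes(RUNNING_VPC, NEW_VPC, PCX))
    print(audit_route_table(RUNNING_VPC_ROUTES, peer_cidr=NEW_VPC, pcx_id=PCX))
    print(audit_route_table(NEW_VPC_ROUTES_BROKEN, peer_cidr=RUNNING_VPC, pcx_id=PCX))
```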
For step-by-step details, see Add rules to the Security Group. Create an EIP address For step-by-step details, see Create an EIP address. Launch an instance From the VPC Dashboard, click Launch EC2 Instances. Click HyTrust AMI from AWS Marketplace. The Choose an Instance Type dialog box appears. From the list of Instance Types, click m3.large or whatever best fits the bandwidth/latency requirements you desire. Click Next: Configure Instance Details. The Configure Instance Details dialog box appears. Click your VPC ID as the Network used for launch. Number of instances should be 1. Make sure Auto-assign Public IP is NOT set. Click Disable. Click Next: Add Storage. The Add Storage dialog box appears. HyTrust KeyControl Installation on Amazon Web Services Page 37
Root device with all defaults works fine. There is no need to change anything.
Click Next: Tag Instance. The Tag Instance dialog box appears.
If you wish to add key-value tags to your instance, do so.
Click Next: Configure Security Group. The Configure Security Group dialog box appears.
In Assign a Security Group, click Select an existing Security Group.
Select the Security Group of the existing KeyControl node.
Click Review and Launch. The Boot from General Purpose (SSD) dialog box appears.
Click on your choice of boot volume for this instance, and then click Next. The Review and Launch dialog box appears.
Review your settings, paying particular attention to the IP address ranges you have open to external browsers. Your current settings, set at 0.0.0.0/0, are "open to the world."
When you are satisfied with your settings, click Launch. The Select an existing key pair or create a new key pair dialog box appears.
When asked to click a Key Pair, click Choose an existing Key Pair.
Select the Key Pair used for the existing KeyControl node.
Click the checkbox acknowledgement that you have access to this Key Pair.
Click Launch instances.

Associate the EIP to the instance

Once the newly launched instance is in the initializing state, note its Instance ID.
From the VPC Dashboard, in the center of the screen, click Elastic IPs.
Click Associate Address. The Associate Address dialog box appears.
In the instance drop-down box, click the instance ID of the new KeyControl node.
Click Yes, Associate.
Click Instances from the EC2 Dashboard.
Click the Instance ID. When the Elastic IP of the instance appears, it indicates that the EIP is now associated with the instance. Note that the public IP has the same address, which you will use after completing the next steps in the KeyControl system menus.

Connect to the Instance console and install

Use ssh to log into the new KeyControl menu system. You will use the key pair associated with the VPC and the EIP associated with the instance. Use the login ID sysmenus. The initial password is sysmenus. Issue the following command from your UNIX shell:

ssh -i <my_key> -l sysmenus <my_eip>

You will first be prompted to change the KeyControl menu system's password (you cannot continue to use the initial sysmenus password). You will be required to enter the password twice. Passwords must be a minimum of eight characters.

The menus to which the root/password combination enables access are where diagnostics and settings can be manipulated for this system during its lifetime. Without the password, access to the system for these tasks is impossible. It is critical that the password be stored safely somewhere.

Note that this is not a general login account. Since this is a secure appliance, you cannot get a shell prompt, and only have access to a basic menu system that allows for hardware change, network setup and general debugging capabilities. We cover these topics later.

The last step in configuration is choosing whether you are going to add this new KeyControl instance as a new node to an existing cluster. You do want to add this system as a new node in an existing cluster, so you should click Yes, and follow the directions here: Joining a KeyControl Cluster.

Connect to the GUI of the first KeyControl node and authenticate the new KeyControl node

At this point you need to log on to the web GUI of the first KeyControl node/cluster with Domain Administration privileges. The new KeyControl appliance will automatically appear as an unauthenticated appliance in the KeyControl cluster, as shown below:
To authenticate this new appliance, click the padlock icon. This will take you to the authentication screen shown below. The hint typed during installation is shown and you are prompted to enter the Authentication Passphrase.

Once authentication completes, the KeyControl appliance is listed as Authenticated but Unreachable until cluster synchronization completes and the cluster is ready for use. This should not take more than a minute or two. Once the KeyControl appliance is available, the status will automatically move to Online and the cluster status at the top right of the screen will change back to Healthy. At this point, the new cluster/appliance is ready to use.

Adding a KeyControl node to a cluster in a different Region

The following components are required prior to adding a new KeyControl node to an existing KeyControl cluster in a different Region:
One or more running KeyControl servers in a different region.
A new region with at least two available Elastic IP addresses.
Internal IP address of a KeyControl server in a different region.

Log on to Amazon Web Services with an existing account

To begin with, you need to have an existing account on Amazon Web Services. You will start by logging on to that account. For details, see Log on to Amazon Web Services with an existing account.

Connect to a different region from your existing KeyControl server

Log on to your EC2 account.
Navigate to the EC2 Console Dashboard.
At the top right of the EC2 Dashboard, click your deployment region from the drop-down list. In the example below, US West (Oregon) is chosen, but you should choose based on the location of your existing server. You should choose a region in which your existing KeyControl server/cluster does NOT reside.

Note: Make sure that the newly selected region has at least two available Elastic IP addresses.

Create a Virtual Private Cloud (VPC)

Navigate to Console Home (yellow cube) at the top left of the Dashboard.
Under Compute & Networking, click VPC (Isolated Cloud Resources).
From the VPC Dashboard, click Start VPC Wizard.
Click Select to set up a VPC with a Single Public Subnet.
By default, when a VPC is created, an Internet Gateway is automatically assigned to it. If the assigned gateway and/or IP block is insufficient, you can modify the IP block and subnet information according to your needs. You can also create a new Internet Gateway and assign it to your VPC.

Note: In order for two VPCs to communicate, there must not be any overlapping IP addresses between the two VPCs. A good example is 50.0.0.0/16 and 100.0.0.0/16.

Give your VPC a name.
Click Create VPC, and then click OK.
Note the VPC ID.

Create two VPN instances, one in each VPC

In order for two VPCs in different regions to communicate, a VPN instance must be deployed in each VPC. Amazon provides documentation for creating and configuring VPN instances using SSL or IPsec. Follow the steps indicated in these links:
http://media.amazonwebservices.com/aws_amazon_vpc_connectivity_options.pdf
http://aws.amazon.com/articles/5472675506466066
http://aws.amazon.com/articles/0639686206802544

After the VPN instances in both regions are up and running, verify that the VPN instances can ping each other by their private IP address. The Security Group of the VPN instances in each region must allow all network traffic (protocols and ports) required by the KeyControl Security Group to go through.

Create a Key Pair, if one does not exist

For step-by-step details, see Create a Key Pair.

Create a Security Group

As part of VPC creation, a default Security Group is assigned to your VPC. For KeyControl communication, it is recommended to create a
Security Group that only enables certain inbound services/ports. For step-by-step details, see: Creating a Security Group.

Add rules to the Security Group, if the rules are not present

In order to allow communication between KeyControl servers, certain rules must be added to the Security Group of the existing KeyControl cluster.

From the VPC Dashboard, click Security Groups.
From the list of Security Groups in the table, click the Security Group of the existing KeyControl server.
Click the Inbound tab, and review the rules that exist. If they do not look like the following image, add more rules, as shown below.

If there is no Custom ICMP rule with a Port Range of Echo Reply in the rules table on the right, create one, as follows:
Click Add Rule.
Click Custom ICMP Rule from the drop-down menu.
Click Echo Reply as the Port Range.
Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

If there is no Custom ICMP rule with a Port Range of Echo Request in the rules table on the right, create one, as follows:
Click Add Rule.
Click Custom ICMP Rule from the drop-down menu.
Click Echo Request as the Port Range.
Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

If there is no Custom TCP rule with a Port Range of 2525 in the rules table on the right, create one, as follows:
Click Add Rule.
Click Custom TCP Rule from the drop-down menu.
Click 2525 as the Port Range.
Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

If there is no Custom TCP rule with a Port Range of 2526 in the rules table on the right, create one, as follows:
Click Add Rule.
Click Custom TCP Rule from the drop-down menu.
Click 2526 as the Port Range.
Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

If there is no Custom TCP rule with a Port Range of 6666 in the rules table on the right, create one, as follows:
Click Add Rule.
Click Custom TCP Rule from the drop-down menu.
Click 6666 as the Port Range.
Select a Source of Anywhere or enter an IP range that includes all members of the cluster.

Click Save, and review your end result to ensure that it looks like this:
NOTE: The above is an example of inbound traffic rules for an AWS Security Group. These ports are open to the world, as indicated by their 0.0.0.0/0 CIDR notation, merely for demonstration purposes.

Important: It is the responsibility of the administrator to open these ports only to the IP addresses that are absolutely necessary to connect to the KeyControl instance.

When restricting inbound network traffic for security purposes and your KeyControl nodes do not reside in the same VPC (that is, if they reside in different availability zones, or different regions, or on a different VPC in the same availability zone), you must add rules to your Security Group so that each node allows inbound network traffic from the VPC subnet of the other KeyControl nodes. For example, if your KeyControl_Node1 resides in a VPC with subnet 172.31.68.0/24 and KeyControl_Node2 resides in another VPC with subnet 90.232.96.0/24, then the Security Group rule for KeyControl_Node1 must allow inbound network traffic from 90.232.96.0/24 (or a range containing KeyControl_Node2) for protocols/ports TCP/2525, TCP/2526, ICMP/Echo Request, and ICMP/Echo Reply. Similarly, KeyControl_Node2 must allow inbound network traffic from 172.31.68.0/24 (or a range containing KeyControl_Node1).

Create an EIP address

For step-by-step details, see Create an EIP address.

Launch an instance

From the VPC Dashboard, click Launch EC2 Instances.
Click HyTrust AMI from AWS Marketplace. The Choose an Instance Type dialog box appears.
From the list of Instance Types, click m3.large or whatever best fits the bandwidth/latency requirements you desire.
Click Next: Configure Instance Details. The Configure Instance Details dialog box appears.
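The two checks above, that peered VPC CIDRs do not overlap and that the KeyControl ports (TCP 2525, 2526, 6666 and ICMP Echo Request/Reply) are opened only to the peer node's subnet rather than to 0.0.0.0/0, can be scripted instead of verified by eye in the console. The following is an added example and is not part of this guide or of HyTrust's tooling. It uses only the Python standard library: it validates the CIDRs with ipaddress, builds the ingress rules in the IpPermissions shape that the EC2 API (for example boto3's authorize_security_group_ingress, or aws ec2 authorize-security-group-ingress --ip-permissions) accepts, and audits an existing rule set for KeyControl ports that are still world-open. The subnet values are the ones given on this page; no AWS call is made, so it runs offline.

```python
import ipaddress
import json

# KeyControl cluster ports listed on this page.
KEYCONTROL_TCP_PORTS = (2525, 2526, 6666)
# For ICMP rules, EC2 carries the ICMP type in FromPort and the code in ToPort
# (-1 = any code). Echo Reply is type 0, Echo Request is type 8.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
OPEN_TO_WORLD = "0.0.0.0/0"


def check_no_overlap(cidrs):
    """Return the (a, b) pairs of VPC CIDRs that overlap; an empty list means the
    VPCs can be peered or VPN-connected as the page requires."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    overlaps = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def keycontrol_ingress_permissions(peer_subnets):
    """Build the IpPermissions list for one node's Security Group: TCP 2525, 2526,
    6666 and ICMP Echo Request/Reply, each scoped to the peer subnets only."""
    ranges = [
        {"CidrIp": str(ipaddress.ip_network(s, strict=True)),
         "Description": "KeyControl peer node subnet"}
        for s in peer_subnets
    ]
    perms = []
    for port in KEYCONTROL_TCP_PORTS:
        perms.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": list(ranges)})
    for icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        perms.append({"IpProtocol": "icmp", "FromPort": icmp_type, "ToPort": -1,
                      "IpRanges": list(ranges)})
    return perms


def audit_world_open(permissions):
    """Return 'proto/port' labels for KeyControl rules whose source is 0.0.0.0/0,
    i.e. the demonstration-only state the page warns about."""
    findings = []
    for p in permissions:
        if not any(r.get("CidrIp") == OPEN_TO_WORLD for r in p.get("IpRanges", [])):
            continue
        proto, port = p["IpProtocol"], p.get("FromPort")
        if proto == "tcp" and port in KEYCONTROL_TCP_PORTS:
            findings.append(f"tcp/{port}")
        elif proto == "icmp" and port in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            findings.append(f"icmp/type{port}")
    return findings


if __name__ == "__main__":
    # Subnets from the page's KeyControl_Node1 / KeyControl_Node2 example.
    node1_subnet, node2_subnet = "172.31.68.0/24", "90.232.96.0/24"
    print("overlapping VPC CIDRs:", check_no_overlap([node1_subnet, node2_subnet]))
    # Rules to attach to KeyControl_Node1's Security Group (allow Node2's subnet).
    print(json.dumps(keycontrol_ingress_permissions([node2_subnet]), indent=2))
```

To apply the result, pass the returned list unchanged as the IpPermissions argument of the EC2 authorize-ingress call for the node's Security Group, and run audit_world_open over the IpPermissions returned by describe-security-groups before going live: any finding is a KeyControl port that is still open to the world.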
Click your VPC ID as the Network used for launch.
Number of instances should be 1.
Make sure Auto-assign Public IP is NOT set. Click Disable.
Click Next: Add Storage. The Add Storage dialog box appears.
Root device with all defaults works fine. There is no need to change anything.
Click Next: Tag Instance. The Tag Instance dialog box appears.
If you wish to add key-value tags to your instance, do so.
Click Next: Configure Security Group. The Configure Security Group dialog box appears.
In Assign a Security Group, click Select an existing Security Group.
Select the Security Group of the existing KeyControl node.
Click Review and Launch. The Boot from General Purpose (SSD) dialog box appears.
Click on your choice of boot volume for this instance, and then click Next. The Review and Launch dialog box appears.
Review your settings, paying particular attention to the IP address ranges you have open to external browsers. Your current settings, set at 0.0.0.0/0, are "open to the world."
When you are satisfied with your settings, click Launch. The Select an existing key pair or create a new key pair dialog box appears.
When asked to click a Key Pair, click Choose an existing Key Pair.
Select the Key Pair used for the existing KeyControl node.
Click the checkbox acknowledgement that you have access to this Key Pair.
Click Launch instances.

Connect to the Instance console and install

Use ssh to log into the new KeyControl menu system. You will use the key pair associated with the VPC and the EIP associated with the instance. Use the login ID sysmenus. The initial password is sysmenus. Issue the following command from your UNIX shell:

ssh -i <my_key> -l sysmenus <my_eip>

You will first be prompted to change the KeyControl menu system's password (you cannot continue to use the initial sysmenus password). You will be required to enter the password twice. Passwords must be a minimum of eight characters.

The menus to which the root/password combination enables access are where diagnostics and settings can be manipulated for this system during its lifetime. Without the password, access to the system for these tasks is impossible. It is critical that the password be stored safely somewhere.

Note that this is not a general login account. Since this is a secure appliance, you cannot get a shell prompt, and only have access to a basic menu system that allows for hardware change, network setup and general debugging capabilities. We cover these topics later.

The last step in configuration is choosing whether you are going to add this new KeyControl instance as a new node to an existing cluster. Your answer should be Yes.
Follow the instructions onscreen by providing the IP address of the existing KeyControl server and a passphrase. Click the following link: Joining a KeyControl Cluster.

Connect to the GUI of the first KeyControl node/cluster and authenticate the new KeyControl node

At this point you need to log on to the web GUI of the first KeyControl node with Domain Administration privileges. The new KeyControl appliance will automatically appear as an unauthenticated appliance in the KeyControl cluster, as shown below:

To authenticate this new appliance, click the padlock icon. This will take you to the authentication screen shown below. The hint typed during installation is shown and you are prompted to enter the Authentication Passphrase.

Once authentication completes, the KeyControl appliance is listed as Authenticated but Unreachable until cluster synchronization completes and the cluster is ready for use. This should not take more than a minute or two. Once the KeyControl appliance is available, the status will automatically move to Online and the cluster status at the top right of the screen will change back to Healthy. At this point, the new cluster/appliance is ready to use.

Copyright HyTrust Inc. 2011-2014