New steps to use HyTrust KMIP with vSAN Encryption
I’m back in the lab this week, looking at some of the newer features around vSAN. As part of this, I needed vSAN Encryption enabled, so I downloaded the latest HyTrust KeyControl appliance, as it has an easy-to-use KMIP server. This new version is 4.2.1, and it has a few new steps compared to the previous versions I used; these steps were a little confusing to begin with. First I deployed the OVA, supplied the password, logged into the web interface, and enabled KMIP as before. However, that is where things are now a little different from before.
The next step that I followed in the past was to create a user. In the KMIP view now, there is no option to create a new user. If I right-click on the Actions button, there is now only a single drop-down option, and that is to reset the KMIP server, as shown below.
In earlier versions of the client, I would create a user here, and then download the user’s certificate in order to establish trust between vCenter and the KMS. In fact, the QuickStart guide that came with the OVA still directs you to do this step (sorry for the blurriness of the images, but this is how they appear in the docs).
So how do I create a user and generate a certificate to establish trust between vCenter and the KMS? The solution now is to go to the ‘Client Certificates’ tab and from the Actions tab, create a new certificate (that is not associated with any user).
The only piece of information that I needed to provide was the name of the certificate. I did not provide any passwords. My understanding is that there are some issues with vSphere supporting passwords on certificates.
Once the certificate has been created, you can download it from the Actions menu seen above, and then add it to the KMS server setup in vSphere to complete the trust between vCenter and the KMS server. The downloaded zip contains two PEM files: one called cacert.pem, and another named after the certificate you created in the first place. The second PEM file contains both the certificate and the private key, so that same file is used to populate both the certificate and the private key fields when establishing trust between vCenter and the HyTrust KMS.
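As an added example (not HyTrust or VMware code), the following script checks that a downloaded bundle has the shape described above, cacert.pem holding only certificates and a second PEM holding exactly one certificate and one unencrypted private key, before it is pasted into vSphere; the sample bundle, its file name vsan-kms.pem and its DER payloads are constructed here, not taken from a real appliance.

```python
"""Added example (not HyTrust/VMware code): sanity-check the KeyControl certificate
bundle (cacert.pem plus <name>.pem holding cert and key) before uploading it to vCenter."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem_blocks(text: str) -> list:
    """Return (label, DER bytes) per PEM block; reject malformed or password-protected blocks."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            raise ValueError(f"{label}: password-protected key; vSphere expects an unencrypted key")
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: invalid base64 ({exc})") from exc
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#8/PKCS#1 keys are DER SEQUENCEs
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks

def check_bundle(files: dict) -> dict:
    """files maps filename -> PEM text from the downloaded zip. Returns the file to paste
    into both the certificate and private-key fields in vSphere, else raises ValueError."""
    ca = parse_pem_blocks(files.get("cacert.pem", ""))
    if not ca or any(lbl != "CERTIFICATE" for lbl, _ in ca):
        raise ValueError("cacert.pem missing or not made up of certificates only")
    others = [name for name in files if name != "cacert.pem"]
    if len(others) != 1:
        raise ValueError(f"expected one client pem besides cacert.pem, found {others}")
    labels = [lbl for lbl, _ in parse_pem_blocks(files[others[0]])]
    keys = [lbl for lbl in labels if lbl in KEY_LABELS]
    if labels.count("CERTIFICATE") != 1 or len(keys) != 1:
        raise ValueError(f"{others[0]} must hold one certificate and one key, got {labels}")
    return {"client_pem": others[0], "key_type": keys[0]}

def make_pem(label: str, der: bytes) -> str:  # used only to build the constructed sample
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

SAMPLE_DER = bytes.fromhex("3003020101")  # constructed minimal DER SEQUENCE, not a real key/cert
SAMPLE_BUNDLE = {  # constructed stand-in for the unpacked zip; the real second file is named after your certificate
    "cacert.pem": make_pem("CERTIFICATE", SAMPLE_DER),
    "vsan-kms.pem": make_pem("CERTIFICATE", SAMPLE_DER) + make_pem("PRIVATE KEY", SAMPLE_DER),
}

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))  # {'client_pem': 'vsan-kms.pem', 'key_type': 'PRIVATE KEY'}
```

To run it against a real download, unzip the bundle and build the dictionary from the files on disk; the check only inspects PEM structure and does not validate the certificate chain.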
I’ve pinged the HyTrust team to see if they can get their documentation updated.
This post was really useful, thanks for sharing the info.