Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

VMware

Integration of VMware vSAN

search

Integration of VMware vSAN

This section lists the steps to integrate VMware vSphere with CipherTrust Manager.

Prerequisites

This section provides the prerequisites for integration of VMware vSAN with CipherTrust Manager.

  • Ensure that the CipherTrust Manager is installed and configured. For more details, refer to the CipherTrust Manager Documentation.

  • VMware vSAN communicates with the CipherTrust Manager using the KMIP interface. Ensure that the KMIP interface is configured on the CipherTrust Manager.

  • IP address of the CipherTrust Manager and port of the KMIP interface must be accessible from the VMware vSAN system.

  • CipherTrust Manager recognizes only registered KMIP clients. Ensure that each node of the VMware vSAN cluster is registered as a KMIP client on the CipherTrust Manager. Refer to KMIP Client Registration for more details.

Configuration on CipherTrust Manager

To configure the CipherTrust Manager, you need to perform the following steps:

  1. Creating a Domain (optional)

  2. Creating a User

  3. Assigning User to a Group

  4. Creating or Adding a CA (optional)

  5. Registering a KMIP Client

  6. Configuring the KMIP Interface

Creating a Domain (Optional)

Perform the following steps to be performed on CipherTrust Manager:

  1. Navigate to Admin Settings > Domains.

  2. Click Add Domain. The Add Domain page appears.

  3. Specify the following information:

    • Name - Enter the domain name.

    • Admins - Select the admins (one or more) from the list available in the drop down. For example, admin.

    • Parent CA - Select parent CA as root CA.

    • Allow Subdomain User Management - Select this check box if you want to enable the sub-domain user management through this domain.

  4. Click Save.

  5. Switch to the newly created domain by clicking the top right on the current Domain Name.

Creating a User

To create a user, perform the following steps:

  1. Log on to the CipherTrust Manager GUI.

  2. Open the Keys & Access Management application.

  3. On the left pane, click Users. The Users page is displayed.

  4. On the Users page, click Create New User.

  5. On the Create a New User screen provide the following details:

    • Enter Username.

    • Enter Password.

  6. Click Create. The newly created user is listed on the Users page.

Note

To create a user in sub-domain, you must enable Allow Subdomain User management.

To create a user, perform the following steps:

  1. Log on to the CipherTrust Manager GUI with the User you created within the sub-domain.

  2. Open the Keys & Access Management application.

  3. On the left pane, click Users. The Users page is displayed.

  4. On the Users page, click Create New User.

  5. On the Create a New User screen provide the following details:

    • Enter Username.

    • Enter Password.

  6. Click Create. The newly created user is listed on the Users page.

Assigning User to a Group

Perform the following steps to add user to a group:

  1. Click the ellipsis button (...) corresponding to the user that you created in the previous step.

  2. Click Edit.

  3. Click Group Memberships > Add Group.

  4. In the search bar, type Key Admins and select the check box corresponding to it .

  5. Click Add Group.

Creating or Adding a CA (Optional)

To create/add a Self-signed local CA, perform the following steps:

  1. Navigate to CA > Local. Select Add Local CA, the Add Local CA page appears.

  2. Provide the required information and click Add Local CA. The created Local CA will appear under Pending CAs section.

  3. Click the ellipsis against the Local CA that you created and select the option Self-sign.

  4. Select a valid duration for the Local CA. Click Save.

To add an external CA, perform the following steps:

  1. Navigate to CA > External. Select Add External CA, the Add External Certificate page appears.

  2. Provide the required information.

  3. If you want to upload the external CA, select the File Upload option and click Upload Certificate. Browse and select the required External CA.

    OR

    Select Text and paste the contents of External Certificate

  4. Click Add External CA.

Registering a KMIP Client

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Create a Registration Token using the following steps:

    1. Log on to the CipherTrust Manager in root domain.

    2. Go to Access Management > Registration Tokens.

    3. Click Create New Registration Token.

    Copy the Registration Token once it is created.

  2. Turn ON Auto Registration using the following steps:

    1. Go to Admin Settings > Interfaces.

    2. Click the ellipsis button (...) corresponding to the kmip interface.

    3. Click Edit.

    4. Under Configure KMIP window, select Auto Registration.

    5. Paste the Registration Token.

    6. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    7. Click Update.

  1. Log on to the CipherTrust Manager.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Click Certificate Details.

    5. Paste the content of client.csr.

    6. Click Save.

  4. Create Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on what you are using.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

    If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.

  5. Go to Registered Clients and click Add Client.

    • Specify client name and paste the Registration Token generated in the above step.

      If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.

    • Click Save to save the client certificate.

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Create a Registration Token in the sub-domain using the following steps:

    1. Log on to the CipherTrust Manager in your specified sub-domain.

    2. Go to Access Management > Registration Tokens.

    3. Click Add Registration Token > Begin.

    4. Add a Name Prefix.

    5. Specify a Token Lifetime value along with the Client Capacity for the token.

    6. Copy the value of the Registration Token once it is created.

    7. Switch to Root Domain.

  2. Turn ON Auto Registration using the following steps:

    1. Log on to the CipherTrust Manager in the root domain.

    2. Go to Admin Settings > Interfaces.

    3. Click the ellipsis button (...) corresponding to the kmip interface.

    4. Click Edit.

    5. Under Configure KMIP window, select Auto Registration.

    6. Paste the Registration Token.

    7. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    8. Click Update.

  1. Log on to the CipherTrust Manager into your domain.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Expand the Certificate Details section.

    5. You can either paste the content of a generated client.csr or you can create one, by filling in the details.

      For domain, the format to enter the Common Name field of the cert is always: domainName||domainUser

    6. Click Save.

  4. Create a Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on what you are using.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

  5. If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.

  6. Go to Registered Clients and click Add Client.

    1. Specify client name and paste the Registration Token generated in the above step.

      If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.

    2. Click Save to save the client certificate.

Configuring the KMIP Interface

The KMIP interface can be configured through:

  1. Go to Admin Settings > Interfaces.

  2. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  3. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, the Auto Registration is disabled.

  4. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.

  6. Select the CA according to your preference:

    • If you are using External CA then select the CA under External Trusted CAs

    • If you are using Local CA then select the CA under Local Trusted CAs

  7. If you are using an External CA, expand the Upload Certificate section:

    • In the Certificate field, paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space or character or symbol between the contents of these files.

    • Select certificate Format as PEM.

    • Password field is optional and can be skipped.

    • Click Update.

  1. Switch to Root Domain.

  2. Go to Admin Settings > Interfaces.

  3. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  4. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, the Auto Registration is disabled.

  5. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  6. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.

  7. Select the CA according to your preference.

    1. Login to your sub-domain. Go to CA > Local. Click the ellipsis (...) and copy the contents of your CA Certificate.

    2. Logout of your sub-domain and now login to the root domain.

    3. Go to CA > External > Add External CA.

    4. Enter a name for this Domain CA and select the text radio button and paste the certificate contents.

    5. Click Add External CA.

    6. Go to Admin Settings > Interfaces.

    7. Click the Add icon to add the External CA.

    8. Click Update.

    Note

    If you are using an External CA in the root Domain, you need to add the CA as an External CA in both the root domain as well as the sub-domain and modify the interface accordingly.

    1. Go to Admin Settings > Interfaces.

    2. Click the Add icon to add the External CA.

    3. Click Update.

    4. On the KMIP interface, click the ellipsis (...) > Certificate Options > Upload New Certificate > Ok.

    5. Select the Certificate Chain option and click Build Certificate Chain.

    6. Click on Text and paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space, character or symbol between the contents of these files.

    7. Select certificate Format as PEM.

    8. Click on Upload Certificate.

Further, You need to perform the following configuration on CipherTrust Manager specific to VMware:

  1. Creating a Client Certificate

  2. Configuring NTP Server (optional)

Creating a Client Certificate

Note

This section is applicable to KMIP clients registered using Auto Registration.

  1. Log on to the CipherTrust Manager.

  2. Navigate to the CA > Local CA and click on the name of the CA certificate you need to issue the certificate from.

  3. Click on Issue Certificate.

  4. Enter the Display Name, followed by Common Name.

    Note

    The common Name of the certificate should be the same as the name of the user you created on CipherTrust Manager. Refer to Creating a User section.
    For more information on the format of common name of the certificate, refer to LDAP and Multi-Domain Client Usernames in KMIP Certificates.

  5. Select the Algorithm and Size, and click Issue Certificate.

  6. Save the Private Key and the CSR.

  7. Select the Certificate Purpose as client, specify the validity of the certificate in days, and click Issue Certificate.

  8. Download a copy of this certificate by clicking the ellipsis next to the certificate name.

Creating a Local CA

  1. Log on to the CipherTrust Manager.

  2. Navigate to the CA > Local CA > Add Local CA.

  3. Fill in the certificate name, common name, and the algorithm

  4. Click on Add Local CA.

  5. From the list of Pending CAs, click on the ellipsis (...) corresponding to the cert that you just created.

  6. From the pop-up, select Self-sign.

Configuring NTP Server (optional)

Based on your deployment strategy, you may need to configure an NTP (Network Time Protocol) server. Use either of the following commands to add an NTP server:

Command 1:

ksctl ntp servers add --host time.nist.gov

Command 2:

ksctl ntp servers add --host ntp-b.nist.gov --key secret

Configuration on VMware

Add KMS to the vCenter Server

To add KMS, perform the following steps on the vCenter UI.

  1. Log in to the vCenter Server.

  2. Browse the inventory list and select the vCenter Server instance.

  3. Click Configure and under Security, click Key Providers.

  4. Click Add Standard Key Provider, enter key provider information, and click Add Key Provider. You can click Add KMS to add more Key Management Servers.

  5. Click Trust. vCenter Server adds the key provider and displays the status as Connected.

Uploading Client Certificate and Private Key onto vSphere

Perform the following steps to upload Client Certificate and Private Key:

  1. Log in to the vSphere Web Client, and select a vCenter Server system.

  2. Click Configure and select Key Management Servers.

  3. Select the KMS instance with which you want to establish a trusted connection.

  4. Select Upload a File and upload copies of the client certificate and private key and click Establish Trust.

    Alternatively, you can paste the certificate that you received from the KMS vendor into the top text box or click Upload File to upload the certificate file. Paste the key file into the bottom text box or click Upload File to upload the key file.

  5. Click OK.

You can enable the following encryptions:

To enable vSAN encryption:

  1. Navigate to the KMS cluster created in vCenter.

  2. Right-click the cluster and select Settings. The Configure tab is displayed.

  3. Expand the vSAN section and click General.

  4. Click Edit. Edit vSan Settings window is displayed.

  5. Enable Encryption and select the previously created KMS cluster.

  6. Click OK.

VMWare has added a new feature named vSphere Trust Authority in 7.0 release onwards and CipherTrust Manager supports this feature. To configure vSphere Trust Authority, refer to the VMWare documentation.

To connect Key Provider Service to KMS, you need to configure the trust setup.

Example:

Set-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp8 -CertificateFilePath <path/to/certfile.pem> -PrivateKeyFilePath <path/to/privatekey.pem>

  1. Connect to vCenter Server by using the vSphere Client.

  2. Right-click the virtual machine that you want to encrypt and select VM Policies > Edit VM Storage Policies.

  3. Select the storage policy.

  4. To encrypt the VM and its hard disks, select an encryption storage policy and click OK.

  5. To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click OK.

  6. If you prefer, you can encrypt the virtual machine, or both virtual machine and disks, from the Edit Settings menu in the vSphere Client.

  7. Right-click the virtual machine and select Edit Settings.

  8. Select the VM Options tab, and open Encryption. Choose an encryption policy. If you deselect all disks, only the VM home is encrypted.

  9. Click OK.

The integration is now complete and you are ready to encrypt virtual machines.

Once the integration is successful, you will be able to view the keys on the CipherTrust Manager.

On this page