HPE Alletra 9000 Storage Array KeyControl® Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
- Product configurations
- Requirements
Procedures
Integrating with an HSM

Introduction

This document describes the integration of the Hewlett Packard Enterprise (HPE) Alletra 9000 Storage Array (referred to as Alletra in this guide) with the Entrust KeyControl 10.0 (formerly HyTrust KeyControl) key management solution using the open standard KMIP protocol. Entrust KeyControl (referred to as KeyControl in this guide) serves as a key manager for encryption keys by using various protocols, including KMIP.

Product configurations

Entrust has successfully tested the integration of KeyControl with HPE Alletra 9000 in the following configurations:

System	Version
Entrust KeyControl	10.0

System

Version

Entrust KeyControl

10.0

Requirements

Before starting the integration process, familiarize yourself with:

The documentation and set-up process for the HPE Alletra family of products in the HPE Alletra online documentation.
The documentation and set-up process for Entrust KeyControl, see Entrust KeyControl Product Documentation.
Also see Entrust KeyControl 10.0 Online Documentation Set.

Note	Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Procedures

Follow these steps to install and configure KeyControl:

Deploy a KeyControl cluster
Additional KeyControl cluster configuration
Authentication
Create DNS record for KeyControl cluster
Enable KMIP
Create tenant
Create the HPE Alletra certificate request
Create the tenant client certificate bundle
Import tenant client certificate into Alletra
Register the Entrust KeyControl KMS
Execute tests

Deploy a KeyControl cluster

This deployment consists of two nodes.

Download the KeyControl software from https://my.hytrust.com/s/software-downloads. This software is available both as an OVA or ISO image. The OVA installation method in VMware is used in this guide for simplicity.
Install KeyControl as described in KeyControl OVA Installation.
Configure the first KeyControl node as described in Configuring the First KeyControl Node (OVA Install).
Add second KeyControl node to cluster as described in Adding a New KeyControl Node to an Existing Cluster (OVA Install).

Note
Both nodes need access to an NTP server, otherwise the above operation will fail. Log in the console to change the default NTP server if required.
Install the KeyControl license as described in Managing the KeyControl License.

Additional KeyControl cluster configuration

After the Entrust KeyControl cluster is deployed, additional system configuration can be done as described in KeyControl System Configuration.

Authentication

For simplicity, local account authentication is used in this integration. For AD-managed Security groups, configure the LDAP/AD Authentication Server as described in Specifying an LDAP/AD Authentication Server.

Create DNS record for KeyControl cluster

Create a single DNS record named EntrustKeyControl in the domain.
Assign this record as many IPs as nodes in the cluster created above, two in this integration.

Enable KMIP

Log into the KeyControl webGUI using an account with Security Admin privileges.
Select KMIP in the menu bar in the KeyControl webGUI. Then select the Settings tab.
For State, select Enable. Take the default for the other parameters. Then select Apply.
In the Overwrite all existing KMIP Server settings? pop-up window, select Proceed.

Create tenant

Entrust KeyControl 10.0 supports multi-tenancy. Therefore, a tenant must be created before setting up any KMIP services.

Log into the KeyControl webGUI using an account with Security Admin privileges.
Select KMIP in the menu bar in the KeyControl webGUI. Then select the Tenants tab.
Select Actions > Create a KMIP Tenant. The Create a KMIP Tenant dialog appears
On the About tab, enter the name and description. Then select Next.

Note
The tenant name cannot be changed after the tenant is created.
On the Authentication tab, select Local User Authentication. See Authentication for reason. Then select Next.
On the Admin tab, enter the Administrator information. Then select Create.
Select the newly created tenant and scroll down to see the tenant information. Test the tenant by selecting the Tenant Login URL, and log in with the credentials above.

Note
The Tenant Login URL is used later, to [enable-kmip-key-wrapping] and [establish-trust-alletra-keycontrol]

See the following link for additional information Creating a KMIP Tenant.

Create the HPE Alletra certificate request

Log into the Alletra 9060 webGUI using an account with Security Admin privileges.
Select Settings in the toolbar. Then select Array certificates.
Select the + icon to add a certificate.
Select Create a certificate signing request for the Certificate type.
Select ekm-client for Array service and enter the Common name and other information. Then confirm the checkbox to proceed and select Add.
Select the certificate created.
Copy the PEM in the newly created certificate window.
Create a csr file type with a text editor containing the copied certificate request. May need to rename the file using the Windows CLI to get the correct file type extension if using Notepad text editor.

Create the tenant client certificate bundle

Log into the KeyControl webGUI using an account with Security Admin privileges.
Select KMIP in the menu bar in the KeyControl webGUI. Then select the Tenants tab.
Highlight the desired tenant. Scroll down and select the link on Tenant Login. A new tab in the browser opens.
Log in with the tenant credentials.
Select Security > Client Certificates.
Select the + icon on right top corner to create new client certificate.
Check Add Authentication for Certificate in the Create Client Certificate pop-up window.
Enter the authentication credentials and Certificate Expiration date. Upload the csr file created in Create the HPE Alletra certificate request. Then select Create.
Select the certificate bundle created and select Download.
Extract the two files from the zip bundle.

See the following link for additional information KMIP Tenant Client Certificates.

Import tenant client certificate into Alletra

Log into the Alletra 9060 webGUI using an account with Security Admin privileges.
Select Settings in the toolbar. Then select Array certificates.
Select the certificate that was created in Create the HPE Alletra certificate request. In this case HPEAlletra9060User and select Import Signed CSR in the Actions tab.
Paste the content of the extracted cacert.pem file from Create the tenant client certificate bundle in the Authority chain text box. When pasting the content, only include the certificate section of the file starting from -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
Paste the content of the extracted HPEAlletra9060User.pem file from Create the tenant client certificate bundle in the Certificate text box. Only paste the certificate section starting from -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. Then select Add.
Notice the new status of the Certificate along with the Root Certificate now showing up beside our created certificate.
Launch the Alletra 9060 CLI using an account with Security Admin privileges.

Verify that the certificates were created with the showcert command.

Alletra-9060 cli% showcert
Service         Commonname                               Type   Enddate                  Fingerprint
ekm-client      HPEAlletra9060User                       cert   Jan 13 20:14:56 2024 GMT c93bb1e83381573626dd56366252fec7842781d7
ekm-client*     HyTrust KeyControl Certificate Authority rootca Dec 31 23:59:59 2049 GMT fe6391cfa9dfc185026f301b3c9306d1afdb761f

Import an ekm-server in the CLI, by pasting the content extracted from the cacert.pem file from Create the tenant client certificate bundle with the importcert ekm-server command. Only paste the certificate section starting from -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. Then continue.

Alletra-9060 cli% importcert ekm-server -ca stdin
Please paste the CA bundle for ekm-server. Once finished, please press Enter twice.
-----BEGIN CERTIFICATE-----
MIID9TCCAt2gAwIBAgIEY5jLbzANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJV
UzEVMBMGA1UEChMMSHlUcnVzdCBJbmMuMTEwLwYDVQQDEyhIeVRydXN0IEtleUNv
bnRyb2wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDYwMTAwMDAwMFoXDTQ5
MTIzMTIzNTk1OVowVzELMAkGA1UEBhMCVVMxFTATBgNVBAoTDEh5VHJ1c3QgSW5j
LjExMC8GA1UEAxMoSHlUcnVzdCBLZXlDb250cm9sIENlcnRpZmljYXRlIEF1dGhv
cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN8ujGo8vM61rgIe
iry2NEYmqns6C6RkTJbl9j+QsBB8JTUx0AeQA1b8/0eLQ3u6xbjmSDco1K1ISdkZ
u3vkfj2TunyMY2pPxCXGWkk5B/J9JOluTZRAzkJMhfE6oBfv70xoBthxDKMY9/r3
K8cHTDira4OMHd65n9ISg65+2IH9n+4OG83VAk+9aYQHYLMh3y+bR0m7Ss/dcbLP
ggQ1Ib1Cpln8mtRkWF1YsfVOxuNYazi+O5aP0lJ5k4jPfSJPbNJoXon9ZyBDrbH9
jK6e34BU8QQDS62dSGM8DlVETtgVO8AldSrpv9RiuBUdxcj0qlSzw33rFfg4GGDV
1z+9MdUCAwEAAaOByDCBxTAdBgNVHQ4EFgQU/m8a+5IuIULlMiEj4mq6Q71JbX8w
gYIGA1UdIwR7MHmAFP5vGvuSLiFC5TIhI+JqukO9SW1/oVukWTBXMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMSHlUcnVzdCBJbmMuMTEwLwYDVQQDEyhIeVRydXN0IEtl
eUNvbnRyb2wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggRjmMtvMA8GA1UdEwEB/wQF
MAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQC4/AB/lf2z
XhhyOWMEAiaBRPjYiRgaPW68gRh7RTvu2BTcN50BnI2V9xE3WBq/JpRlDMg3XtCR
Sq5xepWyOfjCFdjtd6f2nAFI/J6gTm1mUwmP883Q9pciW47ozNTZVGvGzCG+JwZE
Js4CFkBEhfPERM8+66+fqb2aSxytECSeQx/pron8oahW9X4mxX3NYkOBWBS+zI00
FQiWaJMbbhq+GLJeTy+hdL8OY8L8crRC7fV3BFCKKxU9u4QwJOJcjNY9P1Yz2Xcb
3Jy8rK4D/V/2vDNWoeeOY/9PXe2rBj4RkC8X9vcBHn5itdM+Z1VKYVRTafrFQJAj
7ueQc/tJLADf
-----END CERTIFICATE-----
Do you want to import these certificate(s) for ekm-server service?
* stdin certificate authorities?
Continue importing signed certificate(s) (yes/no)?

Verify that the ekm-server certificate was created with the showcert command. Notice the newly created ekm-server below.

Alletra-9060 cli% showcert
Service         Commonname                               Type   Enddate                  Fingerprint
ekm-client      HPEAlletra9060User                       cert   Jan 13 20:14:56 2024 GMT c93bb1e83381573626dd56366252fec7842781d7
ekm-client*     HyTrust KeyControl Certificate Authority rootca Dec 31 23:59:59 2049 GMT fe6391cfa9dfc185026f301b3c9306d1afdb761f
ekm-server*     HyTrust KeyControl Certificate Authority rootca Dec 31 23:59:59 2049 GMT fe6391cfa9dfc185026f301b3c9306d1afdb761f

Register the Entrust KeyControl KMS

Launch the Alletra 9060 CLI using an account with Security Admin privileges.
Create an External Key Manager Server with the controlencryption setekm command in the CLI. Include all of the configuration parameters listed below. Then proceed to create a password
```
Alletra-9060 cli% controlencryption setekm -setserver EntrustKeyControl.epl2.net -ekmuser HPEAlletra9060User -kmipprotocols 1.3
```

Verify that the external key manager has been created with the controlencryption status -d command.

Alletra-9060 cli% controlencryption status -d
Licensed Enabled BackupSaved State  SeqNum Keystore
yes      yes     yes         normal      1 LKM

Number of EKM servers defined: 1
EKM servers: EntrustKeyControl.epl2.net
EKM server port: 5696
EKM username: HPEAlletra9060User
KMIP Protocols: 1.3

Verify communication with the newly created External Key Management server with the controlencryption checkekm command to show that EKM settings are correct.
```
Alletra-9060 cli% controlencryption checkekm
EKM settings are correct
```
Power down the KeyControl nodes one at a time and verify the communication with the External Key Management server with the controlencryption checkekm command to show that EKM settings are correct.
```
Alletra-9060 cli% controlencryption checkekm
EKM settings are correct
```

Execute tests

Execute the test as described in the HPE Alletra internal documentation.

Integrating with an HSM

For guidance on integrating the Entrust KeyControl with a Hardware Security Module (HSM), consult with your HSM vendor. If you are using an Entrust nshield HSM, refer to the Entrust KeyControl nShield HSM Integration Guide available at Entrust documentation library.

Table of Contents
Introduction
Procedures
Integrating with an HSM

RESOURCES

INTEGRATION GUIDE
HPE Alletra 9000 Storage Array KeyControl® Integration Guide

Table of Contents