Nutanix Prism Central and Entrust KeyControl Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
- Documents to read first
- Product configurations
Procedures
Integrating with an HSM

Introduction

This document describes the integration of Nutanix Prism Central with the Entrust KeyControl Key Management Solution (KMS). Entrust KeyControl can serve as a KMS in Nutanix Prism Central using the open standard Key Management Interoperability Protocol (KMIP).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in Nutanix Prism Central.

To install and configure the Entrust KeyControl server as a KMIP server, see the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Also refer to the Nutanix Prism Central online documentation .

Product configurations

The following versions have been tested for compatibility:

Product	Version
Nutanix Prism Central	5.20 LTS
Entrust KeyControl	5.4

Procedures

The following steps summarize the deployment of the KeyControl in cluster mode and the configuration of the data-at-rest encryption in Nutanix:

Deploy a KeyControl node.
Select the KeyControl node as the Key Management server and generate the certificate requests.
Create the KMIP client certificate bundle.
Add KeyControl as a Certificate Authority (CA) for Nutanix Prism Central.
Add a second KeyControl node to cluster.
Create the KMIP Client Certificate Bundles in the second KeyControl node.
Select the second KeyControl node as a second Key Management Server.

Deploy a KeyControl node

Refer to the KeyControl node installation instructions . An OVA template was used to deploy the KeyControl node VM. The OVA template is available at https://my.hytrust.com/s/software-downloads .

Select the KeyControl node as Key Management Server and generate the certificate requests

Log into the Nutanix Prism Central web UI.
Select the Settings pull-down menu in the toolbar, scroll down, and select Settings again. The Gear icon in the top right of the toolbar does the same operation.
Select Data-at-rest Encryption under Security on the Settings left pane.
Select Edit Configuration or Continue Configuration .
Select An external KMS .
Scroll down to Certificate Signing Request Information .

Fill the request form, then select Save CSR Info .
Select Download CSRs .

When the Certificate Signing Request form appears, select Download CSRs for all nodes .
The compress csrs.zip file is created. Save it locally. Extract the files. Notice that a certificate request was created for each node in the Nutanix Prism Central cluster.

Create the KMIP client certificate bundles

Log into the KeyControl server web UI using an account with Security Admin privileges.
Select KMIP in the toolbar menu.
Select the Basic tab. Specify the options that you want to use. Ensure the state is set to Enabled .
Select Apply . At the prompt, select Proceed to confirm the configuration. If this server was already enabled, KeyControl restarts and refreshes its object list.
Select the Client Certificates tab. Then select Actions > Create Certificate .
Enter name in the Create a New Client Certificate dialog box. This operation will be repeated for each node in the Nutanix cluster. Choose a name unique per node in the cluster, for example the last octet of the node’s IP address as part of the name.
Select Load File and select the certificate request from the section above corresponding the particular node. Do not specify a password. Leave it blank.
Create certificates for the other nodes.
Select a certificate created above. Then select Actions > Download Certificate . The KeyControl web UI downloads <username_datetimestamp>.zip . Unzip it. It contains a user certification/key file called username.pem and a server certification file called cacert.pem .
Repeat the step above for the other Nutanix nodes.

Note
The cacert.pem file for each node above are identical. The username.pem files are unique for each node.

Add KeyControl as a certificate authority for Nutanix Prism Central

Log into the Nutanix Prism Central web UI.
Select the Settings pull-down menu in the toolbar, scroll down and select Settings again.
Select Data-at-rest Encryption under Security on the Settings left pane.
Select Continue Configuration . Scroll down and select Add Key Management Server .
Enter the IP address of KeyControl and port. The default port is 5696. Select Save .
Select Add New Certificate Authority further down the same pane. Name the CA, then select Upload CA Certificate , and select one of the cacert.pem file created above. All cacert.pem files are identical. Select Save .
Scroll up to the Key Management Server section and select Manage Certificates . This is not a button, but plain text in blue font.
Select Upload Files , select a username.pem created above, then select Submit .
Notice the status for the node corresponding to the selected certificate displaying Uploaded . Select Test CS and the status should change to Verified .
Repeat the above for the other nodes. Then select Back .
Scroll down in the same pane and select Enable Encryption . Enter the word ENCRYPT to confirm encryption. Then select Encrypt .
The following display confirms that the cluster in now encrypted.

Add a second KeyControl node to the cluster

Deploy a second KeyControl node using the OVA template and instructions described above. Then add the newly created KeyControl Node to the existing cluster .

Create the KMIP Client Certificate Bundles in the second KeyControl node

Nutanix treats each node in the KeyControl cluster as an independent KMIP server. Therefore, you must create a KMIP client certificate bundle at each KeyControl node. You can use the certificate signing request created in the Nutanix cluster above to create the bundles at each KeyControl node.

Follow the steps in Create the KMIP client certificate bundles to create the second KeyControl node. Notice the resulting bundles in the KeyControl cluster.

Select the second KeyControl node as a second Key Management Server

Log into the Nutanix Prism Central web UI.
Select the Settings pull-down menu in the toolbar, scroll down and select Settings again.
Select Data-at-rest Encryption under Security on the Settings left pane.
Select Continue Configuration . Scroll down and select Add Key Management Server .
Enter the IP address of the second KeyControl node and port. The default port is 5696. Select Save .
Notice both KeyControl nodes listed as Key Management Servers.
Select Manage Certificates above for the second KeyControl node.
Select Upload Files , select a username.pem created above for the second KeyControl node, then select Submit .

The system does not complain if the selected certificate is that of the first KeyControl node. However, the high availability (HA) functionality might not work in some scenarios.
Notice the status for the node corresponding to the selected certificate displaying Uploaded . Select Test CS and the status should change to Verified .
Repeat the above for the other Nutanix nodes.

Integrating with an HSM

You can use a hardware security module (HSM) to establish a root of trust for your encryption keys. For guidance on integrating Entrust KeyControl with an HSM, consult with your HSM vendor. If you are using an nshield HSM, refer to the Entrust KeyControl nshield HSM Integration Guide available in the Entrust documentation library.

Table of Contents
Introduction
Procedures
Integrating with an HSM

RESOURCES

Integration Guide
Nutanix Prism Central and Entrust KeyControl Integration Guide

Table of Contents