Install the Universal Orchestrator in a Linux Container
When the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. runs in a Linux container, it is typically installed in a containerization solution that sits on top of a Linux server or set of servers. There are a wide variety of containerization solutions for multiple operating systems. This document covers deploying the container to either Docker or Kubernetes on Linux.
The artifactory for the Universal Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. images can be found here:
Two different images are available, depending on the functionality you are looking for:
-
universal-orchestrator:[version]
This image has no built-in functionality and is designed to be used with custom extensions.
-
universal-orchestrator-ssl:[version]
This image provides the SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. capability to provide support for SSL discovery and monitoring.
Docker
If you plan to use Docker, you may find it helpful to first run the Universal Orchestrator in the foreground so that it will output log messages to assist in troubleshooting.
To install the Universal Orchestrator in a Linux container and start the container using compose:
-
Create a directory from which you will run the Docker container (e.g. /opt/kyf_uo). For example:
sudo mkdir /opt/kyf_uo -
Select a Universal Orchestrator image, and from your Docker host, retrieve the Universal Orchestrator image from the artifactory with commands similar to the following (placing your token or API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. key in the my_password file):
sudo nano my_password.txtcat my_password.txt | docker login repo.keyfactor.com --username username --password-stdindocker pull repo.keyfactor.com/images/command/universal-orchestrator-ssl:12.0Note: For artifactory credentials or more information, check with your Keyfactor Client Success Manager or contact support@keyfactor.com.Important: Remove the my_password.txt file when complete. For example:sudo rm my_password.txt -
Create a Docker compose file (compose.yaml) in the directory for your Docker container similar to the following, using the inputs as per Table 864: Linux Container Parameters, referencing the artifictory you pulled, selecting the appropriate authentication mechanism for your environment, and any additional volume mounts (see Custom Extensions). The fields highlighted in red below indicate fields that need to be edited or that you may wish to edit
Important: When editing the file, be sure to preserve the indenting exactly as found. YAML requires a very specific file layout to function. If the indenting (multiples of two spaces) or layout is incorrect, you will receive an error when trying to install.services: universal-orchestrator: image: repo.keyfactor.com/images/command/universal-orchestrator-ssl:12.0 container_name: universal_orchestrator_1 environment: COMMAND_AGENTS_URL: https://keyfactor.keyexample.com/KeyfactorAgents ORCHESTRATOR_NAME: appsrvr19-UO-1 # The name the orchestrator uses to register in Keyfactor Command # Uncomment the next two lines to use Active Directory #USERNAME: KEYEXAMPLE\svc_kyforch #PASSWORD: 'MySuperSecretPassword' # The service account password needs quotes under some circumstances if it contains special characters # Uncomment the next four lines to use OAuth (TOKEN_LIFETIME is optional) #BEARER_TOKEN_URL: https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token #TOKEN_LIFETIME: 150 #CLIENTID: Universal-Orchestrator #CLIENT_SECRET: 'Client-Secret-from-Keyfactor-IdP' # The client secret needs quotes under some circumstances if it contains special characters volumes: - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-bundle.crt # The path on your host (the first one) will vary depending on the OS
Important: The password or secret for the Keyfactor Command connect service account is stored in clear text in this compose file. Access to this file should be strictly controlled. -
Set the permissions on the compose.yaml file such that the file is owned by root and readable only by root (this assumes your Docker daemon is running as root, which is typical). For example:
sudo chown root:root compose.yamlsudo chmod 400 compose.yamlTip: If you need to make edits to the compose file, you will need to make the file writable again. For example:sudo chmod 600 compose.yaml -
Execute the following command to install and run the container in the foreground:
sudo docker compose upPress CTRL-C to stop it if it’s running in the foreground. You can instead run it in the background by adding the -d flag like so, but it can sometimes be helpful to run it in the foreground initially so that you can easily review the log output live:
sudo docker compose up -dTip: To stop and start the container again after installation is complete, use the following commands:sudo docker compose stopsudo docker compose startOr:
sudo docker compose restartIf you need to delete the container and try the install again, use this command:
sudo docker compose downTo review logs generated from the container, identify the container ID or name with this command:
sudo docker container lsFor example, in the following output you could select either the container ID 0cf41b4c1ca4 or the name kyfidp:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES b2abfe2b2b92 art.example1.com/condev-con/ejbca/ejbca-proxy:8.2.0 "/opt/keyfactor/bin/…" 2 months ago Up 2 months 8009/tcp, 8081-8082/tcp, :::80->8080/tcp, :::443->8443/tcp ejbca82 ee461eb238ba mariadb:latest "docker-entrypoint.s…" 2 months ago Up 2 months 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp ejbca81-database 0cf41b4c1ca4 art.example2.com/condev-exam/command/auth-server:latest "/opt/kyfidp/bin/k…" 3 months ago Up 3 months 8080/tcp, 0.0.0.0:5443->8443/tcp, :::5443->8443/tcp kyfidp
Then use the following command to output the current log (with the optional --follow to make output continuous):
sudo docker container logs [--follow] [container ID or name]
Custom Extensions
To use custom extensions with the orchestrators (see Installing Custom-Built Extensions), you can either build them into a custom-built orchestrator image or reference them as external volume mounts. The latter works well for quick testing in a development environment, but you’ll probably want to use a custom-built orchestrator image for a production deployment.
To run the orchestrator referencing an extension as an external volume mount:
-
Create a directory on your Linux server to host the extension(s) you wish to use and copy each extension you wish to use into this directory. For example:
/opt/kyf_uo/exts/f5-ext/opt/kyf_uo/exts/citrix-extMake note of whether the extension documentation indicates whether the files in the extension need to exist within a subdirectory or whether they should be placed in the root of the directory you’re creating (e.g. f5-ext).
-
Follow the instructions above, but modify the volumes section of your docker compose file to include the extension(s). For example (where /app/extensions is the path within the image where the extensions will live):
#[See beginning above] volumes: - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-bundle.crt - /opt/kyf_uo/exts/f5-ext:/app/extensions/f5-ext - /opt/kyf_uo/exts/citrix-ext:/app/extensions/citrix-ext
To create a custom build of the orchestrator referencing extensions:
-
Create a directory on your Linux server to host the extension(s) you wish to use and copy each extension you wish to use into this directory. This should be a subdirectory of the directory in which you will build your custom orchestrator image. For example:
/opt/kyf_uo/exts/f5-ext/opt/kyf_uo/exts/citrix-extMake note of whether the extension documentation indicates whether the files in the extension need to exist within a subdirectory or whether they should be placed in the root of the directory you’re creating (e.g. f5-ext).
-
In the directory above the extension directory (e.g. /opt/kyf_uo), create a file called Dockerfile and open it for editing. The entries in this file will vary depending on the extension(s) you wish to include in your build. Check the documentation for the specific extension for more information. The following example includes two extensions:
FROM repo.keyfactor.com/images/command/universal-orchestrator:12.0 WORKDIR "/app/extensions/f5-ext" COPY ./ext/f5-ext/ ./ WORKDIR "/app/extensions/citrix-ext" COPY ./ext/citrix-ext/ ./ WORKDIR "/app"
This build script sets the source for the artifactory and then changes directories within the image to the f5-ext directory. It copies the contents of the ext/f5-ext subdirectory under the current working directory on the host to the current directory in the image. It then repeats this change directory and copy for the Citrix Netscaler extension. Finally, it changes directory back to the /app directory within the image before leaving the build. This last step is important to be sure the image will later function as expected.
-
Build your custom image by executing the following command from the directory in which your Dockerfile is located (where custom-uo-image is the name you give to your image):
docker build -t custom-uo-image . -
Create your compose file as above, but referencing your custom image like so:
services: universal-orchestrator: image: custom-uo-image container_name: universal_orchestrator_f5_ns #[see remainder above]
- Complete the install as above.
Kubernetes
To install the Universal Orchestrator in a Linux container and start the container using Kubernetes:
-
Create a directory from which you will run the container (e.g. /opt/kyf_uo).
-
Create a secret in Kubernetes for the credentials that the orchestrator(s) will use to authenticate to Keyfactor Command (see Create Service Accounts for the Universal Orchestrator). For example, for Active Directory authentication:
echo -n 'keyexample\svc_kyforch' > ./usernameecho -n 'MySuperSecretPassword' > ./passwordkubectl create secret generic uo-credentials --from-file=./username --from-file=./passwordFor OAuth authentication:
echo -n 'Universal-Orchestrator' > ./clientidecho -n 'Client-Secret-from-Keyfactor-IdP' > ./clientsecretkubectl create secret generic uo-credentials --from-file=./clientid --from-file=./clientsecretImportant: The password or secret for the Keyfactor Command connect service account is stored in clear text in the “password” or “clientsecret” file. Be sure to delete it after the Kubernetes secret has been created. -
Create a secret in Kubernetes for the credentials you will use to authenticate to the Keyfactor artifactory. For example:
kubectl create secret docker-registry keyregcred --docker-server=repo.keyfactor.com --docker-username=MyUsername --docker-password=MySuperSecretAPIKeyorToken --docker-email=my.email@my-domain.comNote: For artifactory credentials or more information, check with your Keyfactor Client Success Manager or contact support@keyfactor.com. -
On your Kubernetes server, create a configmap containing CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. root certificates, including the chain certificates for the SSL certificate on the Keyfactor Command server (see Configure Certificate Root Trust for the Universal Orchestrator). For example:
kubectl create configmap ca-roots --from-file=/etc/ssl/certs/ca-certificates.crtNote: The standard path to the trusted root store will vary depending on your Linux implementation. -
Create a Kubernetes deployment file (e.g. uo_ssl.yaml) in the directory for your Kubernetes container similar to the following, using the inputs as per Table 864: Linux Container Parameters, referencing the artifictory for the image you wish to install, selecting the appropriate authentication mechanism for your environment, and any additional volume mounts. The fields highlighted in red below indicate fields that need to be edited or that you may wish to edit.
Important: When editing the file, be sure to preserve the indenting exactly as found. YAML requires a very specific file layout to function. If the indenting (multiples of two spaces) or layout is incorrect, you will receive an error when trying to install.apiVersion: apps/v1 kind: StatefulSet metadata: # Give the pod a unique name if you plan to deploy more than one orchestrator to the same Kubernetes server or cluster name: keyfactor-uo-1 labels: app.kubernetes.io/name: keyfactor-universal-orchestrator app.kubernetes.io/instance: ssl-1 app.kubernetes.io/version: "12.0" spec: # The universal orchestrator should not have replicas; instead use many different deployments with different names if horizontal scaling is needed replicas: 1 selector: matchLabels: app.kubernetes.io/name: keyfactor-universal-orchestrator app.kubernetes.io/instance: ssl-1 template: metadata: labels: app.kubernetes.io/name: keyfactor-universal-orchestrator app.kubernetes.io/instance: ssl-1 spec: initContainers: # The below two commented out blocks provide examples of adding custom extensions #- env: # - name: EXTENSION_NAME # value: citrix-adc-orchestrator # - name: EXTENSION_VERSION # value: 2.0.0 # - name: INSTALL_PATH # value: /app/extensions/citrix-adc-orchestrator # image: example/uo_extension_installer:1.0.5 # imagePullPolicy: IfNotPresent # name: citrix-adc-orchestrator-installer # volumeMounts: # - mountPath: /app/extensions # name: command-pv-claim # readOnly: false # subPath: "" #- env: # - name: EXTENSION_NAME # value: f5-rest-orchestrator # - name: EXTENSION_VERSION # value: 1.4.4 # - name: INSTALL_PATH # value: /app/extensions/f5-rest-orchestrator # image: example/uo_extension_installer:1.0.5 # imagePullPolicy: IfNotPresent # name: f5-rest-orchestrator-installer # volumeMounts: # - mountPath: /app/extensions # name: command-pv-claim # readOnly: false # subPath: "" containers: - name: keyfactor-universal-orchestrator-ssl-1 # Uncomment the desired image and confirm correct artifactory and version image: "repo.keyfactor.com/images/command/universal-orchestrator-ssl:12.0" #image: "repo.keyfactor.com/images/command/universal-orchestrator:12.0" imagePullPolicy: IfNotPresent # Universal orchestrator environment env: # The below block is the URL of the orchestrator API on the Keyfactor Command server - name: COMMAND_AGENTS_URL value: https://keyfactor.keyexample.com/KeyfactorAgents # The below block is the name the orchestrator will use when registering with Keyfactor Command - name: ORCHESTRATOR_NAME value: k8s-universal-orchestrator-ssl-1 - name: LOG_LEVEL value: Info # Uncomment the next two blocks to use Active Directory authentication #- name: USERNAME # valueFrom: # secretKeyRef: # name: uo-credentials # key: username #- name: PASSWORD # valueFrom: # secretKeyRef: # name: uo-credentials # key: password # Uncomment the next four blocks to use OAuth authentication (TOKEN_LIFETIME is optional) #- name: BEARER_TOKEN_URL # value: https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token #- name: TOKEN_LIFETIME # value: "150" #- name: CLIENTID # valueFrom: # secretKeyRef: # name: uo-credentials # key: clientid #- name: CLIENT_SECRET # valueFrom: # secretKeyRef: # name: uo-credentials # key: clientsecret volumeMounts: # Uncomment the next block if adding extensions #- mountPath: /app/extensions # name: command-pv-claim # readOnly: false # subPath: "" - mountPath: /etc/ssl/certs/ca-certificates.crt name: root-ca readOnly: false subPath: ca-certificates.crt volumes: - configMap: items: - key: ca-certificates.crt path: ca-certificates.crt name: ca-roots name: root-ca # Uncomment the next block if adding extensions #- name: command-pv-claim # emptyDir: {} imagePullSecrets: - name: keyregcred
-
Set the permissions on the deployment file such that the file is owned by root and readable only by root (this assumes your Kubernetes implementation is running as root, which is typical). For example:
sudo chown root:root uo_ssl.yamlsudo chmod 400 uo_ssl.yamlTip: If you need to make edits to the compose file, you will need to make the file writable again. For example:sudo chmod 600 uo_ssl.yaml -
Execute the following command to install and run the container:
kubectl apply -f uo_ssl.yamlTip: To review logs generated from the container, identify the pod name with this command:kubectl get podsThen use the following command to output the current log:
kubectl logs [pod name] --followThe optional follow parameter A parameter or argument is a value that is passed into a function in an application. will continuously output the logs as they are generated until interrupted.
If you need to delete the container and try the install again, use this command:
kubectl delete -f uo_ssl.yaml
Table 864: Linux Container Parameters
Parameter |
Description |
---|---|
App Settings__ Check Server Certificate Revocation | A Boolean that indicates whether the revocation status (CRL) of the SSL certificate on the Keyfactor Command server should be checked when connecting to Keyfactor Command (true) or not (false). The default is true (CRL checking will be done). |
AUDIENCE | This parameter is used to specify an audience value to be included in token requests delivered to the identity provider when using an identity provider other than Active Directory. |
BEARER_ TOKEN_ URL |
Required*. The URL of the token endpoint for your identity provider. For example: Copy
For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required if you’re using an identity provider other than Active Directory. |
CLIENT ID |
Required*. For implementations using an identity provider other than Active Directory, the ID of the identity provider client that should be used to authenticate the session (see Create Service Accounts for the Universal Orchestrator). This parameter is required if you’re using an identity provider other than Active Directory. |
CLIENT_ SECRET |
Required*. For implementations using an identity provider other than Active Directory, the secret of the identity provider client that should be used to authenticate the session. This parameter is required if you’re using an identity provider other than Active Directory. |
COMMAND_ AGENTS_ URL |
Required. The URL of the Orchestrators API on the Keyfactor Command server. For example: Copy
|
LOG_ LEVEL | The logging level for the orchestrator. The default value is Info. Possible values are the same as those described in Configure Logging for the Universal Orchestrator. |
ORCHESTRATOR_ NAME |
The name the orchestrator uses to register itself with Keyfactor Command. By default, the container hostname is used, which is not ideal as this will create a new orchestrator entry with every container start. Although this parameter is not strictly required, Keyfactor strongly recommends using it. If you choose to uninstall and reinstall the orchestrator (e.g. using compose down), it is important to use the same orchestrator name for subsequent implementations so that Keyfactor Command will recognize the orchestrator when it is started again. |
PASSWORD |
Required*. The password for the Keyfactor Command Connect Service Account if you’re using Active Directory as an identity provider (see USERNAME). This parameter is required if you’re using Active Directory as an identity provider. |
SCOPE | This parameter is used to specify one or more scopes that should be included in token requests delivered to the identity provider when using an identity provider other than Active Directory. Multiple scopes should be separated by spaces. |
TOKEN_ LIFETIME |
For implementations using an identity provider other than Active Directory, the number of seconds for which the bearer token is valid. If not specified, the orchestrator uses the default value set by the Keyfactor Command server of 300 seconds (5 minutes). |
USERNAME |
Required*. The username for service account used to connect to the Keyfactor Command server (see PASSWORD). This is the Keyfactor Command Connect Service Account described in Create Service Accounts for the Universal Orchestrator if you’re using Active Directory as an identity provider. The orchestrator uses Basic Authentication to authenticate to Keyfactor Command. This parameter is required if you’re using Active Directory as an identity provider. |