Install the Universal Orchestrator on Windows

To install the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. on Windows, copy the zip file containing installation files to a temporary working directory on the Windows server and unzip it.

Note:  In some instances, downloading a compressed file on Windows can cause the file to be marked as blocked. If you unzip a blocked file and proceed with the installation, the installation may fail with an error about missing files or dependencies (e.g. “Could not load file or assembly [filename] or one of its dependencies...”). Before beginning the installation, check the zip file before unzipping it to confirm that it is not blocked and unblock it if it is blocked.

Figure 467: Installation Files Blocked after Download

To begin the installation:

  1. On the Windows machine on which you wish to install the orchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores., open a PowerShell window using the “Run as Administrator” option and change to InstallationScripts subdirectory under the temporary directory where you placed the installation files.
  2. In the PowerShell window, select from the following commands to run based on the identity provider you’re using for Keyfactor Command, the desired orchestrator service accounts, and the desired install experience to prepare for the install.

    In these examples, credKeyfactor is used for the Keyfactor Command connect service account that the orchestrator uses to connect to Keyfactor Command and credService is used for the Universal Orchestrator service account that the service runs as. Usernames should be given in DOMAIN\username format for Active Directory domain accounts or hostnameClosed The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername).\username format for local user accounts.

    • If you’re using Active Directory as an identity provider, will be running the service as an Active Directory domain or local account rather than Network Service, and do not want to provide the usernames and passwords in the command, run the following commands to populate a variable with the user credentials for the Keyfactor Command connect service account (see Create Service Accounts for the Universal Orchestrator) and populate a variable with the user credentials for the Universal Orchestrator service account:

      Copy
      $credKeyfactor = Get-Credentials
      $credService = Get-Credential

      Enter the appropriate username and password when prompted.

    • Active Directory as the identity provider, running the service as Network Service, and not providing the username and password for the Keyfactor Command connect service account in the command:

      Copy
      $credKeyfactor = Get-Credential
    • Active Directory as the identity provider, running the service as Network Service, and providing the username and password for the Keyfactor Command connect service account in the command:

      Copy
      $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
      $keyfactorPassword = "MySecurePassword"
      $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
      $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
    • Active Directory as the identity provider, running the service as a domain or local account, and providing the username and password for the Keyfactor Command connect service account and the service account the orchestrator runs as in the command:

      Copy
      $serviceUser = "DOMAIN\myserviceusername"
      $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
      $keyfactorPassword = "MyFirstSecurePassword"
      $servicePassword = "MySecondSecurePassword"
      $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
      $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
      $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
      $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)
    • Active Directory as the identity provider, running the service as a group managed service account (gMSA), and providing the username and password for the Keyfactor Command connect service account in the command:

      Copy
      $serviceUser = "DOMAIN\myGMSAserviceusername$"
      $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
      $keyfactorPassword = "MySecurePassword"
      $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
      $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
      $credService = New-Object System.Management.Automation.PSCredential ($serviceUser,(New-Object System.Security.SecureString))
      Note:  Group managed service accounts are not supported for use in making the connection to Keyfactor Command.
    • An identity provider other than Active Directory and running the service as Network Service:

      none
    • An identity provider other than Active Directory, running the service as a domain or local account, and not providing the username and password for the service account the orchestrator runs as in the command:

      Copy
      $credService = Get-Credential
    • An identity provider other than Active Directory, running the service as a domain or local account, and providing the username and password for the service account the orchestrator runs as in the command:

      Copy
      $serviceUser = "DOMAIN\myserviceusername"
      $servicePassword = "MySecondSecurePassword"
      $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
      $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)
    Tip:  In some cases, you may be using the same service account for both the Universal Orchestrator service account role and the Keyfactor Command connect service account role. If this is the case, you may use a single variable for both passwords in the next step.
  3. In the PowerShell window, run the install.ps1 script using the following syntax to begin the installation:

    Installation example with expected output using Basic authentication and Network Service to run the local service:

    Copy
    $keyfactorUser = "KEYEXAMPLE\svc_kyforch1"
    $keyfactorPassword = "MySecurePassword123!"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)

    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -WebCredential $credKeyfactor -OrchestratorName websrvr42.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to NT AUTHORITY\NETWORK SERVICE for configuration file
    Starting service KeyfactorOrchestrator-Default

    Installation example with expected output using Basic authentication and a standard Active Directory service account to run the local service:

    Copy
    $serviceUser = "KEYEXAMPLE\svc_kyforch1"
    $keyfactorUser = "KEYEXAMPLE\svc_kyforch2"
    $servicePassword = "MyFirstSecurePassword123!"
    $keyfactorPassword = "MySecondSecurePassword456#"
    $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)

    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -WebCredential $credKeyfactor -ServiceCredential $credService -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to KEYEXAMPLE\svc_kyforch1 for configuration file
    Granting Log on as a Service permission to KEYEXAMPLE\svc_kyforch1
    Starting service KeyfactorOrchestrator-Default

    Installation example with expected output using Basic authentication and an Active Directory gMSA to run the local service:

    Copy
    $serviceUser = "KEYEXAMPLE\GMSA_kyforch$"
    $keyfactorUser = "KEYEXAMPLE\svc_kyforch"
    $keyfactorPassword = "MySecurePassword123!"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser,(New-Object System.Security.SecureString))
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)

    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -WebCredential $credKeyfactor -ServiceCredential $credService -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to KEYEXAMPLE\GMSA_kyforch$ for configuration file
    Granting Log on as a Service permission to KEYEXAMPLE\GMSA_kyforch$
    Starting service KeyfactorOrchestrator-Default
    Important:  Prior to using a gMSA in the installation, you need to have installed the account on the Universal Orchestrator server using the Install-ADServiceAccount PowerShell command. For example:

    Install-ADServiceAccount -Identity GMSA_kyforch$

    This requires the Active Directory module for Windows PowerShell, which is installed as a feature as part of the Remote Server Administrator Tools.

    Installation example with expected output using token authentication and Network Service to run the local service:

    Copy
    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -BearerTokenUrl https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token -ClientId Universal-Orchestrator -ClientSecret m1aE6RErW5cezSPmv0PJcFdFp152HFqK -OrchestratorName websrvr42-UO.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to NT AUTHORITY\NETWORK SERVICE for configuration file
    Starting service KeyfactorOrchestrator-Default

    Installation example with expected output using token authentication and a local account on the machine to run the local service:

    Copy
    $serviceUser = "websrvr42\kyforch"
    $servicePassword = "MySecurePassword123!"
    $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)

    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -BearerTokenUrl https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token -TokenLifetime 150 -ClientId Universal-Orchestrator -ClientSecret m1aE6RErW5cezSPmv0PJcFdFp152HFqK -ServiceCredential $credService -OrchestratorName websrvr42-UO.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to websrvr42\kyforch for configuration file
    Granting Log on as a Service permission to websrvr42\kyforch
    Starting service KeyfactorOrchestrator-Default

    Installation example with expected output using client certificate authentication with the certificate stored in the local machine store:

    Copy
    $serviceUser = "KEYEXAMPLE\svc_kyforch"
    $servicePassword = "MySecurePassword123!"
    $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)

    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -ClientCertificateThumbprint 29b21df7403b4afe6daf44762e5c47fb73c07ce7 -ServiceCredential $credService -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to KEYEXAMPLE\svc_kyforch for configuration file
    Granting Log on as a Service permission to KEYEXAMPLE\svc_kyforch
    Starting service KeyfactorOrchestrator-Default
    Tip:  The client certificate authentication example shown here references a certificate stored in the local machine store. Because of this, the service account that will run the Universal Orchestrator service needs to be granted permissions to read the private key of the certificate before the installation is run. If the certificate had been acquired into the Universal Orchestrator service account user's personal store rather than the local machine store, the step of granting private key read permissions would not have been necessary.

    Installation example with expected output using client certificate authentication with the certificate stored as a file:

    Copy
    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -ClientCertificate C:\Certs\kyforch.pfx -ClientCertificatePassword MySecurePassword123! -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all

    Copying files
    Setting configuration data
    Installing Windows Service
    Granting necessary file permissions to KEYEXAMPLE\svc_kyforch for configuration file
    Granting Log on as a Service permission to KEYEXAMPLE\svc_kyforch
    Starting service KeyfactorOrchestrator-Default
    Tip:  The client certificate authentication example shown here does not use the -ServiceCredential parameter. This will cause the Universal Orchestrator service to run as Network Service. If you prefer to run the service as a domain service account, you will need to include the -ServiceCredential parameter and specify the PSCredential value for the service credentials appropriately, as shown in the previous examples.

    Network Service will need to be granted read and write permissions on the PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. file before the script is executed.

  4. Review the output from the installation to confirm that no errors have occurred.

The script creates a directory, C:\Program Files\Keyfactor\Keyfactor Orchestrator by default, and places the orchestrator files in this directory. Log files are found in C:\Program Files\Keyfactor\Keyfactor Orchestrator\logs by default, though this is configurable (see Configure Logging for the Universal Orchestrator).

The orchestrator service, by default given a display name of Keyfactor Orchestrator Service (Default), should be automatically started at the conclusion of the install and configured to restart on reboot unless you have selected the NoService parameter.

Tip:   Once the installation of the orchestrator is complete, you need to use the Keyfactor Command Management Portal to approve the orchestrator and configure certificate stores or SSL jobs:

If you've opted to enable remote CA management for the orchestrator, further configuration is needed (see Configure the Universal Orchestrator for Remote CA Management).