Appendix - Set up the Universal Orchestrator to Use Client Certificate Authentication Directly
The Keyfactor Universal Orchestrator can be configured to support client certificate authentication directly by acquiring a certificate for the Keyfactor Command connect service account user or machine account of the orchestrator
on the orchestrator and providing it to Keyfactor Command to authenticate the orchestrator.
Complete the following steps and then configure the orchestrator to enable client certificate authentication as per the installation instructions (see -ClientCertificate (Client Certificate Authentication) or Install the Universal Orchestrator on a Linux Server).
Client certificate authentication using this method has the following requirements:
-
The KeyfactorAgents endpoint
in Keyfactor Command must be configured to Use SSL.
-
The CA
CRL
endpoints must be reachable by the orchestrator for every CA in the chain for both the CA that issued the SSL
certificate on the Keyfactor Command server and the CA that will issue the client authentication certificates.
Alternately, you may disable CRL checking when installing each orchestrator (see the --NoRevocationCheck and --no-revocation-check options) or on the Keyfactor Command in the appsettings.json file for the WebAgentServices. By default, this is found in the following path:
C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Configuration\appsettings.jsonTo disable CRL checking at the server level for the orchestrator endpoint, set CheckAuthCertificateRevocationStatus to false.
{ "ActiveDirectoryEnforced": true, "CheckAuthCertificateRevocationStatus": "true", "ExtensionsDirectory": "Extensions", "MaxRequestSizeKb": "5000", "NLogConfigFile": "Configuration\\NLog_Orchestrators.config", "SqlRetryConfiguration": { "NumberOfTries": "5", "DeltaTime": "00:00:00.5", "MaxTimeInterval": "00:02:00" } }
- The CN
(common name
) of your client authentication certificate (see Acquire a Certificate for Client Certificate Authentication (Optional)) must have a value. Keyfactor recommends using a template
configured to set the subject as Supply in the request. The CN of the certificate appears as the identity of the orchestrator in Keyfactor Command.
Configure Keyfactor Command for Client Certificate Authentication
First, configure Keyfactor Command to enable client certificate authentication for the orchestrators. Once you do this, all orchestrators connecting to this instance of Keyfactor Command will be required to provide a certificate to authenticate. If you have some orchestrators deployed that do not support certificate authentication (e.g. Java agents), you will need to design a solution with multiple Keyfactor Command servers to support multiple authentication types. Contact your Keyfactor representative for assistance with this.
The KeyfactorAgents endpoint in Keyfactor Command must be configured to Use SSL and the CA CRL endpoints must be reachable by the orchestrator for every CA in the chain for both the CA that issued the SSL certificate on the Keyfactor Command server and the CA that will issue the client authentication certificates.
To configure Keyfactor Command to require client certificate authentication for orchestrators:
- On the Keyfactor Command server, open the Keyfactor Configuration Wizard.
- In the Certificate Authentication section of the Orchestrators tab, check the Enabled box.
- In the Certificate Authentication HTTP Header field, enter a Header Name. For the purposes of this configuration, the value you enter here is not significant, but the field is required, so you must enter something. It will not be used.
- In the Certificate Authentication Username and Certificate Authentication Password fields, enter the credentials for an Active Directory service account for the orchestrator(s).Tip: The service account entered here does not need to match the service account used to authenticate the orchestrator.
- Click Verify Configuration and Apply Configuration.
Figure 502: Configure Keyfactor Command for Client Certificate Authentication
Configure Certificate Authentication and SSL Settings in IIS
Make the following changes in the IIS Management console on the Keyfactor Command server:
-
In the IIS Management console, highlight the server name on the left and open Authentication. Make sure Anonymous Authentication is the only enabled method.
Figure 503: Configure only Anonymous Authentication at the Server Level in IIS
-
In the IIS Management console, highlight Default Web Site (or the web site name you’re using) on the left and open Authentication. Make sure Anonymous Authentication is the only enabled method.
Figure 504: Configure only Anonymous Authentication at the Web Site Level in IIS
-
In the IIS Management console, drill down into sites and into the Default Web Site (or other web site if your Keyfactor Command instance has been installed in an alternate web site). Under the Default Web Site, locate the KeyfactorAgents application and open Authentication for this. Disable all the authentication methods and enable only Anonymous Authentication.
Figure 505: Disable Authentication Methods at the Application Level in IIS
-
In the IIS Management console, open SSL Settings for the KeyfactorAgents application. Check the Require SSL box and select either Require or Accept for Client certificates.
Important: Only selected Require if your are only using orchestrators that support client certificate authentication and plan to configure all of them for certificate authentication.Figure 506: Configure SSL Settings in IIS for Client Certificate Authentication
Tip: If your KeyfactorAgents endpoint is running on a standalone server with no other Keyfactor roles, you may also configure your server to Require or Accept for Client certificates at the Default Web Site level. It is good security practice to check the Require SSL box. If your KeyfactorAgents endpoint is running on a server with other Keyfactor roles, you do not need to accept client certificates at this level and should not require them at this level.