Install the Universal Orchestrator in a Linux Container

The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers.

When the Universal Orchestrator runs in a Linux container, it is typically installed in a containerization solution that sits on top of a Linux server or set of servers. There are a wide variety of containerization solutions for multiple operating systems. This document covers deploying the container to either Docker or Kubernetes on Linux.

The artifactory for the Universal Orchestrator images can be found in the following JFrog repository:

repo.keyfactor.com/images/command/

Two different images are available, depending on the functionality you are looking for:

Note:  For artifactory credentials or more information, check with your Keyfactor Client Success Manager or contact support@keyfactor.com.

Table 907: Linux Container Parameters

AppSettings__CheckServerCertificateRevocation
A Boolean that indicates whether the revocation status (CRL) of the SSL certificate on the Keyfactor Command server should be checked when connecting to Keyfactor Command (true) or not (false). The default is true (CRL checking will be done).

AUDIENCE
This parameter is used to specify an audience value to be included in token requests delivered to the identity provider when using an identity provider other than Active Directory.

BEARER_TOKEN_URL
Required*. The URL of the token endpoint for your identity provider. For example:

    https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required if you're using an identity provider other than Active Directory.

CLIENT_ID
Required*. For implementations using an identity provider other than Active Directory, the ID of the identity provider client that should be used to authenticate the session (see Create Service Accounts for the Universal Orchestrator).

This parameter is required if you're using an identity provider other than Active Directory.

CLIENT_SECRET
Required*. For implementations using an identity provider other than Active Directory, the secret of the identity provider client that should be used to authenticate the session.

This parameter is required if you're using an identity provider other than Active Directory.

COMMAND_AGENTS_URL
Required. The URL of the Orchestrators API on the Keyfactor Command server. For example:

    https://keyfactor.keyexample.com/KeyfactorAgents

LOG_LEVEL
The logging level for the orchestrator. The default value is Info. Possible values are the same as those described in Configure Logging for the Universal Orchestrator.

ORCHESTRATOR_NAME
The name the orchestrator uses to register itself with Keyfactor Command. By default, the container hostname is used, which is not ideal as this will create a new orchestrator entry with every container start. Although this parameter is not strictly required, Keyfactor strongly recommends using it.

If you choose to uninstall and reinstall the orchestrator (e.g. using compose down), it is important to use the same orchestrator name for subsequent implementations so that Keyfactor Command will recognize the orchestrator when it is started again.

PASSWORD
Required*. The password for the Keyfactor Command Connect Service Account if you're using Active Directory as an identity provider (see USERNAME).

This parameter is required if you're using Active Directory as an identity provider.

SCOPE
This parameter is used to specify one or more scopes that should be included in token requests delivered to the identity provider when using an identity provider other than Active Directory. Multiple scopes should be separated by spaces.

TOKEN_LIFETIME
For implementations using an identity provider other than Active Directory, the number of seconds for which the bearer token is valid. If not specified, the orchestrator uses the default value set by the Keyfactor Command server of 300 seconds (5 minutes).

USERNAME
Required*. The username for the service account used to connect to the Keyfactor Command server (see PASSWORD). This is the Keyfactor Command Connect Service Account described in Create Service Accounts for the Universal Orchestrator if you're using Active Directory as an identity provider. The orchestrator uses Basic Authentication to authenticate to Keyfactor Command.

This parameter is required if you're using Active Directory as an identity provider.

Note:  The Keyfactor Universal Orchestrator running in a container does not support client certificate authentication.
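The parameter rules in Table 907 (COMMAND_AGENTS_URL always required, USERNAME/PASSWORD for Active Directory, BEARER_TOKEN_URL/CLIENT_ID/CLIENT_SECRET for any other identity provider, ORCHESTRATOR_NAME strongly recommended, revocation checking on by default) can be checked before the container is started. The script below is an added example and is not Keyfactor's own tooling; the function names and the UO_IMAGE placeholder are assumptions, and the image name and tag must be substituted from the JFrog repository above.

```shell
#!/bin/sh
# Added example, not Keyfactor tooling: sanity-check the container parameters
# from Table 907 before starting the orchestrator, then print the docker run
# command. UO_IMAGE is a placeholder; substitute the image name and tag you
# pulled from repo.keyfactor.com/images/command/.
UO_IMAGE="${UO_IMAGE:-repo.keyfactor.com/images/command/IMAGE_PLACEHOLDER:TAG_PLACEHOLDER}"

# Returns 0 when every parameter required for the chosen identity provider is
# set, 1 otherwise. Argument: "ad" (Active Directory) or "oidc" (any other).
uo_validate_env() {
  mode="$1"; rc=0
  [ -n "$COMMAND_AGENTS_URL" ] || { echo "COMMAND_AGENTS_URL is required" >&2; rc=1; }
  if [ "$mode" = "ad" ]; then required="USERNAME PASSWORD"
  else required="BEARER_TOKEN_URL CLIENT_ID CLIENT_SECRET"; fi
  for v in $required; do
    eval "val=\${$v}"
    [ -n "$val" ] || { echo "$v is required for mode $mode" >&2; rc=1; }
  done
  # Not fatal, but worth flagging: without ORCHESTRATOR_NAME the hostname is
  # used and every container start registers a new orchestrator entry, and
  # disabling revocation checking weakens validation of the server's TLS cert.
  [ -n "$ORCHESTRATOR_NAME" ] || echo "warning: ORCHESTRATOR_NAME not set" >&2
  [ "${AppSettings__CheckServerCertificateRevocation:-true}" != "false" ] ||
    echo "warning: server certificate revocation checking is disabled" >&2
  return $rc
}

# Prints the docker run command for the chosen mode. Variables are passed as
# bare -e NAME so docker reads their values from the environment and secrets
# never appear in the command line or shell history.
uo_docker_cmd() {
  mode="$1"
  set -- docker run -d --name "${ORCHESTRATOR_NAME:-keyfactor-uo}" \
    -e COMMAND_AGENTS_URL -e ORCHESTRATOR_NAME -e LOG_LEVEL \
    -e AppSettings__CheckServerCertificateRevocation
  if [ "$mode" = "ad" ]; then
    set -- "$@" -e USERNAME -e PASSWORD
  else
    set -- "$@" -e BEARER_TOKEN_URL -e CLIENT_ID -e CLIENT_SECRET \
      -e SCOPE -e AUDIENCE -e TOKEN_LIFETIME
  fi
  echo "$@" "$UO_IMAGE"
}

# Typical use (constructed values): export the variables, validate, then run.
# export COMMAND_AGENTS_URL=https://keyfactor.keyexample.com/KeyfactorAgents ORCHESTRATOR_NAME=uo-linux-01
# uo_validate_env oidc && eval "$(uo_docker_cmd oidc)"
```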
Tip:  Once the installation of the orchestrator is complete, you need to use the Keyfactor Command Management Portal to approve the orchestrator and configure certificate stores or SSL jobs: