A Keyfactor Command server implementation is made up of several Keyfactor Command roles:
Management Portal
The server with this role provides the web-based administration interface that is used to view and report on certificates issued in the environment and enroll for certificates. This role runs under Microsoft IIS. Configuration for the Keyfactor Command implementation as a whole is also done through the Keyfactor Command Management Portal. The Logi Analytics Platform for reporting is hosted on the server with this role.
This role is required on all Keyfactor Command servers.
Windows Services
The server with this role hosts back-end services required to support Keyfactor Command. This includes the Keyfactor Command Service, which is used for all periodic tasks throughout Keyfactor Command, including CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. synchronization, monitoring alerts, and report automation.
This role is required on all Keyfactor Command servers.
Web API
The server with this role hosts the Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command.. The Keyfactor API is also included in the Management Portal role, since the Management Portal makes extensive use of this API.
This role is optional. If you choose not to install this role, you will still be able to use the Keyfactor API. This role is available as a separate component for users who wish to install the Keyfactor API on a separate server from the Management Portal server.
Orchestrator Service API
The server with this role hosts the back-end service for receiving requests from and sending requests to Keyfactor agents and orchestrators.
This role is optional. If you choose not to install this role, you will not be able to use agents and orchestrators with Keyfactor Command.
CA Connector API
The server with this role hosts the CA Connector The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. API. This API includes endpoints to support connections from CA Connector Clients.
This role is optional. If you choose not to install this role, you will not be able to useCA Connector Clients with Keyfactor Command.
The component uses OAuth for authentication even if you've opted to use Active Directory authentication for the remainder of your Keyfactor Command installation, and therefore requires an OAuth 2.0 compliant implementation. You may choose to install Keyfactor Identity Provider if you do not have an alternate provider (see Installing Keyfactor Identity Provider).
In many Windows server installations, the Keyfactor Command Management Portal, Windows Services, Web API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command., and Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Service API roles are collocated on a single server (or pair of servers if redundancy is desired). Both physical and virtual servers are supported. In Kubernetes installations, containers are created for each of these roles and managed with a Helm chart. Redundancy is handled using Kubernetes clusters.
For a high availability (HA) solution using the same roles on all nodes, note that the following conditions apply:
-
All servers must point to the same Keyfactor Command SQL database.
-
All servers must be configured with the same encryption certificate AND the corresponding private key
Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. (see Database Tab). -
Keyfactor recommends that the Keyfactor Command Service be configured to run all services on each node. This allows the service to manage the jobs most efficiently—the service will check out jobs via a locking mechanism that will enforce that any jobs are running on only one service at a time. However, you do have the option to manually tune the jobs on the servers if desired (such that server A always does jobs 1, 2 and 3 and server B always does jobs 4, 5 and 6).
-
Review load balancing rules and configuration, if applicable. Load balancing configuration is beyond the scope of this guide.
Keyfactor does not recommend installing any of these roles on a CA or on a SQL server in a production environment.
As you plan for Keyfactor Command, you need to decide upon an architecture for the implementation and prepare servers with sufficient resources accordingly. See System Requirements for more information about planning for servers with sufficient resources to support the planned roles.