Create Service Accounts for the Java Agent
The Java Agent (one of Keyfactor's suite of orchestrators, used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed) makes use of up to two service accounts to allow it to communicate with the Keyfactor Command server. These two service accounts work together to transfer information from the Java Agent to the Keyfactor Command server. The two service accounts can be thought of as players on two sides of a fence, with the service account for the Java Agent lobbing information over the fence to the service account on the Keyfactor Command server side to catch and hand to the Keyfactor Command server:
- Java Agent Side
On the Java Agent side of the fence, you may use either a local account or an Active Directory service account.
Windows
For domain-joined Windows machines, an Active Directory service account is typically used. For non-domain-joined Windows machines, you may use a local account created on the Windows machine as the service account instead of a domain account.
The service account under which the Keyfactor Java Agent service runs on Windows must be granted permissions to "Log on as a service" through local security policy. This step is generally done automatically as part of the installation scripts, but may need to be completed by hand in certain environments or on certain operating systems. The service account needs sufficient permissions to allow it to discover and inventory Java keystores and PEM certificate stores as applicable (read permissions on the appropriate files and directories) and to update the stores if desired (write permissions on the files and directories in which the stores are kept). A PEM format certificate file is a base64-encoded certificate. Since it is presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. A PEM file can contain a single certificate or a full certificate chain and may contain a private key. Usually, files with the extensions .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem holds both a certificate and a private key.
Important: During the installation process, you enter the Java Agent service identity username and password interactively in a PowerShell window to configure the service account. PowerShell will not support the following characters in the service account password when used in this interface: " (double quote) and $ (dollar sign). If you need to support these characters in the password, you can re-enter the username and password in the Services MMC after receiving an error in the PowerShell interface.
Linux
For the purposes of this documentation it is assumed that Linux machines will be non-domain joined and will use a local account to run the Java Agent.
For Linux systems, Keyfactor recommends running the service as an account other than root.
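When the installation scripts do not grant the "Log on as a service" right described above, it can be granted and verified by hand. The following PowerShell is an added example written for this page, not Keyfactor's installation script. It assumes an elevated PowerShell session on the Java Agent host and uses the placeholder account name CORP\svc_javaagent, which you replace with your own domain account (DOMAIN\user) or local account (.\user). It exports the user-rights area of the local security policy with secedit, appends the account's SID to SeServiceLogonRight, re-imports the policy, and then re-exports it to confirm the right is actually present.

```powershell
# Added example for this page (not Keyfactor's installer): grant the
# "Log on as a service" right (SeServiceLogonRight) to the Java Agent
# service account by hand, then verify that it took effect.
# Assumptions: elevated PowerShell on the Java Agent host; $Account is a
# placeholder (DOMAIN\user for AD, .\user for a local Windows account).
param(
    [string]$Account = 'CORP\svc_javaagent'   # placeholder: replace with your service account
)

$ErrorActionPreference = 'Stop'

# User rights in the exported policy are stored as *SID, so resolve the name first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$sidPattern = [regex]::Escape("*$sid")

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# Export only the user-rights area of the local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy  = Get-Content -Path $cfg
$current = $policy | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1

if ($current -and $current -match $sidPattern) {
    Write-Host "$Account already holds SeServiceLogonRight."
} else {
    $updated = foreach ($line in $policy) {
        if ($line -match '^SeServiceLogonRight\s*=') {
            "$line,*$sid"                          # append our SID to the existing list
        } elseif (-not $current -and $line -eq '[Privilege Rights]') {
            $line
            "SeServiceLogonRight = *$sid"          # no entry yet: create one under the section header
        } else {
            $line
        }
    }
    # secedit expects a UTF-16 (Unicode) .inf file.
    Set-Content -Path $cfg -Value $updated -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Write-Host "Granted SeServiceLogonRight to $Account ($sid)."
}

# Verify from a fresh export rather than trusting the edit.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$check = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if ($check -match $sidPattern) {
    Write-Host 'Verified: SeServiceLogonRight includes the service account.'
} else {
    throw "SeServiceLogonRight was not applied for $Account."
}

Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
```

The script is safe to re-run: if the SID is already listed it makes no change. The right applies to new logons, so restart the Java Agent service after granting it; the account name in the Services MMC and the SID resolved here must refer to the same principal, which is worth checking when a local account and a domain account share a username.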
- Keyfactor Command Server Side
On the Keyfactor Command server side of the fence, an Active Directory service account in the primary Keyfactor Command server forest is used (an Active Directory forest is the top-most logical container in an Active Directory configuration; it contains domains and objects such as users and computers). This can be the same service account used for other Keyfactor Command server services. This service account appears in the Management Portal Orchestrator Management grid as the Identity for the Java Agent (Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores).
If the Java Agent is installed on a domain-joined machine in the same forest as the Keyfactor Command server, the same Active Directory service account may be used on both sides of the fence.
The service accounts need to be created prior to installation of the Java Agent software, and the person installing the Java Agent software needs to know the domain, username and password of each service account.