Install the Main Keyfactor Command Components on the Keyfactor Command Server(s)

The following installation steps show all possible Keyfactor Command features enabled. Your Keyfactor Command license may not cover all Keyfactor Command features. If it does not, unlicensed features will not be shown in the configuration wizard. You may skip those configuration steps.

To begin the Keyfactor Command installation, execute the KeyfactorPlatform.msi file from the Keyfactor Command installation media and install as follows.

1. On the first installation page, click Next to begin the setup wizard.

   

   Figure 452: Install: Begin Setup Wizard

2. On the next page, read and accept the license agreement and click Next.

3. On the next page, select the components to install. For a server with the default roles collocated, leave the default options and click Next to continue. The vSCEP Validation Service component is not selected by default. If desired, you can highlight Keyfactor Command and click Browse to select an alternate installation location for the files. The default installation location is:

   C:\Program Files\Keyfactor\Keyfactor Platform\
   Note:  Although Figure 453: Install: Select Components shows only the default components selected, the remainder of this page covers configuring Keyfactor Command as though all the components have been selected.

   

   Figure 453: Install: Select Components

   Tip:  Refer to Keyfactor Command Server(s) for information about configuring the roles for these components.

   Table 764: Available components for Keyfactor.

   Component	Description
   Management Portal	Mandatory. Web-based management console for configuring all aspect of Keyfactor. The new API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. will be installed with this component.
   Windows Services	Mandatory. Includes the timer Windows service to manage timed events, such as CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Sync, PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. monitoring and system maintenance.
   Web API	Optional. The API component. Disabling Web API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. will remove the classic API from being installed. Enabling it will install both the classic and new API.
   Orchestrator Services	Optional. Not required if neither agents nor orchestrators will be utilized by Keyfactor Command. Web based orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. services API.
   vSCEP	Optional. vSCEP services used to validate certificate requests

4. On the next screen, click Install.
5. On the final installation wizard page, leave the "Launch the Configuration Wizard now" box selected and click Finish. The configuration wizard should start automatically. This can take several seconds.

6. On the Keyfactor Command Database Configuration page, enter the name, IP address, or fully qualified domain name (FQDN) of your SQL server and select a Credential Type of either Windows or SQL.

   Important:  Keyfactor Command uses an encrypted channel to connect to the SQL server by default, which requires configuration of an SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. certificate on the SQL server (see Using SSL to Connect to SQL Server). The name or IP address you enter here for your SQL server must be available as a SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. in this certificate unless you have disabled the encrypted connection for Keyfactor Command (see Configurable SQL Connection Strings).
   • If you select Windows as the Credential Type for connecting to SQL, click the Connect button.

     

     Figure 454: Windows Authentication

   • If you select SQL as the Credential Type for connecting to SQL, the window will expand to include fields to enter a SQL username and password. Enter a username and password to authenticate to SQL, and click the Connect button.

     Note:  The password must not contain single or double quotes. An error will be shown if single or double quotes are used in the password. For the permissions required for this user, see Grant Permissions in SQL.

     

     Figure 455: SQL Authentication

   Note:  Keyfactor Command supports configuration of a base SQL connection template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. that is used for all connections Keyfactor Command makes to SQL. For more information, see Configurable SQL Connection Strings.
   Note:  Keyfactor recommends that you accept the default Credential Type of Windows unless you have a strong need to do otherwise. Your SQL server must be configured to support mixed mode authentication in order to use the SQL option.

7. After the Connect button is clicked, the database name field will be activated. You can either enter the name of the desired database—for either a new or existing database—or click Browse to scroll through a list of existing databases.

   Note:  On subsequent runs of the configuration wizard, the database name field will be pre-populated with the database name used on the last completed run. Any change to the server connection fields (server name, authentication type, etc.) will require the Connect button to be used again to unlock the database name field and the Continue button.

8. Click the Continue button. You will receive a confirmation dialog if any changes will be made to the database at this stage.

   Note:  If any of the following situations occurs, you will receive a message:

   • The selected database does not exist and will be created.
   • The selected database is empty and not associated with Keyfactor Command; it will be populated with the Keyfactor Command schema.
   • The selected database does not match the current product schema and will be upgraded.
   • The selected database is not empty and is not associated with Keyfactor Command.
   • The user does not have access to the database.
   • An SSL certificate is not correctly configured on the SQL server.

9. On the Keyfactor Command Encryption Warning page, read and understand the warning. Make note of the referenced documents to provide to your SQL team. Take advantage of the option to make a backup of the Database Master Key (DMK) by entering a path to a directory on your SQL server along with a filename for the backup file and a password to encrypt the file and clicking Backup. The user running the Keyfactor Command installer must have write permissions to this directory. Click Continue.

   Important:  Keyfactor Command uses Microsoft SQL Server encryption to protect security sensitive data, including service account credentials. Backup of the SQL server Database Master Key (DMK) is of critical importance in database backup and recovery operations. The backup file of the DMK and the password should be stored in a safe, well-documented location. Without the file and password created with this process, some data that is encrypted within the Keyfactor Command database will be unrecoverable in a disaster recovery scenario. For more information, see SQL Encryption Key Backup in the Keyfactor Command Reference Guide.

   If you choose to install Keyfactor Command in the default location, the referenced documents can later be found here:

   C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\DMKBackup.docx
   C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\DMKRestore.docx

   

   Figure 456: Configure: Backup Database Master Key

10. On the Keyfactor Command License upload page, click Upload and browse to locate the license file provided to you by Keyfactor. This file should have the extension CMSLICENSE. Once the uploaded license shows as valid, click Continue.

    

    Figure 457: Configure: Upload License

11. In the Keyfactor Command configuration wizard, you can choose to upload a configuration file to populate the fields. You may have a file saved from a previous run of the configuration wizard or you may be provided one by Keyfactor. To upload a file, in the configuration wizard, click File at the top of the wizard and choose Open Data File… . Browse to locate the configuration file. Configuration files have an extension of .cmscfg. The file may be protected with a password. If it is, you will need to provide this password to open the file. Continue with the remainder of the steps, reviewing the tabs to assure that the data is complete and correct.

    Note:  At the bottom of the configuration wizard, if the database server name is longer than will fit in the provided window, it will be truncated and an ellipsis will be added.

    

    Figure 458: Configure: Open Data File

12. Application Pools Tab

    On the Application Pools tab of the configuration wizard, click Add, change the default application pool name, if desired, and enter the user name (DOMAIN\username format) and password of the Active Directory service account under which the application pool will run. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid. Assuming the verification completes successfully, click Save.

    

    Figure 459: Configure: Application Pools

13. Database Tab

    On the Database tab in the top section, select an Authentication Mode for ongoing communications to SQL server—Windows Authentication or SQL Server Authentications. Your SQL server must be configured to support mixed mode authentication in order to use the SQL server authentication option. If you choose SQL server authentication, enter the Username and Password for a SQL administrator for the Keyfactor Command SQL database. If the user does not exist in SQL, it will be created and granted the necessary permissions for management of the Keyfactor Command database (db_owner). If the user already exists in SQL, it will be granted the necessary permissions. If the database you originally connected to is an Azure database, SQL Server Authentication is the only option provided.

    If desired, check the Configure Encryption box. This option allows you to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology utilizing a Keyfactor Command-defined certificate on top of the SQL server encryption noted above. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. Read and understand the encryption warning. This warning applies to implementations with more than one Keyfactor Command server.

    Note:  In an environment where there are multiple copies of Keyfactor Command pointing to the same database, each server running a Keyfactor Command instance will need to have the same encryption certificate AND the corresponding private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure..

    Select Application and SQL for the Encryption Type and click the Select button to choose a certificate from the Personal Certificate store of the Local Computer with which to encrypt the data. Only valid certificates with the appropriate key usage will appear in the selection dialog. See Acquire a Public Key Certificate for the Keyfactor Command Server.

    Tip:  If you need to reset the encryption level to remove application-level encryption, run the configuration wizard again and select the SQL Only option. You must ensure that the server you are re-running the configuration wizard on has both the certificate used for application-level encryption and its associated private key. When Keyfactor Command notices that application-level encryption has been disabled, it will process all the secrets in the database and remove the additional encryption. The data will then be re-saved to the secrets table using only SQL-level encryption.

    

    Figure 460: Configure: Encryption Warning

    

    Figure 461: Configure: Database

14. Service Tab

    On the Service tab, enter the user name (DOMAIN\username format) and password of the Active Directory service account under which the Keyfactor Command Service will run. This can be the same service account used for the application pool or a different service account. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid. If desired, check the Start service on bootup box to start the Keyfactor Command Service at system start.

    The remaining fields on this tab are used to configure the jobs that the Keyfactor Command Service will run. If you're installing a single Keyfactor Command server, you should enable all jobs for this server by checking the Everything box unless you are specifically aware of a job that doesn't need to be run. For example, if you've opted not to use the SSL scanning functionality, you can uncheck Everything and then uncheck the Endpoint History Purge box. Show services details for more information on the specific jobs. At the bottom of the list of services, modify the default value of 1000 for Concurrent Workflows, if desired.

    If you are installing multiple Keyfactor Command servers in a redundant solution, Keyfactor recommends checking the Everything box to run all the service jobs on all Keyfactor Command servers. This allows the Keyfactor Command Service to manage the jobs most efficiently. However, you do have the option to configure different service jobs on your different Keyfactor Command nodes (so server 1 might run Maintenance jobs, while server 2 runs Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. jobs, etc.). To do this, uncheck the Everything box and check the boxes next to the services that should run on a particular Keyfactor Command server instance.

    Table 765: Keyfactor Command Services

    Type	Service	Description	Notes
    Maintenance	Synchronization	Periodically synchronize certificates from certificate authorities.	The schedules for this are user configurable (see Certificate Authorities in the Keyfactor Command Reference Guide).
    Maintenance	Bulk Audit Entry Processing	Periodically add audit log entries for large jobs. Most audit log entries are added immediately at the time the activity generating the audit log takes place. However, some large jobs that might generate heavy server load (e.g. bulk revocation) save the audit log entries in a temporary location to reduce server load and then they are added to the audit log by this periodic job.	This job runs every 10 minutes.
    Maintenance	Metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. Generation	Periodically generate and assign metadata to certificates when they are imported into Keyfactor Command using a custom metadata extension.	This job runs every 15 minutes.
    Maintenance	Private Key Cleanup	Periodically remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion.	This job runs daily at 1:00 am. For more information about stored private keys, see Status Tab in the Keyfactor Command Reference Guide.
    Maintenance	Purge Audit Log History	Periodically remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion.	This job runs monthly on the first day of the month at 2:00 am. For more information, see Application Settings: Auditing Tab in the Keyfactor Command Reference Guide. Only audit logs belonging to unprotected categories are eligible for deletion.
    Maintenance	Endpoint An endpoint is a URL that enables the API to gain access to resources on a server. History Purge	Periodically remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion, based on the setting in Application Settings: Auditing Tab(SSL > Retain SSL Endpoint History (days)) in the Keyfactor Command Reference Guide.	This job runs daily at 1:00 am.
    Maintenance	Report Cleanup	Periodically remove records from temporary files generated while running reports.	This job runs daily at midnight.
    Maintenance	Update Stats	Periodically run the Microsoft SQL update statistics function in the Keyfactor Command database.	This job runs monthly on the first day of the month at 1:00 am.
    Maintenance	Sync Templates	Periodically synchronize certificate templates from the source (e.g. Active Directory) to pick up new templates.	This job runs every hour.
    Maintenance	Schedule SSL Jobs	Periodically identify and schedule SSL discovery and monitoring jobs.	This job runs every 5 minutes.
    Maintenance	Workflow A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. Cleanup	Periodically remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged X number of days past the completion date (last modified date), where X is defined by the Workflow Instance Cleanup Days application setting (see Application Settings: Console Tab in the Keyfactor Command Reference Guide). The default value is 14 days.	This job runs daily at midnight.
    Alerts	CA Health	Periodically send email alerts when a CA is not responding.	The schedule for this is user configurable (see Certificate Authority Monitoring in the Keyfactor Command Reference Guide).
    Alerts	CA Threshold	Periodically send email alerts when a CA is issuing certificates or experiencing issuance failures outside of the established norms.	The schedule for this is user configurable (see Advanced Tab in the Keyfactor Command Reference Guide).
    Alerts	CRL A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.	Periodically send email alerts for certificate revocation lists (CRLs) that are approaching expiration.	The schedule for this is user configurable (see Adding or Modifying a Revocation Monitoring Location in the Keyfactor Command Reference Guide).
    Alerts	Pending/Expiration	Periodically send email alerts (typically to certificate approvers) for certificate requests made using a certificate template that requires manager approval. Periodically send email alerts for certificates approaching expiration.	The schedules for these are user configurable. See Configuring a Pending Request Alert Schedule and Configuring an Expiration Alert Schedule in the Keyfactor Command Reference Guide.
    Alerts	Collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). Membership Caching	Periodically update the temporary tables that store information on which certificates are in which certificate collections. These temporary tables (caches) are used to support faster processing of some systems.	This value is user configurable with an application setting (see Application Settings: Console Tab in the Keyfactor Command Reference Guide). The default is 20 minutes.
    Alerts	Issued Alerts	Periodically send email alerts (typically to certificate requesters) for certificate requests made using a certificate template that requires manager approval that have been approved.	The schedule for this is user configurable (see Configuring an Issued Request Alert Schedule in the Keyfactor Command Reference Guide). A scheduled alert is only needed to deliver notifications for approvals done outside of Keyfactor Command.
    Alerts	SSH The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Key Rotation Alerts	Periodically send email notifications to SSH key users and/or administrators when a key is nearing the end of the key lifetime.	The schedule for this is user configurable (see Configuring a Key Rotation Alert Schedule in the Keyfactor Command Reference Guide).
    Other	Reporting	Deliver regularly scheduled reports via email or saved to a file system.	The schedules for these are user configurable (see Reports in the Keyfactor Command Reference Guide).
    Other	Run Suspended Workflows	Periodically attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts. A locking conflict may occur if two users attempt to provide input to a workflow instance (e.g. approve a request) at exactly the same time.	This job runs daily at midnight.
    n/a	Concurrent Workflows	Sets the batch size used when suspended workflows are run by the Keyfactor Command service.	The default value is 1000.

    

    Figure 462: Configure: Service

15. Email Tab

    On the Email tab, enter the FQDN of your SMTP Short for simple mail transfer protocol, SMTP is a protocol for sending email messages between servers. server, the SMTP port (default is 25), and the sender name and account. Depending on the email configuration in your environment, the sender account may need to be a valid user on your mail server (using Active Directory credentials) or you may be able to put anything in this field (if your mail server supports anonymous connections). You may use the people picker button () to browse for the sender account if you are using a valid account. Select the Use SSL box if this option is supported by your mail server and select the appropriate authentication method for your environment. If your mail server requires that you provide a username and password for a valid user, enter that Active Directory username and password in the fields at the bottom of the page after selecting the Explicit credentials radio button. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid. The user you select here must match the email address you set in the Sender Account field if you select Explicit credentials. The information entered on this tab may later be changed in the Keyfactor Command Management Portal.

    

    Figure 463: Configure: Email

16. Keyfactor Portal Tab

    On the Keyfactor Portal tab in the top section, enter the FQDN that you will use to access the Keyfactor Command Management Portal in the Host Name field. This can be either the actual host name The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). of the server on which you are installing the Keyfactor Command Administration component or a DNS The Domain Name System is a service that translates names into IP addresses. alias pointing to the server. If you have multiple Keyfactor Command Management Portal servers with load balancing, this will be a DNS name pointing to your load balancer. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and confirm that the application pool for Keyfactor Command that you created earlier appears in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    Administration Section

    In the Administration section, enter the Active Directory security group or groups that you will use to control administrative access to the Keyfactor Command Management Portal in the Administrative Users field. Multiple groups should be separated by commas with no trailing spaces. You may use the people picker button () to browse for groups. Click the verify button () to confirm that any entered groups are valid. Enter only the group(s) to which you want to grant full administrative rights to the Keyfactor Command Management Portal. Following initial configuration, you can create other permission levels and grant those permission levels to other Active Directory users or groups through the Keyfactor Command Management Portal. See Security Roles and Identities in the Keyfactor Command Reference Guide for more information.

    Important:  The built-in Active Directory groups Domain Admins and Enterprise Admins cannot be used directly to grant access to the Management Portal due to how these groups function within Windows. You can create a custom Active Directory group, reference that group in the Management Portal, and add the built-in Domain Admins or Enterprise Admins group to that custom group, if desired.

    Important:  The administrative group must be created as a Global or Universal group. If the administrative group is created as a domain-local group, it will not be recognized by the Management Portal Security Roles and Identities configuration. Configuration of the Management Portal will be incomplete until the group is deleted and recreated as a Global or Universal group.
    Enrollment Section

    In the Enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). section of the page, modify the default Certificate Subject Format field, if desired. The subject values provided in this field are substituted at processing time for any entered by the user in PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollment or provided with enrollment defaults if the template used is set to supply in request.

    The data in the subject format takes precedence over any data entered during PFX enrollment or supplied by enrollment defaults (see Enrollment Defaults Tab in the Keyfactor Command Reference Guide). For example, if you define the following subject format:

    CN={CN},E={E},O=Key Example\, Inc.,OU={OU},L=Chicago,ST=IL,C=US

    The organization for certificates generated through PFX enrollment will always be "Key Example, Inc." regardless of what is shown on the PFX enrollment page during enrollment.

    This setting also applies to CSRs generated using the CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. generation method and to CSR and PFX enrollments done using the Classic API.

    Data from the default subject does not display in the PFX enrollment form. To define defaults that will display in the PFX enrollment form (and can be modified by users), use enrollment defaults (see Enrollment Defaults Tab in the Keyfactor Command Reference Guide).

    Note:  Backslashes are required before any commas embedded within values in the subject field (e.g. O=Key Example\, Inc.). Quotation marks should not be used in the strings in the fields except in the case where these are part of the desired subject value, as they are processed as literal values.

    Tip:  The default subject format does not apply to enrollments done using the CSR enrollment method or any requests done with the Keyfactor API.
    PFX Enrollment Section

    In the PFX Enrollment section of the page, uncheck the Enabled box if you do not wish to support PFX enrollment. If you wish to support PFX enrollment, leave the Enabled box checked. Select the Domain radio button if you wish PFX files to be protected with the user’s Active Directory password or select the Auto-Generated radio button if you wish PFX files to be protected with a one-time password. Check the Alphanumeric Password Characters box if you wish the one-time password used to protect PFX files to contain numbers and letters. Uncheck the Alphanumeric Password Characters box if you wish the one-time password used to protect PFX files to contain numbers, letters and special characters. In the Password Length field, enter a number for the number of characters the one-time password should have. The minimum value is 8. If you select the Domain radio button, the data entered in the password fields is not relevant.

    CSR Enrollment Section

    In the CSR Enrollment section of the page, uncheck the Enabled box if you do not wish to support CSR enrollment. If you wish to support CSR enrollment, leave the Enabled box checked.

    

    Figure 464: Configure: Keyfactor Portal

17. Dashboard and Reports Tab

    On the Dashboard and Reports tab, enter the FQDN of the server hosting the Keyfactor Command Management Portal—where the Logi Analytics Platform is installed—in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Management Portal component or a DNS alias pointing to the server. Check or uncheck the Use SSL box as appropriate for your environment. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and confirm that the application pool for Keyfactor Command that you created earlier appears in the Application Pool dropdown. In the Keyfactor Site IP Address(es) field, enter the IPv4 (and IPv6 (if applicable), separated by a comma) IP address(es) of the server hosting the Keyfactor Command Management Portal in a comma-delimited list. If you plan to use integrated Windows authentication (see Configure Kerberos Authentication) to access the Management Portal, uncheck the Use Basic Authentication box. If you plan to use Basic authentication to access the Management Portal, check the Use Basic Authentication box and enter the user name (DOMAIN\username format) and password of the Active Directory service account that the Logi Analytics Platform will use to access Keyfactor Command (using the Keyfactor API). This can be the same service account used for the application pool or a different service account. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid.

    Note:  If desired, you can configure the Host Name field as localhost and then configure the Keyfactor Site IP Addresses(es) field as 127.0.0.1,::1 (to cover both the IPv4 and IPv6 loopback addresses). You cannot mix and match actual host names and IP addresses with localhost and loopback addresses—e.g. setting Host Name to keyfactor.keyexample.com and Keyfactor Site IP Address(es) to 127.0.0.1,::1 will not work.
    Note:  If you are installing the Management Portal in a load balanced configuration, see Appendix - Logi Load Balancing: Keyfactor Command Configuration Wizard Setup.
    Note:  If you do not enter ::1 (the loopback address for IPv6) in the Keyfactor Site IP Address(es) field, the configuration wizard automatically appends this for you. Having extra names and/or addresses by which the Management Portal might be known in this field allows Logi to connect to Keyfactor Command in the most scenarios possible.

    

    Figure 465: Configure: Dashboard and Reports

18. vSCEP Services Tab

    On the vSCEP Service tab (this tab won't appear if you installed only the default components), enter the FQDN of the server hosting the Keyfactor Command vSCEP™ service in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Services (vSCEP Validation Service) components or a DNS alias pointing to the server. Check or uncheck the Use SSL box as appropriate for your environment. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and confirm that the application pool for Keyfactor Command that you created earlier appears in the Application Pool dropdown. Select a certificate template you will use with this service in the SCEP Certificate Template dropdown. Enter the full path to the SCEP challenge page for the SCEP server in the SCEP Path field. This path should be given in full URL format as follows (where MICROSOFT_NDES_SERVER_FQDN is the FQDN of your Microsoft NDES server or Keyfactor_SCEP_SERVER_FQDN is the FQDN of your Keyfactor SCEP server):

    • For Microsoft NDES:

      https://[MICROSOFT_NDES_SERVER_FQDN]/certsrv/mscep_admin

    • For Keyfactor SCEP:

      https://[KEYFACTOR_SCEP_SERVER_FQDN]/scep/challenge

    Your Microsoft NDES or Keyfactor SCEP server may have been configured to use HTTP rather than HTTPS. Enter the full path to the SCEP enrollment page for the SCEP server in the Request Path field. This path should be given in full URL format as follows (where MICROSOFT_NDES_SERVER_FQDN is the FQDN of your Microsoft NDES server or Keyfactor_SCEP_SERVER_FQDN is the FQDN of your Keyfactor SCEP server):

    • For Microsoft NDES:

      https://[MICROSOFT_NDES_SERVER_FQDN]/certsrv/mscep/mscep.dll

    • For Keyfactor SCEP:

      https://[KEYFACTOR_SCEP_SERVER_FQDN]/scep/api/scep

    Your Microsoft NDES or Keyfactor SCEP server may have been configured to use HTTP rather than HTTPS.

    Enter the Active Directory security group or groups that you will use to control access to the vSCEP API in the Allowed Users/Groups field or enter individual users (DOMAIN\username or DOMAIN\group name format). You may use the people picker button () to browse for users or groups. Click the verify button () to confirm that any entered users or groups are valid.

    

    Figure 466: Configure: vSCEP Service

19. Orchestrators

    On the Orchestrators tab, enter the FQDN of the server hosting the Keyfactor Command orchestrators web site in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Services (Orchestrator Services API) components or a DNS alias pointing to the server. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and confirm that the application pool for Keyfactor Command that you created earlier appears in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    Reenrollment Section (Optional)

    In the Template For Submitted CSRs field, from the dropdown, select the template to be used for reenrollment requests made from the Certificate Stores page.

    In the CA For Submitted CSRs field, enter the certificate authority used for reenrollment requests made from the Certificate Stores page. The CA should be entered in the format FQDN\Logical Name The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two)..

    

    Figure 467: Configure: Orchestrators with Standard Authentication

    Certificate Authentication Section (Optional)

    In the Certificate Authentication section of the Orchestrators tab, check the Enabled box if you wish to support client certificate enrollment from the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux. or Keyfactor Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location.. In the Certificate Authentication HTTP Header field, enter the HTTP header under which the orchestrator connection proxy should send the client authentication certificate. Keyfactor Command uses the certificate supplied in this header to identify the orchestrator attempting to authenticate. In the Certificate Authentication Username and Certificate Authentication Password fields, enter the credentials for the Active Directory user configured on the proxy to authenticate the orchestrator(s) to the Keyfactor Command server.

    

    Figure 468: Configure: Orchestrators with Client Certificate Authentication

20. API Tab

    On the API tab, enter the FQDN of the server hosting the Keyfactor Command KeyfactorAPI service in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Services (Keyfactor API) components or a DNS alias pointing to the server. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and confirm that the application pool for Keyfactor Command that you created earlier appears in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    Classic API Section

    In the Classic API section of the API page, check the Enabled box if you wish to make use of the Classic API (a.k.a. the CMS API). The classic API may be needed in your environment if you're upgrading from a previous version of Keyfactor Command and have written API applications using the classic API. Enter the FQDN of the server hosting the Keyfactor Command Classic API service in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Services (Classic API) components or a DNS alias pointing to the server. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and confirm that the application pool for Keyfactor Command that you created earlier appears in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    

    Figure 469: Configure: APIs

21. Auditing Configuration Tab

    On the Auditing Configuration tab, enter the number of years to retain audit data in the Audit Entry Retention Period (years) field. By default, seven years of data is retained. The audit log cleanup job runs once daily and removes any audit log entries older than the time specified in the retention parameter A parameter or argument is a value that is passed into a function in an application. except those in the following protected categories:

    • Security

    • CertificateCollections

    • ApplicationSettings

    • SecurityIdentities

    • SecurityRoles

    Linux SysLog Server Section

    In the Linux SysLog Server section of the page, check the Connect to SysLog to enable the option to copy audit logs in real time to a separate server for collection and analysis with a centralized logging solution (e.g. rsyslog Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network., Splunk, Elastic Stack). In the Host Name field, enter the fully qualified domain name of the server that will be receiving the logs. Set the Port to the port on which your log receipt application is listening to receive the logs. The default value is 514 (the default rsyslog port). If desired, turn on Use TLS SysLogging. When you click Save, Keyfactor Command will verify that a connection can be made to the specified server on the specified port. Additional configuration on both the Keyfactor Command server and log receipt server are needed to make TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. communications work (see Prepare for External Log Shipping over TLS (Optional)). If you have not yet completed these configurations, you will receive a validation error on save if the Use TLS SysLogging option is enabled.

    The auditing settings can be updated on the auditing tab of the applications settings page following installation (see Application Settings: Auditing Tab in the Keyfactor Command Reference Guide).

    

    Figure 470: Configure: Audit

22. At this point in the configuration, if you have populated all the required fields, the yellow warning banner at the top of the configuration wizard should have disappeared. If it is still visible, click the dropdown arrow to open the Warnings page and review the warning(s) to see what needs to be corrected. Under some circumstances you will be allowed to continue with the configuration even if the yellow warning banner is still present. You will know this is the case if the Verify Configuration button is active. Under these circumstances, you should review the warnings before continuing.

    

    Figure 471: Configure: Configuration Warnings

23. Before completing the configuration wizard, you may choose to save a copy of the configuration as a file for future use. To download the configuration as a file, in the configuration wizard, click File at the top of the wizard and choose Save Data File. Browse to a location where you want to save the configuration file, enter a file name and click Save. You will be prompted to enter a password to encrypt the data in the file. You may choose to protect the file with a password or not. If you use a password at this time, you will need to provide this password to open the file. Keyfactor strongly recommends using a password to protect production files. If you do not wish to use a password to protect a production file, you may edit the file to remove the sensitive information (passwords for the service accounts entered in the configuration wizard). Once you enter a password or uncheck the encryption box, click OK to save the file.

    

    Figure 472: Configure: Save Configuration as a File

24. At the bottom of the Keyfactor Command Configuration Wizard dialog, click Verify Configuration.

25. On the Configuration Operations page, review the planned operations and then click Apply Configuration. Prior to clicking Apply Configuration, you can revisit any of the Configuration Wizard tabs to review or make changes by clicking Edit Configuration.

    

    Figure 473: Configure: Configuration Operations

26. When the configuration completes successfully, you will see the below message. If you didn’t save a copy of the configuration earlier, you may do so at this time by clicking Save Settings. Otherwise, click Close to close the dialog.

    

    Figure 474: Configure: Configuration Complete