Keyfactor Command Server(s)
A Keyfactor Command server implementation is made up of several Keyfactor Command roles:
The server with the Management Portal role provides the web-based administration interface used to view and report on certificates issued in the environment and to enroll for certificates. This role runs under Microsoft IIS. Configuration for the Keyfactor Command implementation as a whole is also done through the Keyfactor Command Management Portal. The Logi Analytics Platform for reporting is hosted on the server with this role.
This role is required on all Keyfactor Command servers.
The server with the Windows Services role hosts the back-end services required to support Keyfactor Command. This includes the Keyfactor Command Service, which runs all periodic tasks throughout Keyfactor Command, including CA synchronization (the CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA), monitoring alerts, and report automation.
This role is required on all Keyfactor Command servers.
The server with the Web API role hosts the Web APIs: the newer Keyfactor API and the older Classic API. The Keyfactor API is also included in the Management Portal role, since the Management Portal makes extensive use of it.
This role is optional. If you choose not to install it, the Classic API will not be available (the Keyfactor API remains available through the Management Portal role). Typically only users with existing applications written against the Classic API need to install it.
The server with the Orchestrator Service API role hosts the back-end service that receives requests from and sends requests to Keyfactor agents and orchestrators.
This role is optional. If you choose not to install this role, you will not be able to use agents and orchestrators with Keyfactor Command.
The server with the vSCEP Validation Service role hosts the back-end service for validating SCEP requests.
This role is optional. If you choose not to install it, you will not be able to use Keyfactor's vSCEP validation technology to validate the certificate request subject and, optionally, the subject alternative name(s) (SANs) in a certificate requested using a SCEP challenge.
In many environments, the Keyfactor Command Management Portal, Windows Services, Web API, and Orchestrator Service API roles are collocated on a single server (or a pair of servers if redundancy is desired). The vSCEP Validation Service is an optional role that is installed only in environments where SCEP validation is required. Both physical and virtual servers are supported.
For a high availability (HA) solution using the same roles on all nodes, the following conditions apply:
- All servers must point to the same Keyfactor Command SQL database.
- All servers must be configured with the same encryption certificate AND the corresponding private key (see Database Tab).
- Keyfactor recommends configuring the Keyfactor Command Service to run all services on each node. This lets the service manage jobs most efficiently: it checks out jobs via a locking mechanism that ensures any given job runs on only one service at a time. You may instead tune the jobs manually across servers if desired (for example, so that server A always runs jobs 1, 2 and 3 and server B always runs jobs 4, 5 and 6).
- Review load balancing rules and configuration, if applicable. Load balancing configuration is beyond the scope of this guide.
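The following PowerShell check is an added example, not Keyfactor's own code or installer logic. It verifies the second HA condition above: that every node holds the same encryption certificate together with its private key. It assumes PowerShell remoting (WinRM) is enabled to the nodes, that the encryption certificate is installed in the LocalMachine\My store, and that the node names and thumbprint shown are placeholders you replace with your own.

```powershell
# Added example (not Keyfactor's code). Confirms that each HA node has the
# Keyfactor Command encryption certificate, with a private key, in LocalMachine\My.
$Nodes      = @('kfcmd01', 'kfcmd02')                     # assumed node host names
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed thumbprint of the encryption cert

$results = Invoke-Command -ComputerName $Nodes -ArgumentList $Thumbprint -ScriptBlock {
    param($tp)
    # Look the certificate up by thumbprint in the machine personal store (assumed location).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Present       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        Expired       = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$results | Format-Table Node, Present, HasPrivateKey, Expired, NotAfter -AutoSize

# Any node missing the certificate or its private key would be unable to
# decrypt data written by the other nodes, so treat it as a hard failure.
$bad = $results | Where-Object { -not $_.Present -or -not $_.HasPrivateKey -or $_.Expired }
if ($bad) {
    Write-Error ("Encryption certificate missing, without a private key, or expired on: " + ($bad.Node -join ', '))
} else {
    Write-Host "All nodes hold the encryption certificate and its private key."
}
```

HasPrivateKey only reports that a key is associated with the certificate; it does not prove the account running the Keyfactor Command services can read it. After this check passes, also confirm that the service account has Read permission on the key on every node (Manage Private Keys in the certificates MMC), since a node that can see the certificate but not use the key will fail at runtime rather than at installation.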
Keyfactor does not recommend installing the Keyfactor Command Management Portal, Windows Services, Web API, Orchestrator Service API, or vSCEP Validation Service role on a CA or on a SQL server in a production environment.
As you plan for Keyfactor Command, you need to decide upon an architecture for the implementation and prepare servers with sufficient resources accordingly. See System Requirements for more information about planning for servers with sufficient resources to support the planned roles.