Installing Orchestrators
Keyfactor offers several orchestrators (a.k.a. agents) that may be used to interact with and enhance the functionality of the Keyfactor Command Server.
This guide covers installation of the following orchestrators:
- Keyfactor Universal Orchestrator
The Keyfactor Universal Orchestrator replaces the Keyfactor Windows Orchestrator and runs on either Windows or Linux servers. It can be used to:
- Interact with Windows servers (a.k.a. IIS certificate stores) to provide certificate management (installations on Windows only).
- Interact with FTP capable devices to provide certificate management.
- Run SSL/TLS discovery and monitoring tasks.
- Manage synchronization of certificate authorities in remote forests (installations on Windows only).
- Collect logs from the orchestrator for central review.
- Run custom jobs to provide certificate management capabilities on a variety of platforms and devices.
- Run custom jobs to execute tasks outside the standard list of certificate management functions. This powerful feature can execute just about any job that requires processing on the orchestrator and submitting data back to Keyfactor Command.
As of this release, the following functions, some of which were part of the Keyfactor Windows Orchestrator, are now included among the custom extensions supported for the Keyfactor Universal Orchestrator:
- Remote Java keystore certificate management.
- Remote PEM store certificate management. (A PEM file is base64-encoded ASCII delimited by lines such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----; it may hold a single certificate, a full certificate chain, and possibly a private key, so inventory of a PEM store needs to account for key material as well as certificates.)
- Interact with F5 devices for certificate management.
- Create new bindings for IIS web sites (the built-in IIS management tool will replace the certificate bound to a web site but not create new bindings) and manage certificates in both the Web Hosting certificate store and the Personal certificate store.
- Interact with NetScaler devices for certificate management.
These custom extensions are publicly available at:
The final release of the Keyfactor Windows Orchestrator was version 8.7. That version is fully compatible with Keyfactor Command version 10.4. Keyfactor will continue to support the Keyfactor Windows Orchestrator; however, all new integrations and extensions will be delivered via the Keyfactor Universal Orchestrator, and Keyfactor recommends that customers move to the Keyfactor Universal Orchestrator as new integrations become available. Customers with certificate store types that do not yet have a Keyfactor Universal Orchestrator extension may wish to retain one or more legacy Keyfactor Windows Orchestrators to manage those stores until such integrations become available.
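The Remote PEM store extension above has to inventory files that may mix certificates, a chain, and a private key in one PEM file. The following is an added example, written for this page and not code from Keyfactor or any of its orchestrator extensions, of how such an inventory can parse a PEM store and flag an unencrypted private key. The PEM text it runs on is constructed from placeholder bytes (the base64 bodies are not real DER), and the function and field names are the author's own, not an API of the Keyfactor Universal Orchestrator.

```python
import base64
import binascii
from dataclasses import dataclass

# Labels whose block carries private key material. "RSA PRIVATE KEY" / "EC PRIVATE KEY"
# blocks can still be encrypted; that is signalled by a Proc-Type header, not the label.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class PemBlock:
    label: str      # text between "-----BEGIN " and "-----"
    headers: dict   # RFC 1421 style headers such as Proc-Type / DEK-Info
    der: bytes      # decoded body; for CERTIFICATE blocks this would be DER

    def is_private_key(self):
        return self.label in PRIVATE_KEY_LABELS

    def is_encrypted(self):
        return (self.label == "ENCRYPTED PRIVATE KEY"
                or self.headers.get("Proc-Type") == "4,ENCRYPTED")


def parse_pem(text):
    """Parse every block in a PEM file; raise ValueError on structural damage."""
    blocks, label, headers, body = [], None, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside unterminated {label} block")
            label, headers, body = line[11:-5], {}, []
        elif line.startswith("-----END ") and line.endswith("-----"):
            end_label = line[9:-5]
            if label is None or end_label != label:
                raise ValueError(f"line {lineno}: END {end_label} does not match BEGIN {label}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"line {lineno}: invalid base64 in {label} block") from exc
            blocks.append(PemBlock(label, headers, der))
            label = None
        elif label is not None:
            if ":" in line and not body:   # header lines come before the body
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
            elif line:
                body.append(line)
        # Text outside any block (comments, "openssl x509 -text" dumps) is ignored.
    if label is not None:
        raise ValueError(f"unterminated {label} block at end of file")
    return blocks


def inventory(text):
    """Summarise a PEM store the way an inventory job would report it."""
    blocks = parse_pem(text)
    keys = [b for b in blocks if b.is_private_key()]
    return {
        "certificates": sum(1 for b in blocks if b.label == "CERTIFICATE"),
        "private_keys": len(keys),
        "plaintext_private_keys": sum(1 for k in keys if not k.is_encrypted()),
        "other_blocks": sorted({b.label for b in blocks
                                if b.label != "CERTIFICATE" and not b.is_private_key()}),
    }


def is_well_formed(text):
    try:
        parse_pem(text)
        return True
    except ValueError:
        return False


def _block(label, payload, headers=()):
    """Build one PEM block from placeholder bytes (constructed sample data, not real DER)."""
    b64 = base64.b64encode(payload).decode()
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines)


# Constructed sample store: leaf + issuing CA plus an encrypted legacy RSA key.
SAMPLE_STORE = "\n".join([
    "# constructed sample, not a real certificate chain",
    _block("CERTIFICATE", b"placeholder leaf certificate (not real DER)"),
    _block("CERTIFICATE", b"placeholder issuing CA certificate (not real DER)"),
    _block("RSA PRIVATE KEY", b"placeholder key bytes",
           ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"]),
])

# The same store with an unencrypted PKCS#8 key appended, which an inventory should flag.
SAMPLE_STORE_PLAINTEXT_KEY = SAMPLE_STORE + "\n" + _block("PRIVATE KEY", b"placeholder pkcs8 bytes")

if __name__ == "__main__":
    print(inventory(SAMPLE_STORE))
    print(inventory(SAMPLE_STORE_PLAINTEXT_KEY))
```

The parser refuses a file whose END label does not match its BEGIN label or whose body is not valid base64, rather than silently skipping the damaged block; for a store inventory that distinction matters, because a skipped block would be reported as "absent" instead of "corrupt". The plaintext-key count is the figure a practitioner would alert on.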
- Keyfactor Java Agent
The Keyfactor Java Agent runs on Windows or Linux servers and is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed. In addition, the Keyfactor Java Agent can be extended to create custom certificate store jobs.
Important: The Keyfactor Java Agent will be deprecated in version 11.0 of Keyfactor Command. Customers are encouraged to begin planning a migration to the Keyfactor Universal Orchestrator with the Remote File custom extension publicly available at:
- Keyfactor Bash Orchestrator
The Keyfactor Bash Orchestrator runs on Linux servers and is used to perform discovery and management of SSH public keys, including installation of new keys and automated removal of unauthorized keys.
Keyfactor also offers a variety of tools to allow users to develop custom orchestrators and extensions, including:
- AnyAgent
The AnyAgent capability of the Keyfactor Universal Orchestrator, Keyfactor Windows Orchestrator, and Java Agent allows management of certificates regardless of source or location by allowing customers to implement custom agent functionality.
- Keyfactor Integration SDK
The Keyfactor Integration SDK (software development kit) includes a variety of tools for building a custom orchestrator, including the Keyfactor Native Agent, which is a reference implementation intended for customers wanting to include Keyfactor Command certificate store management functionality in embedded or other platforms.
- Keyfactor Orchestrator NuGet Package
The Keyfactor Orchestrator NuGet package is designed to allow customers to build custom extensions for the Keyfactor Universal Orchestrator.
- Keyfactor GitHub Site
Keyfactor offers several publicly available integrations and plugins for the Keyfactor platform in the Keyfactor GitHub. Find all the latest developer tools and resources to integrate the Keyfactor platform with your PKI, cloud, and DevOps infrastructure.
These tools for developing custom orchestrators and extensions are not documented in this guide. For more information about these and other custom orchestrator solutions, contact your Keyfactor representative.