Physical Architecture
Figure 440: Keyfactor Command Physical Architecture Diagram shows the physical architecture of the Keyfactor Command solution.
For simplicity, the servers in Figure 440: Keyfactor Command Physical Architecture Diagram are shown as single physical instances. In practice, these servers may be virtual machines and may be load balanced or clustered to meet availability or performance requirements. The diagram includes some optional components—including the Keyfactor vendor gateways and Keyfactor orchestrators—which are not covered in this guide. For more information about these components, see the
- Keyfactor Command-Dedicated Servers:
  - Keyfactor Command Server—This server hosts the Keyfactor Command Management Portal, the Keyfactor Command vSCEP™ and Services roles, and the Logi Analytics Platform for report generation. These roles run as ASP.NET (4.5 or higher) applications on IIS. Both Windows Server 2019 and 2022 are supported.
- Enterprise-Shared Servers:
  - Microsoft SQL Server—Keyfactor Command supports Microsoft SQL Server 2017, 2019 and 2022, all with TLS encryption enabled, for its primary database. While a dedicated SQL deployment is certainly an option, many organizations maintain a well-established SQL server farm to support multiple applications within the organization; if preferred, Keyfactor Command can easily make use of such a service. Keyfactor does not recommend locating the Keyfactor Command roles on the SQL server in a production deployment.
  - Web Reverse Proxy—If Internet-based access is required, the Keyfactor Command services can be published through a variety of reverse proxy products such as Microsoft UAG/TMG, F5, SiteMinder, or NetScaler.
  - Network-based Hardware Security Module (HSM not pictured)—In certain configurations, Keyfactor Command requires the use of Enrollment Agent (EA) and/or Key Recovery Agent (KRA) certificates. To provide additional security over these certificates’ private keys, Keyfactor strongly recommends the use of a Hardware Security Module (HSM) such as the Thales NetHSM if these features will be used.