Install the Universal Orchestrator on Windows

To install the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux. on Windows, copy the zip file containing installation files to a temporary working directory on the Windows server and unzip it.

Note:  In some instances, downloading a compressed file on Windows can cause the file to be marked as blocked. If you unzip a blocked file and proceed with the installation, the installation may fail with an error about missing files or dependencies (e.g. “Could not load file or assembly [filename] or one of its dependencies...”). Before beginning the installation, check the zip file before unzipping it to confirm that it is not blocked and unblock it if it is blocked.

Figure 530: Installation Files Blocked after Download

To begin the installation:

  1. On the Windows machine on which you wish to install the orchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores., open a PowerShell window using the “Run as Administrator” option and change to the temporary directory where you placed the installation files.
  2. In the PowerShell window, run the following commands to populate a variable with the user credentials for the Keyfactor Command connect service account (see Create Service Accounts for the Universal Orchestrator) and, if you plan to run the orchestrator as a standard custom service account (rather than the default of Network Service), populate a variable with the user credentials for the Universal Orchestrator service account:

    $credKeyfactor = Get-Credential
    $credService = Get-Credential

    Enter the appropriate username and password when prompted. In these examples, credKeyfactor is used for the for the Keyfactor Command connect service account that the orchestrator uses to connect to Keyfactor Command and credService is used for the Universal Orchestrator service account that the service runs as. Usernames should be given in DOMAIN\username format.

    To avoid being prompted for credentials while using Network Service to run the local service:

    $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
    $keyfactorPassword = "MySecurePassword"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)

    To avoid being prompted for credentials while using a standard AD service account to run the local service:

    $serviceUser = "DOMAIN\myserviceusername"
    $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
    $keyfactorPassword = "MyFirstSecurePassword"
    $servicePassword = "MySecondSecurePassword"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)

    To avoid being prompted for credentials while using a group managed service account (gMSA) to run the local service:

    $serviceUser = "DOMAIN\myGMSAserviceusername$"
    $keyfactorUser = "DOMAIN\mykeyfactorconnectusername"
    $keyfactorPassword = "MySecurePassword"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser,(New-Object System.Security.SecureString))
    Tip:  In some cases, you may be using the same service account for both the Universal Orchestrator service account role and the Keyfactor Command connect service account role. If this is the case, you may use a single variable for both passwords in the next step.
    Note:  Group managed service accounts are not supported for use in making the connection to Keyfactor Command.
  3. In the PowerShell window, run the install.ps1 script using the following syntax to begin the installation:

    Installation example with expected output using basic authentication (rather than a client certificate) and Network Service to run the local service:

    $keyfactorUser = "KEYEXAMPLE\svc_kyforch1"
    $keyfactorPassword = "MySecurePassword123!"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
    
    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -WebCredential $credKeyfactor -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all
    Copying files Setting configuration data Installing Windows Service Granting necessary file permissions to NT AUTHORITY\NETWORK SERVICE for configuration file Starting service KeyfactorOrchestrator-Default

    Installation example with expected output using basic authentication (rather than a client certificate) and a standard AD service account to run the local service:

    $serviceUser = "KEYEXAMPLE\svc_kyforch1"
    $keyfactorUser = "KEYEXAMPLE\svc_kyforch2"
    $servicePassword = "MyFirstSecurePassword123!"
    $keyfactorPassword = "MySecondSecurePassword456#"
    $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
    
    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -WebCredential $credKeyfactor -ServiceCredential $credService -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all
    Copying files Setting configuration data Installing Windows Service Granting necessary file permissions to KEYEXAMPLE\svc_kyforch1 for configuration file Granting Log on as a Service permission to KEYEXAMPLE\svc_kyforch1 Starting service KeyfactorOrchestrator-Default

    Installation example with expected output using basic authentication (rather than a client certificate) and an AD gMSA to run the local service:

    $serviceUser = "KEYEXAMPLE\GMSA_kyforch$"
    $keyfactorUser = "KEYEXAMPLE\svc_kyforch"
    $keyfactorPassword = "MySecurePassword123!"
    $secKeyfactorPassword = ConvertTo-SecureString $keyfactorPassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser,(New-Object System.Security.SecureString))
    $credKeyfactor = New-Object System.Management.Automation.PSCredential ($keyfactorUser, $secKeyfactorPassword)
    
    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -WebCredential $credKeyfactor -ServiceCredential $credService -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all
    Copying files Setting configuration data Installing Windows Service Granting necessary file permissions to KEYEXAMPLE\GMSA_kyforch$ for configuration file Granting Log on as a Service permission to KEYEXAMPLE\GMSA_kyforch$ Starting service KeyfactorOrchestrator-Default
    Important:  Prior to using a gMSA in the installation, you need to have installed the account on the Universal Orchestrator server using the Install-ADServiceAccount PowerShell command. For example:

    Install-ADServiceAccount -Identity GMSA_kyforch$

    This requires the Active Directory module for Windows PowerShell, which is installed as a feature as part of the Remote Server Administrator Tools.

    Installation example with expected output using client certificate authentication with the certificate stored in the local machine store:

    $serviceUser = "KEYEXAMPLE\svc_kyforch"
    $servicePassword = "MySecurePassword123!"
    $secServicePassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
    $credService = New-Object System.Management.Automation.PSCredential ($serviceUser, $secServicePassword)
    
    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -ClientCertificateThumbprint 29b21df7403b4afe6daf44762e5c47fb73c07ce7 -ServiceCredential $credService -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all
    Copying files Setting configuration data Installing Windows Service Granting necessary file permissions to KEYEXAMPLE\svc_kyforch for configuration file Granting Log on as a Service permission to KEYEXAMPLE\svc_kyforch Starting service KeyfactorOrchestrator-Default
    Tip:  The client certificate authentication example shown here references a certificate stored in the local machine store. Because of this, the service account that will run the Universal Orchestrator service needs to be granted permissions to read the private key of the certificate before the installation is run. If the certificate had been acquired into the Universal Orchestrator service account user's personal store rather than the local machine store, the step of granting private key read permissions would not have been necessary.

    Installation example with expected output using client certificate authentication with the certificate stored as a file:

    .\install.ps1 -URL https://keyfactor.keyexample.com/KeyfactorAgents -ClientCertificate C:\Certs\kyforch.pfx -ClientCertificatePassword MySecurePassword123! -OrchestratorName websrvr42-IIS.keyexample.com -Capabilities all
    
    Copying files Setting configuration data Installing Windows Service Granting necessary file permissions to KEYEXAMPLE\svc_kyforch for configuration file Granting Log on as a Service permission to KEYEXAMPLE\svc_kyforch Starting service KeyfactorOrchestrator-Default
    Tip:  The client certificate authentication example shown here does not use the -ServiceCredential parameter. This will cause the Universal Orchestrator service to run as Network Service. If you prefer to run the service as a domain service account, you will need to include the -ServiceCredential parameter and specify the PSCredential value for the service credentials appropriately, as shown in the previous examples.

    Network Service will need to be granted read and write permissions on the PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. file before the script is executed.

  4. Review the output from the installation to confirm that no errors have occurred.

The script creates a directory, C:\Program Files\Keyfactor\Keyfactor Orchestrator by default, and places the orchestrator files in this directory. Log files are found in C:\Program Files\Keyfactor\Keyfactor Orchestrator\logs by default, though this is configurable (see Configure Logging for the Universal Orchestrator).

The orchestrator service, by default given a display name of Keyfactor Orchestrator Service (Default), should be automatically started at the conclusion of the install and configured to restart on reboot unless you have selected the NoService parameter.

Tip:   Once the installation of the orchestrator is complete, you need to use the Keyfactor Command Management Portal to approve the orchestrator and configure certificate stores or SSL jobs as per the Keyfactor Command Reference Guide:

If you've opted to enable remote CA management for the orchestrator, further configuration is needed (see Configure the Universal Orchestrator for Remote CA Management).