Orchestrator Auto-Registration

Orchestrator auto-registration allows you to automatically approve or deny new orchestrators without administrator input, if desired. This is useful in environments hosting a large number of orchestrators. On the Orchestrator Auto-Registration Settings page you define the conditions under which an orchestrator (e.g. Keyfactor Windows Orchestrator, Keyfactor Java Agent, or Keyfactor Mac Auto-Enroll Agent) can automatically be approved using the built-in auto-registration system.

This is one of two ways that Keyfactor Command supports orchestrator auto-registration. Keyfactor Command also offers an enhanced orchestrator auto-registration system that allows the construction of custom orchestrator auto-approval handler modules. Any custom auto-registration handlers are processed first before the built-in auto-registration system runs. For more information about custom auto-registration handlers, see Custom Auto-Registration Handlers.

Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed.

The configurable settings for the built-in auto-registration system are:

  • Auto-Register

    Should orchestrators be allowed to auto-register? If the Auto-Register box is checked but the Validate Users setting is not checked, any orchestrator that appears in your environment will automatically be approved regardless of origin.

  • Validate Users

    Do the user accounts under which the orchestrators are running need to be members of a specific group in order to auto-register (also known as validation)?

    • User Groups

      If the user accounts must be members of a group to auto-register (Validate Users is checked), which group or groups are required (or which user account, if all orchestrators will be registering as the same user)? This field is considered only if the Auto-Register and Validate Users settings are both enabled. If Validate Users is not checked, this setting will not be displayed.

The default auto-registration settings are to allow no orchestrators to auto-register.

Tip: Click the help icon next to the Orchestrator Auto-Registration page title to open the embedded web copy of the Keyfactor Command Documentation Suite to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.