Install the Universal Orchestrator on a Linux Server

To install the Keyfactor Universal Orchestrator on a Linux server, copy the zip file containing installation files to a temporary working directory on the Linux server and unzip it.

The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers.

To begin the installation:

  1. On the Linux machine on which you wish to install the orchestrator, in a command shell change to the InstallationScripts subdirectory under the temporary directory where you placed the installation files. (Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores.)
  2. Use the chmod command to make the install.sh script file executable. The file ships in a non-executable state to avoid accidental execution. For example:

    sudo chmod +x install.sh
  3. In the command shell, run the install.sh script as root using the following parameters to begin the installation:

    Installation example with expected output using Basic authentication (the password for the svc_kyforch service account is saved in my_password_file):

    vi my_password_file
    
    sudo ./install.sh --url https://keyfactor.keyexample.com/KeyfactorAgents --username svc_kyforch@keyexample.com --secret-file-path my_password_file --orchestrator-name appsrvr16-ssl.keyexample.com --capabilities all --force
    Creating user keyfactor-orchestrator
    Copying files from /tmp/KeyfactorOrchestrator to /opt/keyfactor/orchestrator
    Saving app settings
    Setting file permissions
    Installing systemd service keyfactor-orchestrator-default
    Created symlink /etc/systemd/system/multi-user.target.wants/keyfactor-orchestrator-default.service → /etc/systemd/system/keyfactor-orchestrator-default.service.
    Starting systemd service keyfactor-orchestrator-default

    Installation example with expected output using token authentication (the secret for the client is provided on standard input):

    echo "WcHlahyku6wmD0a6rjOXClrkz0Jw9sGh" | sudo ./install.sh --url https://keyfactor.keyexample.com/KeyfactorAgents --bearer-token-url https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token --token-lifetime 300 --client-id Universal-Orchestrator --secret-std-in --orchestrator-name appsrvr16-ssl.keyexample.com --capabilities all --force
    
    Creating user keyfactor-orchestrator
    Copying files from /tmp/KeyfactorOrchestrator to /opt/keyfactor/orchestrator
    Setting file permissions and saving app settings
    Installing systemd service keyfactor-orchestrator-default
    Created symlink /etc/systemd/system/multi-user.target.wants/keyfactor-orchestrator-default.service → /etc/systemd/system/keyfactor-orchestrator-default.service.
    Starting systemd service keyfactor-orchestrator-default

    Installation example with expected output using client certificate authentication (the password for the client certificate is saved in cert_password_file):

    vi cert_password_file
    
    sudo ./install.sh --url https://keyfactor.keyexample.com/KeyfactorAgents --client-auth-certificate /opt/certs/kyforch.p12 --secret-file-path cert_password_file --orchestrator-name appsrvr16-ssl.keyexample.com --capabilities all --force
    Creating user keyfactor-orchestrator
    Copying files from /tmp/KeyfactorOrchestrator to /opt/keyfactor/orchestrator
    Saving app settings
    Setting file permissions
    Installing systemd service keyfactor-orchestrator-default
    Created symlink /etc/systemd/system/multi-user.target.wants/keyfactor-orchestrator-default.service → /etc/systemd/system/keyfactor-orchestrator-default.service.
    Starting systemd service keyfactor-orchestrator-default
  4. Review the output from the installation to confirm that no errors have occurred.
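
The examples in step 3 create the password file with `vi`, which under a typical umask of 022 leaves it world-readable in the temporary working directory. The following helper is an added example, not part of the Keyfactor documentation or installer: it creates the file passed to --secret-file-path with mode 0600 and checks it before use. The function names write_secret_file and secret_file_ok are hypothetical.

```shell
#!/bin/sh
# Added example (not Keyfactor code): prepare and vet the file that is
# later handed to install.sh via --secret-file-path.

# Read one line from stdin and write it to $1 with mode 0600,
# regardless of the caller's umask or any pre-existing file at that path.
write_secret_file() {
    (
        umask 077
        rm -f -- "$1"                      # drop stale file or symlink first
        if [ -t 0 ]; then stty -echo; fi   # do not echo a typed secret
        IFS= read -r secret || [ -n "$secret" ] || exit 1
        if [ -t 0 ]; then stty echo; echo; fi
        printf '%s\n' "$secret" > "$1"
    )
}

# Succeed only if $1 is a regular, non-empty file (not a symlink),
# owned by the current user, with no group/other permission bits.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other columns of the mode
    [ "$perms" = "------" ]
}

# Usage with the Basic authentication example above, run from the
# InstallationScripts directory:
#
#   write_secret_file my_password_file     # type the password, press Enter
#   secret_file_ok my_password_file && \
#     sudo ./install.sh --url https://keyfactor.keyexample.com/KeyfactorAgents \
#       --username svc_kyforch@keyexample.com \
#       --secret-file-path my_password_file \
#       --orchestrator-name appsrvr16-ssl.keyexample.com \
#       --capabilities all --force
```

The same two functions apply unchanged to cert_password_file in the client certificate example.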

The script creates a directory, /opt/keyfactor/orchestrator by default, and places the orchestrator files in this directory. Log files are found in /opt/keyfactor/orchestrator/logs by default, though this is configurable (see Configure Logging for the Universal Orchestrator).

The orchestrator service, by default named keyfactor-orchestrator-default.service, should be automatically started at the conclusion of the install and configured to restart on reboot unless you have selected the no-service parameter.

Tip: Once the installation of the orchestrator is complete, you need to use the Keyfactor Command Management Portal to approve the orchestrator and configure certificate stores or SSL jobs: