Create Service Accounts for the Universal Orchestrator
The Keyfactor Universal Orchestrator uses up to two service accounts to communicate with the Keyfactor Command server. These two service accounts work together to transfer information from the Universal Orchestrator to the Keyfactor Command server. The two service accounts can be thought of as players on two sides of a fence: the service account that the Universal Orchestrator runs as lobs information over the fence, and the service account that communicates with the Keyfactor Command server catches it and hands it to the Keyfactor Command server. Below, these are referred to as the Universal Orchestrator service account and the Keyfactor Command connect service account.
The service accounts need to be created prior to installation of the Universal Orchestrator software (except as noted below for installations on Linux), and the person installing the Universal Orchestrator software needs to know the domain (if applicable), username and password of each service account.
Universal Orchestrator Service Account
Your choice of service account may vary depending on the operating system on which you are installing the orchestrator:
Keyfactor Command Connect Service Account
For the Keyfactor Command connect service account, the service account you use depends on the identity provider you’re using:
- If you're using Active Directory as an identity provider, a standard Active Directory service account in the primary Keyfactor Command server forest is used. Group managed service accounts are not supported in this role.

  Tip: If the Universal Orchestrator is installed on Windows in the same forest as the Keyfactor Command server, the same Active Directory service account may be used as both the Universal Orchestrator service account and the Keyfactor Command connect service account, if desired.

- If you're using an identity provider other than Active Directory, a client (not user) in the identity provider is used. The client should be configured with a secret and have Client authentication and Service account roles enabled (see Service Accounts). The user installing the orchestrator will need the client ID and secret.
Figure 568: Client Secret for Orchestrator Client in Keyfactor Identity Provider
This service account appears in the Management Portal Orchestrator Management grid as the Identity for the Universal Orchestrator.
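The following is an added PowerShell example for the Active Directory case above; it is not Keyfactor's code and does not come from the Keyfactor documentation. It creates the Keyfactor Command connect service account as a standard user object (the role does not support group managed service accounts) and then confirms that the resulting object is a plain user rather than a gMSA. The account name, OU, UPN suffix and description are assumptions; substitute your own.

```powershell
# Added example (not Keyfactor's code). Run on a domain-joined machine with the
# RSAT ActiveDirectory module, as a user allowed to create objects in the target OU.
Import-Module ActiveDirectory

$name = 'svc-kf-connect'                           # assumed account name
$ou   = 'OU=Service Accounts,DC=corp,DC=example'   # assumed target OU
$upn  = "$name@corp.example"                       # assumed UPN suffix

# The installer will need this password, so capture it once and record it in
# your secret store; do not echo it.
$password = Read-Host -AsSecureString -Prompt "Password for $name"

# A standard user object, NOT New-ADServiceAccount: gMSAs are unsupported here.
New-ADUser -Name $name `
    -SamAccountName $name `
    -UserPrincipalName $upn `
    -Path $ou `
    -AccountPassword $password `
    -Enabled $true `
    -CannotChangePassword $true `
    -Description 'Keyfactor Universal Orchestrator: Command connect service account'

# Verify the object class. A gMSA reports msDS-GroupManagedServiceAccount;
# a standard account reports user.
$acct = Get-ADUser -Identity $name -Properties ObjectClass, UserPrincipalName
if ($acct.ObjectClass -ne 'user') {
    throw "$name is a $($acct.ObjectClass), not a standard user account"
}

# Echo what the person running the orchestrator installer must be given.
[pscustomobject]@{
    Domain   = (Get-ADDomain).NetBIOSName
    Username = $acct.SamAccountName
    UPN      = $acct.UserPrincipalName
}
```

Password expiry is deliberately left at the domain default; if your policy requires a non-expiring password for service accounts, add `-PasswordNeverExpires $true` and put the account under a rotation process instead of relying on the flag.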
Permissions
The user installing the orchestrator must hold the SeBackupPrivilege and SeRestorePrivilege user rights on the Keyfactor Universal Orchestrator server. Administrators are normally granted these rights by default, but you should confirm them before starting the install. These rights can be set through Group Policy or Local Security Policy, under Local Policies\User Rights Assignment, as Back up files and directories and Restore files and directories.
Figure 569: Local Security Policy
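As an added example (not Keyfactor's code and not from the Keyfactor documentation), the check below confirms from the orchestrator server itself that the installing user's token carries both rights, and then shows which groups the policy assigns them to. One caveat a practitioner should know: under UAC, a non-elevated prompt runs with a filtered token that does not include these privileges even when the user is a local administrator, so run this (and the installer) from an elevated prompt. Only the temporary export file name is an assumption.

```powershell
# Added example (not Keyfactor's code). Run from an elevated PowerShell prompt
# on the Universal Orchestrator server, as the user who will run the installer.

$required = @('SeBackupPrivilege', 'SeRestorePrivilege')

# 1. Token check: whoami /priv lists the privileges present in the current
#    access token, one per line, privilege name first. Present but "Disabled"
#    is fine; the installer can enable a privilege it holds. Absent is not.
$held = whoami /priv |
    Select-String -Pattern '^Se\w+Privilege' |
    ForEach-Object { $_.Matches[0].Value }

$missing = $required | Where-Object { $held -notcontains $_ }

if ($missing) {
    Write-Warning ("Token on {0} is missing: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
    Write-Warning 'If you are a local administrator, make sure this prompt is elevated; otherwise grant the rights below and sign out and back in.'
} else {
    Write-Host 'SeBackupPrivilege and SeRestorePrivilege are present in the current token.'
}

# 2. Policy check: export the effective User Rights Assignment so you can see
#    which principals (as SIDs) hold the two rights. S-1-5-32-544 is
#    BUILTIN\Administrators, S-1-5-32-551 is BUILTIN\Backup Operators.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'   # assumed temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^(SeBackupPrivilege|SeRestorePrivilege)\s*=' |
    ForEach-Object { $_.Line }
Remove-Item $inf -ErrorAction SilentlyContinue
```

If the policy lines show the right assigned to a group the installing user is in but the token check still reports it missing, the usual cause is a session started before the assignment took effect; user rights are applied at logon, so sign out and back in rather than just opening a new prompt.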
For more information on this from Microsoft, see: