Keyfactor Command Server(s)

A Keyfactor Command server implementation is made up of several Keyfactor Command roles:

In many environments, the Keyfactor Command Management Portal, Windows Services, Web API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command., and Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Service API roles are collocated on a single server (or pair of servers if redundancy is desired). Both physical and virtual servers are supported.

For a high availability (HA) solution using the same roles on all nodes, note that the following conditions apply:

• All servers must point to the same Keyfactor Command SQL database.

• All servers must be configured with the same encryption certificate AND the corresponding private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. (see Database Tab).

• Keyfactor recommends that the Keyfactor Command Service be configured to run all services on each node. This allows the service to manage the jobs most efficiently—the service will check out jobs via a locking mechanism that will enforce that any jobs are running on only one service at a time. However, you do have the option to manually tune the jobs on the servers if desired (such that server A always does jobs 1, 2 and 3 and server B always does jobs 4, 5 and 6).

• Review load balancing rules and configuration, if applicable. Load balancing configuration is beyond the scope of this guide.

Keyfactor does not recommend installing any of these roles on a CA or on a SQL server in a production environment.

As you plan for Keyfactor Command, you need to decide upon an architecture for the implementation and prepare servers with sufficient resources accordingly. See System Requirements for more information about planning for servers with sufficient resources to support the planned roles.