Orchestrator Auto-Registration

Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Orchestrator auto-registration allows you to automatically approve or deny new orchestrators without administrator input, if desired. This is useful in environments hosting a large number of orchestrators. On the Orchestrator Auto-Registration Settings page you define the conditions under which an orchestrator (e.g. the Keyfactor Universal Orchestrator or the Keyfactor Java Agent) can automatically be approved using the built-in auto-registration system. This is one of two ways that Keyfactor Command supports orchestrator auto-registration. Keyfactor Command also offers an enhanced orchestrator auto-registration system that allows the construction of custom orchestrator auto-approval handler modules. Any custom auto-registration handlers are processed before the built-in auto-registration system runs. For more information about custom auto-registration handlers, see Custom Auto-Registration Handlers.

The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed.

The configurable settings for the built-in auto-registration system are:

  • Auto-Register

    Should orchestrators be allowed to auto register? If the Auto-Register box is checked but the Validate Users setting is not checked, any orchestrator that appears in your environment will automatically be approved regardless of origin.

  • Validate Users

    Do the user accounts under which the orchestrators are running need to be a member of a specific group in order to auto-register (aka validation)?

    • User Groups

      If the user accounts must be a member of a group to auto-register (Validate Users is checked), which group or groups is that (or which user account if all orchestrators will be registering as the same user)? If the Auto-Register setting and the Validate Users settings are both enabled, then this field will be considered. If Validate Users is not checked, this setting will not be displayed.

By default, auto-registration is disabled: no orchestrator is approved without administrator action.
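The evaluation order described above (custom handlers first, then the built-in Auto-Register / Validate Users / User Groups rules), modelled as an added example; this is not Keyfactor's code. It assumes a handler returns a decision or None to defer, and that an orchestrator that fails validation is left pending for an administrator rather than denied.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Sequence

# Hypothetical model of the decision flow; not Keyfactor Command's implementation.
APPROVE, DENY, PENDING = "approve", "deny", "pending"


@dataclass(frozen=True)
class AutoRegistrationSettings:
    auto_register: bool = False          # default: nothing auto-registers
    validate_users: bool = False
    # Groups (or a single account name) the orchestrator's account must match.
    user_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class OrchestratorRequest:
    name: str
    account: str                         # account the orchestrator runs under
    groups: FrozenSet[str] = frozenset() # that account's group memberships


# Assumed handler contract: APPROVE/DENY, or None to fall through to the built-in rules.
Handler = Callable[[OrchestratorRequest], Optional[str]]


def builtin_decision(req: OrchestratorRequest,
                     settings: AutoRegistrationSettings) -> str:
    if not settings.auto_register:
        return PENDING                   # an administrator must approve manually
    if not settings.validate_users:
        return APPROVE                   # approved regardless of origin (weak setting)
    # Validate Users: the account itself, or one of its groups, must be listed.
    allowed = {req.account} | set(req.groups)
    if allowed & set(settings.user_groups):
        return APPROVE
    return PENDING                       # assumption: left for manual review


def decide(req: OrchestratorRequest,
           settings: AutoRegistrationSettings,
           handlers: Sequence[Handler] = ()) -> str:
    # Custom handlers run first; the first one that answers wins.
    for handler in handlers:
        decision = handler(req)
        if decision is not None:
            return decision
    return builtin_decision(req, settings)
```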

Important:  Orchestrator auto-registration in Keyfactor Command is only supported when using Active Directory as an identity provider (see Selecting an Identity Provider for Keyfactor Command). If you need auto-registration with an identity provider other than Active Directory, see Custom Auto-Registration Handlers.

Tip:  Click the help icon next to the Orchestrator Auto-Registration page title to open the Keyfactor Command Documentation Suite to this section. You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.