Appendix - Set up the Universal Orchestrator to Use Client Certificate Authentication Directly

The Keyfactor Universal Orchestrator can be configured to support client certificate authentication by acquiring a certificate for the Keyfactor Command connect service account user or machine account of the orchestrator, storing it in Active Directory, and then providing it to Keyfactor Command.

Complete the following steps and then configure the orchestrator to enable client certificate authentication as per the installation instructions (see -ClientCertificate (Client Certificate Authentication) or Install the Universal Orchestrator on a Linux Server).

Client certificate authentication using this method has the following requirements:

Note:  The following instructions assume that your Keyfactor Command server is already installed and configured with an SSL certificate that is trusted in your environment. If this is not the case, this will also need to be done.

Configure Keyfactor Command for Client Certificate Authentication

First, configure Keyfactor Command to enable client certificate authentication for the orchestrators. Once you do this, all orchestrators connecting to this instance of Keyfactor Command will be required to provide a certificate to authenticate. If you have some orchestrators deployed that do not support certificate authentication (e.g. Java agents), you will need to design a solution with multiple Keyfactor Command servers to support multiple authentication types. Contact your Keyfactor representative for assistance with this.

The KeyfactorAgents endpoint in Keyfactor Command must be configured to Use SSL and the CA CRL endpoints must be reachable by the orchestrator for every CA in the chain for both the CA that issued the SSL certificate on the Keyfactor Command server and the CA that will issue the client authentication certificates.

To configure Keyfactor Command to require client certificate authentication for orchestrators:

  1. On the Keyfactor Command server, open the Keyfactor Configuration Wizard.
  2. In the Certificate Authentication section of the Orchestrators tab, check the Enabled box.
  3. In the Certificate Authentication HTTP Header field, enter a Header Name. For the purposes of this configuration, the value you enter here is not significant: the field is required, so you must enter something, but the value is not used.
  4. In the Certificate Authentication Username and Certificate Authentication Password fields, enter the credentials for an Active Directory service account for the orchestrator(s).
    Tip:  The service account entered here does not need to match the service account used to authenticate the orchestrator.
  5. Click Verify Configuration and Apply Configuration.

Figure 631: Configure Keyfactor Command for Client Certificate Authentication

Configure Certificate Authentication and SSL Settings in IIS

Make the following changes in the IIS Management console on the Keyfactor Command server:

  1. In the IIS Management console, highlight the server name on the left and open Authentication. Make sure Anonymous Authentication is the only enabled method.

    Figure 632: Configure only Anonymous Authentication at the Server Level in IIS

  2. In the IIS Management console, highlight Default Web Site (or the web site name you’re using) on the left and open Authentication. Make sure Anonymous Authentication is the only enabled method.

    Figure 633: Configure only Anonymous Authentication at the Web Site Level in IIS

  3. In the IIS Management console, drill down into sites and into the Default Web Site (or other web site if your Keyfactor Command instance has been installed in an alternate web site). Under the Default Web Site, locate the KeyfactorAgents application and open Authentication for this. Disable all the authentication methods and enable only Anonymous Authentication.

    Figure 634: Disable Authentication Methods at the Application Level in IIS

  4. In the IIS Management console, open SSL Settings for the KeyfactorAgents application. Check the Require SSL box and select either Require or Accept for Client certificates.

    Important:  Only select Require if you are only using orchestrators that support client certificate authentication and plan to configure all of them for certificate authentication.

    Figure 635: Configure SSL Settings in IIS for Client Certificate Authentication

    Tip:  If your KeyfactorAgents endpoint is running on a standalone server with no other Keyfactor roles, you may also configure your server to Require or Accept for Client certificates at the Default Web Site level. It is good security practice to check the Require SSL box. If your KeyfactorAgents endpoint is running on a server with other Keyfactor roles, you do not need to accept client certificates at this level and should not require them at this level.
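The IIS steps above (Anonymous Authentication only at server, site and application level; Require SSL plus Accept or Require for client certificates on KeyfactorAgents) and the earlier requirement that every CA CRL in the chain be reachable can also be applied and verified from PowerShell. The following is an added example, not code from the Keyfactor documentation or product. It assumes the WebAdministration module on the Keyfactor Command server, a site named Default Web Site with the KeyfactorAgents application, and a hypothetical exported server SSL certificate path in $serverCertPath for the optional CRL check.

```powershell
# Added example, not part of the Keyfactor documentation or product: applies the IIS
# authentication and SSL settings from the steps above with the WebAdministration
# module, reads them back, and (optionally) checks CRL/AIA reachability with certutil.
# Assumptions: run elevated on the Keyfactor Command server; the site is
# 'Default Web Site' and the application is 'KeyfactorAgents'; $serverCertPath is a
# hypothetical path to the exported server SSL certificate.
Import-Module WebAdministration

$siteName          = 'Default Web Site'
$appLocation       = "$siteName/KeyfactorAgents"
$requireClientCert = $false   # $true = "Require", $false = "Accept"; see the Important note above
$serverCertPath    = 'C:\temp\keyfactor-server.cer'   # assumption; used only by the optional CRL check
$appHost           = 'MACHINE/WEBROOT/APPHOST'        # write to applicationHost.config, not a web.config

# Every IIS authentication method other than Anonymous must end up disabled.
$otherAuth = @(
    'basicAuthentication', 'windowsAuthentication', 'digestAuthentication',
    'clientCertificateMappingAuthentication', 'iisClientCertificateMappingAuthentication'
)

function Set-AnonymousOnly {
    # $Location '' = server level; 'Default Web Site' = site; 'Default Web Site/KeyfactorAgents' = application
    param([string]$Location)
    $target = @{ PSPath = $appHost }
    if ($Location) { $target['Location'] = $Location }
    Set-WebConfigurationProperty @target -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
    foreach ($method in $otherAuth) {
        Set-WebConfigurationProperty @target -Filter "system.webServer/security/authentication/$method" -Name enabled -Value $false
    }
}

function Get-IisValue {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute for some properties and a raw value for others.
    param([string]$Location, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# Steps 1-3: Anonymous Authentication only, at server, site and application level.
Set-AnonymousOnly -Location ''
Set-AnonymousOnly -Location $siteName
Set-AnonymousOnly -Location $appLocation

# Step 4: Require SSL on KeyfactorAgents and negotiate (Accept) or demand (Require) a client certificate.
# 'Ssl,SslNegotiateCert' corresponds to Accept; adding 'SslRequireCert' corresponds to Require.
$sslFlags = if ($requireClientCert) { 'Ssl,SslNegotiateCert,SslRequireCert' } else { 'Ssl,SslNegotiateCert' }
Set-WebConfigurationProperty -PSPath $appHost -Location $appLocation -Filter 'system.webServer/security/access' -Name sslFlags -Value $sslFlags

# Read back what IIS now holds for the application so the change can be verified (or audited later).
"Authentication at $appLocation :"
foreach ($method in @('anonymousAuthentication') + $otherAuth) {
    $enabled = Get-IisValue -Location $appLocation -Filter "system.webServer/security/authentication/$method" -Name enabled
    '  {0,-45} enabled={1}' -f $method, $enabled
}
'  sslFlags = {0}' -f (Get-IisValue -Location $appLocation -Filter 'system.webServer/security/access' -Name sslFlags)

# Requirement from above: every CA in the chain must publish a CRL the orchestrator can reach.
# certutil -verify -urlfetch downloads each CDP/AIA URL in the chain and reports any that fail;
# run the same command on the orchestrator host, and for the client authentication certificate too.
if (Test-Path $serverCertPath) {
    certutil -verify -urlfetch $serverCertPath | Select-String -Pattern 'Verified|Failed|Error|revocation'
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil reported a chain or revocation problem for $serverCertPath" }
}
```

Leave $requireClientCert at $false (Accept) unless every orchestrator connecting to this server will present a client certificate; with Require, any orchestrator that cannot do so is refused at the TLS layer before it reaches Keyfactor Command. The script deliberately does not touch SSL settings at the Default Web Site level; per the Tip above, do that only on a standalone KeyfactorAgents server.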