Keyfactor Command Server(s)
A Keyfactor Command server implementation is made up of several Keyfactor Command roles:
Keyfactor Command Management Portal
The server with this role provides the web-based administration interface that is used to view and report on certificates issued in the environment and enroll for certificates. This role runs under Microsoft IIS. Configuration for the Keyfactor Command implementation as a whole is also done through the Keyfactor Command Management Portal. The Logi Analytics Platform for reporting is hosted on the server with this role.
This role is required on all Keyfactor Command servers.
Keyfactor Command Windows Services
The server with this role hosts the back-end services required to support Keyfactor Command. This includes the Keyfactor Command Service, which runs all periodic tasks throughout Keyfactor Command, including CA synchronization, monitoring alerts, and report automation.
This role is required on all Keyfactor Command servers.
Keyfactor Command Web API
The server with this role hosts the Keyfactor API. The Keyfactor API is also included in the Management Portal role, since the Management Portal makes extensive use of this API.
This role is optional. If you choose not to install it, you will still be able to use the Keyfactor API through the Management Portal role. The separate role exists for users who wish to host the Keyfactor API on a different server from the Management Portal server.
Keyfactor Command Orchestrator Service API
The server with this role hosts the back-end service for receiving requests from and sending requests to Keyfactor agents and orchestrators.
This role is optional. If you choose not to install this role, you will not be able to use agents and orchestrators with Keyfactor Command.
Keyfactor Command CA Connector API
The server with this role hosts the CA Connector API. This API includes endpoints to support connections from remote CA clients.
This role is optional. If you choose not to install this role, you will not be able to use remote CA clients with Keyfactor Command.
This component uses OAuth for authentication even if you've opted to use Active Directory authentication for the remainder of your Keyfactor Command installation, and therefore requires an OAuth 2.0 compliant identity provider. You may choose to install Keyfactor Identity Provider if you do not have an alternate provider (see Installing Keyfactor Identity Provider).
In many environments, the Keyfactor Command Management Portal, Windows Services, Web API, and Orchestrator Service API roles are collocated on a single server (or on a pair of servers if redundancy is desired). Both physical and virtual servers are supported.
For a high availability (HA) solution using the same roles on all nodes, note that the following conditions apply:
- All servers must point to the same Keyfactor Command SQL database.
- All servers must be configured with the same encryption certificate AND the corresponding private key (see Database Tab).
- Keyfactor recommends that the Keyfactor Command Service be configured to run all services on each node. This allows the service to manage jobs most efficiently: the service checks out jobs via a locking mechanism that ensures any given job runs on only one service at a time. However, you have the option to manually tune the jobs on the servers if desired (for example, so that server A always runs jobs 1, 2 and 3 and server B always runs jobs 4, 5 and 6).
- Review load balancing rules and configuration, if applicable. Load balancing configuration is beyond the scope of this guide.
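Because the encryption certificate and its private key must be identical on every HA node, it is worth confirming this from each node's machine certificate store before putting the nodes behind a load balancer. The PowerShell below is an added example, not code from Keyfactor or from this guide; the node names and the thumbprint are placeholders, and it assumes the encryption certificate is installed in Cert:\LocalMachine\My and that WinRM is enabled on the nodes.

```powershell
# Added example (not Keyfactor's own code): confirm that every HA node holds the
# same encryption certificate AND a private key the caller can actually open.
# Placeholders: substitute your own node names and the certificate thumbprint.
$Nodes      = @('KFCMD01', 'KFCMD02')                       # assumed node names
$Thumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'    # assumed thumbprint

$results = Invoke-Command -ComputerName $Nodes -ArgumentList $Thumbprint -ScriptBlock {
    param($Thumbprint)

    # Assumption: the encryption certificate lives in the machine personal store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    # HasPrivateKey only says a key is linked to the certificate. Actually opening
    # the key proves the current account is allowed to use it, which is what the
    # Keyfactor Command services will need at runtime.
    $keyReadable = $false
    if ($cert -and $cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $keyReadable = ($null -ne $rsa)
        }
        catch {
            $keyReadable = $false
        }
    }

    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Found         = [bool]$cert
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
        KeyReadable   = $keyReadable
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$results | Format-Table Node, Found, HasPrivateKey, KeyReadable, NotAfter -AutoSize

# Any node that fails one of the three conditions would break decryption of the
# shared database contents once traffic is balanced onto it.
$bad = $results | Where-Object { -not ($_.Found -and $_.HasPrivateKey -and $_.KeyReadable) }
if ($bad) {
    Write-Warning "Nodes missing certificate $Thumbprint or a usable private key:"
    $bad | Format-Table Node, Found, HasPrivateKey, KeyReadable -AutoSize
}
else {
    Write-Host "All nodes hold certificate $Thumbprint with a usable private key."
}
```

Run this as the account the Keyfactor Command services run under (or pass -Credential to Invoke-Command), since the KeyReadable column reflects that account's access to the key, not merely the key's existence. Matching thumbprints prove only that the public certificates are the same; the private key must have been imported to each node (for example from the same PFX) or live on a shared key provider.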
Keyfactor does not recommend installing any of these roles on a CA or on a SQL server in a production environment.
As you plan for Keyfactor Command, you need to decide upon an architecture for the implementation and prepare servers with sufficient resources accordingly. See System Requirements for more information about planning for servers with sufficient resources to support the planned roles.