Install the Keyfactor Command Components on the Keyfactor Command Server(s)

Before you begin the installation, make sure that you have reviewed the system requirements (see System Requirements), completed the prerequisites (see Planning & Preparing), and have your Keyfactor Command license file ready to upload during the configuration.

The following installation steps show all possible Keyfactor Command features enabled. Your Keyfactor Command license may not cover all Keyfactor Command features. If it does not, unlicensed features will not be shown in the configuration wizard. You may skip those configuration steps.

To begin the Keyfactor Command installation, execute the KeyfactorPlatform.msi file from the Keyfactor Command installation media and install as follows.

  1. On the first installation page, click Next to begin the setup wizard.

    Figure 535: Install: Begin Setup Wizard

  2. On the next page, read and accept the license agreement and click Next. Click Print to review a printed copy if desired.
  3. On the next page, select the components to install. For a server with the default roles collocated, leave the default options and click Next to continue. If desired, you can highlight Keyfactor Command and click Browse to select an alternate installation location for the files. The default installation location is:

    C:\Program Files\Keyfactor\Keyfactor Platform\

    Note:  Although Figure 536: Install: Select Components shows only the default components selected, the remainder of this page covers configuring Keyfactor Command as though all the components have been selected.

    Figure 536: Install: Select Components

    Tip:  Refer to Keyfactor Command Server(s) for a description of these components.

    Table 899: Available components for Keyfactor Command.

    Management Portal: Mandatory. Web-based management console for configuring all aspects of Keyfactor Command. The Keyfactor API will be installed with this component.
    Windows Services: Mandatory. Includes the timer Windows service to manage timed events, such as CA Sync, PKI monitoring and system maintenance.
    Web API: Optional. The Keyfactor API component. This allows the Keyfactor API for external use to be installed on a separate server from the Management Portal, if desired.
    Orchestrator Services API: Optional. Only required if agents or orchestrators will be used in conjunction with Keyfactor Command. Web-based orchestrator services API.
    CA Connector API: Optional. Only required if remote CA clients will be used. Web-based CA connector API. This component is disabled by default.

    Important:  This component requires an instance of RabbitMQ (https://www.rabbitmq.com) to complete the communication from Keyfactor Command to Remote CA Connectors and remote CAs (though RabbitMQ only communicates directly to Keyfactor Command, not the Remote CA Connectors). In many cases, this would be a containerized instance. For example:

    The component uses OAuth for authentication even if you've opted to use Active Directory authentication for the remainder of your Keyfactor Command installation, and therefore requires an OAuth 2.0 compliant implementation. You may choose to install Keyfactor Identity Provider if you do not have an alternate provider (see Installing Keyfactor Identity Provider).

  4. On the next screen, click Install.
  5. On the final installation wizard page, leave the Launch the Configuration Wizard now box selected and click Finish. The configuration wizard should start automatically. This can take several seconds.
  6. On the Keyfactor Command Database Configuration page, enter the name, IP address, or fully qualified domain name (FQDN) of your SQL server and select a Credential Type of either Windows or SQL.

    Important:  Keyfactor Command uses an encrypted channel to connect to the SQL server by default, which requires configuration of an SSL certificate on the SQL server (see Using SSL to Connect to SQL Server). The name or IP address you enter here for your SQL server must be available as a SAN in this certificate unless you have disabled the encrypted connection for Keyfactor Command (see Configurable SQL Connection Strings).
    • If you select Windows as the Credential Type for connecting to SQL, click the Connect button.

      Figure 537: Windows Authentication

    • If you select SQL as the Credential Type for connecting to SQL, the window will expand to include fields to enter a SQL username and password. Enter a username and password to authenticate to SQL, and click the Connect button.

      Note:  The password must not contain single or double quotes. An error will be shown if single or double quotes are used in the password.

      Figure 538: SQL Authentication

    Note:  For the permissions required for this user, see Grant Permissions in SQL.
    Note:  Keyfactor Command supports configuration of a base SQL connection template that is used for all connections Keyfactor Command makes to SQL. For more information, see Configurable SQL Connection Strings.
    Note:  Your SQL server must be configured to support mixed mode authentication in order to use the SQL option.
  7. After the Connect button is clicked, the database name field will be activated. You can either enter the name of the desired database (either a new or an existing database) or click Browse to scroll through a list of existing databases.

    Note:  On subsequent runs of the configuration wizard, the database name field will be pre-populated with the database name used on the last completed run. Any change to the server connection fields (server name, authentication type, etc.) will require the Connect button to be used again to unlock the database name field and the Continue button.
  8. Click the Continue button. You will receive a confirmation dialog if any changes will be made to the database at this stage.

    Note:  If any of the following situations occurs, you will receive a message:
    • The selected database does not exist and will be created.
    • The selected database is empty and not associated with Keyfactor Command; it will be populated with the Keyfactor Command schema.
    • The selected database does not match the current product schema and will be upgraded.
    • The selected database is not empty and is not associated with Keyfactor Command.
    • The user does not have access to the database.
    • An SSL certificate is not correctly configured on the SQL server.
  9. On the Keyfactor Command Encryption Warning page, read and understand the warning. Make note of the referenced documents to provide to your SQL team. Take advantage of the option to back up the Database Master Key (DMK): enter a path to a directory on your SQL server, a filename for the backup file, and a password to encrypt the file, then click Backup. The user running the Keyfactor Command installer must have write permissions to this directory. Click Continue.

    Important:  Keyfactor Command uses Microsoft SQL Server encryption to protect security sensitive data, including service account credentials. Backup of the SQL server Database Master Key (DMK) is of critical importance in database backup and recovery operations. The backup file of the DMK and the password should be stored in a safe, well-documented location. Without the file and password created with this process, some data that is encrypted within the Keyfactor Command database will be unrecoverable in a disaster recovery scenario. For more information, see SQL Encryption Key Backup.

    If you choose to install Keyfactor Command in the default location, the referenced documents can later be found here:

    C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\DMKBackup.docx

    C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\DMKRestore.docx

    Figure 539: Configure: Backup Database Master Key

  10. On the Keyfactor Command License upload page, click Upload and browse to locate the license file provided to you by Keyfactor. This file should have the extension CMSLICENSE. Once the uploaded license shows as valid, click Continue.

    Figure 540: Configure: Upload License

  11. In the Keyfactor Command configuration wizard, you can choose to upload a configuration file to populate the fields. You may have a file saved from a previous run of the configuration wizard, or you may be provided one by Keyfactor. To upload a file, click File at the top of the wizard and choose Open Data File. Browse to locate the configuration file. Configuration files have an extension of .cmscfg. The file may be protected with a password; if it is, you will need to provide this password to open the file. Continue with the remainder of the steps, reviewing the tabs to ensure that the data is complete and correct.

    Note:  If you open a configuration file that contains configuration information for an identity provider other than Active Directory but does not set OAuth enabled to true, the additional identity provider information will not be loaded.

    Figure 541: Configure: Open Data File

    Note:  At the bottom of the configuration wizard, if the database server name is longer than will fit in the provided window, it will be truncated and an ellipsis will be added.
  12. Configure the tabs of the configuration wizard as follows.
  13. At this point in the configuration, if you have populated all the required fields, the yellow warning banner at the top of the configuration wizard should have disappeared. If it is still visible, click the dropdown arrow to open the Warnings page and review the warning(s) to see what needs to be corrected. Under some circumstances you will be allowed to continue with the configuration even if the yellow warning banner is still present. You will know this is the case if the Verify Configuration button is active. Under these circumstances, you should review the warnings before continuing.

    Figure 558: Configure: Configuration Warnings

  14. Before completing the configuration wizard, you may choose to save a copy of the configuration as a file for future use. To do so, click File at the top of the wizard and choose Save Data File. Browse to the location where you want to save the configuration file, enter a file name and click Save. You will be prompted to enter a password to encrypt the data in the file; protecting the file with a password is optional. If you set a password, you will need to provide it to open the file later. Keyfactor highly recommends using a strong password to protect the file. If you choose not to use a password, sensitive information (e.g. passwords for the service accounts entered in the configuration wizard) will be removed from the file. Once you enter a password or uncheck the encryption box, click OK to save the file.

    Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numerals, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

    Figure 559: Configure: Save Configuration as a File

  15. At the bottom of the Keyfactor Command Configuration Wizard dialog, click Verify Configuration.
  16. On the Configuration Operations page, review the planned operations and then click Apply Configuration. Prior to clicking Apply Configuration, you can revisit any of the Configuration Wizard tabs to review or make changes by clicking Edit Configuration.

    Figure 560: Configure: Configuration Operations

  17. When the configuration completes successfully, you will see the below message. If you didn’t save a copy of the configuration earlier, you may do so at this time by clicking Save Settings. Otherwise, click Close to close the dialog.

    Figure 561: Configure: Configuration Complete
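Before entering the SQL server name on the Database Configuration page (step 6), you can confirm on the SQL server that the TLS certificate it presents actually lists that name or IP address as a SAN and is currently valid. The following PowerShell is an added example, not code from the Keyfactor Command installer or its documentation; it assumes it is run on the SQL server, that the certificate is in Cert:\LocalMachine\My, and the server name sql01.corp.example.com is a constructed placeholder.

```powershell
# Added example (not Keyfactor Command code): run on the SQL server to confirm the TLS
# certificate SQL Server presents covers the name entered in the wizard (step 6).
# Assumes the certificate is in Cert:\LocalMachine\My. Pass the thumbprint selected in
# SQL Server Configuration Manager; otherwise the newest Server Authentication
# certificate with a private key is used (a certificate with no EKU is not considered).
function Test-SqlTlsCertificate {
    param(
        [Parameter(Mandatory)][string] $SqlServerName,  # exactly what you will type in the wizard
        [string] $Thumbprint
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $sanOid        = '2.5.29.17'           # Subject Alternative Name extension
    $certs = Get-ChildItem Cert:\LocalMachine\My
    if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }
    $cert = $certs |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Reason = 'No Server Authentication certificate with a private key found' }
    }
    # CryptoAPI renders SAN entries as "DNS Name=host" and "IP Address=1.2.3.4"
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $entries = if ($sanExt) { $sanExt.Format($false) -split ',\s*' } else { @() }
    $values  = @($entries | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    $problems = @()
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # Exact match, or a single-label wildcard such as *.corp.example.com
    $nameOk = $values | Where-Object {
        ($_ -ieq $SqlServerName) -or
        ($_.StartsWith('*.') -and $SqlServerName.Contains('.') -and
         ($SqlServerName.Substring($SqlServerName.IndexOf('.') + 1) -ieq $_.Substring(2)))
    }
    if (-not $nameOk) {
        $problems += "'$SqlServerName' is not listed as a SAN (found: $($values -join ', '))"
    }
    [pscustomobject]@{
        Ok = ($problems.Count -eq 0); Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
        SanEntries = $values; Reason = ($problems -join '; ')
    }
}

# Constructed placeholder; use the value you intend to enter on the Database Configuration page.
Test-SqlTlsCertificate -SqlServerName 'sql01.corp.example.com' | Format-List
```

If Ok is false, the Reason field tells you whether the wizard's Connect step will fail because of the name (fix the SAN or enter a name that is listed) or because of validity, before you get as far as step 6.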