Keyfactor Command Web Agent Services appsetting.json File

The WebAgentServices appsettings.json configuration file allows you to change default orchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. installation configuration settings.

Windows Installations Under IIS

To update the appsettings.json file:

  1. Navigate to the WebAgentServices\Configuration folder on your server, located by default at:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Configuration
  2. Browse to open the appsettings.json file in a text editor (e.g. Notepad) and adjust the values as needed.
  3. Save the files.

Figure 456: Sample WebAgentServices Appsettings.json File

Container Installations Under Kubernetes

The configurations from the appsettings.json file can be updated in one of two ways for container installations:

  • To update one or two settings, set an environment variable in your custom values file.

  • To update a large number of settings or the entire contents of the appsettings.json file, create a config map containing the appsettings.json file contents and mount it as a volume to replace the existing appsettings.json file.

Note:  Some appsettings.json settings are overridden by environment variables in a standard installation, so don’t assume that the values you see in an appsettings.json file if you view it within a started container are actually the values in use. Be sure to check for environment variables as well. Environment variables take precedence over values of the same name from the appsettings.json file. For example, in a standard installation, the appsettings.json files ActiveDirectoryEnforced value will show true, but an environment variable is set in each container where this is relevant to set this to false.

To set an environment variable for one or two configuration values:

  1. On your Kubernetes server, edit your values file to add an additionalEnvironmentVariables section (if one does not already exist) and environment variable name(s) and value(s) for the setting(s) to change. For example, the following shows a portion of the example values file (see Install Keyfactor Command in Containers Under Kubernetes) with the MaxRequestSizeKb value set to 3000.

    additionalEnvironmentVariables:
  - name: MaxRequestSizeKb
    value: '3000'

volumes:
  - name: root-cas
    configMap:
      name: ca-roots
      items:
        - key: ca-certificates.crt
          path: ca-certificates.crt
volumeMounts:
  - name: root-cas
    mountPath: /etc/ssl/certs/ca-certificates.crt
    subPath: ca-certificates.crt
    Note:   Parameters are referenced by full name, including parent parameterClosed A parameter or argument is a value that is passed into a function in an application. name, if applicable. A SQL retry configuration setting would be, for example, SqlRetryConfiguration_NumberOfTries.

  2. Load the new values, referencing the deployment name, namespace, your customized values file, the helm chart, and version. For example:

    sudo helm upgrade Helm_Deployment_Name --namespace keyfactor-command --values values-local.yaml oci://repo.keyfactor.com/charts/command --version 1.0.0

To provide the appsettings.json file as a config map:

  1. On your Kubernetes server, create an appsettings.json file with the full contents of the file, including the updates you wish to make. For example:

    Copy 
    {
      "ActiveDirectoryEnforced": true,
      "ClientCertificateAuthentication": {
        "Enabled": false,
        "CheckAuthCertificateRevocationStatus": true,
        "DaysBeforeExpirationError": 30,
        "DaysBeforeExpirationWarning": 180,
        "AlwaysUseHeaderCertificate": false,
        "AuthenticationHeaderName": null
      },
      "ExtensionsDirectory": "Extensions",
      "MaxRequestSizeKb": "3000",
      "NLogConfigFile": "Configuration\\NLog_Orchestrators.config",
      "SqlRetryConfiguration": {
        "NumberOfTries": "5",
        "DeltaTime": "00:00:00.5",
        "MaxTimeInterval": "00:02:00"
      }
    }

  2. On your Kubernetes server, create a config map containing the appsettings.json file. For example:

    sudo kubectl create configmap appsettings-agentapi --namespace keyfactor-command --from-file=/opt/kyf_command/appsettings.json

  3. Edit your values file to add a volume and volumeMount for the config map of the appsettings.json file. For example, the following values file section shows the example root trusts volume (see Install Keyfactor Command in Containers Under Kubernetes) and the appsettings volume.

    volumes:
  - name: root-cas
    configMap:
      name: ca-roots
      items:
        - key: ca-certificates.crt
          path: ca-certificates.crt
  - name: appsettings-agentapi-volume
    configMap:
      name: appsettings-agentapi
volumeMounts:
  - name: root-cas
    mountPath: /etc/ssl/certs/ca-certificates.crt
    subPath: ca-certificates.crt
  - name: appsettings-agentapi-volume
    mountPath: /app/Configuration/appsettings.json
    subPath: appsettings.json

  4. Load the new values, referencing the deployment name, namespace, your customized values file, the helm chart, and version. For example:

    sudo helm upgrade Helm_Deployment_Name --namespace keyfactor-command --values values-local.yaml oci://repo.keyfactor.com/charts/command --version 1.0.0
Configuration Settings

The following table shows the configuration settings for the Keyfactor Command OrchestratorAPI application available in the appsettings.json file.

Table 89: Appsetting.json File Parameters - WebAgentServices

Setting Description
Active Directory Enforced A Boolean that indicates whether Active Directory authentication is in use for the Keyfactor Command server. This should be set to false if you are not using Active Directory. An IIS reset will be required to apply this setting if you change it.
Client Certificate Authentication

Configuration settings for client certificate authentication.

These values are not used for container installations under Kubernetes.

Setting Description
Enabled A Boolean that indicates that client certificate authentication is enabled on the web agent services application for this Keyfactor Command server (true) or not (false).
Check Auth Certificate Revocation Status A Boolean that indicates whether to check the revocation status of the certificate provided for client certificate authorization (true), if being used, or not (false). The default is true.
Days Before Expiration Error

An integer indicating the number of days ahead of certificate expiration that orchestrators should begin producing certificate expiration error messages. The expiration days should be a number large enough to allow the orchestrator to check in and discover that it is in the expiry window before the certificate actually expires. Once the certificate expires, renewal cannot be done. The default is 30 days.

If a certificate is in the warning period (Days Before Expiration Warning), operations will continue while a new certificate is requested. If the certificate is in the expiry period, the orchestrator will not be allowed to register a new session when the existing session expires or if the orchestrator service is restarted, but the certificate can be renewed.
Days Before Expiration Warning An integer indicating the number of days ahead of certificate expiration that orchestrators should begin producing certificate expiration warning messages.
Always Use Header Certificate A Boolean that indicates whether to use the certificate specified by the AuthenticationHeaderName (true) or not (false) if certificates are available both in the header name and the TLS session.
Authentication Header Name A string defining the authentication header name used for client certification authentication. This can be configured in the Keyfactor Command configuration wizard.
Extensions Directory

Enter the file path to the extensions to be loaded by the extension loader (for registration handler, workflow step, etc... support). For Windows installations under IIS, this is a subdirectory of the WebAgentServices directory. The default value is Extensions.

This translates to, for example, for Windows installations under IIS:

C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Extensions

Container installations under Kubernetes:

/app/Configuration/Extensions
Max Request Size Kb This application setting is only used for the CA synchronizations managed with a Keyfactor Universal Orchestrator. It is used to configure the CA synchronization batch size. The default is 5000.
NLog Config File

Enter the file path to the NLog_Orchestrators.config file as a subdirectory of the WebAgentServices directory. The default is:

Configuration\\NLog_Orchestrators.config

This translates to, for example:

C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Configuration\NLog_Orchestrators.config

This value is not used for container installations under Kubernetes.
Sql Retry Configuration SQL retry settings (seeKeyfactor Command Changing SQL Retry Settings for more information).
Setting Description
Number Of Tries The number of times a connection attempt will be made to SQL before an exception is thrown. The default is 5.
Delta TimeThe preferred gap time to delay before the next attempt to connect to SQL will be made. The default is .5 (1/2) second.
Max Time IntervalThe maximum time interval before the next attempt to connect to SQL will be made. The default is 2 minutes.