Keyfactor Universal Orchestrator appsetting.json File
The appsettings.json configuration file allows you to view or change the configuration settings for the Keyfactor Universal Orchestrator installation. The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on Windows servers, Linux servers, or in Linux containers.
Installations on Windows Servers
To update the appsettings.json file for a Windows installation:
- Navigate to the Configuration folder on your server, located by default at:
C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration
- Open the appsettings.json file in a text editor (e.g. Notepad) and adjust the values as needed.
- Save the file.
A sample appsettings.json from a Windows installation that authenticates to Keyfactor Command with an OAuth identity provider:
{
"AppSettings": {
"AgentsServerUri": "https://command.keyexample.com/KeyfactorAgents",
"CertPath": "",
"ExtensionsDirectory": "extensions",
"OrchestratorName": "websrvr33.keyexample.com",
"ScriptTimeout": 60,
"AuthCertThumbprint": "",
"WindowsContainerRuntime": false,
"CheckServerCertificateRevocation": true,
"BearerTokenUrl": "https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token",
"ClientId": "Universal-Orchestrator",
"TokenLifetime": 300,
"Scope": "",
"Audience": "",
"InventoryMaxUpdateSizeMb": 10,
"OrchestratorId": "3c3594f9-e2f6-4e5a-b647-ab12242540d8"
}
}
Installations on Linux Servers
To update the appsettings.json file for a full Linux installation:
- Navigate to the Configuration folder on your server, located by default at:
/opt/keyfactor/orchestrator/configuration
- Open the appsettings.json file in a text editor and adjust the values as needed.
- Save the file.
A sample appsettings.json from a Linux installation with no OAuth settings configured:
{
"AppSettings": {
"AgentsServerUri": "https://command.keyexample.com/KeyfactorAgents",
"CertPath": "",
"ExtensionsDirectory": "extensions",
"OrchestratorName": "appsrvr162.keyexample.com",
"ScriptTimeout": 60,
"AuthCertThumbprint": "",
"WindowsContainerRuntime": false,
"CheckServerCertificateRevocation": true,
"BearerTokenUrl": "",
"ClientId": "",
"TokenLifetime": null,
"Scope": null,
"Audience": null,
"InventoryMaxUpdateSizeMb": 10,
"OrchestratorId": "fed75ec7-ba6c-444c-bdf5-a5442a2a3cb0"
}
}
Installations in Linux Containers
In a Linux container, the appsettings.json configuration is updated by setting environment variables rather than by editing the file inside the container. Most of the values you might wish to set in a container appsettings.json file are available as container parameters (see the Container Parameter column in Table 1029: Appsetting.json File Parameters).
Configuration Settings
The following table shows the configuration settings for the Keyfactor Universal Orchestrator available in the appsettings.json file. The Setting column gives the key name as it appears in the file; the Container Parameter column gives the environment variable that sets the same value in a Linux container, where one exists.
Table 1029: Appsetting.json File Parameters
Setting | Description | Container Parameter |
---|---|---|
AgentsServerUri | The URL of the Orchestrators API on the Keyfactor Command server, for example https://command.keyexample.com/KeyfactorAgents as in the sample files above. | COMMAND_AGENTS_URL |
CertPath | The path and file name on the orchestrator of a PKCS#12 file containing the client authentication certificate used to authenticate to Keyfactor Command, created as per Acquire a Certificate for Client Certificate Authentication (Optional). The certificate must have a Client Authentication EKU. This setting applies only to orchestrators installed on Windows and Linux servers, not to containers. | |
ExtensionsDirectory | The file path to the extensions loaded by the extension loader (for handling certificate store types). The default value is extensions, which is a subdirectory under the install directory and resolves to C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions on Windows, /opt/keyfactor/orchestrator/extensions on Linux, and /app/extensions in a container. | |
OrchestratorName | The name the orchestrator uses to register itself with Keyfactor Command. By default the hostname is used. In a container this is not ideal, because the container hostname changes and a new orchestrator entry is created with every container start. Although this parameter is not strictly required, Keyfactor strongly recommends setting it. If you uninstall and reinstall the orchestrator (e.g. using compose down), use the same orchestrator name for the subsequent deployment so that Keyfactor Command recognizes the orchestrator when it starts again. | ORCHESTRATOR_NAME |
ScriptTimeout | Deprecated; may be removed in a future release. | |
AuthCertThumbprint | The thumbprint of the client authentication certificate used to authenticate to Keyfactor Command, created as per Acquire a Certificate for Client Certificate Authentication (Optional). This setting applies only to orchestrators installed on Windows. | |
WindowsContainerRuntime | Deprecated; may be removed in a future release. | |
CheckServerCertificateRevocation | A Boolean indicating whether the revocation status (CRL) of the TLS certificate on the Keyfactor Command server is checked when connecting to Keyfactor Command. Leave this true unless the orchestrator genuinely cannot reach the CRL distribution point; setting it to false means a revoked server certificate is still accepted. | |
BearerTokenUrl | The URL of the token endpoint for your identity provider, for example https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token as in the Windows sample above. For Keyfactor Identity Provider, this is included among the information on the OpenID Endpoint Configuration page, which is linked from the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). Required if you're using an OAuth identity provider. | BEARER_TOKEN_URL |
ClientId | For implementations using an identity provider other than Active Directory, the ID of the identity provider client used to authenticate the session (see Create Service Accounts for the Universal Orchestrator). Required if you're using an OAuth identity provider. | CLIENT_ID |
TokenLifetime | For implementations using an identity provider other than Active Directory, the number of seconds for which the bearer token is valid. If not specified (null), the orchestrator uses the default set by the Keyfactor Command server of 300 seconds (5 minutes). | TOKEN_LIFETIME |
Scope | One or more scopes to include in token requests sent to the identity provider when using an identity provider other than Active Directory. Multiple scopes are given in a single string separated by spaces. | SCOPE |
Audience | An audience value to include in token requests sent to the identity provider when using an identity provider other than Active Directory. | AUDIENCE |
InventoryMaxUpdateSizeMb | An integer giving the maximum batch size in MB of orchestrator inventory jobs. Valid values are 1 to 10. By default, inventory jobs are batched into updates of at most 10 MB, which matches the default request size limit under IIS for receiving inventory updates on Keyfactor Command installations on Windows. | |
OrchestratorId | The GUID of the orchestrator. This value is assigned at registration and can't be modified. | |
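The following script is an added example, not Keyfactor's code. It checks an appsettings.json against the constraints stated in Table 1029 (an https Orchestrators API URL, revocation checking left on, BearerTokenUrl and ClientId set together, an integer TokenLifetime, space-separated Scope, InventoryMaxUpdateSizeMb between 1 and 10, a non-empty OrchestratorName) and then derives the environment variables a container deployment would need for the same values, using the Container Parameter names from the table with the soft-wrap spaces in the extracted names removed. The two sample documents are constructed for the example (the first mirrors the Windows sample on this page), and render_env_file is a helper written here, not a Keyfactor tool.

```python
"""Lint a Universal Orchestrator appsettings.json against the rules documented on this
page and derive the container environment variables for the same settings.
Added example, not Keyfactor's code; sample documents are constructed."""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Setting name -> container parameter (Table 1029). Settings that have no container
# parameter on the page are intentionally absent.
CONTAINER_ENV = {
    "AgentsServerUri": "COMMAND_AGENTS_URL",
    "OrchestratorName": "ORCHESTRATOR_NAME",
    "BearerTokenUrl": "BEARER_TOKEN_URL",
    "ClientId": "CLIENT_ID",
    "TokenLifetime": "TOKEN_LIFETIME",
    "Scope": "SCOPE",
    "Audience": "AUDIENCE",
}


def _is_int(value) -> bool:
    """True for a JSON integer (bool is a subclass of int in Python, so exclude it)."""
    return isinstance(value, int) and not isinstance(value, bool)


def lint_appsettings(doc: dict) -> list[str]:
    """Return findings for an appsettings.json document; an empty list means it passes."""
    findings: list[str] = []
    s = doc.get("AppSettings")
    if not isinstance(s, dict):
        return ["missing AppSettings object"]

    # The Orchestrators API endpoint must be an absolute https URL.
    agents = urlparse(s.get("AgentsServerUri") or "")
    if agents.scheme != "https" or not agents.netloc:
        findings.append("AgentsServerUri must be an absolute https URL to the Orchestrators API")

    # The server certificate's CRL status is only checked when this is true.
    if s.get("CheckServerCertificateRevocation") is not True:
        findings.append("CheckServerCertificateRevocation is not true: the Keyfactor Command "
                        "server certificate will not be checked for revocation")

    # OAuth settings travel together: a token URL without a client id (or vice versa)
    # cannot produce a bearer token.
    token_url = s.get("BearerTokenUrl") or ""
    client_id = s.get("ClientId") or ""
    if token_url or client_id:
        if not (token_url and client_id):
            findings.append("OAuth requires both BearerTokenUrl and ClientId")
        elif urlparse(token_url).scheme != "https":
            findings.append("BearerTokenUrl must be an https URL")

    lifetime = s.get("TokenLifetime")
    if lifetime is not None and (not _is_int(lifetime) or lifetime <= 0):
        findings.append("TokenLifetime must be a positive integer number of seconds, "
                        "or null for the server default of 300")

    # Multiple scopes are space separated; a list or a comma-separated string is a mistake.
    scope = s.get("Scope")
    if scope is not None and (not isinstance(scope, str) or "," in scope):
        findings.append("Scope must be a single string with scopes separated by spaces")

    size = s.get("InventoryMaxUpdateSizeMb", 10)
    if not _is_int(size) or not 1 <= size <= 10:
        findings.append("InventoryMaxUpdateSizeMb must be an integer from 1 to 10")

    if not s.get("OrchestratorName"):
        findings.append("OrchestratorName is empty: the hostname will be used, which "
                        "registers a new orchestrator on every container start")
    return findings


def container_env(doc: dict) -> dict[str, str]:
    """Map the settings that have a container parameter to environment variables."""
    s = doc["AppSettings"]
    return {var: str(s[key]) for key, var in CONTAINER_ENV.items()
            if s.get(key) not in (None, "")}


def render_env_file(env: dict[str, str]) -> str:
    """Render the mapping as KEY=value lines usable with docker --env-file (added helper)."""
    return "".join(f"{k}={v}\n" for k, v in env.items())


# Constructed sample: mirrors the Windows sample on this page (OAuth configured).
GOOD = json.loads("""{"AppSettings": {
  "AgentsServerUri": "https://command.keyexample.com/KeyfactorAgents",
  "CertPath": "", "ExtensionsDirectory": "extensions",
  "OrchestratorName": "websrvr33.keyexample.com", "AuthCertThumbprint": "",
  "CheckServerCertificateRevocation": true,
  "BearerTokenUrl": "https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token",
  "ClientId": "Universal-Orchestrator", "TokenLifetime": 300,
  "Scope": "", "Audience": "", "InventoryMaxUpdateSizeMb": 10}}""")

# Constructed sample containing the mistakes the linter is meant to catch.
BAD = json.loads("""{"AppSettings": {
  "AgentsServerUri": "command.keyexample.com/KeyfactorAgents", "OrchestratorName": "",
  "CheckServerCertificateRevocation": false,
  "BearerTokenUrl": "https://appsrvr18.keyexample.com:1443/realms/Keyfactor/protocol/openid-connect/token",
  "ClientId": "", "TokenLifetime": "300", "Scope": "openid,profile",
  "InventoryMaxUpdateSizeMb": 50}}""")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, lint_appsettings(doc) or "OK")
    print(render_env_file(container_env(GOOD)), end="")
```

Run it against a real file by replacing GOOD with json.load(open(path)). The linter deliberately does not flag a file with neither OAuth nor client-certificate settings, because the page documents those as optional; it does flag the configuration mistakes the table warns about, and the env-file output gives the exact variables to carry into a container deployment so that the orchestrator registers under the same OrchestratorName every time it starts.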