
Lab 1: Software Installation and Configuration Wizard


Software Installation and Configuration Wizard

As with any Windows application, Keyfactor begins with the installation of the software files. In the lab environment, we've staged the latest installation files in C:\Software\Keyfactor for you, which can be accessed via the Software folder shortcut located on the VM desktop. 

  1. Double-click the KeyfactorPlatform-12.5.0.msi installer package.

  2. After the installer package loads, click Next on the dialog.

  3. Accept the licensing agreement and click Next.

  4. You will be presented with the product components that you wish to install.

    • By default, we choose to install everything but the CA Connector API.

      • Each component could be installed on a separate server, but for the lab, let's keep the defaults.

      • You can also choose to change the path where the bits are copied.

    • By default, our installation wizard places these files at:

    C:\Program Files\Keyfactor\Keyfactor Platform\

    Note: If you are upgrading from an existing Keyfactor installation, this path will default to the previously used installation path.

  5. Click Next.

  6. Click Install and allow the installation to run, and when it completes, click Finish. This will automatically open the Configuration Wizard.

For the next portion of the lab, we need to connect to the database.

Keyfactor Database Configuration 

Server

  1. Once the Keyfactor Database Configuration dialog loads, you will be prompted for a server name and credential type for accessing that database.

    • Enter the following server name:

      dc-sql-ca.kftrain.lab

  2. For our lab environment, we will be using the Windows credential type. This connects to the database in the context of the logged-in administrative user.

  3. Click Connect.

Database

The next step of the Database Configuration Wizard is to choose an existing database or create a new one, but we've already created a database for use with this lab (sample instructions for new database creation below.)

  1. Click Browse to choose the pre-configured database, and for this activity, it will be the following:

    • Keyfactor (Version: 12.5.0)

  2. Click Continue, and the Configuration Wizard will display a list of configurations that need to be completed to get the Keyfactor platform up and operational.

  3. Click Upload on the License Upload page. You will find the license file “KeyfactorCommand-Training-Labs-License.cmslicense” in the C:\Software\Keyfactor directory.

Keyfactor Configuration Wizard

There are several tasks we will need to complete within the Configuration Wizard. We'll walk through each of these items individually.

Application Pools

This tab is where you create the Application Pools that will run the Keyfactor web applications on the IIS web server. An application pool defines the configuration and identity that apply to the application. This screen can be used to create new application pools and displays any application pools already available on this server.

For this lab, we will create the four Application Pools listed below. Click Add to create the first Application Pool.

| Configuration | Value |
| --- | --- |
| Name | KeyfactorPortal |
| User | kftrain\kf_service |
| Password | Password1 |

Click Save. Next, click Add to create the second Application Pool.

| Configuration | Value |
| --- | --- |
| Name | KeyfactorAgents |
| User | kftrain\kf_service |
| Password | Password1 |

Click Save. Next, click Add to create the third Application Pool.

| Configuration | Value |
| --- | --- |
| Name | KeyfactorAnalysis |
| User | kftrain\kf_service |
| Password | Password1 |

Click Save. Next, click Add to create the fourth Application Pool.

| Configuration | Value |
| --- | --- |
| Name | KeyfactorAPI |
| User | kftrain\kf_service |
| Password | Password1 |

Click Save.

As a reminder, this account must be part of the Constrained Delegation configuration covered in the previous lesson if users are going to manage and enroll with a Microsoft CA from the Keyfactor portal.

Authentication

This tab is where you configure Command to work with OAuth and your IdP. For this lab, we will be using Basic Authentication, so uncheck the Use OAuth for Keyfactor Portal, API, and Orchestrators box.

Database

This tab is where you configure how the web application and service will connect to the database. For the lab, use Windows Authentication and leave the default for encryption.

Note: When configuring this in your own environment, choose the authentication method (Windows or SQL) and the user that will be used to authenticate to the database. If this user does not exist, the Wizard will attempt to create the user and add it to the selected database as db_owner. This is done in the context of the user used to connect to the database (see bottom status bar). If that user does not have the appropriate database permissions to make this change, the configuration will fail.

Here we also determine if we want to use Keyfactor Application encryption on top of the SQL encryption. The encryption section allows you to determine how data is encrypted within our secrets table. By default, all secrets are encrypted with the SQL server service master key. In some situations, an additional layer of protection may be required to ensure that secrets cannot be decrypted outside of the application. To enable this scenario, you can choose to use a certificate to encrypt the data before storage in SQL. This results in data that is encrypted using the certificate stored in the database and then encrypted using the Service Master Key. This is one way to ensure that only the application is able to decrypt secrets within the Keyfactor database.

Service

The Service tab allows you to define how the Keyfactor Command Service will be configured on this server. It should be noted that these service functions can be run on multiple servers, and care should be taken to ensure that the same function is not run on multiple servers. If you are going to separate duties between servers, it makes sense to break them down by category for ease of administration.

For the lab, enter the following user and password.

| Configuration | Value |
| --- | --- |
| User | kftrain\kf_service |
| Password | Password1 |

Select the Start service on bootup check box.

Email

The Email tab is where you set how Keyfactor will deliver email notifications. 

For the lab, use the following values.

| Configuration | Value |
| --- | --- |
| Host | mail.kftrain.lab |
| Port | 2525 |
| Sender Name | Certificate Management System |
| Sender Account | keyfactor@kftrain.lab |
| Use SSL | Unchecked |
| Relay Authentication | Anonymous |

Keyfactor Portal

The Keyfactor Portal tab begins the configuration process of the Management Portal web application. Here you can set some information regarding the website and host as well as application pool to run this particular site. You also need to define your initial set of administrative users who will be able to log in to the portal and begin configuration of the application. Additionally, this tab is where you set up initial configuration for enrollment formats and supported methods. 

For the lab, use the following values.

| Configuration | Value |
| --- | --- |
| Host Name | keyfactor.kftrain.lab |
| Use SSL | Checked |
| Web Site | Default Web Site |
| Virtual Directory | KeyfactorPortal |
| Application Pool | KeyfactorPortal |

Administrative Users

The Administrative Users tab is where you can configure the groups or users that will control administrative access to the Keyfactor Command Management Portal.

For the lab, use the following values.

| Configuration | Value |
| --- | --- |
| Identity Provider | Active Directory |
| Claim Type | ADUser |
| Claim Value | KFTRAIN.LAB\Administrator |
| Description | Admins or Keyfactor Command |

Dashboards & Reports

The Dashboard and Reports tab is where you begin the configuration of how the portal will communicate with the reporting engine. This component is installed as a separate web application within the specific site and can have its own application pool.

For the lab, use the following values.

| Configuration | Value |
| --- | --- |
| Host Name | keyfactor.kftrain.lab |
| Use SSL | Checked |
| Web Site | Default Web Site |
| Virtual Directory | KeyfactorAnalysis |
| Application Pool | KeyfactorAnalysis |

Orchestrators

The Orchestrators tab configures where the platform will place the Orchestrators API so that orchestrators can communicate with Keyfactor. 

For the lab, use the following values.

| Configuration | Value |
| --- | --- |
| Host Name | keyfactor.kftrain.lab |
| Use SSL | Checked |
| Web Site | Default Web Site |
| Virtual Directory | KeyfactorAgents |
| Application Pool | KeyfactorAgents |

The Reenrollment section defines how an orchestrator's CSR is handled when submitted as part of a reenrollment job. It will determine the template and CA to use when issuing the certificate. Reenrollment jobs will be covered in more detail as we get to the orchestrator. For now, leave these fields empty.

The Certificate Authentication section allows the user to enable certificate authentication for the Universal Orchestrator. Keep in mind, enabling this option will require certificate authentication for ALL orchestrators. For now, keep this option disabled.

API

The API tab defines the same web application settings for the Keyfactor API. Depending on your solution, you may need to enable the classic API. Note that the classic API is not required for new installations, but may be required as part of an upgrade to support legacy code or integrations. This API will be deprecated in the future, so make sure any new integrations use the Keyfactor API.

For the lab, use the following values.

| Configuration | Value |
| --- | --- |
| Host Name | keyfactor.kftrain.lab |
| Use SSL | Checked |
| Web Site | Default Web Site |
| Virtual Directory | KeyfactorAPI |
| Application Pool | KeyfactorAPI |

Audit Configuration

The Audit Configuration tab is where you set the retention period for audit log entries and configure log exports to a syslog server. Both of these configurations are available to be configured as part of the global application settings. For the purposes of this lab, keep the default entries on this tab.

Once your configuration is complete, click Verify Configuration. If there are no errors, click Apply Configuration to write the configuration files to the various locations.

At this point, your system is configured, and you should be able to log in to the portal at the following URL!

https://keyfactor.kftrain.lab/keyfactorportal

Note: The browser in the lab will default to our Lab page. From there, you can click the link titled Keyfactor Command Portal (Available After Install).
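After Apply Configuration completes, the IIS state can be compared with the values entered on the wizard tabs. The following PowerShell check is an added example, not part of the lab or of Keyfactor's tooling. It assumes the WebAdministration module is present on the server, that the wizard creates each virtual directory as an IIS application under Default Web Site, and that the pool identity is stored in the same DOMAIN\user form that was typed into the wizard.

```powershell
# Added example: compare IIS state with the lab values from the Configuration Wizard.
# Run in an elevated PowerShell session on the Keyfactor server.
Import-Module WebAdministration

$site     = 'Default Web Site'
$identity = 'kftrain\kf_service'   # service account entered for all four pools

# Virtual directory -> application pool, as entered on the wizard tabs
$expected = [ordered]@{
    'KeyfactorPortal'   = 'KeyfactorPortal'
    'KeyfactorAnalysis' = 'KeyfactorAnalysis'
    'KeyfactorAgents'   = 'KeyfactorAgents'
    'KeyfactorAPI'      = 'KeyfactorAPI'
}

$results = foreach ($vdir in $expected.Keys) {
    $pool       = $expected[$vdir]
    $poolPath   = "IIS:\AppPools\$pool"
    $poolExists = Test-Path $poolPath
    $poolUser   = $null
    if ($poolExists) {
        # processModel.userName holds the custom identity the pool runs as
        $poolUser = (Get-Item $poolPath).processModel.userName
    }
    # Assumption: each wizard "Virtual Directory" is an IIS application on the site
    $app = Get-WebApplication -Site $site -Name $vdir

    [pscustomobject]@{
        VirtualDirectory = $vdir
        PoolExists       = $poolExists
        PoolIdentityOk   = ($poolUser -eq $identity)   # -eq is case-insensitive
        AppBoundToPool   = ($null -ne $app -and $app.applicationPool -eq $pool)
    }
}
$results | Format-Table -AutoSize

# Every web tab in the lab has Use SSL checked, so the site needs an HTTPS binding
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    Write-Warning "No HTTPS binding found on '$site'"
}

# Call out any row that differs from the lab values
$results |
    Where-Object { -not ($_.PoolExists -and $_.PoolIdentityOk -and $_.AppBoundToPool) } |
    ForEach-Object { Write-Warning "Mismatch for $($_.VirtualDirectory)" }
```

A clean run prints four rows with every column True and no warnings.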
