Windows Agent
The Signum Windows Agent gives an authenticated user access to signing certificates stored on the Signum server and HSM, for use with signing tools that can consume certificates through Microsoft’s Key Storage Provider (KSP) interface (SignTool, NuGet Signer, SetAuthenticode, VBA signing, etc.). For signing tools that support PKCS11, the Windows Agent can also expose those certificates over PKCS11. There are two builds, one for 32-bit and one for 64-bit systems, and the Agent runs in one of two modes: User mode (with a UI) and Server mode (without one).
Installation Requirements
Microsoft Windows 8.1, 10, 11 (32 / 64 bits)
Windows Server 2019 and later
Microsoft Visual C++ 14.29.30133 (The installer will prompt and download this automatically where possible unless configured not to.)
SQL Compact - This is optional for using KSP in Windows but required if using PKCS11 for certain signing tools that support PKCS11 in Windows. (The installer will prompt and download this automatically where possible unless configured not to.)
.NET 4.7
Administrator privileges (only at install time)
Installation
To install the Windows Agent, run a .bat file that sets the initial configuration parameters, either targeting the Signum Agent .msi installer or placed in the same directory as it. Each parameter takes the form:
configuration_parameter_key="some_value", for example AuthMode="LocalUsers"
Below is an example .bat file that installs a particular version of the Signum Windows Agent .msi.
msiexec /i kf-agent-x64-3.72.2-2a4f19c5-MS-WO_Trust.msi ^
RTPRIMARY="signum-server-url.com.com" RTSECONDARY="signum-server-url.com.com" ^
CLIENTID="Scic1jVkgyDjfFlLugkA5hwMlD8vVqX8U4H+GXHOka4=" ^
AuthMode="LocalUsers" AGENTMODE="USER" ^
Language="en-US" ^
NO_FIREFOX="1" NO_EDGE="1" NO_CHROME="1" NO_IEXPLORER="1" ^
/l* log.txt
echo Exit Code is %errorlevel%
Comments
Example Signum Agent installer script to be run alongside the .msi. Edit the filename to match your version.
Primary and secondary server: enter just the hostname without https://, e.g. signum.com
ClientID: Keyfactor can provide the ClientID for Signum.
AuthMode: the Domain type to authenticate with. If using SAML2 or OAUTH2 you also need to add a Domain property, DefaultDomain="$TheDomainAlias".
AgentMode: the mode to run the Agent in. USER runs with a GUI; SERVER runs without one and must be set up after install with the rtsetup tool found with the installation files.
NO_FIREFOX, NO_EDGE, NO_CHROME, NO_IEXPLORER: setting these properties to 1 will not install any browser extensions. The extensions are a legacy feature and are not needed for Signum.
Installation Parameters
Below are the available parameters to pass during installation. Note that some of these parameters are for other use cases with prior versions of Signum.
Most Frequently Used Parameters
Parameter | Optional | Default Value | Description |
---|---|---|---|
PrimaryServer | No | | Primary Signum Server URL (without https://) |
SecondaryServer | No | | For Signum, copy the information used in the PrimaryServer argument. This feature is for a legacy model of backup server and will be removed as a required argument from future versions of the agent. |
ClientID | No | | Unique value for the Signum instance. This can be obtained from Keyfactor during deployment. |
DefaultDomain | Optional for LocalUsers; required for SAML and OAuth | | A default Domain to direct users to. Valid options are: Note: If AgentMode is set to SERVER, only LocalUsers is supported. |
AuthMode | No | | The Agent authentication mode, i.e. what type of Domain users will be authenticating from. Valid options for Signum are: |
ONLY_KSP | No | 0 (32-bit DWORD hex value) | Optional setting to use only Microsoft’s KSP instead of both the KSP and CSP. |
Language | Yes | | Agent’s language. Valid options are: |
AGENTMODE | Yes | USER | Whether the Agent will run in User-Interface mode (i.e. with a GUI) or in Server mode. Valid options are USER and SERVER. |
NO_FIREFOX | Yes | 0 | This is a legacy feature that is being deprecated for Signum. For Signum, this value should be set to 1. 0 - Installs the add-on for Firefox; 1 - Does not install the add-on for Firefox |
NO_CHROME | Yes | 0 | This is a legacy feature that is being deprecated for Signum. For Signum, this value should be set to 1. 0 - Installs the add-on for Chrome; 1 - Does not install the add-on for Chrome |
NO_IEXPLORER | Yes | 0 | This is a legacy feature that is being deprecated for Signum. For Signum, this value should be set to 1. 0 - Installs the add-on for Internet Explorer; 1 - Does not install the add-on for Internet Explorer |
NO_EDGE | Yes | 0 | This is a legacy feature that is being deprecated for Signum. For Signum, this value should be set to 1. 0 - Installs the add-on for MS Edge; 1 - Does not install the add-on for MS Edge |
Additional Parameters
Parameter | Optional | Default Value | Description |
---|---|---|---|
Timeout seconds | Yes | 31 | Seconds of timeout after which the agent considers that the server is not available. |
START_DELAYED | Yes | 0 | Specifies the start mode of the installed service. If set to delayed start, the agent will attempt to be the last process to start on boot. 0 - Automatic start; 1 - Delayed start |
PIN_EXPIRATION | Yes | 0 | Number of seconds before the user must re-enter a PIN. This only applies to a single cryptographic session. |
NO_SQLCOMPACT | Yes | 0 | Some native signing tools are able to use both KSP and PKCS11 in Windows. SQL Compact needs to be installed to enable this PKCS11 functionality. 0 - Installs SQL Server Compact; 1 - Does not install SQL Server Compact |
NO_REDIST | Yes | 0 | 0 - Installs the C++ redistributables; 1 - Does not install the C++ redistributables |
WEBPROXY_URI | Yes | | Can be used to optionally configure a proxy. The proxy must be transparent with no authentication. |
KSP_WEBAPI_PORT | Yes | 51600 | |
HIDE_TRAYICON | No | 0 | 0 - Tray icon is visible; 1 - Tray icon is not visible |
DISABLE_NOTIFICATIONS | No | 0 | 0 - Notifications are shown; 1 - No notifications are shown (if HIDE_TRAYICON is set to 1, this parameter is also set to 1). |
Optional Additional Registry Settings
These properties cannot be passed at installation but can be set directly in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Evolium\Redtrust.
Parameter | Optional | Default Value | Description |
---|---|---|---|
TCP_PORT | Yes | N/A | Default service is on 51598 |
WEBSERVER_PORT | Yes | N/A | Default service is on 51599 |
Windows Agent in USER mode
With the agent installed in USER mode i.e. with the user interface, there should be a “RTTrayApp” process running which is the Signum Windows Agent. Looking in the System tray, there should be an icon showing the Keyfactor Signum Agent.

Right-clicking the tray icon brings up several options.
About
Information about the Agent.

Settings
Note: this option is only present if the AuthMode is LocalUsers. The Settings section lets a user assigned to a LocalUsers Domain update the credentials stored for the service.

Certificates
The Certificates window only shows the certificates available to the authenticated user based on the policies that have been defined. If multiple certificates are listed, making no selection (the default behavior) makes all of them available; selecting specific certificates makes only those certificates available on the machine.

Login
Selecting Login on the Agent brings up a login window where a LocalUser can enter their credentials. The option to remember user credentials is disabled by default; if it is enabled, the user is logged in automatically after the machine restarts, and logging out of the Agent prompts for the credentials again. Reach out to Keyfactor about enabling this feature.

A user logging in to a SAML or OAuth Domain is taken, after clicking Login, to the IdP login page determined by the DefaultDomain property configured in the Agent installation parameters.
Logout
Logging out will terminate the Signum session and requires the user to re-authenticate to connect.
Windows Agent in SERVER Mode
Additional information about the Agent in Server mode.
Certificates are stored in the machine certificate store instead of the user store
Credentials are configured using the rtsetup tool
Only LocalUsers is supported as a Domain type for Signum
Using the Setup Tool
With the Agent .msi installed (see Installation above), navigate to the installation folder (default location C:\Program Files\KeyFactor) and run “rtsetup.exe” from a command prompt or PowerShell. Run without arguments, the tool prints the usage information shown below. Running rtsetup.exe with the parameters described authenticates the LocalUser’s credentials; if the server information was set during the install, there is no need to re-enter it with the tool. After running the tool, restart the “RTService” service, which can be found in the list of running services in Windows.
PS C:\Program Files\KeyFactor> .\rtsetup.exe
Tool to configure the Redtrust Server Agent.
Usage:
rtsetup.exe -authMode=LocalUsers -username=[username] -password=[password]
or
rtsetup.exe -authMode=ActivationCode -code=[activation code]
Optional parameters:
-primaryServer=[IP or hostname]
-secondaryServer=[IP or hostname]
-servicePort=[Port] (default value: 443)
Note: Both need to be set at once. Port is only updated when servers are set.
Use this tool in order to:
Set RedTrust credentials for agent (local users or activation code).
Set Redtrust server adresses.
After tool execution, service RTService needs to be restarted in order to refresh configuration.
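The following PowerShell script is an added example and not part of the Signum documentation or the rtsetup tool itself. It shows the SERVER mode setup described above end to end: prompting for the LocalUsers account so the password is not hard-coded in a script or left in shell history, invoking rtsetup.exe with the switches exactly as printed in its usage text, and restarting RTService and checking that it came back up. It assumes the default install folder C:\Program Files\KeyFactor and that rtsetup.exe returns a non-zero exit code on failure, which this page does not document.

```powershell
# Added example, not Signum's own code: configure the Agent in SERVER mode with
# rtsetup.exe, then restart RTService as the usage text requires.
# Assumptions: default install folder C:\Program Files\KeyFactor, the switch
# names exactly as printed by rtsetup.exe, and a non-zero exit code on failure
# (the exit codes are not documented on this page).
$agentDir = 'C:\Program Files\KeyFactor'
$rtsetup  = Join-Path $agentDir 'rtsetup.exe'
if (-not (Test-Path $rtsetup)) { throw "rtsetup.exe not found at $rtsetup" }

# Prompt for the LocalUsers account interactively so the password is never
# written into this script or left in the PowerShell command history.
$cred  = Get-Credential -Message 'Signum LocalUsers account for this server'
$plain = $cred.GetNetworkCredential().Password

# rtsetup.exe only accepts the password as a command-line switch, so build the
# argument list in memory and splat it; the clear-text copy is cleared below.
$rtArgs = @(
    "-authMode=LocalUsers",
    "-username=$($cred.UserName)",
    "-password=$plain"
)
# Servers are optional if the .msi already set them; when set here the tool
# requires primary and secondary together (hostnames below are placeholders).
# $rtArgs += '-primaryServer=signum.example.com', '-secondaryServer=signum.example.com'

& $rtsetup @rtArgs
$exit   = $LASTEXITCODE
$plain  = $null
$rtArgs = $null
if ($exit -ne 0) { throw "rtsetup.exe exited with code $exit" }

# The new credentials are only read when RTService restarts.
Restart-Service -Name RTService -Force
$svc = Get-Service -Name RTService
if ($svc.Status -ne 'Running') { throw "RTService is $($svc.Status) after restart" }
Write-Host "RTService restarted; SERVER mode credentials set for $($cred.UserName)"
```

Run this from an elevated PowerShell session, since restarting RTService requires administrator rights. Because rtsetup.exe takes the password as a command-line argument, it is visible in the process's command line for the duration of the call; prompting with Get-Credential limits the exposure to that window instead of leaving the password in a script file.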
Editing Settings
Once the Agent has been installed many of the parameter settings can be changed by editing the registry at:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Evolium\Redtrust
After making changes, restart the system service running “RTService”. It may also be necessary to quit and relaunch the tray application: end the “RTTrayApp” process in Task Manager and then relaunch “RTTrayApp” from C:\Program Files\KeyFactor.
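As an added example (not Signum's own code), the PowerShell below performs the post-install settings change described in this section: it writes a value under HKEY_LOCAL_MACHINE\SOFTWARE\Evolium\Redtrust, records the old and new values, then restarts RTService and relaunches the tray application. It assumes the registry value names match the installation parameter names listed on this page, that the values are REG_DWORD (this page only states that for ONLY_KSP), and that the tray application binary is RTTrayApp.exe in the default install folder; the PIN_EXPIRATION value of 300 is a constructed sample.

```powershell
# Added example, not Signum's own code: change an Agent setting in the registry
# after installation and restart the service and tray application so the change
# takes effect. Assumptions: value names match the installation parameter names
# on this page, values are REG_DWORD (documented only for ONLY_KSP, assumed for
# the rest), and the tray binary is RTTrayApp.exe in the default install folder.
$regPath = 'HKLM:\SOFTWARE\Evolium\Redtrust'
$trayExe = 'C:\Program Files\KeyFactor\RTTrayApp.exe'

function Get-SignumSetting {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value does not exist yet.
    (Get-ItemProperty -Path $regPath -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-SignumSetting {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path $regPath)) {
        throw "$regPath not found; is the Signum Windows Agent installed?"
    }
    $old = Get-SignumSetting -Name $Name
    # -Force creates the value or overwrites an existing one in place.
    New-ItemProperty -Path $regPath -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    $shown = if ($null -eq $old) { '<unset>' } else { $old }
    Write-Host ("{0}: {1} -> {2}" -f $Name, $shown, $Value)
}

function Restart-SignumAgent {
    # RTService reads the registry when it starts; the tray app is relaunched
    # so it reflects the new configuration as well.
    Restart-Service -Name RTService -Force
    Get-Process -Name RTTrayApp -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path $trayExe) { Start-Process -FilePath $trayExe }
}

# Sample change (constructed value): require the PIN again after 300 seconds
# within a single cryptographic session instead of the installed default of 0.
Set-SignumSetting -Name 'PIN_EXPIRATION' -Value 300
Restart-SignumAgent
```

Writing under HKLM and restarting the service both need an elevated session. The old-value echo in Set-SignumSetting is there so the change is recorded in the console transcript of whoever made it; in USER mode, note that launching RTTrayApp from an elevated session starts it under the administrator's token rather than the signed-in user's, so on such machines it is cleaner to let the user relaunch the tray application themselves.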