Linux Agent
The Signum Linux Agent gives an authenticated user access to signing certificates stored on the Signum server and HSM, for use with signing tools that can use a PKCS11 token interface (Jarsigner, Cosign, OpenSSL, etc.). Currently the only Domain supported by the Linux Agent is LocalUsers. Future versions of this agent will support additional authentication methods.
Installation Requirements
The Signum Linux Agent is available as either a .deb or .rpm package.
Package dependencies are listed below.
Linux .NET installation instructions: https://docs.microsoft.com/en-us/dotnet/core/install/linux
RPM
Libcurl
dotnet-runtime-6.0
aspnetcore-runtime-6.0
sqlite-libs
libstdc++
openssl-libs
DEB
libcurl4
dotnet-runtime-6.0
aspnetcore-runtime-6.0
libssl3 or libssl1.1 - depends on the Linux distribution: Debian uses 1.1, Ubuntu uses version 3
libsqlite3-0
Configuration
After installing the package and required dependencies, make note of the items and default locations below.
By default, the Keyfactor service uses port 51599; this can be changed by editing the config file.
The README file can be found in /etc/keyfactor.
The Config file can be found at /etc/keyfactor/config.
The PKCS11 library is in /usr/lib/ and is named libkeyfactorpkcs11.so.
The KeyfactorService is executed as a root process by default.
After installation, enter “keyfactor-setup” in a terminal to bring up the Agent Parameters.
Logs are stored in the /tmp folder unless logtype is set to STDOUT.
Linux Agent Readme
demo@ubuntu:/etc/keyfactor$ cat README
Instructions to install the Keyfactor agent in Linux v3.53.1
Tested on:
- Ubuntu 22.04 LTS 64 bits
- Debian 11.3
- RHEL 9.0
Prerequisites:
Install the .NET runtime 6.0 following the steps from https://docs.microsoft.com/en-us/dotnet/core/install/linux.
Notes:
This agent uses a local Web API that is executed as background service. By default, the local service runs as a
root process and uses the default port 51599.
URL: https://localhost:51599
This configuration can be changed by editing the files /etc/keyfactor/config and /etc/systemd/system/KeyfactorService.service.
Service commands:
sudo systemctl stop KeyfactorService
sudo systemctl start KeyfactorService
sudo systemctl status KeyfactorService
sudo systemctl enable KeyfactorService
sudo journalctl -u KeyfactorService
Test the agent with the following command:
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -t
Install tool:
# sudo apt install opensc
or
# sudo yum install opensc
Linux Agent Service & Config
Example of the Signum Linux Agent config file, where the port, log type and log level can be configured. Note that logtype can also be set to STDOUT.
demo@ubuntu:/etc/keyfactor$ cat config
port=51599
loglevel=LOW
logtype=FILE
Example of the settings for the Keyfactor Service.
demo@ubuntu:/etc/systemd/system$ cat KeyfactorService.service
[Unit]
Description=Long running KeyfactorService service/daemon created by Keyfactor.
[Service]
# will set the Current Working Directory (CWD). KeyfactorService service will have issues without this setting.
WorkingDirectory=/usr/local/keyfactor/service
# systemd will run this executable to start the service.
ExecStart=/usr/local/keyfactor/service/KeyfactorService
# to query logs using journalctl, set a logical name here.
SyslogIdentifier=KeyfactorService
# Use your username to keep things simple.
# If you pick a different user, make sure dotnet and all permissions are set correctly to run the app.
# To update permissions, use 'chown yourusername -R /srv/Worker' to take ownership of the folder and files.
# Use 'chmod +x /srv/Worker/Worker' to allow execution of the executable file.
User=root
# Ensure the service restarts after crashing.
Restart=always
# Amount of time to wait before restarting the service.
RestartSec=5
# This environment variable is necessary when dotnet isn't loaded for the specified user.
# To figure out this value, run 'env | grep DOTNET_ROOT' when dotnet has been loaded into your shell.
#Environment=DOTNET_ROOT=/opt/rh/rh-dotnet31/root/usr/lib64/dotnet
[Install]
WantedBy=multi-user.target
Linux Agent Setup
Below are the command-line arguments accepted by “keyfactor-setup” to configure the Agent to communicate with the Signum server.
demo@ubuntu:/etc/keyfactor$ keyfactor-setup
Keyfactor Agent configuration tool.
Parameters:
hostname= Set agent server address
clientid= Set service ClientId
username= Set user username to connect
loglevel= [NONE|LOW|HIGH] Set log level (optional)
logtype= [FILE|STDOUT] (optional, default FILE)
Format to set new config:
#Keyfactor-setup hostname=[HOSTNAME] clientid=[CLIENT ID] username=[USERNAME]
Operations:
show : Shows stored info
help : Shows this message
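As an added example (not Keyfactor's own tooling), the POSIX sh script below validates /etc/keyfactor/config against the values keyfactor-setup accepts, then confirms the PKCS11 module and the systemd service are present before running the pkcs11-tool token test from the README. The key names, allowed values and default paths are the ones shown on this page; the script name, the port range check and the "check" subcommand are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Keyfactor's own tooling: preflight checks for the Signum
# Linux Agent before (re)starting KeyfactorService. Key names, allowed values
# and default paths are those shown in the config file and keyfactor-setup
# output on this page; the script name and the port range check are assumptions.

# Print the value of key $2 from config file $1 (empty if absent).
config_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '\r' | tail -n 1
}

# Validate one config file. Prints one problem per line; returns 1 on any problem.
check_config() {
    file="${1:-/etc/keyfactor/config}"
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    port=$(config_get "$file" port)
    case "$port" in
        ''|*[!0-9]*) echo "port: missing or non-numeric ('$port')"; rc=1 ;;
        *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
               echo "port: $port is outside 1-65535"; rc=1
           fi ;;
    esac

    loglevel=$(config_get "$file" loglevel)
    case "$loglevel" in
        NONE|LOW|HIGH) ;;
        *) echo "loglevel: '$loglevel' is not one of NONE|LOW|HIGH"; rc=1 ;;
    esac

    logtype=$(config_get "$file" logtype)
    case "$logtype" in
        FILE) echo "note: logtype=FILE writes agent logs under /tmp" ;;
        STDOUT) ;;
        *) echo "logtype: '$logtype' is not one of FILE|STDOUT"; rc=1 ;;
    esac

    return $rc
}

# Full preflight: config, PKCS#11 module present, service active, token test.
preflight() {
    module=/usr/lib/libkeyfactorpkcs11.so
    check_config "$1" || return 1
    [ -f "$module" ] || { echo "missing $module"; return 1; }
    systemctl is-active --quiet KeyfactorService || { echo "KeyfactorService is not active"; return 1; }
    pkcs11-tool --module "$module" -t
}

# Usage: sh agent-preflight.sh check [config-path]
case "${1:-}" in
    check) preflight "${2:-/etc/keyfactor/config}" ;;
esac
```

Run it as "sh agent-preflight.sh check" after editing the config and before "sudo systemctl restart KeyfactorService"; a non-zero exit means the config would not match what keyfactor-setup accepts, or the module or service is missing. The note about /tmp is printed because the page states that FILE logging lands there, which is a world-readable location worth knowing about when the log level is HIGH.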
Login Example
Note that the password parameter can be provided via the flag or passed through STDIN. A password given on the command line is recorded in shell history and visible to other users in the process list, so prefer STDIN on shared hosts.
Demo@Ubuntu:~$ keyfactor-setup hostname=url.com clientid=12345 loglevel=LOW username=test@domain
password:
*********************************
Logout Example
bendew@benUbuntu:~$ keyfactor-setup logout
Logout ini.
No session was closed for the provided user and clientId
Successfully logged out from server.
Successfully removed stored credentials.
Linux Agent Test
One way to verify that the Linux Agent is connected is to use pkcs11-tool to query for the certificate objects available to the user. This test returns objects only if the Agent user has a policy configured that allows the use of one or more certificates.
demo@Ubuntu:~$ pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O
Certificate Object; type = X.509 cert
label: CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Certificate
subject: DN: CN=Test 2
ID: cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
Public Key Object; RSA 2048 bits
label: CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Public key
ID: cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
Usage: encrypt, verify, wrap
Access: none
Private Key Object; RSA
label: CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Private key
ID: cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
Usage: decrypt, sign, unwrap
Access: sensitive, extractable
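To turn the listing above into a scriptable check, here is an added example (not Keyfactor's code) that parses pkcs11-tool -O output with awk: it groups the objects by key ID, reports which of certificate, public key and private key are present, and flags any ID whose private key object is missing or whose reported Access attributes lack "sensitive" or include "extractable". The object header and attribute line formats are those of OpenSC's pkcs11-tool as shown on this page; the attribute words are what pkcs11-tool prints for the PKCS#11 CKA_SENSITIVE and CKA_EXTRACTABLE flags; the "demo" and "live" subcommands and the review rules are this example's own choices.

```shell
#!/bin/sh
# Added example, not Keyfactor's own tooling: parse `pkcs11-tool -O` output
# so the agent test on this page can be scripted. Line formats follow OpenSC's
# pkcs11-tool as shown on the page; the review rules are this example's choice.

# Reads a pkcs11-tool -O listing on stdin and prints one line per key ID:
#   <id> cert=yes|no pub=yes|no priv=yes|no priv_access=<attrs,comma,separated>
summarize_objects() {
    awk '
        /^Certificate Object/ { kind = "cert"; next }
        /^Public Key Object/  { kind = "pub";  next }
        /^Private Key Object/ { kind = "priv"; next }
        /^[ \t]*ID:/ { id = $2; seen[id] = 1; have[id, kind] = 1; next }
        /^[ \t]*Access:/ && kind == "priv" {
            # keep only the attribute list, without spaces
            sub(/^[ \t]*Access:[ \t]*/, ""); gsub(/ /, ""); access[id] = $0; next
        }
        END {
            for (i in seen)
                printf "%s cert=%s pub=%s priv=%s priv_access=%s\n", i,
                    ((i, "cert") in have) ? "yes" : "no",
                    ((i, "pub")  in have) ? "yes" : "no",
                    ((i, "priv") in have) ? "yes" : "no",
                    access[i]
        }
    ' | sort
}

# Prints one finding per key ID that needs review; exits 1 if anything was flagged.
review_private_keys() {
    summarize_objects | awk '
        {
            id = $1
            split($4, priv, "="); split($5, acc, "=")
            if (priv[2] != "yes") { print id ": no private key object, signing will fail"; flagged = 1; next }
            sens = 0; ext = 0
            n = split(acc[2], attr, ",")
            for (k = 1; k <= n; k++) {
                if (attr[k] == "sensitive")   sens = 1
                if (attr[k] == "extractable") ext = 1
            }
            if (!sens) { print id ": private key not reported as sensitive"; flagged = 1 }
            if (ext)   { print id ": private key reported as extractable"; flagged = 1 }
        }
        END { exit flagged ? 1 : 0 }
    '
}

# Sample listing copied from the example output on this page (not live output).
SAMPLE='Certificate Object; type = X.509 cert
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Certificate
  subject:    DN: CN=Test 2
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
Public Key Object; RSA 2048 bits
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Public key
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Private key
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, extractable'

# Usage: sh agent-objects.sh demo   (parse the page sample)
#        sh agent-objects.sh live   (query the installed module)
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE" | review_private_keys ;;
    live) pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O | review_private_keys ;;
esac
```

On the page's sample the review prints one finding, because the private key is reported as "sensitive, extractable". With a network-backed module such as this agent's, those attributes are whatever the module presents for a key that actually lives on the Signum HSM, so treat the finding as a prompt to confirm the key's export policy on the server side rather than as proof that the key can leave the HSM.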