The Signum Linux Agent provides an authenticated user access to signing certificates stored on the Signum server and HSM for use with signing tools that can utilize a PKCS11 token interface (Jarsigner, Cosign, OpenSSL, etc.). Currently the only supported Domain with the Linux Agent is LocalUsers. Future versions of this agent will support additional authentication methods.
The Signum Linux Agent is available as either a .deb or .rpm package.
Package dependencies are below.
Linux .NET installation instructions: https://docs.microsoft.com/en-us/dotnet/core/install/linux
libssl3 or libssl1.1 - depends on the Linux distro: Debian uses 1.1, Ubuntu uses version 3.
After installing the package and required dependencies make note of the items and default locations below.
By default, the Keyfactor service uses port 51599; this can be changed by editing the config file.
The README file can be found in /etc/keyfactor.
The Config file can be found at /etc/keyfactor/config.
The pkcs11 lib is in /usr/lib/ and named libkeyfactorpkcs11.so.
The KeyfactorService is executed as a root process by default.
After installation, enter “keyfactor-setup” in terminal to bring up the Agent Parameters.
Logs are stored in the /tmp folder unless set to stdout.
Linux Agent Readme
demo@ubuntu:/etc/keyfactor$ cat README
Instructions to install the Keyfactor agent in Linux v3.53.1
Tested on:
- Ubuntu 22.04 LTS 64 bits
- Debian 11.3
- RHEL 9.0
Prerequisites:
Install the .NET runtime 6.0 following the steps from https://docs.microsoft.com/en-us/dotnet/core/install/linux.
Notes:
This agent uses a local Web API that is executed as background service.
By default, the local service runs as a root process and uses the default port 51599.
URL: https://localhost:51599
This configuration can be changed by editing the files /etc/keyfactor/config and /etc/systemd/system/KeyfactorService.service.
Service commands:
sudo systemctl stop KeyfactorService
sudo systemctl start KeyfactorService
sudo systemctl status KeyfactorService
sudo systemctl enable KeyfactorService
sudo journalctl -u KeyfactorService
Test the agent with the following command:
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -t
Install tool:
# sudo apt install opensc
or
# sudo yum install opensc
Linux Agent Service & Config
Example of the Signum Linux Agent Config file where the port, log type and level settings can be configured. Note that the logtype can also be set to STDOUT.
demo@ubuntu:/etc/keyfactor$ cat config
port=51599
loglevel=LOW
logtype=FILE
Example of the settings for the Keyfactor Service.
demo@ubuntu:/etc/systemd/system$ cat KeyfactorService.service
[Unit]
Description=Long running KeyfactorService service/daemon created by Keyfactor.
[Service]
# will set the Current Working Directory (CWD). KeyfactorService service will have issues without this setting.
WorkingDirectory=/usr/local/keyfactor/service
# systemd will run this executable to start the service.
ExecStart=/usr/local/keyfactor/service/KeyfactorService
# to query logs using journalctl, set a logical name here.
SyslogIdentifier=KeyfactorService
# Use your username to keep things simple.
# If you pick a different user, make sure dotnet and all permissions are set correctly to run the app.
# To update permissions, use 'chown yourusername -R /srv/Worker' to take ownership of the folder and files.
# Use 'chmod +x /srv/Worker/Worker' to allow execution of the executable file.
User=root
# Ensure the service restarts after crashing.
Restart=always
# Amount of time to wait before restarting the service.
RestartSec=5
# This environment variable is necessary when dotnet isn't loaded for the specified user.
# To figure out this value, run 'env | grep DOTNET_ROOT' when dotnet has been loaded into your shell.
#Environment=DOTNET_ROOT=/opt/rh/rh-dotnet31/root/usr/lib64/dotnet
[Install]
WantedBy=multi-user.target
Linux Agent Setup
Below are the command line arguments to pass to “keyfactor-setup” to configure the Agent to communicate with the Signum server.
demo@ubuntu:/etc/keyfactor$ keyfactor-setup
Keyfactor Agent configuration tool.
Parameters:
hostname= Set agent server address
clientid= Set service ClientId
username= Set user username to connect
loglevel= [NONE|LOW|HIGH] Set log level (optional)
logtype= [FILE|STDOUT] (optional, default FILE)
Format to set new config:
#Keyfactor-setup hostname=[HOSTNAME] clientid=[CLIENT ID] username=[USERNAME]
Operations:
show : Shows stored info
help : Shows this message
Note that the password can be supplied either as a parameter or through STDIN at the password prompt.
Demo@Ubuntu:~$ keyfactor-setup hostname=url.com clientid=12345 loglevel=LOW username=test@domain
password: *********************************
bendew@benUbuntu:~$ keyfactor-setup logout
Logout ini.
No session was closed for the provided user and clientId
Successfully logged out from server.
Successfully removed stored credentials.
Linux Agent Test
One way to verify that the Linux Agent is connected is to use pkcs11-tool to query for the certificate objects available to the user. For this test to return any objects, the Agent user needs a policy configured that allows the use of one or more certificates.
demo@Ubuntu:~$ pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O
Certificate Object; type = X.509 cert
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Certificate
  subject:    DN: CN=Test 2
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
Public Key Object; RSA 2048 bits
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Public key
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Private key
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, extractable
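As an added example (not part of the page or of the Keyfactor agent), the following Python parses a `pkcs11-tool -O` listing like the one above and reports, per certificate ID, whether the agent also exposes a sign-capable private key (what jarsigner, cosign or OpenSSL need) and whether that key is marked extractable. The sample listing is constructed from the page's output; parse_objects and signing_identities are names chosen here.

```python
"""Parse `pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O` output and
check that each certificate is paired with a sign-capable private key."""
import re

# Constructed sample: the listing from the page, with pkcs11-tool's usual indentation.
SAMPLE_OUTPUT = """\
Certificate Object; type = X.509 cert
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Certificate
  subject:    DN: CN=Test 2
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
Public Key Object; RSA 2048 bits
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Public key
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      CC5B8075AFE198D8BD2EA2577FC99B33A8F34C90 - Private key
  ID:         cc5b8075afe198d8bd2ea2577fc99b33a8f34c90
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, extractable
"""

def parse_objects(text):
    """Return one dict per object: its class, type and lower-cased attributes."""
    objects = []
    for line in text.splitlines():
        header = re.match(r"^(\S.*?) Object;\s*(.*)$", line)  # unindented object header
        if header:
            objects.append({"class": header.group(1), "type": header.group(2).strip()})
        elif objects and ":" in line:  # indented "key: value" attribute of current object
            key, value = line.strip().split(":", 1)
            objects[-1][key.strip().lower()] = value.strip()
    return objects

def signing_identities(text):
    """Map each certificate's ID to whether a matching private key can sign."""
    by_id = {}
    for obj in parse_objects(text):
        by_id.setdefault(obj.get("id"), {})[obj["class"]] = obj
    result = {}
    for obj_id, group in by_id.items():
        if "Certificate" not in group:
            continue  # orphan keys are not usable identities for a signing tool
        key = group.get("Private Key", {})
        usage = {u.strip() for u in key.get("usage", "").split(",")}
        access = {a.strip() for a in key.get("access", "").split(",")}
        result[obj_id] = {"subject": group["Certificate"].get("subject", ""),
                          "can_sign": "sign" in usage, "extractable": "extractable" in access}
    return result
```

Calling signing_identities(SAMPLE_OUTPUT) on the page's listing yields one identity, CN=Test 2, that can sign; running it over real output lets you confirm the policy exposes exactly the identities you expect.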