
Linux Agent

The Signum Linux Agent provides an authenticated user access to signing certificates from the Signum Server and a connected HSM for use with signing tools that support PKCS11. Currently the only supported Domain with the Linux Agent is LocalUsers. Future versions of this agent will support additional authentication methods.

Installation Requirements & Dependencies

The Signum Linux Agent is available either as a .deb package or as an .rpm package for RHEL 8 and 9.

Installation instructions for the .NET Runtime from Microsoft: https://docs.microsoft.com/en-us/dotnet/core/install/linux

Dependencies

Debian

CODE
sudo apt update && sudo apt upgrade
CODE
sudo apt-get install libcurl4 dotnet-runtime-6.0 aspnetcore-runtime-6.0 libssl3 libsqlite3-0 opensc -y

RHEL

CODE
sudo dnf update && sudo dnf upgrade
CODE
sudo dnf -y install libcurl dotnet-runtime-6.0 aspnetcore-runtime-6.0 sqlite-libs libstdc++ openssl-libs opensc

Agent Installation

Debian

Modify the file name to match the agent .deb being installed.

CODE
sudo dpkg -i keyfactor-agent_3.80.2-643d46090637d7b135224869274ca633f651b928_ssl3-Trust_amd64.deb

Checking the Agent version.

CODE
dpkg --list keyfactor-agent
CODE
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version      Architecture Description
+++-===============-============-============-=================================
ii  keyfactor-agent 3.80.2       amd64        Keyfactor Agent

RHEL

Modify the file name to match the agent .rpm being installed.

CODE
sudo rpm -i keyfactor-agent-3.80.2-643d46090637d7b135224869274ca633f651b928-Trust.x86_64_rhel9.rpm

Checking the Agent version.

CODE
rpm -qa keyfactor-agent
CODE
keyfactor-agent-3.80.2-643d46090637d7b135224869274ca633f651b928-Trust.x86_64_rhel9

After installing, you can verify that the Agent Daemon is running.

CODE
systemctl status KeyfactorService.service
CODE
● KeyfactorService.service - Long running KeyfactorService service/daemon created by Keyfactor.
     Loaded: loaded (/etc/systemd/system/KeyfactorService.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-01-30 16:22:33 UTC; 20min ago
   Main PID: 5472 (KeyfactorServic)
      Tasks: 15 (limit: 4668)
     Memory: 40.9M
        CPU: 960ms
     CGroup: /system.slice/KeyfactorService.service
             └─5472 /usr/local/keyfactor/service/KeyfactorService

Agent Configuration & Authentication

With the Agent installed, use the keyfactor-setup tool to configure the Agent Daemon with the connection information and the credentials used to authenticate a user.

CODE
keyfactor-setup 
CODE
Keyfactor Agent configuration tool.

Parameters:
   hostname= Set agent server address
   clientid= Set service ClientId
   username= Set user username to connect
   loglevel= [NONE|LOW|HIGH] Set log level (optional)
   

Format to set new config:
   #Keyfactor-setup  hostname=[HOSTNAME] clientid=[CLIENT ID] username=[USERNAME]

Operations:
   show : Shows storaged info
   help : Shows this message

Authenticating

To authenticate the Agent you will need the Signum Server URL and ClientID which can be found in the Signum Links and Dashboard pages respectively at https://portal.az.keyfactorsaas.com/ . Enter your username in the format of username@domain. For example, if your username is testuser and your Local User Domain Alias is testdomain you would enter “testuser@testdomain”.

CODE
keyfactor-setup hostname=signum.demodoc.us.s.az.keyfactorsaas.com clientid="2qiBoMy5mt2bAZqHfGdOd/G4bY2hBKc0Oq0Llj+ME1U=" username="testuser@testdomain" 

Enter the user's credentials when prompted. The credentials can also be passed in with a “password” argument. Remember to clear shell histories of sensitive credentials.

CODE
password:
*****************

If the authenticated user has access to a certificate in Signum via a policy, you can list the certificate objects using pkcs11-tool.

CODE
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
CODE
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      74495288CACC9CF4A15D269AB9C0C3DDABEDB3B0 - Certificate
  subject:    DN: CN=Demo
  ID:         74495288cacc9cf4a15d269ab9c0c3ddabedb3b0

Logging Out

Calling keyfactor-setup logout will remove the user's stored credentials.

CODE
keyfactor-setup logout
CODE
Successfully logged out from server.
Successfully removed stored credentials.

Additional Information

By default, the Agent Daemon uses port 51599; this can be changed by editing the config file stored at

CODE
/etc/keyfactor/config

The Agent PKCS11 module, which is needed when configuring the different signing tools, can be found at

CODE
/usr/lib/libkeyfactorpkcs11.so

Logs are stored in /tmp/.

CODE
ls -la /tmp/*[Kk]eyfactor*
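The verification steps on this page combined into one post-install check, added here as an example and not part of Keyfactor's agent tooling. It takes the service name, config path, module path and port from the page; it assumes the daemon's port 51599 is a local TCP listener and that pkcs11-tool output has the shape shown above.

```shell
#!/bin/sh
# Post-install health check for the Signum Linux Agent (added example, not
# Keyfactor's tooling). The port check assumes a local TCP listener.

MODULE=/usr/lib/libkeyfactorpkcs11.so
CONFIG=/etc/keyfactor/config
SERVICE=KeyfactorService.service
PORT=51599

# Reduce pkcs11-tool's "label: / subject: / ID:" groups (read on stdin) to one
# tab-separated "ID label subject" line per certificate object.
parse_cert_objects() {
    awk '
        /^Certificate Object;/  { if (id != "") print id "\t" label "\t" subject; id = ""; label = ""; subject = "" }
        /^[[:space:]]+label:/   { sub(/^[[:space:]]+label:[[:space:]]+/, "");   label = $0 }
        /^[[:space:]]+subject:/ { sub(/^[[:space:]]+subject:[[:space:]]+/, ""); subject = $0 }
        /^[[:space:]]+ID:/      { sub(/^[[:space:]]+ID:[[:space:]]+/, "");      id = $0 }
        END                     { if (id != "") print id "\t" label "\t" subject }
    '
}

# Number of certificate objects in a listing read on stdin.
count_cert_objects() {
    parse_cert_objects | wc -l | tr -d ' '
}

# Live checks against the installed agent (only run when KF_LIVE=1).
run_live_checks() {
    [ -r "$CONFIG" ]                       || { echo "missing config $CONFIG"; return 1; }
    [ -r "$MODULE" ]                       || { echo "missing PKCS11 module $MODULE"; return 1; }
    systemctl is-active --quiet "$SERVICE" || { echo "$SERVICE is not active"; return 1; }
    ss -ltn | grep -q ":$PORT "            || { echo "nothing listening on TCP $PORT"; return 1; }
    pkcs11-tool --module "$MODULE" --list-objects --type cert | parse_cert_objects
}

# Constructed sample, shaped like the pkcs11-tool output shown on this page.
SAMPLE='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      74495288CACC9CF4A15D269AB9C0C3DDABEDB3B0 - Certificate
  subject:    DN: CN=Demo
  ID:         74495288cacc9cf4a15d269ab9c0c3ddabedb3b0'

if [ "${KF_LIVE:-0}" = 1 ]; then
    run_live_checks
else
    printf '%s\n' "$SAMPLE" | parse_cert_objects
fi
```

Run with KF_LIVE=1 on the agent host to execute the live checks; without it the script only exercises the parser against the embedded sample.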