Linux Agent
The Signum Linux Agent gives an authenticated user access to signing certificates held on the Signum Server and its connected HSM, exposed to signing tools through a PKCS11 module. LocalUsers is currently the only Domain the Linux Agent supports; future versions of the agent will add further authentication methods.
Installation Requirements & Dependencies
The Signum Linux Agent is available as a .deb package and as .rpm packages for RHEL 8 and RHEL 9. Standalone variants of each package are also provided; these bundle the dotnet runtime for use on OS versions that do not ship the required runtime.
Installation instructions for the .NET Runtime from Microsoft: https://docs.microsoft.com/en-us/dotnet/core/install/linux
Dependencies
Debian
sudo apt update && sudo apt upgrade
Dotnet 6.0 - Agents before 4.10.0
sudo apt install sudo dotnet-runtime-6.0 aspnetcore-runtime-6.0 libssl3 libsqlite3-0 opensc -y
Dotnet 8.0 - Agents 4.10.0 and later
sudo apt install libcurl4 dotnet-runtime-8.0 aspnetcore-runtime-8.0 libssl3 libsqlite3-0 opensc -y
RHEL
sudo dnf upgrade
(dnf update is an alias for dnf upgrade, so a single upgrade is enough.)
Dotnet 6.0 - Agents before 3.80.4
sudo dnf -y install libcurl dotnet-runtime-6.0 aspnetcore-runtime-6.0 sqlite-libs libstdc++ openssl-libs opensc
Dotnet 8.0 - Agents after 3.80.4
sudo dnf -y install libcurl dotnet-runtime-8.0 aspnetcore-runtime-8.0 sqlite-libs libstdc++ openssl-libs opensc
Agent Installation
Debian
Modify to match the agent .deb being installed.
sudo apt install ./keyfactor-agent_4.10.0-c2914fc366a725b7d55ce349c17862897fa28270_ssl3-Trust_amd64.deb
Checking the Agent version.
dpkg --list keyfactor-agent
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version      Architecture Description
+++-===============-============-============-=================================
ii  keyfactor-agent 4.10.0       amd64        Keyfactor Agent
RHEL
Modify to match the agent .rpm file being installed (dnf needs the path to the .rpm file). Use the standalone Agent package if dotnet 8 is not yet available in the AppStream repository for your RHEL release.
sudo dnf install ./keyfactor-agent-4.10.0-c2914fc366a725b7d55ce349c17862897fa28270.x86_64.rpm
Checking the Agent version.
rpm -qa keyfactor-agent
keyfactor-agent-4.10.0-c2914fc366a725b7d55ce349c17862897fa28270.x86_64
After installing you can verify the Agent Daemon is running.
systemctl status KeyfactorService.service
● KeyfactorService.service - Long running KeyfactorService service/daemon created by Keyfactor.
     Loaded: loaded (/etc/systemd/system/KeyfactorService.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-01-30 16:22:33 UTC; 20min ago
   Main PID: 5472 (KeyfactorServic)
      Tasks: 15 (limit: 4668)
     Memory: 40.9M
        CPU: 960ms
     CGroup: /system.slice/KeyfactorService.service
             └─5472 /usr/local/keyfactor/service/KeyfactorService
Agent Configuration & Authentication
With the Agent installed, use the keyfactor-setup tool to give the Agent Daemon its connection details and the credentials of the user it should authenticate as.
keyfactor-setup
Keyfactor Agent configuration tool.
Parameters:
hostname= Set agent server address
clientid= Set service ClientId
username= Set user username to connect
loglevel= [NONE|LOW|HIGH] Set log level (optional)
https_proxy= Set an HTTPS proxy for the agent to use when reaching Signum. This overrides the system proxy configuration (usually /etc/systemd/system.conf); if it is not specified, is blank, or the Signum instance cannot be reached through it, the agent falls back to the system configuration.
Format to set new config:
keyfactor-setup hostname=[HOSTNAME] clientid=[CLIENT ID] username=[USERNAME] https_proxy=[PROXY URL]
Operations:
show : Shows stored info.
help : Shows this message.
test : Tests the connection to the configured instance.
logout : Closes the session for the current user and deletes stored credentials.
Authenticating
To authenticate the Agent you need the Signum Server URL and the ClientID, which are shown on the Signum Links page and the Dashboard page respectively at https://portal.az.keyfactorsaas.com/. Enter the username in the form username@domain: for a user testuser in the Local User domain whose alias is testdomain, enter "testuser@testdomain".
keyfactor-setup hostname=a_signum_url clientid="2qiBoMy5mt2bAZqHfGdOd/G4bY2hBKc0Oq0Llj+ME1U=" username="testuser@testdomain"
Enter the user's password when prompted. The password can also be passed as a "password" argument, but anything placed on the command line is written to the shell history and is visible to other local users through the process list for as long as the command runs, so prefer the interactive prompt; if you do pass it, clear the shell history afterwards.
password:
*****************
A connection status message will be returned.
Instance [the_signum_url] successfuly reached.
New configuration saved successfully, some changes to system settings might require restarting KeyfactorService.
Please run [systemctl restart KeyfactorService] or equivalent with appropiate permissions.
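The configuration steps above, wrapped into a script. This is an added example and not Keyfactor's code: it validates the user@domain form, lets keyfactor-setup prompt for the password instead of putting it in a password= argument, restarts the daemon and checks the result of keyfactor-setup test. It also shows why the command-line password is not just a shell-history problem. The keyfactor-setup parameters and the "successfully reached" message are taken from this page; every function name and the stand-in process are this example's own.

```shell
#!/bin/sh
# Added example, not Keyfactor's code: wrapper around the keyfactor-setup
# procedure. Parameter names and messages follow this page; helper names are
# this example's own.
set -eu

# Signum LocalUsers principals look like testuser@testdomain: exactly one "@",
# something on both sides, no whitespace.
validate_principal() {
  case "$1" in
    ""|@*|*@|*@*@*|*[[:space:]]*) return 1 ;;
    *@*) return 0 ;;
    *) return 1 ;;
  esac
}

# Why password= on the command line is worse than a history entry: the argv of
# a running process is readable by every local user (/proc/PID/cmdline on
# Linux, "ps" elsewhere). This runs a harmless stand-in process with a fake
# secret in its argv and prints what any bystander would see.
argv_exposure_demo() {
  sh -c 'if [ -r /proc/$$/cmdline ]; then tr "\0" " " < /proc/$$/cmdline; else ps -o args= -p $$; fi; echo' \
    keyfactor-setup-standin password=hunter2
}

# keyfactor-setup test prints "Instance [<url>] successfully reached." on
# success (this page shows it spelled "successfuly"; match either spelling).
agent_reachable() {
  case "$1" in
    "Instance ["*"] successful"*"reached."*) return 0 ;;
    *) return 1 ;;
  esac
}

# The page's procedure end to end. No password= argument: keyfactor-setup
# prompts on the terminal, so the secret never enters argv or the history file.
configure_agent() {
  hostname=$1; clientid=$2; principal=$3
  if ! validate_principal "$principal"; then
    echo "username must be in the form user@domain, got: $principal" >&2
    return 2
  fi
  keyfactor-setup hostname="$hostname" clientid="$clientid" username="$principal"
  sudo systemctl restart KeyfactorService
  out=$(keyfactor-setup test 2>&1) || true
  if ! agent_reachable "$out"; then
    printf 'agent cannot reach Signum:\n%s\n' "$out" >&2
    return 1
  fi
  echo "agent configured for $principal"
}

# Usage, run interactively on the host (hostname placeholder as on this page):
#   configure_agent a_signum_url "2qiBoMy5mt2bAZqHfGdOd/G4bY2hBKc0Oq0Llj+ME1U=" testuser@testdomain
# To see the argv exposure for yourself:
#   argv_exposure_demo
```

Running argv_exposure_demo prints the stand-in's full command line, password=hunter2 included, exactly as ps or /proc would show it to any other account on the host while keyfactor-setup is running.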
If a Signum policy grants the authenticated user access to a certificate, you can list the key objects through the Agent's PKCS11 module with pkcs11-tool (part of the opensc package installed above).
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      74495288CACC9CF4A15D269AB9C0C3DDABEDB3B0 - Certificate
  subject:    DN: CN=Demo
  ID:         74495288cacc9cf4a15d269ab9c0c3ddabedb3b0
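Signing tools need the object ID of the key to use, and picking it by hand from the listing does not scale when a policy exposes several certificates. The script below is an added example, not Keyfactor's code: it selects a certificate from pkcs11-tool's listing by subject CN, turns the ID into an RFC 7512 PKCS#11 URI for tools that accept one, and builds a pkcs11-tool signing command against the Agent module. The listing is constructed for the example (the first object is the one shown above, the second is made up), and SHA256-RSA-PKCS is this example's assumption for an RSA key; which mechanisms the Keyfactor module offers is not stated on this page.

```shell
#!/bin/sh
# Added example, not Keyfactor's code. Parses "pkcs11-tool --list-objects
# --type cert" output and builds a signing command for the chosen certificate.
set -eu

MODULE=/usr/lib/libkeyfactorpkcs11.so

# Constructed listing: first object as shown on this page, second made up.
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      74495288CACC9CF4A15D269AB9C0C3DDABEDB3B0 - Certificate
  subject:    DN: CN=Demo
  ID:         74495288cacc9cf4a15d269ab9c0c3ddabedb3b0
Certificate Object; type = X.509 cert
  label:      0A1B2C3D4E5F60718293A4B5C6D7E8F901234567 - Certificate
  subject:    DN: CN=Release Signing, O=Example Corp
  ID:         0a1b2c3d4e5f60718293a4b5c6d7e8f901234567'

# Print the object ID of the certificate whose subject CN equals $2, reading
# the listing text in $1. Exit 1 if nothing matches. The CN is parsed out of
# the DN and compared whole, so "Demo" does not also select "Demo2".
cert_id_for_cn() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^Certificate Object/ { cn = ""; id = "" }
    /^[ \t]*subject:/ {
      s = $0; sub(/.*DN: */, "", s)
      n = split(s, rdn, /, */)
      for (i = 1; i <= n; i++) if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)
    }
    /^[ \t]*ID:/ {
      id = $2
      if (cn == want && id != "") { print id; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# RFC 7512 URI for an object ID: every byte percent-encoded, private key type.
pkcs11_uri_for_id() {
  printf 'pkcs11:id=%s;type=private' "$(printf '%s' "$1" | sed 's/../%&/g')"
}

# pkcs11-tool command that signs file $2 into $3 with the private key paired
# to certificate ID $1. --login is omitted because the listing on this page
# needed none; add it if the module asks for a PIN.
sign_cmd_for_id() {
  printf 'pkcs11-tool --module %s --sign --mechanism SHA256-RSA-PKCS --id %s --input-file %s --output-file %s' \
    "$MODULE" "$1" "$2" "$3"
}

# Worked run against the constructed listing. On a real host replace
# SAMPLE_LISTING with:  pkcs11-tool --module "$MODULE" --list-objects --type cert
id=$(cert_id_for_cn "$SAMPLE_LISTING" Demo)
echo "certificate id : $id"
echo "pkcs11 uri     : $(pkcs11_uri_for_id "$id")"
echo "sign with      : $(sign_cmd_for_id "$id" release.bin release.bin.sig)"
```

The printed command is only echoed, not executed, so you can inspect it before running it against the HSM-backed key; a CN that appears in no certificate makes cert_id_for_cn fail rather than fall through to the first object.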
Logging Out
Running keyfactor-setup logout closes the session and removes the stored credentials.
keyfactor-setup logout
Successfully logged out from server.
Successfully removed stored credentials.
Additional Information
The Agent connection can be tested with keyfactor-setup test:
Instance [a_signum_url] successfuly reached.
By default the Agent Daemon uses port 51599. This can be changed by editing the config file stored at
/etc/keyfactor/config
The Agent PKCS11 module, which signing tools are configured to load, can be found at
/usr/lib/libkeyfactorpkcs11.so
Logs are stored in /tmp/. Because /tmp is shared by every local user, check the permissions on these files before assuming their contents are private:
ls -la /tmp/*[Kk]eyfactor*