Windows Agent

The Signum Windows Agent gives an authenticated user access to signing certificates from the Signum Server and a connected HSM, for use with signing tools that work with Microsoft's Key Storage Provider (KSP) API and also the older Cryptographic Service Provider (CSP) API. Examples include SignTool, Jarsigner, NuGet signer, and VSIX signer.

Prerequisites

  • Microsoft Windows 11 (64-bit)

  • Windows Server 2019 and later (64-bit)

  • Outbound access to port 443 on the Signum server instance.

    • A firewall rule permitting this outbound connection (if applicable).

  • Microsoft Visual C++ 14.29.30133 (the installer will prompt for and download this automatically unless configured for a silent/quiet install)

  • .NET Framework 4.8

  • Administrator privileges during install

Agent Modes

The Windows Agent can be installed in one of two modes: an interactive mode with a user interface, called User Mode, and a CLI configuration, called Server Mode. The mode must be chosen at install time by setting either AGENTMODE="USER" or AGENTMODE="SERVER", as described in the installation notes below.

For instructions on using different third-party signing tools with the Windows Agent, see Signing Guides.

Installation

To install the Windows Agent, run a .bat file that invokes the Signum Agent .msi installer (by path, or from the same directory) with the initial configuration parameters. Each parameter has the following form:

configuration_parameter_key="some_value"

for example AuthMode="LocalUsers".

The following is an example .bat file that installs a particular version of the Signum Windows Agent .msi in USER mode with an interactive UI configured to use a SAML provider for authentication:

rem Each trailing ^ continues the msiexec command on the next line.
rem The last parameter line has no ^, so echo runs as a separate command
rem and reports the installer's exit code.
msiexec /i kf-agent-x64-4.30.1-456b2f45-MS-WO_Trust.msi ^
RTPRIMARY="Deployment URL" RTSECONDARY="Deployment URL" ^
CLIENTID="The ClientID from the SaaS Portal" ^
AuthMode="SAML2" AGENTMODE="USER" DefaultDomain="somedomain.com" ^
Language="en-US"
echo Exit Code is %errorlevel%

Installation Parameters

The following parameters are available during installation:

To use PKCS#11, the Windows Agent must be version 4.30.1 or higher. See Supported Versions.

Parameter: RTPRIMARY
Default: None
Required: Yes
Description: The primary Signum Server URL, without https://.
Example: RTPRIMARY="192.168.0.28"

Parameter: RTSECONDARY
Default: None
Required: Yes
Description: Copy the value used for the RTPRIMARY argument. This feature supports a legacy backup-server model and will be removed as a required argument in future versions of the agent.
Example: RTSECONDARY="192.168.0.28"

Parameter: CLIENTID
Default: None
Required: Yes
Description: Unique value for the Signum instance. This can be obtained from Keyfactor during deployment.

Parameter: AuthMode
Default: None
Required: Yes
Description: The Agent Authentication Mode specifies what type of domain users authenticate from.
The authentication mode options are:
If AGENTMODE="SERVER", the valid options at installation time are Local Users and Certificate authentication mode. The Certificate mode requires additional setup. See Authenticate With Certificate.

Parameter: AGENTMODE
Default: USER
Required: No
Description: Run the Agent in User Interface mode (with a GUI) or in Server mode with no user interface. Valid options are:
  • USER
  • SERVER

Parameter: DefaultDomain
Default: None
Required: No for LocalUsers; Yes for SAML and OAuth
Description: For users connecting from SAML or OAuth domains, set this parameter to the name of the domain.

Parameter: Language
Default: None
Required: No
Description: Specify the Agent language. Available options are:
  • en-US (English)
  • en-ES (Spanish)

Parameter: ONLY_KSP
Default: 0
Required: No
Description: Optional setting to use only Microsoft's KSP instead of both the KSP and CSP. This can be useful if you want the highest Agent performance and are not using older applications. This parameter can only be changed at install time.

Parameter: REQUEST_LOGIN_AT_STARTUP
Default: 0
Required: No
Description: When set to 1, the agent automatically opens the login UI or IdP web page on reboot. By default, users need to click "login" in the Tray Icon.

Additional Parameters

Parameter: HIDE_TRAYICON
Default: 0
Required: Yes
Description:
  0 - Tray Icon is visible
  1 - Tray Icon is not visible

Parameter: DISABLE_NOTIFICATIONS
Default: 0
Required: Yes
Description:
  0 - Notifications are shown
  1 - No notifications are shown (if HIDE_TRAYICON is set to 1, this parameter is also set to 1)

Parameter: Timeout seconds
Default: 31
Required: No
Description: Seconds of timeout after which the Agent considers the server unavailable.

Parameter: START_DELAYED
Default: Not stated
Required: No
Description: Specifies the start mode of the installed service. If set to delayed start, the Agent will attempt to be the last process to start on boot.
  0 - Automatic start
  1 - Delayed start

Parameter: PIN_EXPIRATION
Default: Not stated
Required: No
Description: Number of seconds before the user must re-enter a PIN. This only applies to a single cryptographic session.

Parameter: NO_REDIST
Default: Not stated
Required: No
Description:
  0 - Installs the C++ redistributables
  1 - Does not install the C++ redistributables

Parameter: WEBPROXY_URI
Default: None
Required: No
Description: Optionally configures a proxy, given as a URL. The proxy must be transparent, with no authentication.
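The following is an added PowerShell example, not a Keyfactor script, that performs a quiet Server-mode install with LocalUsers authentication, checks the outbound port 443 prerequisite first, and interprets the msiexec exit code. The server host, ClientID and MSI file name are placeholders; ONLY_KSP=1 is assumed to mean "KSP only" (the page documents 0 as the default, so 1 is the inferred enabled value).

```powershell
# Added example (not Keyfactor's own script). Run from an elevated PowerShell.
$Server   = "signum.example.internal"            # placeholder: Signum server host, no https://
$ClientId = "<ClientID from the SaaS Portal>"    # placeholder
$Msi      = "C:\Install\kf-agent-x64-<version>.msi"   # placeholder file name
$Log      = Join-Path $env:TEMP "signum-agent-install.log"

# Prerequisite from the page: outbound TCP 443 to the Signum server must be reachable.
$probe = Test-NetConnection -ComputerName $Server -Port 443 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${Server}:443 - check the outbound firewall rule before installing."
}

# /qn makes the install quiet, so the installer cannot prompt for the VC++ 14.29.30133
# prerequisite; make sure it is satisfied first. /L*v writes a verbose MSI log.
# AGENTMODE and ONLY_KSP cannot be changed after install, so decide them here.
$msiArgs = @(
    "/i", "`"$Msi`"", "/qn", "/L*v", "`"$Log`"",
    "RTPRIMARY=`"$Server`"", "RTSECONDARY=`"$Server`"",   # RTSECONDARY repeats RTPRIMARY
    "CLIENTID=`"$ClientId`"",
    "AuthMode=`"LocalUsers`"", "AGENTMODE=`"SERVER`"",     # server mode: local accounts only
    "ONLY_KSP=`"1`"",                                      # assumption: 1 = KSP only, no CSP
    "HIDE_TRAYICON=`"1`"",                                 # no interactive user on a build host
    "Language=`"en-US`""
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Standard Windows Installer exit codes: 0 = success, 3010 = success but reboot required.
switch ($proc.ExitCode) {
    0       { Write-Host "Signum Windows Agent installed. Log: $Log" }
    3010    { Write-Warning "Installed; a reboot is required to complete setup." }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $Log" }
}
```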

Optional Registry Settings

These properties cannot be passed at installation but can be set directly in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Evolium\Redtrust. By default, the agent can dynamically change these to avoid conflicts with other running processes.

Parameter: TCP_PORT
Default: 51598
Required: No
Description: The CSP module and RTTrayApp use this port to communicate with the local service. If the default port is unavailable, another one can be configured. Only set this if a specific port is needed; otherwise it is assigned automatically.

Parameter: KSP_WEBAPI_PORT
Default: 51600
Required: No
Description: The KSP module uses this port to communicate with the local service. If the default port is unavailable, another one can be configured. Only set this if a specific port is needed; otherwise it is assigned automatically.

Edit the Settings

Once the Agent is installed, many of the parameter settings can be changed by editing the registry at:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Evolium\Redtrust

After making changes, restart the system service that runs "RTService". It may also be necessary to quit and relaunch the Tray Application: end the "RTTrayApp" process in Task Manager, then relaunch "RTTrayApp" from C:\Program Files\KeyFactor.

Settings for the KSP and the choice between USER and SERVER mode must be set at installation time and cannot be updated to new values later.
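The registry edit and restart sequence above, as an added PowerShell example that is not part of the Keyfactor documentation. It pins the two local ports to explicit values after checking that nothing else is already listening on them, then restarts the service and the tray app. Assumptions: the service name is "RTService", the port values are stored as REG_DWORD, and the tray app is C:\Program Files\KeyFactor\RTTrayApp.exe; the port numbers 52000 and 52001 are constructed examples.

```powershell
#Requires -RunAsAdministrator
# Added example (not Keyfactor's own script).
$RegPath = "HKLM:\SOFTWARE\Evolium\Redtrust"
# Constructed example ports; the page defaults are TCP_PORT=51598 and KSP_WEBAPI_PORT=51600.
$Ports   = @{ TCP_PORT = 52000; KSP_WEBAPI_PORT = 52001 }

# Only set a fixed port if it is genuinely free; otherwise leave automatic assignment alone.
function Test-PortFree([int]$Port) {
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    return ($null -eq $listener)
}

if (-not (Test-Path $RegPath)) {
    throw "Registry key $RegPath not found; is the Signum Windows Agent installed?"
}
foreach ($name in $Ports.Keys) {
    if (-not (Test-PortFree $Ports[$name])) {
        throw "$name=$($Ports[$name]) is already in use on this host; pick another port."
    }
}

# Record the previous values so the change can be rolled back if the agent fails to start.
$before = Get-ItemProperty -Path $RegPath
foreach ($name in $Ports.Keys) {
    Write-Host ("{0}: {1} -> {2}" -f $name, $before.$name, $Ports[$name])
    Set-ItemProperty -Path $RegPath -Name $name -Value $Ports[$name] -Type DWord   # assumption: DWORD
}

# Apply: restart the service (assumed name RTService), then relaunch the tray app.
Restart-Service -Name "RTService" -Force
Get-Process -Name "RTTrayApp" -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process -FilePath "C:\Program Files\KeyFactor\RTTrayApp.exe"   # assumed executable path

# Verify the service came back up listening on the new ports.
Start-Sleep -Seconds 5
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $Ports.Values -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```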