Setting up a Secure Factory CLI workstation
To set up a Secure Factory CLI workstation, you must:
- Initialize and pair a hardware token to a workstation.
  You initialize a hardware token and pair the token to a workstation at the Secure Factory Workstation Initializer station using the Secure Factory Workstation Initializer CLI tool (init_workstation.exe). The initialization and pairing process:
  - Sets up the token with the signing keys that the Secure Factory Service uses to register the workstation.
  - Sends a workstation registration request to Secure Factory Service with the workstation-token pairing information and keys, so that Secure Factory Service can identify the workstation and authenticate communication with it using the paired token.
- Configure the Secure Factory CLI workstation.
  Configuring the workstation enables a user with the paired hardware token to perform operations from the workstation.
Requirements
Before you set up a Secure Factory CLI workstation, you must:
- Install Secure Factory CLI and Secure Factory Workstation Initializer.
- Install Yubico YubiKey Manager on the Secure Factory Workstation Initializer machine.
- Obtain YubiKey 5 Series hardware tokens.
Initializing and pairing a hardware token to a workstation
To initialize and pair a hardware token to a workstation:
- Insert the YubiKey into the USB port of the initialization station.
- Use the Workstation Initializer CLI tool to initialize your hardware token and register the workstation:
  ```
  init_workstation --prepare-hw-token --pin <your-pin-code> --register-workstation --host-url=https://your-secure-factory:8443 --workstation-name "MyWsName" --workstation-description "My Workstation"
  ```
  This command sets the unique workstation name, workstation description, and the hardware token PIN code.
  This is an example of the output for a successful request:
  ```
  YubiKey initialized and ready
  Workstation registered successfully
  Please contact Pelion Secure Factory Service administrator.
  Registration request info:
  Workstation Name: MyWsName
  Workstation Description: My Workstation
  Certificate:
  -----BEGIN CERTIFICATE-----
  MIICzDCCAbSgAwIBAgIUa7DBvKTMmYn/xwne1kHKfA5xTQ8wDQYJKoZIhvcNAQEL
  BQAwIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAxMjE3NDgiMB4XDTE5MTAwMzEx
  MjE1MVoXDTIwMTAwMjExMjE1MVowIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAx
  MjE3NDgiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnAN7M7apTw5
  4hTxRJObrl1lue0NtJ6HQpnfzW5N2q/9meHNMWPo6rQ0A72GwRz90FzrHAjvI7SW
  0yoQ+NVopRc2Hx3l0Zw0WzpDtl3vOKIZZnUrGSWwY0om8whrReseVxg9R//kjHqv
  ylvBrh1N+TmUHSJeTGkrZIXfghKCRRsL8kldcZ+6MD9qCfA1haTncAuwcoubRyvs
  +IHtq0EKzQio9hol4Ys1H0RNLihRmdCWBBHEnMBo4UCDVYPZtzp3D6GcPXxwTgf6
  x2zE7YxCQGUqgpzuAvHi3+2PIZsI+ECNskj6v2Dsv4HB2DnKdGodEzWCwOhO/BSZ
  7kJtXl41rQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAU51y4mFmcjKJGZrD4KfYi
  7MCs1drLV/Tbjj39HgC61Mzj/Wo/qGRM/GYkwM6DpNVDOF3xCXBb51FUfUBoX7+6
  gowqqsPWkgcGGGAfwE4adMlJDHFOjDcH3NREmpog3qAk5qmhoUTkkjuDbGg+WDYh
  MtXtlXk0jItVWC/xLkwiFdIQRgiV+LM/ULI7uZOHNs8CWgffglPRCahZTu1jQG8I
  Wd1G/1Y4P8hSGOl3jUJvtHxBXWnfJ05yIXHAgbFLAmsu/s0znOvYccUkgRuNtz7+
  PdFNs4/JPSGOMEVzQIMlVUqbQwi2plldLLXsdMvmNvEakF3Lf2UCAg+CpMAS22CU
  -----END CERTIFICATE-----
  You also need to update the Secure Factory Client configuration as follows:
  Connect your YubiKey
  Update 'factory_tool.ini' file with values of:
  GENERAL/FACTORY_WORKSTATION_ID and PKCS11/PIN
  ```
  Note: You can also use separate commands to initialize a hardware token and register a workstation. For more information about how to use the Workstation Initializer CLI tool, see Workstation Initializer CLI tool usage options and Workstation Initializer CLI tool usage examples.
  Secure Factory Workstation Initializer generates a key and certificate on the YubiKey, and sends a registration request to the Secure Factory Service with the workstation name, workstation description and the YubiKey certificate.
- Make sure to note:
  - Which YubiKey belongs to which workstation.
  - The PIN code for the YubiKey.
  You'll need this information when you configure the Secure Factory CLI workstation.
- Contact the Secure Factory Service administrator and request approval for your registration request.
Workstation Initializer CLI tool usage options
The Workstation Initializer CLI tool enables you to prepare hardware tokens and register workstations as separate or combined operations.
Use this structure for all CLI commands:
init_workstation [options]
Option | Description
---|---
--prepare-hw-token | Force reset the hardware token and prepare it for workstation registration.
--register-workstation | Register the workstation and pair it to a key.
--pin <text> | Set the PIN for the hardware token and workstation. The PIN must consist of six to eight digits. An existing PIN is deleted when you reset a hardware token.
--workstation-name <name> | Unique name of the workstation you are registering. If a registration request already exists for that workstation name: in PENDING status, the new request overrides the previous request; in APPROVED or REVOKED status, the new request is rejected.
--workstation-description <description> | Description of the workstation you are registering.
--ykman <path> | Path to the YubiKey Manager ykman.exe installation.
--cert-validity-days <number of days> | Validity period, in days, for the generated hardware token certificate. Warning: When the hardware token certificate expires, you can no longer use the hardware token or the paired workstation. Choose a validity period that is greater than the expected lifetime of the hardware token.
--host-url <text> | URL of the Secure Factory Service host.
-v, --verbose | Add verbosity to the log.
--version | Show the version and exit.
--help | Show help and exit.
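The --cert-validity-days warning above matters operationally: once the token certificate expires, the token and its paired workstation stop working, so the expiry date is worth recording when the registration output is printed. The following Python script is an added example, not part of the Secure Factory tooling; it extracts the notBefore/notAfter validity dates from a PEM certificate with a minimal DER walk over the standard library only. The embedded certificate is the one printed in the example registration output in this document; the function names are this example's own.

```python
"""Read the validity period of a workstation token certificate (added example, stdlib only)."""
import base64
from datetime import datetime, timezone

# Workstation certificate as printed by init_workstation in the registration output above.
WORKSTATION_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICzDCCAbSgAwIBAgIUa7DBvKTMmYn/xwne1kHKfA5xTQ8wDQYJKoZIhvcNAQEL
BQAwIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAxMjE3NDgiMB4XDTE5MTAwMzEx
MjE1MVoXDTIwMTAwMjExMjE1MVowIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAx
MjE3NDgiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnAN7M7apTw5
4hTxRJObrl1lue0NtJ6HQpnfzW5N2q/9meHNMWPo6rQ0A72GwRz90FzrHAjvI7SW
0yoQ+NVopRc2Hx3l0Zw0WzpDtl3vOKIZZnUrGSWwY0om8whrReseVxg9R//kjHqv
ylvBrh1N+TmUHSJeTGkrZIXfghKCRRsL8kldcZ+6MD9qCfA1haTncAuwcoubRyvs
+IHtq0EKzQio9hol4Ys1H0RNLihRmdCWBBHEnMBo4UCDVYPZtzp3D6GcPXxwTgf6
x2zE7YxCQGUqgpzuAvHi3+2PIZsI+ECNskj6v2Dsv4HB2DnKdGodEzWCwOhO/BSZ
7kJtXl41rQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAU51y4mFmcjKJGZrD4KfYi
7MCs1drLV/Tbjj39HgC61Mzj/Wo/qGRM/GYkwM6DpNVDOF3xCXBb51FUfUBoX7+6
gowqqsPWkgcGGGAfwE4adMlJDHFOjDcH3NREmpog3qAk5qmhoUTkkjuDbGg+WDYh
MtXtlXk0jItVWC/xLkwiFdIQRgiV+LM/ULI7uZOHNs8CWgffglPRCahZTu1jQG8I
Wd1G/1Y4P8hSGOl3jUJvtHxBXWnfJ05yIXHAgbFLAmsu/s0znOvYccUkgRuNtz7+
PdFNs4/JPSGOMEVzQIMlVUqbQwi2plldLLXsdMvmNvEakF3Lf2UCAg+CpMAS22CU
-----END CERTIFICATE-----"""


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def _read_time(buf, pos):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) into an aware UTC datetime."""
    tag, start, end = _read_tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                        # UTCTime: YYMMDDHHMMSSZ, RFC 5280 pivot year 50
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    elif tag != 0x18:                      # 0x18 is GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end


def certificate_validity(pem):
    """Return (not_before, not_after) for a PEM certificate."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    _, pos, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _read_tlv(der, pos)
    tag, pos, _ = _read_tlv(der, pos)      # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity sequence not found")
    not_before, pos = _read_time(der, pos)
    not_after, _ = _read_time(der, pos)
    return not_before, not_after


def days_until_expiry(pem, now=None):
    """Whole days left before the token certificate, and with it the paired workstation, stops working."""
    now = now or datetime.now(timezone.utc)
    return (certificate_validity(pem)[1] - now).days


if __name__ == "__main__":
    nb, na = certificate_validity(WORKSTATION_CERT_PEM)
    print(f"valid from {nb:%Y-%m-%d} to {na:%Y-%m-%d} ({(na - nb).days} days)")
    print(f"{days_until_expiry(WORKSTATION_CERT_PEM)} days until expiry")
```

Paste the certificate block from your own registration output into WORKSTATION_CERT_PEM (or read it from a file) and keep the reported expiry date with the YubiKey-to-workstation mapping you note in the next step; the example certificate on this page was issued with a one-year validity.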
Workstation Initializer CLI tool usage examples
Help:
init_workstation --help
Preparing your YubiKey:
init_workstation --prepare-hw-token --pin <your PIN code>
Registering a workstation:
init_workstation --register-workstation --pin <your PIN code> --host-url=https://your-secure-factory:8443 --workstation-name ws-1 --workstation-description "Workstation 1"
Combined:
init_workstation --prepare-hw-token --pin <your PIN code> --register-workstation --host-url=https://your-secure-factory:8443 --workstation-name "MyWsName" --workstation-description "My Workstation"
Configuring a Secure Factory CLI workstation
To configure a workstation:
- At the workstation, open the factory_tool.ini workstation configuration file.
- Set PIN to the hardware token PIN code that you defined during workstation registration.
  Note: The PKCS11_LIB parameter is automatically set during the Secure Factory CLI installation process.
- Set FACTORY_WORKSTATION_ID to the name of your Secure Factory CLI workstation that you defined during workstation registration.
- Set ALLOWED_HOSTS to a comma-separated list of URLs to your Secure Factory Service hosts.
- For each of the URLs you set in ALLOWED_HOSTS:
  - Copy the server CA certificate (ca.crt) from the <installation path>/keystore/ directory of the server to the workstation. You can find the path to the ca.crt file by running ./sfn status on one of the Secure Factory Service nodes.
  - Add a [<host-url>] line to create a new section in the factory_tool.ini file for host-specific configurations. For example:
    ```
    [https://10.10.10.221:8443]
    ```
  - Set a FT_SERVER_CERTIFICATE_FILE parameter to the path to your server CA certificate.
  Workstation configuration file example:
  ```
  [PKCS11]
  PIN = <your PIN code>
  PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
  [GENERAL]
  FACTORY_WORKSTATION_ID = <name of your Secure Factory CLI workstation>
  ALLOWED_HOSTS=https://10.10.10.221:8443,https://10.10.10.222:8443
  [https://10.10.10.221:8443]
  FT_SERVER_CERTIFICATE_FILE = <path to your server cert>\ca1.crt
  [https://10.10.10.222:8443]
  FT_SERVER_CERTIFICATE_FILE = <path to your server cert>\ca2.crt
  ```
  Note: If both hosts share the same certificate file, you can list the FT_SERVER_CERTIFICATE_FILE parameter once in the [GENERAL] section of the configuration file.
- After the Secure Factory Service administrator approves the workstation registration request, you can verify the secure connection to the service using the CLI status command.
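A workstation whose factory_tool.ini is incomplete fails only when the CLI first talks to a host, so it is useful to check the file against the rules in this section before that. The following Python script is an added example, not part of the Secure Factory CLI: it parses the ini file with the standard library and reports a PIN that is not six to eight digits, a workstation ID left at its placeholder, non-https entries in ALLOWED_HOSTS, and hosts that have no FT_SERVER_CERTIFICATE_FILE either in their own section or under [GENERAL] (the shared-certificate case from the note above). The three sample configurations are constructed for this example; the function name is this example's own.

```python
"""Sanity-check a factory_tool.ini before first use (added example, not Secure Factory code)."""
import configparser
from urllib.parse import urlparse

# Constructed sample: a complete workstation configuration as described in this section.
GOOD_CONFIG = r"""
[PKCS11]
PIN = 123456
PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
[GENERAL]
FACTORY_WORKSTATION_ID = MyWsName
ALLOWED_HOSTS=https://10.10.10.221:8443,https://10.10.10.222:8443
[https://10.10.10.221:8443]
FT_SERVER_CERTIFICATE_FILE = C:\certs\ca1.crt
[https://10.10.10.222:8443]
FT_SERVER_CERTIFICATE_FILE = C:\certs\ca2.crt
"""

# Constructed sample: both hosts share one CA certificate, listed once under [GENERAL].
SHARED_CERT_CONFIG = r"""
[PKCS11]
PIN = 12345678
PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
[GENERAL]
FACTORY_WORKSTATION_ID = MyWsName
ALLOWED_HOSTS=https://10.10.10.221:8443,https://10.10.10.222:8443
FT_SERVER_CERTIFICATE_FILE = C:\certs\ca.crt
"""

# Constructed sample containing the mistakes the checks below are meant to catch.
BAD_CONFIG = r"""
[PKCS11]
PIN = 1234
PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
[GENERAL]
FACTORY_WORKSTATION_ID = <name of your Secure Factory CLI workstation>
ALLOWED_HOSTS=https://10.10.10.221:8443,http://10.10.10.222:8443
[https://10.10.10.221:8443]
FT_SERVER_CERTIFICATE_FILE = C:\certs\ca1.crt
"""


def check_workstation_config(text):
    """Return a list of problems found in the configuration text (empty when it looks complete)."""
    cfg = configparser.ConfigParser(interpolation=None)   # plain values, no '%' interpolation
    cfg.read_string(text)
    problems = []

    pin = cfg.get("PKCS11", "PIN", fallback="")
    if not (pin.isdigit() and 6 <= len(pin) <= 8):        # PIN rule from the Initializer options table
        problems.append("PKCS11/PIN must be six to eight digits")
    if not cfg.get("PKCS11", "PKCS11_LIB", fallback=""):
        problems.append("PKCS11/PKCS11_LIB is not set")

    ws_id = cfg.get("GENERAL", "FACTORY_WORKSTATION_ID", fallback="")
    if not ws_id or ws_id.startswith("<"):                 # still the template placeholder
        problems.append("GENERAL/FACTORY_WORKSTATION_ID is not set")

    hosts = [h.strip() for h in cfg.get("GENERAL", "ALLOWED_HOSTS", fallback="").split(",") if h.strip()]
    if not hosts:
        problems.append("GENERAL/ALLOWED_HOSTS is empty")
    shared_cert = cfg.get("GENERAL", "FT_SERVER_CERTIFICATE_FILE", fallback="")
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{host}: ALLOWED_HOSTS entries must be https:// URLs")
        # A per-host section wins; otherwise the shared [GENERAL] certificate applies.
        cert = cfg.get(host, "FT_SERVER_CERTIFICATE_FILE", fallback="") or shared_cert
        if not cert:
            problems.append(f"{host}: no FT_SERVER_CERTIFICATE_FILE in [{host}] or [GENERAL]")
    return problems


if __name__ == "__main__":
    for name, text in [("good", GOOD_CONFIG), ("shared", SHARED_CERT_CONFIG), ("bad", BAD_CONFIG)]:
        print(name, check_workstation_config(text) or "OK")
```

The check deliberately does not open the certificate files, so it runs anywhere; to extend it, test that each FT_SERVER_CERTIFICATE_FILE path exists on the workstation and that the file begins with -----BEGIN CERTIFICATE-----.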