Setting up a Secure Factory CLI workstation
To set up a Secure Factory CLI workstation, you must:
You initialize a hardware token and pair the token to a workstation at the Secure Factory Workstation Initializer station using the Secure Factory Workstation Initializer CLI tool (
The initialization and pairing process:
- Sets up the token with the signing keys that the Secure Factory Service uses to register the workstation.
- Sends a workstation registration request to Secure Factory Service with the workstation-token pairing information and keys to enable Secure Factory Service to identify the workstation and authenticate communication with the workstation using the paired token.
Configuring the workstation enables a user with the paired hardware token to perform operations from the workstation.
Before you set up a Secure Factory CLI workstation, you must:
- Install Secure Factory CLI and Secure Factory Workstation Initializer.
- Install Yubico YubiKey Manager on the Secure Factory Workstation Initializer machine.
- Obtain YubiKey 5 Series hardware tokens.
Initializing and pairing a hardware token to a workstation
To initialize and pair a hardware token to a workstation:
Insert the YubiKey into the USB port of the initialization station.
Use the Workstation Initializer CLI tool to initialize your hardware token and register the workstation:
init_workstation --prepare-hw-token --pin <your-pin-code> --register-workstation --host-url=https://your-secure-factory:8443 --workstation-name "MyWsName" --workstation-description "My Workstation"
This command sets the unique workstation name, workstation description, and the hardware token PIN code.
This is an example of the output for a successful request:
YubiKey initialized and ready Workstation registered successfully Please contact Pelion Secure Factory Service administrator. Registration request info: Workstation Name: MyWsName Workstation Description: My Workstation Certificate: -----BEGIN CERTIFICATE----- MIICzDCCAbSgAwIBAgIUa7DBvKTMmYn/xwne1kHKfA5xTQ8wDQYJKoZIhvcNAQEL BQAwIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAxMjE3NDgiMB4XDTE5MTAwMzEx MjE1MVoXDTIwMTAwMjExMjE1MVowIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAx MjE3NDgiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnAN7M7apTw5 4hTxRJObrl1lue0NtJ6HQpnfzW5N2q/9meHNMWPo6rQ0A72GwRz90FzrHAjvI7SW 0yoQ+NVopRc2Hx3l0Zw0WzpDtl3vOKIZZnUrGSWwY0om8whrReseVxg9R//kjHqv ylvBrh1N+TmUHSJeTGkrZIXfghKCRRsL8kldcZ+6MD9qCfA1haTncAuwcoubRyvs +IHtq0EKzQio9hol4Ys1H0RNLihRmdCWBBHEnMBo4UCDVYPZtzp3D6GcPXxwTgf6 x2zE7YxCQGUqgpzuAvHi3+2PIZsI+ECNskj6v2Dsv4HB2DnKdGodEzWCwOhO/BSZ 7kJtXl41rQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAU51y4mFmcjKJGZrD4KfYi 7MCs1drLV/Tbjj39HgC61Mzj/Wo/qGRM/GYkwM6DpNVDOF3xCXBb51FUfUBoX7+6 gowqqsPWkgcGGGAfwE4adMlJDHFOjDcH3NREmpog3qAk5qmhoUTkkjuDbGg+WDYh MtXtlXk0jItVWC/xLkwiFdIQRgiV+LM/ULI7uZOHNs8CWgffglPRCahZTu1jQG8I Wd1G/1Y4P8hSGOl3jUJvtHxBXWnfJ05yIXHAgbFLAmsu/s0znOvYccUkgRuNtz7+ PdFNs4/JPSGOMEVzQIMlVUqbQwi2plldLLXsdMvmNvEakF3Lf2UCAg+CpMAS22CU -----END CERTIFICATE----- You also need to update the Secure Factory Client configuration as follows: Connect your YubiKey Update 'factory_tool.ini' file with values of: GENERAL/FACTORY_WORKSTATION_ID and PKCS11/PIN
Note: You can also use separate commands to initialize a hardware token and register a workstation. For more information about how to use the Workstation Initializer CLI tool, see Workstation Initializer CLI tool usage options and Workstation Initializer CLI tool usage examples.
Secure Factory Workstation Initializer generates a key and certificate on the YubiKey, and sends a registration request to the Secure Factory Service with the workstation name, workstation description and the YubiKey certificate.
Make sure to note:
- Which YubiKey belongs to which workstation.
- The PIN code for the YubiKey.
You'll need this information when you configure the Secure Factory CLI workstation.
Contact the Secure Factory Service administrator and request approval for your registration request.
Workstation Initializer CLI tool usage options
The Workstation Initializer CLI tool enables you to prepare hardware tokens and register workstations as separate or combined operations.
Use this structure for all CLI commands:
||Force reset hardware token and prepare it for workstation registration.|
||Register workstation and pair it to a key.|
||Set the PIN for the hardware token and workstation. The PIN must consist of six to eight numbers. An existing PIN is deleted when you reset a hardware token.|
||Unique name of the workstation you are registering.
When you try to register a workstation for which there is already a registration request:
||Description of the workstation you are registering.|
||Path to the YubiKey Manager
||Validity period, in days, for the generated hardware token certificate.
Warning: When the hardware token certificate expires, you will no longer be able to use the hardware token and paired workstation. Choose a validity period that is greater than the expected lifetime of the hardware token.
||URL to Secure Factory Service host.|
||Add verbosity to log.|
||Show the version and exit.|
||Show help and exit.|
Workstation Initializer CLI tool usage examples
Preparing your YubiKey:
init_workstation --prepare-hw-token --pin <your PIN code>
Registering a workstation:
init_workstation --register-workstation --pin <your PIN code> --host-url=https://your-secure-factory:8443 --workstation-name ws-1 --workstation-description "Workstation 1"
init_workstation --prepare-hw-token --pin <your PIN code> --register-workstation --host-url=https://your-secure-factory:8443 --workstation-name "MyWsName" --workstation-description "My Workstation"
Configuring a Secure Factory CLI workstation
To configure a workstation:
At the workstation, open the
factory_tool.iniworkstation configuration file.
PINto the hardware token PIN code that you defined during workstation registration.
PKCS11_LIBparameter is automatically set during the Secure Factory CLI installation process.
FACTORY_WORKSTATION_IDto the name of your Secure Factory CLI workstation that you defined during workstation registration.
ALLOWED_HOSTSto a comma-separated list of URLs to your Secure Factory Service hosts.
For each of the URLs you set in
Copy the server CA certificate (
ca.crt) from the
<installation path>/keystore/directory of the server to the workstation. You can find the path to the
ca.crtfile by running
./sfn statuson one of the Secure Factory Service nodes.
[<host-url>]line to create a new section in the
factory_tool.inifile for host-specific configurations.
FT_SERVER_CERTIFICATE_FILEparameter to the path to your server CA certificate.
Workstation configuration file example
[PKCS11] PIN = <your PIN code> PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll [GENERAL] FACTORY_WORKSTATION_ID = <name of your Secure Factory CLI workstation> ALLOWED_HOSTS=https://10.10.10.221:8443,https://10.10.10.222:8443 [https://10.10.10.221:8443] FT_SERVER_CERTIFICATE_FILE = <path to your server cert>\ca1.crt [https://10.10.10.222:8443] FT_SERVER_CERTIFICATE_FILE = <path to your server cert>\ca2.crt
Note: If both hosts share the same certificate file, you can list the
FT_SERVER_CERTIFICATE_FILEparameter once in the
[GENERAL]section of the configuration file.
After the Secure Factory Service administrator approves the workstation registration request, you can verify the secure connection to the service using the CLI