
Setting up a Secure Factory CLI workstation

To set up a Secure Factory CLI workstation, you must:

  1. Initialize and pair a hardware token to a workstation.

    You initialize a hardware token and pair the token to a workstation at the Secure Factory Workstation Initializer station using the Secure Factory Workstation Initializer CLI tool (init_workstation.exe).

    The initialization and pairing process:

    • Sets up the token with the signing keys that the Secure Factory Service uses to register the workstation.
    • Sends a workstation registration request to the Secure Factory Service with the workstation-token pairing information and keys, so that the service can identify the workstation and authenticate its communication using the paired token.
  2. Configure the Secure Factory CLI workstation.

    Configuring the workstation enables a user with the paired hardware token to perform operations from the workstation.

Requirements

Before you set up a Secure Factory CLI workstation, you must:

Initializing and pairing a hardware token to a workstation

To initialize and pair a hardware token to a workstation:

  1. Insert the YubiKey into the USB port of the initialization station.

  2. Use the Workstation Initializer CLI tool to initialize your hardware token and register the workstation:

    init_workstation --prepare-hw-token --pin <your-pin-code> --register-workstation --host-url=https://your-secure-factory:8443 --workstation-name "MyWsName" --workstation-description "My Workstation"
    

    This command sets the unique workstation name, workstation description, and the hardware token PIN code.

    This is an example of the output for a successful request:

    YubiKey initialized and ready
    Workstation registered successfully
    
    Please contact Pelion Secure Factory Service administrator.
    Registration request info:
        Workstation Name: MyWsName
        Workstation Description:
                    My Workstation
        Certificate:
                    -----BEGIN CERTIFICATE-----
                    MIICzDCCAbSgAwIBAgIUa7DBvKTMmYn/xwne1kHKfA5xTQ8wDQYJKoZIhvcNAQEL
                    BQAwIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAxMjE3NDgiMB4XDTE5MTAwMzEx
                    MjE1MVoXDTIwMTAwMjExMjE1MVowIDEeMBwGA1UEAwwVIkZhY3RvcnktWUstMTAx
                    MjE3NDgiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnAN7M7apTw5
                    4hTxRJObrl1lue0NtJ6HQpnfzW5N2q/9meHNMWPo6rQ0A72GwRz90FzrHAjvI7SW
                    0yoQ+NVopRc2Hx3l0Zw0WzpDtl3vOKIZZnUrGSWwY0om8whrReseVxg9R//kjHqv
                    ylvBrh1N+TmUHSJeTGkrZIXfghKCRRsL8kldcZ+6MD9qCfA1haTncAuwcoubRyvs
                    +IHtq0EKzQio9hol4Ys1H0RNLihRmdCWBBHEnMBo4UCDVYPZtzp3D6GcPXxwTgf6
                    x2zE7YxCQGUqgpzuAvHi3+2PIZsI+ECNskj6v2Dsv4HB2DnKdGodEzWCwOhO/BSZ
                    7kJtXl41rQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAU51y4mFmcjKJGZrD4KfYi
                    7MCs1drLV/Tbjj39HgC61Mzj/Wo/qGRM/GYkwM6DpNVDOF3xCXBb51FUfUBoX7+6
                    gowqqsPWkgcGGGAfwE4adMlJDHFOjDcH3NREmpog3qAk5qmhoUTkkjuDbGg+WDYh
                    MtXtlXk0jItVWC/xLkwiFdIQRgiV+LM/ULI7uZOHNs8CWgffglPRCahZTu1jQG8I
                    Wd1G/1Y4P8hSGOl3jUJvtHxBXWnfJ05yIXHAgbFLAmsu/s0znOvYccUkgRuNtz7+
                    PdFNs4/JPSGOMEVzQIMlVUqbQwi2plldLLXsdMvmNvEakF3Lf2UCAg+CpMAS22CU
                    -----END CERTIFICATE-----
    
    You also need to update the Secure Factory Client configuration as follows:
        Connect your YubiKey
        Update 'factory_tool.ini' file with values of:
            GENERAL/FACTORY_WORKSTATION_ID and PKCS11/PIN
    

    Note: You can also use separate commands to initialize a hardware token and register a workstation. For more information about how to use the Workstation Initializer CLI tool, see Workstation Initializer CLI tool usage options and Workstation Initializer CLI tool usage examples.

    Secure Factory Workstation Initializer generates a key and certificate on the YubiKey, and sends a registration request to the Secure Factory Service with the workstation name, workstation description and the YubiKey certificate.

  3. Make sure to note:

    • Which YubiKey belongs to which workstation.
    • The PIN code for the YubiKey.

    You'll need this information when you configure the Secure Factory CLI workstation.

  4. Contact the Secure Factory Service administrator and request approval for your registration request.

Workstation Initializer CLI tool usage options

The Workstation Initializer CLI tool enables you to prepare hardware tokens and register workstations as separate or combined operations.

Use this structure for all CLI commands:

init_workstation [options]
Options:

--prepare-hw-token
    Force-resets the hardware token and prepares it for workstation registration.

--register-workstation
    Registers the workstation and pairs it to a key.

--pin <text>
    Sets the PIN for the hardware token and workstation. The PIN must consist of six to eight digits. An existing PIN is deleted when you reset a hardware token.

--workstation-name <name>
    Unique name of the workstation you are registering.

    When you try to register a workstation for which there is already a registration request:

    • If the previous request is in PENDING status, the new request overrides the previous request.
    • If the previous request is in APPROVED or REVOKED status, the new request is rejected.

--workstation-description <description>
    Description of the workstation you are registering.

--ykman <path>
    Path to the YubiKey Manager ykman.exe installation.

--cert-validity-days <number of days>
    Validity period, in days, for the generated hardware token certificate.

    Warning: When the hardware token certificate expires, you will no longer be able to use the hardware token and the paired workstation. Choose a validity period that is greater than the expected lifetime of the hardware token.

--host-url <text>
    URL of the Secure Factory Service host.

-v, --verbose
    Adds verbosity to the log.

--version
    Shows the version and exits.

--help
    Shows help and exits.

Workstation Initializer CLI tool usage examples

Help:

init_workstation --help

Preparing your YubiKey:

init_workstation --prepare-hw-token --pin <your PIN code>

Registering a workstation:

init_workstation --register-workstation --pin <your PIN code> --host-url=https://your-secure-factory:8443 --workstation-name ws-1 --workstation-description "Workstation 1"

Combined:

init_workstation --prepare-hw-token --pin <your PIN code> --register-workstation --host-url=https://your-secure-factory:8443 --workstation-name "MyWsName" --workstation-description "My Workstation"

Configuring a Secure Factory CLI workstation

To configure a workstation:

  1. At the workstation, open the factory_tool.ini workstation configuration file.

  2. Set PIN to the hardware token PIN code that you defined during workstation registration.

    Note: The PKCS11_LIB parameter is set automatically during the Secure Factory CLI installation process.

  3. Set FACTORY_WORKSTATION_ID to the name of your Secure Factory CLI workstation that you defined during workstation registration.

  4. Set ALLOWED_HOSTS to a comma-separated list of URLs of your Secure Factory Service hosts.

  5. For each of the URLs you set in ALLOWED_HOSTS:

    1. Copy the server CA certificate (ca.crt) from the <installation path>/keystore/ directory of the server to the workstation. You can find the path to the ca.crt file by running ./sfn status on one of the Secure Factory Service nodes.

    2. Add a [<host-url>] line to create a new section in the factory_tool.ini file for host-specific configuration.

      For example:

      [https://10.10.10.221:8443]

    3. Set the FT_SERVER_CERTIFICATE_FILE parameter to the path of your server CA certificate.

    Workstation configuration file example:

        [PKCS11]
        PIN = <your PIN code>
        PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

        [GENERAL]
        FACTORY_WORKSTATION_ID = <name of your Secure Factory CLI workstation>
        ALLOWED_HOSTS=https://10.10.10.221:8443,https://10.10.10.222:8443

        [https://10.10.10.221:8443]
        FT_SERVER_CERTIFICATE_FILE = <path to your server cert>\ca1.crt

        [https://10.10.10.222:8443]
        FT_SERVER_CERTIFICATE_FILE = <path to your server cert>\ca2.crt

    Note: If both hosts share the same certificate file, you can list the FT_SERVER_CERTIFICATE_FILE parameter once in the [GENERAL] section of the configuration file.

  6. After the Secure Factory Service administrator approves the workstation registration request, you can verify the secure connection to the service using the CLI status command.
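The following script is an added example, not part of the Secure Factory CLI or its documentation. It checks a factory_tool.ini against the rules of this section before the workstation is put into service: the PIN is six to eight digits, PKCS11_LIB and FACTORY_WORKSTATION_ID are set rather than left as <placeholder> values, and every ALLOWED_HOSTS entry has an FT_SERVER_CERTIFICATE_FILE, either in its own [<host-url>] section or in the shared [GENERAL] form from the note above. The two sample files are constructed; the check that each host entry is an https:// URL is an assumption drawn from the examples on this page, not a rule the page states.

```python
import configparser
import re

# Constructed sample factory_tool.ini following the layout shown in this section.
# The second host has no [<host-url>] section and [GENERAL] carries no shared
# FT_SERVER_CERTIFICATE_FILE, so the validator should flag it.
SAMPLE_INI = r"""
[PKCS11]
PIN = 123456
PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

[GENERAL]
FACTORY_WORKSTATION_ID = MyWsName
ALLOWED_HOSTS=https://10.10.10.221:8443,https://10.10.10.222:8443

[https://10.10.10.221:8443]
FT_SERVER_CERTIFICATE_FILE = C:\certs\ca1.crt
"""

# Constructed variant using the shared-certificate form from the note:
# FT_SERVER_CERTIFICATE_FILE listed once in [GENERAL], no per-host sections.
SAMPLE_INI_SHARED = r"""
[PKCS11]
PIN = 12345678
PKCS11_LIB = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

[GENERAL]
FACTORY_WORKSTATION_ID = ws-1
ALLOWED_HOSTS = https://10.10.10.221:8443, https://10.10.10.222:8443
FT_SERVER_CERTIFICATE_FILE = C:\certs\ca.crt
"""

PIN_RE = re.compile(r"\d{6,8}")  # six to eight digits, per the --pin option description


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse factory_tool.ini text; option names keep their case and '%' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_placeholder(value: str) -> bool:
    """True for values still in the <angle-bracket> placeholder form used in the example file."""
    return value.strip().startswith("<")


def validate_factory_tool_ini(text: str) -> list:
    """Return a list of problems; an empty list means the file satisfies the rules in this section."""
    cp = load_ini(text)
    problems = []

    pin = cp.get("PKCS11", "PIN", fallback="").strip()
    if not PIN_RE.fullmatch(pin):
        problems.append("PKCS11/PIN must be six to eight digits")
    if not cp.get("PKCS11", "PKCS11_LIB", fallback="").strip():
        problems.append("PKCS11/PKCS11_LIB is not set")

    ws_id = cp.get("GENERAL", "FACTORY_WORKSTATION_ID", fallback="").strip()
    if not ws_id or is_placeholder(ws_id):
        problems.append("GENERAL/FACTORY_WORKSTATION_ID is not set")

    hosts_raw = cp.get("GENERAL", "ALLOWED_HOSTS", fallback="")
    hosts = [h.strip() for h in hosts_raw.split(",") if h.strip()]
    if not hosts:
        problems.append("GENERAL/ALLOWED_HOSTS is empty")

    # Shared certificate file, present only when the [GENERAL] form from the note is used.
    shared_cert = cp.get("GENERAL", "FT_SERVER_CERTIFICATE_FILE", fallback="").strip()

    for host in hosts:
        # Assumption: host entries are https:// URLs, as in every example on this page.
        if not host.startswith("https://"):
            problems.append(f"{host}: ALLOWED_HOSTS entry is not an https:// URL")
        host_cert = ""
        if cp.has_section(host):
            host_cert = cp.get(host, "FT_SERVER_CERTIFICATE_FILE", fallback="").strip()
        cert = host_cert or shared_cert
        if not cert or is_placeholder(cert):
            problems.append(f"{host}: no FT_SERVER_CERTIFICATE_FILE in [{host}] or [GENERAL]")
    return problems


if __name__ == "__main__":
    for name, text in (("SAMPLE_INI", SAMPLE_INI), ("SAMPLE_INI_SHARED", SAMPLE_INI_SHARED)):
        found = validate_factory_tool_ini(text)
        print(name + ":", "OK" if not found else "\n  " + "\n  ".join(found))
```

Running the script reports the missing certificate file for the second host in the first sample and nothing for the shared-certificate variant. To check a real file, read it with open(...).read() and pass the text to validate_factory_tool_ini.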