Installing orchestration gateways

The Sectigo orchestration gateway is available for installation on Windows and Linux operating systems, as well as Docker containers.

Installation package Description

Installation package	Description
Windows	The Sectigo orchestration gateway is provided as an `msi` file that can be downloaded from SCM and installed on Windows systems. The `msi` file is digitally signed by Sectigo.
Linux	The Sectigo orchestration gateway is provided as `deb` and `rpm` packages that can be installed using native package managers (`apt` or `dnf`) or downloaded from SCM for manual installation on Linux systems. For `deb` packages, Sectigo digitally signs the `apt` repository metadata using PGP. For `rpm` packages, Sectigo digitally signs the packages using PGP.
Docker	The Sectigo orchestration gateway is provided as a Docker image that can be pulled from a container registry and deployed on systems that support Docker.

Windows

The Sectigo orchestration gateway is provided as an msi file that can be downloaded from SCM and installed on Windows systems.

The msi file is digitally signed by Sectigo.

Linux

The Sectigo orchestration gateway is provided as deb and rpm packages that can be installed using native package managers (apt or dnf) or downloaded from SCM for manual installation on Linux systems.

For deb packages, Sectigo digitally signs the apt repository metadata using PGP. For rpm packages, Sectigo digitally signs the packages using PGP.

Docker

The Sectigo orchestration gateway is provided as a Docker image that can be pulled from a container registry and deployed on systems that support Docker.

Installation requirements

Orchestration gateways require a number of platform-dependent permissions in order to be installed and to perform SSL certificate auto-installation.

Windows
Linux
Docker

To install an orchestration gateway on Windows, the following requirements must be satisfied:

Local administrator rights
Windows Server:
- 2019 (Standard, Datacenter)
- 2022 (Standard, Datacenter)
- 2025 (Standard, Datacenter)
Hardware:
- CPU — 1.4GHz 64-bit (minimum)
- RAM — 2 GB (minimum)
Network access:

If your environment is configured to use non-default ports for remote communication or a proxy, you must ensure that those ports are accessible.
- Outbound network access to the appropriate SCM instance on TCP port 443:
  - https://cert-manager.com
  - https://hard.cert-manager.com
  - https://eu.cert-manager.com
- Node discovery and auto installation: In addition to the general access requirements, specific ports are required based on the orchestration gateway’s connection type.
  - Local — N/A
  - Remote (WinRM) — TCP port 5985
  - Remote (SSH) — TCP port 22
  - Remote (Legacy) — TCP ports 135 and 445
  - Remote (REST) — TCP port 443
- If applicable, your credential store must be accessible from the orchestration gateway machine.
(Optional) Credential store:
- Local store: No additional requirements
- HashiCorp Vault:
  - An active HashiCorp Vault instance
  - Access token or AppRole RoleId and SecretId with permission to read the required secrets
  - Remote endpoint authentication credentials are stored in the HashiCorp Vault secrets engine
  - Secrets must be added as key/value pairs using the following keys:
    
    username — The username for the remote endpoint.
    
    password — The password for the remote endpoint. This cannot be included in a secret containing a private_key_path.
    
    private_key_path — The path to the private key file for the remote endpoint. This cannot be included in a secret containing a password.
    
    pass_phrase — The passphrase for the private key file if one is configured.
- CyberArk Vault:
  - An active CyberArk Vault instance
  - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
  - (Certificate authentication only) A client private key and its certificate in .p12 format
  - An Application ID representing the orchestration gateway with permission to retrieve credentials
  - Remote endpoint authentication credentials are stored in CyberArk Vault
- Delinea Secret Server:
  - An active Delinea Secret Server instance
  - A user account with permission to read required secrets
  - Remote endpoint authentication credentials are stored in Delinea Secret Server

To install an orchestration gateway on Linux, the following requirements must be satisfied:

sudo permissions
Linux OS:
- CentOS Stream 8, Stream 9
- RHEL 8.x, 9.x
- Debian 11, 12
- Ubuntu 18.04, 20.04, 22.04
Hardware:
- CPU — 1.4GHz 64-bit (minimum)
- RAM — 2 GB (minimum)

Network access:

If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible. Additionally, the ephemeral port range for local connections may vary depending on your Linux distribution.

Outbound network access to the appropriate SCM instance on TCP port 443:
- https://cert-manager.com
- https://hard.cert-manager.com
- https://eu.cert-manager.com
Node discovery and auto installation: In addition to the general access requirements, specific ports are required based on the orchestration gateway’s connection type. The following are the default ports required for each connection type:
- Local — N/A
- Remote (WinRM) — TCP port 5985
- Remote (SSH) — TCP port 22
- Remote (REST) — TCP port 443
If applicable, your credential store must be accessible from the orchestration gateway machine.

(Optional) Credential store:
- Local credential store: No additional requirements
- HashiCorp Vault:
  - An active HashiCorp Vault instance
  - Access token or AppRole RoleId and SecretId with permission to read the required secrets
  - Remote endpoint authentication credentials are stored in the HashiCorp Vault secrets engine
- CyberArk Vault:
  - An active CyberArk Vault instance
  - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
  - (Certificate authentication only) A client private key and its certificate in .p12 format
  - An application ID representing the orchestration gateway with permission to retrieve credentials
  - Remote endpoint authentication credentials are stored in CyberArk Vault
- Delinea Secret Server:
  - An active Delinea Secret Server instance
  - A user account with permission to read required secrets
  - Remote endpoint authentication credentials are stored in Delinea Secret Server

To run an orchestration gateway on Docker, the following requirements must be satisfied:

Docker engine installed
Hardware:
- CPU — 1.4GHz 64-bit (minimum)
- RAM — 2 GB (minimum)
Network access:

If your environment is configured to use non-default ports for remote communication or proxy, you must ensure that those ports are accessible.
- Outbound network access to the appropriate SCM instance on TCP port 443:
  - https://cert-manager.com
  - https://hard.cert-manager.com
  - https://eu.cert-manager.com
- If applicable, your credential store must be accessible from the orchestration gateway machine.
(Optional) Credential store:
- Local credential store: No additional requirements
- HashiCorp Vault:
  - An active HashiCorp Vault instance
  - Access token or AppRole RoleId and SecretId with permission to read the required secrets
  - Remote endpoint authentication credentials are stored in the HashiCorp Vault secrets engine
- CyberArk Vault:
  - An active CyberArk Vault instance
  - A CyberArk Central Credential Provider instance connecting to the CyberArk Vault
  - (Certificate authentication only) A client private key and its certificate in .p12 format
  - An application ID representing the orchestration gateway with permission to retrieve credentials
  - Remote endpoint authentication credentials are stored in CyberArk Vault
- Delinea Secret Server:
  - An active Delinea Secret Server instance
  - A user account with permission to read required secrets
  - Remote endpoint authentication credentials are stored in Delinea Secret Server

Add an orchestration gateway to SCM

Navigate to Integrations Orchestration Gateways and click the Add icon.
In the Add Orchestration Gateway dialog, provide a name to help identify the gateway.
Click Next.
Copy the registration token for use during installation.
For Windows, download the orchestration gateway installation package from the Windows installation package link. For Linux, downloading the installation package is optional. The orchestration gateway can be installed using APT or DNF.
Click Save.

The orchestration gateway should now be listed on the Orchestration Gateways page with a status of Pending.

Install an orchestration gateway

Windows
Windows ( CLI )
Linux APT ( DEB )
Linux DNF ( RPM )
Docker

(Optional) If required, move the sectigoOG.msi file to the orchestration gateway machine.
Right-click the sectigoOG.msi file and click Install.
In the setup wizard, click Next.
Read the EULA, select I accept the terms in the License Agreement, and click Next.

Click Next, and paste the registration token.

If needed, you can retrieve the registration token from the Edit Orchestration Gateway dialog for your gateway. This token is no longer available once the gateway connects to SCM for the first time.

Click Next.

(Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.

Field	Description
Address	The address of your proxy auto-config (PAC). This file contains your proxy configuration details and can be used instead of manually entering the values.
Port	The port number used by your proxy server.
Username	The username for accessing the proxy server, if configured to use credentials.
Password	The password for accessing the proxy server, if configured to use credentials.

Field

Description

Address

The address of your proxy auto-config (PAC).

This file contains your proxy configuration details and can be used instead of manually entering the values.

Port

The port number used by your proxy server.

Username

The username for accessing the proxy server, if configured to use credentials.

Password

The password for accessing the proxy server, if configured to use credentials.

Click Next.
Click Install to begin the installation.
Click Finish.

For Windows, the orchestration gateway logs are stored in %PROGRAMDATA%\Sectigo-Limited\SectigoOG\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo-Limited\SectigoOG\conf.

Open the Windows command prompt.
In the command line, navigate to the download location of the sectigoOG.msi file.

Modify the installation command as needed.

msiexec /i /q sectigoOG.msi TOKEN= PROXY_TYPE= PROXY_ADDR= PROXY_PORT= PROXY_USER= PROXY_PASSWORD=

Unused options must be removed from the command.

The command options are outlined in the following table.

Option Description

Option	Description
`/i`	Initiates installation of the orchestration gateway.
`/q`	Runs the installation in silent mode so no interaction is required.
`TOKEN`	The mandatory installation token.
`PROXY_TYPE`	Indicates whether you are using a proxy server. `1` (Yes) `0` (No) The default value is `0`.
`PROXY_ADDR`	The hostname or IP address of your proxy server. This option is required if you are using a proxy server.
`PROXY_PORT`	The port number used by your proxy server. This option is required if you are using a proxy server.
`PROXY_USER`	The username for accessing the proxy server. This option is required if your proxy server is configured to use credentials.
`PROXY_PASSWORD`	The password for accessing the proxy server if configured to use credentials. This option is required if your proxy server is configured to use credentials.

/i

Initiates installation of the orchestration gateway.

/q

Runs the installation in silent mode so no interaction is required.

TOKEN

The mandatory installation token.

PROXY_TYPE

Indicates whether you are using a proxy server.

1 (Yes)
0 (No)

The default value is 0.

PROXY_ADDR

The hostname or IP address of your proxy server.

This option is required if you are using a proxy server.

PROXY_PORT

The port number used by your proxy server.

This option is required if you are using a proxy server.

PROXY_USER

The username for accessing the proxy server.

This option is required if your proxy server is configured to use credentials.

PROXY_PASSWORD

The password for accessing the proxy server if configured to use credentials.

This option is required if your proxy server is configured to use credentials.

Run the modified installation command.

For Windows, the orchestration gateway logs are stored in %PROGRAMDATA%\Sectigo-Limited\SectigoOG\logs and the configuration files are stored in %PROGRAMDATA%\Sectigo-Limited\SectigoOG\conf.

Linux native packages do not support auto-update.

Update the local package index.
```
sudo apt-get update
```

Install the orchestration gateway.

sudo apt install sectigo-orchestration-gateway

Add the register token to the orchestration gateway.

sudo /opt/sectigo-orchestration-gateway/bin/sectigo-og register --token <token>

Restart the service.

sudo service sectigo-orchestration-gateway restart

Validate the connection.

sudo /opt/sectigo-orchestration-gateway/bin/sectigo-og info

To update proxy settings, see Update proxy settings for an orchestration gateway.

For Linux, the orchestration gateway logs are stored in /var/log/sectigo-orchestration-gateway and the configuration files are stored in /opt/sectigo-orchestration-gateway/config/.

To configure a local or supported third-party credential store, see Configuring credential stores.

Linux native packages do not support auto-update.

Install the orchestration gateway.

sudo dnf install sectigo-orchestration-gateway

Add the register token to the orchestration gateway.

sudo /opt/sectigo-orchestration-gateway/bin/sectigo-og register --token <token>

Restart the service.

sudo systemctl restart sectigo-orchestration-gateway

Validate the connection.

sudo /opt/sectigo-orchestration-gateway/bin/sectigo-og info

To update proxy settings, see Update proxy settings for an orchestration gateway.

For Linux, the orchestration gateway logs are stored in /var/log/sectigo-orchestration-gateway and the configuration files are stored in /opt/sectigo-orchestration-gateway/config/.

To configure a local or supported third-party credential store, see Configuring credential stores.

The Docker container does not support auto-update.

Create a directory on your Docker host machine for orchestration gateway data.
```
sudo mkdir -p sog_data/log
```
Go to the created directory.
```
cd sog_data
```

Run the command to setup a manual machine identity.

cat /proc/sys/kernel/random/uuid | tr -d '-' > machine-key

Run the command to extract the default config.json file from the Docker image.

docker run -ti --rm \
  --entrypoint sh \
  sectigoinc/sog:latest \
  -c "cat /opt/sectigo-orchestration-gateway/config/config.json" > config.json

Run the command to register the orchestration gateway with the Sectigo backend. Replace <token> with the registration token copied when adding an orchestration gateway to SCM.

docker run -ti --rm \
  -v <sog data dir>:/opt/sectigo-orchestration-gateway/config \
  -v <sog data dir>/machine-key:/etc/machine-id \
  -v <sog data dir>/log:/var/log/sectigo-orchestration-gateway \
  sectigoinc/sog:latest register --token <token>

Run the command to start the docker container.

docker run -d \
  --name sog \
  -v <sog data dir>:/opt/sectigo-orchestration-gateway/config \
  -v <sog data dir>/machine-id:/etc/machine-id \
  -v <sog data dir>/log:/var/log/sectigo-orchestration-gateway \
  sectigoinc/sog:latest

You need to restart the Docker image after installing orchestration gateway.

Once your orchestration gateway is installed, you must complete the following steps:

Add at least one keystore. For more information, see Add a keystore.
Add at least one endpoint. For more information, see Add an endpoint.