# Docker on Linux

This guide provides step-by-step instructions to publish Keeper Automator on any Linux instance that can run Docker.

{% hint style="info" %}
Make sure you already have your SSL Certificate! If not, please follow the steps in the [Create SSL Certificate](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/custom-ssl-certificate) page. Save the SSL certificate private keys and .pfx files in the Keeper vault.
{% endhint %}

### Setup

**(1) Install Docker**

If you don't have Docker installed, set it up per the instructions on your platform. For example, if you use the yum package installer:

```
sudo yum install docker
```

Start the Docker service if it's not running:

```
sudo service docker start
```

Then configure the service to start automatically:

```
sudo systemctl enable docker.service
```

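To allow non-root users to run Docker (and if this meets your security requirements), run the command below. It makes the Docker socket readable and writable by every local user, and access to the socket is equivalent to root access on the host: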

```
sudo chmod 666 /var/run/docker.sock
```

**(2) Pull the Automator image**

Use the `docker pull` command to get the latest Keeper Automator image.

```
docker pull keeper/automator
```

**(3) Start the service**

Use the command below to start the service. This example listens on port 443.

```
docker run -d -p443:443/tcp \
  --name "Keeper-Automator" \
  --restart on-failure:3 \
  keeper/automator
```

**(4) Update the certificate**

Inside the Docker container, create a "config" folder.

```
docker exec -it Keeper-Automator mkdir /usr/mybin/config
```

Copy the `ssl-certificate.pfx` file created in the [Certificate Guide](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/custom-ssl-certificate) into the container.

```
docker cp ssl-certificate.pfx \
  Keeper-Automator:/usr/mybin/config/ssl-certificate.pfx
```

If your .pfx file is protected by a passphrase, you also need to create a file called `ssl-certificate-password.txt`:

```
echo "my_pfx_password..." > ssl-certificate-password.txt
```

...and place it into the docker container:

```
docker cp ssl-certificate-password.txt \
  Keeper-Automator:/usr/mybin/config/ssl-certificate-password.txt
```

Make sure that the `ssl_mode` parameter in the keeper.properties file within the container is set to `certificate`.

{% code overflow="wrap" %}

```
docker exec -it Keeper-Automator sed -i 's/^ssl_mode=.*/ssl_mode=certificate/' settings/keeper.properties
```

{% endcode %}
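
The `echo` in this step leaves the passphrase in shell history and creates the file with the default umask, and the `sed` changes nothing if no line begins with `ssl_mode=`. As an added example (not part of Keeper's documentation; the function names are hypothetical), these helpers write the passphrase file owner-only, check that it opens the .pfx, and verify the property after the edit:

```sh
#!/bin/sh
# Added example, not Keeper's code. File names follow the guide;
# the function names are hypothetical.

# Read one line (the passphrase) and store it in $1 with owner-only access.
# On a terminal it prompts without echo, so nothing lands in shell history.
write_secret_file() (
  if [ -t 0 ]; then
    printf 'PFX passphrase: ' >&2
    stty -echo; IFS= read -r secret || :; stty echo; printf '\n' >&2
  else
    IFS= read -r secret || :
  fi
  [ -n "$secret" ] || exit 1      # refuse to write an empty passphrase
  rm -f -- "$1"                   # drop any older copy with looser mode
  umask 077                       # the new file is created as 0600
  printf '%s\n' "$secret" > "$1"
)

# True if the file's mode is exactly rw------- (owner read/write only).
is_private() {
  case "$(ls -ld "$1")" in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# True if openssl can open the .pfx ($1) with the passphrase file ($2).
# Run it before copying, so a bad passphrase is caught before the restart.
pfx_opens() {
  openssl pkcs12 -in "$1" -noout -passin "file:$2" >/dev/null 2>&1
}

# True if the properties text on stdin contains the exact line the guide's
# sed writes. That sed is a silent no-op when no line starts with "ssl_mode=".
ssl_mode_is_certificate() {
  grep -qx 'ssl_mode=certificate'
}

# Usage, in the order of step 4 (the docker lines need the running container):
#   write_secret_file ssl-certificate-password.txt
#   pfx_opens ssl-certificate.pfx ssl-certificate-password.txt || exit 1
#   ...docker cp and sed commands exactly as in the guide...
#   docker exec Keeper-Automator cat settings/keeper.properties \
#     | ssl_mode_is_certificate || echo "ssl_mode is not certificate" >&2
```
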

**(5) Restart the container with the SSL cert**

Now that the certificate is installed, restart the Docker container:

```
docker restart "Keeper-Automator"
```

**(6) Install Keeper Commander**

At this point, the service is running but it is not able to communicate with Keeper yet.

On your workstation, server or any other computer, install the Keeper Commander CLI. The installation instructions, including binary installers, are here: [**Installing Keeper Commander**](https://docs.keeper.io/keeperpam/commander-cli/commander-installation-setup)

After Commander is installed, type `keeper shell` to open a session, then log in using the `login` command. To set up Automator, you must log in as a Keeper Administrator, or an Admin with the ability to manage the SSO node.

```
$ keeper shell

My Vault> login admin@company.com
.
.
My Vault>
```

**(7) Initialize with Commander**

Log in to Keeper Commander and activate the Automator using a series of commands, starting with `automator create`:

```
automator create --name="My Automator" --node="Azure Cloud"
```

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

![Automator Create](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjGtCqu00Eduh1ZVB0V%2F-MjGwSk57QheWM55KqUd%2FScreen%20Shot%202021-09-10%20at%203.59.58%20PM.png?alt=media\&token=732b0e49-b10f-4718-a78e-f48af15ef50c)

The output of the command will display the Automator settings, including metadata from the identity provider.

```
                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval
```

Note that the "URL" is not populated yet. This is the public URL which the Keeper backend will communicate with. For example, automator.mycompany.com.

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (`team`, `team_for_user` and `device`).

{% code overflow="wrap" %}

```
automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"
```

{% endcode %}

Next, exchange keys. The enterprise private key, encrypted with the Automator public key, is provided to Automator:

```
automator setup "My Automator"
```

Initialize the Automator with the new configuration:

```
automator init "My Automator"
```

Enable the service:

```
automator enable "My Automator"
```

At this point, the configuration is complete.

For automated health checks, you can use the URL below:

`https://<server>/health`

Example:

```
$ curl https://automator.lurey.com/health
OK
```

#### For environments using AD FS ...

When activating Keeper Automator with AD FS as the identity provider, users will not be able to log in until you update the Keeper certificate using the instructions below:

* Log in to the Keeper Admin Console.
* Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
* Click on "Export SP Cert".
* In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
* On the "Encryption" tab, replace the old certificate with this new cert.
* On the "Signature" tab, add or replace the SP certificate with this new cert.

### Securing the Service

We recommend restricting network access to the service. Please see the [Ingress Requirements](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/ingress-requirements) page for a list of IP addresses to allow.

## Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and log in with SSO Cloud. You will not be prompted for device approval.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHFJmk7eb90I9bzgTh%2FScreen%20Shot%202021-09-10%20at%205.17.42%20PM.png?alt=media\&token=3cd0160f-945f-4c99-9e54-1dab79e76365)

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHFOMTOlVXIBtHQPI-%2FScreen%20Shot%202021-09-10%20at%205.18.15%20PM.png?alt=media\&token=f2080eaa-5aa3-443d-a315-8dc4ae03cccc)

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHFuUwqi7o2N3UeIaw%2FScreen%20Shot%202021-09-10%20at%205.30.15%20PM.png?alt=media\&token=2ab8c7db-fcf4-40b7-8fce-5a5e278c44f9)

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHGEmuzfD60LH3rUvO%2FScreen%20Shot%202021-09-10%20at%205.32.12%20PM.png?alt=media\&token=0c268937-ae82-49e4-b198-851ddf89e477)

## Service Restart

When you stop/start the Keeper Automator service, the Docker service will automatically retain state.

```
docker restart "Keeper-Automator"
```

## Upgrading the Container

When a new version of Keeper Automator is available, you can update your Automator service by repeating steps 2-7 above.

For example:

```
docker pull keeper/automator
docker stop Keeper-Automator
docker rm Keeper-Automator

docker run -d -p443:443/tcp \
  --name "Keeper-Automator" \
  --restart on-failure:3 \
  keeper/automator

docker exec -it Keeper-Automator mkdir /usr/mybin/config

docker cp ssl-certificate.pfx \
  Keeper-Automator:/usr/mybin/config/ssl-certificate.pfx

docker cp ssl-certificate-password.txt \
  Keeper-Automator:/usr/mybin/config/ssl-certificate-password.txt

docker exec -it Keeper-Automator \
  sed -i 's/^ssl_mode=.*/ssl_mode=certificate/' settings/keeper.properties

docker restart "Keeper-Automator"
```

Then, run the Keeper Commander commands:

```
automator setup "My Automator"
automator init "My Automator"
automator enable "My Automator"
```

## Troubleshooting

#### Service not starting

Please check the Keeper Automator logs. They usually describe the issue. In the Docker environment, you can tail the log file using this command:

```
docker logs -f "Keeper-Automator"
```

To connect to the container and check the log file, use the command below:

```
docker exec -it "Keeper-Automator" /bin/sh
```
