---
title: "On-premises Scanner Configuration File"
slug: "fortanix-key-insight-on-premises-scanner-configuration-file"
updated: 2026-05-15T04:37:19Z
published: 2026-05-15T09:36:57Z
---

# On-premises Scanner Configuration File

## 1.0 Introduction

This article provides detailed information about configuring the Fortanix On-premises Scanner using a configuration file to enable secure and efficient scanning of cryptographic materials within your on-premises infrastructure types.

It also describes:

- Using the configuration file types.
- Configuring the configuration file parameters.
- Using the TLS configuration help script for secure communication setup.

## 2.0 On-premises Scanner Configuration File

The Fortanix On-premises Scanner requires a configuration file in YAML format to define on-premises infrastructure parameters.

> [!NOTE]
> NOTE
> 
> Sensitive credentials (such as API keys, tokens, usernames, and passwords) should not be stored in plain text, as this increases the risk of accidental exposure. When storing credentials in configuration files or environment variables, **you can use Base64 encoding** to obscure the values and reduce the risk of accidental exposure. Base64 is an encoding, not encryption: anyone who can read the file or the environment can decode the value, so file permissions and access control still matter.
> 
> Example:
> 
> Run the following command to generate a Base64-encoded password value:
> 
> ```bash
> echo -n "your_password_value" | base64
> ```
> 
> Use it in the configuration file:
> 
> ```yaml
> password:
>   value: "eW91cl9wYXNzd29yZF92YWx1ZQ=="   # output of the base64 command above
> ```

The Fortanix On-premises Scanner can securely retrieve credentials from environment variables or a separate secrets file instead of storing them directly in the main configuration file, helping protect sensitive information and simplifying integration with secrets managers.

Two types of configuration files can be used, depending on the context:

- Credentials stored directly in the configuration file. *For more information, refer to [Section 2.1: Type 1 - Credentials Stored Directly in Configuration File](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#21-type-1-credentials-stored-directly-in-configuration-file).*
- Credentials loaded using environment variables. *For more information, refer to [Section 2.2: Type 2 - Credentials Loaded Using Environment Variables](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#22-type-2-credentials-loaded-using-environment-variables).*

> [!NOTE]
> NOTE
> 
> - The Fortanix On-premises Scanner reads configuration files sequentially in the order specified. When multiple configuration files define the same setting, the value from the later file overrides earlier ones.
> - If you are using a configuration file created prior to the Fortanix Key Insight 25.09 release, it will remain compatible. However, to scan Fortanix DSM on-premises environments, source code repositories, containers, file systems, and CyberArk on-premises connections, you must use the updated configuration file described above.

*If you use secret manager tools (for example, Hashicorp Vault) to manage credentials, refer to [On-premises Scanner Integration with Hashicorp Vault](/v1/docs/fortanix-key-insight-on-premises-scanner-integration-with-hashicorp-vault) for on-premises scanner configuration.*

### 2.1 Type 1 - Credentials Stored Directly in Configuration File

In this type, the API key (or other credentials) is written directly inside the configuration file.

This type is:

- Very simple to set up.
- Less secure than externalized secrets, even when Base64-encoded, because credentials reside in the configuration file.

In the following `config.yaml` file:

- Include only the required sections (**Databases**, **Source Code**, **Containers**, **File Systems**, **Fortanix DSM**, or **CyberArk On-premises**) with the appropriate connection details (ID and API key). To enable a section, **remove the comment symbol (`#`)** at the beginning of its lines.
- Replace placeholders (`YOUR_XXX_XX`) with actual credentials or valid file paths before use. Ensure sensitive credentials are handled securely (for example, using Base64-encoded values) before adding them to the configuration file.

[config.yaml](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/config(18).yaml) (5.82 KB)

*For information on configuring the configuration file parameters, refer to [Section 3.0: Configure the On-premises Scanner Parameters](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#30-configure-the-onpremises-scanner-parameters).*

### 2.2 Type 2 - Credentials Loaded Using Environment Variables

In this type, sensitive data (credentials) are not stored directly in the configuration file. Instead, the configuration file references the name of an environment variable (for example, `ARMOR_API_KEY_1`), and the actual secret is set in the system environment. The application automatically reads the value from the environment variable at runtime.

- Before running the application, you must set or export the environment variables in your system. Once set, the application automatically reads the value from the environment variable referenced in the configuration file.
- Only credential fields can use `env_var` (API keys, usernames, passwords, certificate keys, and certificates). Ensure sensitive credentials are handled securely (for example, using Base64-encoded values) before setting them as environment variables.
- All other fields (`connection_id`, `app_id`, `branch`, `subfolder`, and so on) are plain strings.

For example, on Linux, run the following command to set the environment variable for the API key (`ARMOR_API_KEY_1`). Replace `"your-secret-api-key"` with your actual API key value:

```bash
export ARMOR_API_KEY_1="$(echo -n "your-secret-api-key" | base64)"
```

This type helps to:

- Keep sensitive data out of configuration files.
- Enable secure separation between code and secrets.

In the following `config.yaml` file, include only the required sections (**Databases**, **Source Code**, **Containers**, **File Systems**, **Fortanix DSM**, or **CyberArk On-premises**) with the appropriate connection details (ID and API key). To enable a section, **remove the comment symbol (`#`)** at the beginning of its lines.

[config.yaml](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/config(19).yaml) (5.75 KB)

*For information on configuring the configuration file parameters, refer to [Section 3.0: Configure the On-premises Scanner Parameters](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#30-configure-the-onpremises-scanner-parameters).*

## 3.0 Configure the On-premises Scanner Parameters

Configuring the scanner requires specifying the necessary parameters in the `.yaml` configuration file, as explained in [*Section 2.0: On-premises Scanner Configuration File*](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#20-onpremises-scanner-configuration-file). This file specifies how the scanner connects to Fortanix Key Insight, Fortanix DSM, source code repositories, containers, file systems, target databases, and CyberArk on-premises environments.

The following sections describe each section of the configuration file along with its corresponding fields:

### 3.1 Armor URL and Region

This section explains the Fortanix Armor platform endpoint and region used by the Fortanix On-premises Scanner for secure communication.

- `url`: Specifies the Fortanix Armor URL used by the Fortanix On-premises Scanner. The URL value must be `https://api.armor.fortanix.com`.
- `region`: Specifies the Fortanix Armor geographical region used by the Fortanix On-premises Scanner. Supported values are `north_america` and `european_union`. If `region` is not specified, it defaults to `european_union`.

### 3.2 Proxy

The configuration file allows you to specify an HTTP or HTTPS proxy with optional authentication for outbound connections made by the Fortanix On-premises Scanner. Proxy settings can be applied for communication with the Fortanix Armor platform or other configurable sections (such as Source Code repositories) in the configuration file.

> [!NOTE]
> NOTE
> 
> Proxy configuration applies only to `http(s)` URLs and is optional.

- `proxy`: Indicates that proxy configuration is enabled.
  - `url`: Specifies the HTTP or HTTPS proxy endpoint. For example, `http://localhost:8888`.
  - `credential`: Defines the basic authentication method. Include `credential` details in the configuration file only if basic authentication is enabled in your proxy settings.
    - `type`: Specifies the authentication type. Currently, only `basic` is supported.
    - `username` and `password`: Specify the proxy credentials. The `username` or `password` values can be provided as:
      - `value`: Directly in the configuration file.
      - `file`: Path to a file containing the credential.
      - `env_var`: Environment variable storing the credential. For example, `PROXY_USER` and `PROXY_PASSWORD`.

> [!NOTE]
> NOTE
> 
> If the same proxy must be used for all code repositories and the Fortanix Armor platform, the configuration file supports YAML anchors and aliases to reuse the proxy configuration block. *For more information, refer to [Section 4.0: Reusing Configuration File Components](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#40-reusing-configuration-file-components).*

### 3.3 Logging

The configuration file allows you to configure the log file path, maximum log file size, and number of archived log files to retain.

- `folder`: Directory path where log files are stored. The file name is always `audit.log`. The **default values** are:
  - **Linux**: `/var/log/fortanix/scanner`

> [!NOTE]
> NOTE
> 
> If audit logs are not created on Linux, ensure the configured log directory exists and is owned by the `fortanix` user and group.
> 
> Run the following command to update ownership of the configured log path:
> 
> ```bash
> sudo chown -R fortanix:fortanix <configured_log_path>
> ```
> 
> Example:
> 
> ```bash
> sudo chown -R fortanix:fortanix /var/log/fortanix/scanner
> ```
  - **Windows**: `C:\ProgramData\Fortanix\KI\Logs`

> [!NOTE]
> NOTE
> 
> If audit logs are not created on Windows, ensure the configured log directory exists. If the directory does not exist, create it manually at the configured path.
> 
> Example: `C:\ProgramData\Fortanix\KI\Logs`

- `file_size_mb`: Maximum size (in megabytes) of the log file before it is rotated. The default value is `50`.
- `max_files`: Number of rotated or archived log files to retain. The default value is `5`.
- `level`: Controls the verbosity (level of detail) of the logs. Valid values, in **increasing order** of verbosity, are:
  - `error`
  - `warn`
  - `info`
  - `debug`

  Each level includes logs at that level and all less verbose levels. For example, setting the level to `warn` logs both `warn` and `error`.
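The `armor`, `proxy`, and logging settings described in Sections 3.1 to 3.3, combined in one fragment. This is an added example and not the downloadable `config.yaml`: the nesting of `proxy` under `armor` follows the sample in Section 4.0, the proxy credentials come from the `PROXY_USER` and `PROXY_PASSWORD` environment variables named above, and the top-level key name `logging` is an assumption that should be confirmed against the downloadable configuration file.

```yaml
# Added example fragment; not the product's shipped config.yaml.
armor:
  url: "https://api.armor.fortanix.com"   # must be exactly this value
  region: north_america                   # north_america or european_union; european_union when omitted
  proxy:                                  # optional; applies only to http(s) URLs
    url: "http://localhost:8888"
    credential:                           # include only if the proxy enforces basic authentication
      type: basic
      username:
        env_var: PROXY_USER               # read from the environment at runtime
      password:
        env_var: PROXY_PASSWORD           # no secret is stored in the file itself

# Top-level key name "logging" is an assumption; confirm it against the downloadable config.yaml.
logging:
  folder: /var/log/fortanix/scanner       # Linux default; audit.log is written here, owned by fortanix:fortanix
  file_size_mb: 50                        # rotate when the file reaches 50 MB (default)
  max_files: 5                            # keep five rotated files (default)
  level: warn                             # logs warn and error; info and debug are suppressed
```

Keeping the proxy password in an environment variable rather than a `value` means the configuration file can be shared or checked in without carrying the secret, which is the same separation Section 2.2 recommends for the API key.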

### 3.4 External Key Source (Fortanix DSM On-premises) Connection

Each `connection` entry defines the authentication details for either an external key source connection (Fortanix DSM on-premises instance) or an on-premises environment to be scanned.

- `connection_id`: Unique identifier for the Fortanix DSM on-premises connection in Fortanix Key Insight.
- `type`: Specifies the authentication method for Fortanix Key Insight; use `apikey`. For example, the API key can be stored in the environment variable `ARMOR_API_KEY_2`.

You can obtain the connection ID and API key from the Fortanix DSM on-premises connection details page. *For more information, refer to [Getting Started with External Key Source Connection](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-external-key-source-connection#63-add-fortanix-dsm-onpremises-connection).*
- `dsm`: Defines the Fortanix DSM on-premises environment details:

> [!NOTE]
> NOTE
> 
> The parameters in this section are used by the **Fortanix On-premises Scanner to authenticate directly to the Fortanix DSM on-prem instance**. These credentials are created and managed in Fortanix DSM, and are independent of the API key generated in the Fortanix Key Insight UI, which is used only for Fortanix On-premises Scanner to Fortanix Key Insight authentication.
  - `url`: URL of the Fortanix DSM on-premises instance.
  - `app_id`: Fortanix DSM administrator (admin) application (app) ID used for scanning. *For more information on obtaining the Fortanix DSM admin app ID, refer to [Authentication](https://support.fortanix.com/docs/users-guide-authentication#71-create-administrative-apps).*

> [!NOTE]
> NOTE
> 
> For Fortanix DSM on-premises scanning, the Fortanix On-premises Scanner authenticates to Fortanix DSM using **TLS client certificate authentication**. The associated admin app must have **Certificate** authentication enabled before the scanner is run. The admin app may be initially created using **API Key** authentication to obtain the Admin App ID (`APP_UUID`); after the TLS client certificate is generated with the `APP_UUID` as the Common Name (`CN`), the admin app authentication method must be changed to **Certificate**.
  - `credential`: Specifies the certificate-based (TLS client certificate) authentication used by the Fortanix On-premises Scanner to access the Fortanix DSM on-prem instance. *For more information on obtaining the certificate credentials, refer to [Authentication](https://support.fortanix.com/docs/users-guide-authentication?highlight=authentication#42-using-a-tls-client-certificate).*
    - `authentication_key`: Path to, or environment variable containing, the externally generated TLS client private key associated with the Fortanix DSM admin app.
    - `authentication_cert`: Path to, or environment variable containing, the externally generated TLS client certificate associated with the Fortanix DSM admin app.

> [!TIP]
> Important
> 
> Fortanix DSM does not automatically generate the TLS client private key or certificate. The TLS client certificate must be generated externally, and the Common Name (`CN`) of the certificate must match the Admin App ID (`APP_UUID`).

Both parameters can be provided either as a file path to the corresponding key or certificate, or as an environment variable.

> [!NOTE]
> NOTE
> 
> When using environment variables, the value must contain the complete contents of the key or certificate file, not just the file path.
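One Fortanix DSM on-premises connection entry as an added example, not the downloadable `config.yaml`. The key names are those of Section 3.4 and the `connections` entry shape follows the Section 4.0 sample; the placement of `credential` under `dsm` and the `file`/`env_var` sub-keys of `authentication_key` and `authentication_cert` are assumptions, and the URL, connection ID, app ID, file path and `DSM_CLIENT_CERT` variable name are placeholders.

```yaml
# Added example: one Fortanix DSM on-premises connection entry.
# Nesting of "credential" under "dsm" and the file/env_var sub-keys of
# authentication_key/authentication_cert are assumptions; confirm against the downloadable config.yaml.
connections:
  - connection_id: YOUR_DSM_CONNECTION_ID     # from the Fortanix DSM on-premises connection details page
    credential:
      type: apikey                            # scanner -> Fortanix Key Insight authentication only
      apikey:
        env_var: ARMOR_API_KEY_2              # API key generated in the Fortanix Key Insight UI
    dsm:
      url: "https://dsm.example.internal"     # placeholder DSM on-premises URL
      app_id: YOUR_ADMIN_APP_UUID             # admin app ID; the client certificate CN must equal this value
      credential:                             # TLS client certificate authentication to DSM (not an API key)
        authentication_key:
          file: /etc/fortanix/scanner/dsm-client-key.pem   # placeholder path; restrict permissions on this file
        authentication_cert:
          env_var: DSM_CLIENT_CERT            # must hold the full PEM contents, not a path,
                                              # e.g. export DSM_CLIENT_CERT="$(cat dsm-client-cert.pem)"
```

The two `credential` blocks are deliberately different identities: the first is the scanner's API key for Fortanix Key Insight, the second is the admin app's externally generated client certificate and key for Fortanix DSM. Before running the scanner, confirm that the certificate's `CN` matches `app_id` and that the admin app's authentication method has been switched to **Certificate**, as the notes above require.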

### 3.5 On-premises Connection

To scan an on-premises connection, configure the following parameters:

- `connection_id`: Unique identifier for the on-premises connection in Fortanix Key Insight.
- `type`: Specifies the authentication method. It is `apikey` for Fortanix Key Insight access. For example, the API key required for authenticating with Fortanix Key Insight is available in the environment variable `ARMOR_API_KEY_1`.

You can obtain the connection ID and API key from the on-premises connection details page. *For more information, refer to **Step 5** of [Getting Started with On-premises Connection](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-on-premises-connection#55-select-external-key-source).*

- `databases`: List of databases to be scanned, with URI and credentials. *For more information on the database parameters, refer to [Section 3.5.1: Scan Databases](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#351-scan-databases).*
- `code_repos`: List of source code repositories to be scanned. *For more information on the source code parameters, refer to [Section 3.5.2: Scan Source Code](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#352-scan-source-code).*
- `accumulator` or `fs_accumulator`: Configuration for the file system and network scanning, including server settings, queue management, and the datastore path for scanned file system and network data. *For more information on the file system parameters, refer to [Section 3.5.3: Scan File System](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#353-scan-file-system).*
- `container_images`: Configuration for scanning container images, including definitions of image artifacts, pull requirements, and the container engine used for retrieval. Each artifact entry specifies the repository image, tag, and daemon settings used during the scan process. *For more information on container image parameters, refer to [Section 3.5.4: Scan Containers](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#354-scan-containers).*

#### 3.5.1 Scan Databases

To scan databases in an on-premises connection, configure the following parameters:

- `databases`: List of databases to be scanned, with URI and credentials.
  - `uri`: Database connection string in one of the following formats:
    - **Oracle**: `oracle://<host>:<port>/<db name>`. For example, `oracle://host:port/db`.
    - **MSSQL**: `mssql://<host>:<port>/`. For example, `mssql://host:port`.
  - `credential`: Specifies the authentication method based on the `type`. You can reuse credentials in the configuration file using YAML anchors and aliases. *For more information, refer to [Section 4.0: Reusing Configuration File Components](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#40-reusing-configuration-file-components).*
    - `password`: Uses basic username and password authentication. Both MSSQL and Oracle databases use the `password` authentication method to scan databases. The `username` or `password` values can be provided as:
      - `value`: Directly in the config file.
      - `file`: Path to a file containing the credential.
      - `env_var`: Environment variable storing the credential. For example, `DB1_USERNAME` and `DB1_PASSWORD`.
    - `windows_authentication`: Uses Windows integrated authentication. It is supported only for Windows hosts.
    - Microsoft Entra (formerly Azure AD) authentication can also be configured for scanning MSSQL databases in Fortanix Key Insight. Before using any of the following methods, ensure that your MSSQL server is configured to support Entra authentication. *For more information on enabling and configuring Microsoft Entra authentication in SQL Server, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/configure-azure-ad-authentication-for-sql-vm).*
      - `azure_client_secret`: Uses Microsoft Entra ID service principal authentication with Azure `client_id`, `client_secret`, and `tenant_id`. These values can also be provided using the environment variables `DB_CLIENT_ID`, `DB_CLIENT_SECRET`, and `DB_TENANT_ID`, respectively. *For more information on obtaining these values, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate).*
      - `azure_cli`: Uses Azure CLI-based authentication.
      - `azure_managed_identity`: Uses Azure Managed Identity authentication.

*For more information on the above Microsoft Entra authentication types, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview).*

*For more information on the Database infrastructure type, refer to [Database](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-database).*

#### 3.5.2 Scan Source Code

To scan source code repositories in an on-premises connection, configure the following parameters:

- `code_repos`: List of source code repositories to be scanned.
  - `url`: HTTPS URL of the repository (repo). For example, `https://github.com/fortanix/rust-sgx`.
  - `proxy`: *For information on proxy settings and related parameters, refer to [Section 3.2: Proxy](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#32-proxy).*
  - `branch` (Optional): Specific branch to scan. If omitted, the default branch is scanned.
  - `subfolder` (Optional): Restrict scanning to a specific folder within the repo. For example, `app`.
  - `auth` (Optional): Defines authentication type and credentials for private repositories.
    - `type`: Supports basic authentication (username, password, or personal access token).
    - The `username` or `password` values can be provided as:
      - `value`: Directly in the config file.
      - `file`: Path to a file containing the credential.
      - `env_var`: Environment variable storing the credential. For example, `REPO1_USERNAME` and `REPO1_PASSWORD`.

*For example, refer to the following on how to obtain the authentication credentials for different repositories:*

- [GitHub official documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
- [Bitbucket official documentation](https://developer.atlassian.com/cloud/bitbucket/rest/intro/#authentication)

*For more information on the Source Code infrastructure type, refer to [Source Code](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-source-code).*
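The database credential types of Section 3.5.1 and the repository settings of Section 3.5.2 under one on-premises connection, as an added example that is not the downloadable `config.yaml`. Key names and the `value`/`file`/`env_var` forms are from those sections and the Section 4.0 sample; the host names, ports, paths and the `example-org/private-app` repository are placeholders, and the sub-key layout of `client_id`, `client_secret` and `tenant_id` under `azure_client_secret` is an assumption.

```yaml
# Added example: databases and source code repositories under one on-premises connection.
# Host names, ports, paths and the private repository are placeholders.
connections:
  - connection_id: YOUR_ONPREM_CONNECTION_ID   # from the on-premises connection details page
    credential:
      type: apikey
      apikey:
        env_var: ARMOR_API_KEY_1               # scanner -> Fortanix Key Insight authentication

    databases:
      # MSSQL with username/password; both secrets come from the environment
      - uri: "mssql://mssql01.example.internal:1433/"
        credential:
          type: password
          username:
            env_var: DB1_USERNAME
          password:
            env_var: DB1_PASSWORD
      # MSSQL using the Windows identity the scanner runs as (Windows hosts only)
      - uri: "mssql://mssql02.example.internal:1433/"
        credential:
          type: windows_authentication
      # MSSQL using a Microsoft Entra service principal; the server must allow Entra authentication.
      # Sub-key layout under azure_client_secret is assumed.
      - uri: "mssql://mssql03.example.internal:1433/"
        credential:
          type: azure_client_secret
          client_id:
            env_var: DB_CLIENT_ID
          client_secret:
            env_var: DB_CLIENT_SECRET
          tenant_id:
            env_var: DB_TENANT_ID
      # Oracle with the password read from a file kept outside the configuration
      - uri: "oracle://oracle01.example.internal:1521/ORCL"
        credential:
          type: password
          username:
            value: scanner_ro                  # placeholder; a non-secret username may be inline
          password:
            file: /etc/fortanix/scanner/oracle-password.txt   # placeholder path; restrict permissions

    code_repos:
      # Public repository: default branch, no auth block needed
      - url: "https://github.com/fortanix/rust-sgx"
      # Private repository reached through an outbound proxy, credentials from the environment
      - url: "https://github.com/example-org/private-app"
        proxy:
          url: "http://proxy.example.internal:3128"   # placeholder proxy without authentication
        branch: main
        subfolder: app                         # scan only this folder of the repo
        auth:
          type: basic
          username:
            env_var: REPO1_USERNAME
          password:
            env_var: REPO1_PASSWORD            # a personal access token is supplied here as the password
```

Every secret in this fragment is referenced by `env_var` or `file`, so a copy of the configuration file on its own grants no access to any database or repository; the only inline values are the connection ID, host names and a non-secret username.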

#### 3.5.3 Scan File System

To perform file system scans in an on-premises environment, the two components must run in the following order:

1. The **Fortanix On-premises Scanner** package (server): This package acts as the central on-premises service. It communicates with Fortanix Key Insight and with the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) (clients). When the file system scanning service (`accumulator` or `fs_accumulator`) is enabled, this package starts a local HTTPS server to receive data from the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux).

*For more information on how the Fortanix On-premises Scanner interacts with the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux), refer to [File System](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-file-system).*
2. The **File System Scanner Agent (Windows)** or **File System and Network Scanner Agent (Linux)** package: This is installed on servers with access to the file systems to be scanned. The File System and Network Scanner Agent (Linux) also supports scanning network-accessible locations. This capability must be explicitly enabled in the agent configuration. You can deploy multiple agents, and each must be configured to connect to the IP address and port of the HTTPS server hosted by the Fortanix On-premises Scanner.

*For more information on the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) installation and configuration, refer to [File System Scanner Agent Configuration](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-file-system-scanner-agent-configuration).*

To enable and configure the `accumulator` service in the Fortanix On-premises Scanner configuration file, specify the following parameters:

- `accumulator`: Configuration for the File System Accumulator service, including server settings, queues, and datastore path for scanned file system data.

> [!NOTE]
> NOTE
> 
> The parameter `fs_accumulator` is supported for backward compatibility. Existing configurations that use this parameter continue to function without issues.
  - `enabled`: Enables or disables the `accumulator` service. Here, `true` indicates that the service is running, whereas `false` indicates that the service is disabled.
  - `server_configs`: This section defines how the accumulator server listens for incoming connections and how it handles TLS.
    - `binding_ips_and_ports`: Defines one or more IP:PORT combinations where the `accumulator` service should listen. For example:
      - `127.0.0.1:1234` binds the service **locally** and only accepts connections from the same machine.
      - `0.0.0.0:1234` exposes the service on **all network interfaces**, allowing external connections.

> [!NOTE]
> NOTE
> 
> Ensure the on-premises service (`accumulator`) is bound either to `0.0.0.0` or to the machine's external or private IP address. Binding only to `127.0.0.1` prevents remote File System Scanner Agents from connecting.
    - `tls`: This section enables HTTPS with mutual TLS authentication.
      - `ca_file`: Points to the CA certificate that issued the client certificates, which the on-premises scanner uses to authenticate agents; typically, this is `pki/ca/ca-cert.pem` generated by the script explained in [*Section 5.0: TLS Configuration Help Script*](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#50-tls-configuration-help-script).
      - `certificate_chain_file`: Specifies the PEM file containing the server’s certificate chain, starting with the server’s leaf certificate and followed by any intermediates but excluding the root CA; this is `pki/server/server-chain.pem` from the script explained in [*Section 5.0: TLS Configuration Help Script*](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#50-tls-configuration-help-script).
      - `certificate_key_file`: Defines the server’s private key in unencrypted PKCS#8 format. This is `pki/server/server-key.pem` from the script explained in [*Section 5.0: TLS Configuration Help Script*](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#50-tls-configuration-help-script). The permissions on this file should be restricted for security.
  - `datastore_configs`: Settings related to local storage of scanned data.
    - `datastore_path`: Specifies the local storage path where metadata received from the File System Scanner Agent (Windows) or the File System and Network Scanner Agent (Linux) is temporarily stored before being forwarded to Fortanix Key Insight. These paths can refer to local directories or network locations. For example, `/home/krish/onprem_test/fs-accumulator/database/`.

#### 3.5.4 Scan Containers

To scan container images in an on-premises environment, configure the following parameters:

- `container_images`: Defines the configuration for scanning the container images.
  - `daemons`: A list of container runtime daemons that the scanner can connect to. Each daemon includes the following parameters:
    - `name`: A unique identifier for the daemon. For example, `docker`.
    - `socket`: The connection endpoint for the container runtime. The default Docker sockets are:
      - Linux: `unix:///var/run/docker.sock`
      - Windows: `npipe:////./pipe/docker_engine`
  - `artifacts`: A list of container image definitions to be processed by the scanner. Each artifact includes the following parameters:
    - `type`: Specifies the container image source type. For on-premises scanning, the supported value is `daemon_repository_image`, which indicates that the image is retrieved from the local Docker daemon (or a similar container runtime).
    - `image`: Specifies the name of the container image to scan. For example, `vault` or `ghcr.io/linuxserver/nginx`.
    - `image_tag`: Specifies the tag of the container image. For example, `1.13.3`.
    - `daemon`: Defines the container runtime daemon from which the image is retrieved.

> [!NOTE]
> NOTE
> 
> The `daemon` specified under `artifacts` must match the `name` of one of the daemons defined in the `daemons` section.

*For more information on the container infrastructure type, refer to [Containers](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-container).*
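The `accumulator` service of Section 3.5.3 and the `container_images` settings of Section 3.5.4 under one on-premises connection, as an added example that is not the downloadable `config.yaml`. The key names are those of the two sections and the `pki/` file names are the ones Section 5.0 says the helper script produces; the `datastore_path`, the second image and its tag, and the connection ID are placeholders.

```yaml
# Added example: file system accumulator service and container image scanning under one connection.
# The datastore path, the second image/tag and the connection ID are placeholders.
connections:
  - connection_id: YOUR_ONPREM_CONNECTION_ID
    credential:
      type: apikey
      apikey:
        env_var: ARMOR_API_KEY_1

    accumulator:                          # "fs_accumulator" is still accepted for backward compatibility
      enabled: true
      server_configs:
        binding_ips_and_ports:
          - "0.0.0.0:1234"                # reachable by remote agents; "127.0.0.1:1234" would be local only
        tls:                              # mutual TLS; agents must present certificates issued by ca_file
          ca_file: pki/ca/ca-cert.pem                          # CA that issued the agents' client certificates
          certificate_chain_file: pki/server/server-chain.pem  # server leaf first, then intermediates, no root
          certificate_key_file: pki/server/server-key.pem      # unencrypted PKCS#8; keep file permissions tight
      datastore_configs:
        datastore_path: /var/lib/fortanix/scanner/fs-accumulator/   # placeholder staging directory

    container_images:
      daemons:
        - name: docker
          socket: unix:///var/run/docker.sock   # Linux default; on Windows use npipe:////./pipe/docker_engine
      artifacts:
        - type: daemon_repository_image
          image: vault
          image_tag: "1.13.3"             # quoted so YAML keeps the tag as a string
          daemon: docker                  # must match a name in the daemons list above
        - type: daemon_repository_image
          image: ghcr.io/linuxserver/nginx
          image_tag: latest               # placeholder tag
          daemon: docker
```

With `enabled: true` and a `0.0.0.0` binding, the scanner host opens a listener on port 1234 that only agents holding a certificate chained to `pki/ca/ca-cert.pem` can use; restrict that port at the host firewall to the agents' addresses and keep the server key file readable only by the scanner's service account.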

### 3.6 CyberArk On-premises Connection

This configuration defines how Fortanix Key Insight connects to a CyberArk on-premises environment for certificate scanning and data collection.

- `connections`: Specifies a list of connection definitions. Each entry represents one CyberArk on-premises environment to be scanned.
  - `connection_id`: A unique identifier for the CyberArk on-premises connection in Fortanix Key Insight.
  - `credential`: Defines how the Fortanix On-premises Scanner authenticates to Fortanix Key Insight.

You can obtain the connection ID and API key from the CyberArk on-premises connection details page. *For more information, refer to **Step 3** of [Getting Started with Vendor Application Connection](https://support.fortanix.com/docs/getting-started-with-vendor-application-connection#64-add-fortanix-key-insight-policy).*
    - `type`: Specifies the authentication method. Currently, `apikey` authentication is used. For example, the API key can be stored in the environment variable `ARMOR_API_KEY_CYBERARK_CONNECTION`.

> [!NOTE]
> NOTE
> 
> This API key is used only for authentication between the Fortanix On-premises Scanner and Fortanix Key Insight. It is independent of CyberArk certificate management credentials.
  - `clm`: Defines the Certificate Lifecycle Management (CLM) provider and its connection details.
    - `url`: The base URL of the customer-hosted CyberArk on-premises certificate management instance. For example, `https://CyberArk.example.com/`.
    - `provider`: Identifies the CLM provider. For example, `venafi`.
    - `credential`: Specifies how the Fortanix On-premises Scanner authenticates directly to the CyberArk on-premises certificate management instance.

> [!NOTE]
> NOTE
> 
> Contact your CyberArk administrators to obtain the required CyberArk service account credentials and client ID.
      - `type`: Indicates username and password based authentication.
      - `username` and `password`: The CyberArk certificate management service account credentials. These values can be provided using one of the following methods:
        - `value`: Specified directly in the configuration file.
        - `file`: Path to a file containing the credentials.
        - `env_var`: Environment variable storing the credential. For example, `CYBERARK_USERNAME` and `CYBERARK_PASSWORD`.
      - `client_id`: The client identifier used by CyberArk for API authentication and tracking.
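One CyberArk on-premises connection entry as an added example, not the downloadable `config.yaml`. Key names and the environment variable names are those of Section 3.6, and the `connections` entry shape follows the Section 4.0 sample; where this list sits in the file, the value of the CLM credential `type` (shown as `password` by analogy with the database credentials), the plain-string form of `client_id`, and the connection and client IDs are assumptions or placeholders.

```yaml
# Added example: one CyberArk on-premises connection entry.
# The CLM credential "type" value, the plain-string form of client_id and the placement of this
# list in the file are assumptions; confirm them against the downloadable config.yaml.
connections:
  - connection_id: YOUR_CYBERARK_CONNECTION_ID   # from the CyberArk on-premises connection details page
    credential:                                  # scanner -> Fortanix Key Insight only
      type: apikey
      apikey:
        env_var: ARMOR_API_KEY_CYBERARK_CONNECTION
    clm:
      url: "https://CyberArk.example.com/"       # customer-hosted certificate management instance
      provider: venafi
      credential:                                # scanner -> CyberArk certificate management instance
        type: password                           # username/password service account (assumed value)
        username:
          env_var: CYBERARK_USERNAME
        password:
          env_var: CYBERARK_PASSWORD             # never inline in a shared configuration file
        client_id: YOUR_CYBERARK_CLIENT_ID       # placeholder; obtained from your CyberArk administrator
```

As with the Fortanix DSM entry, the two credentials belong to different trust domains: rotating the Fortanix Key Insight API key does not affect the CyberArk service account, and vice versa, so each can be rotated on its own schedule.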

## 4.0 Reusing Configuration File Components

The configuration file supports **YAML anchors (`&`)** and **aliases (`*`)** for reusing the same configuration across multiple sections. This is useful when the same credentials, proxy settings, or other configurations need to be applied to multiple servers, databases, or services.

Using anchors and aliases ensures that updating a single section automatically propagates the changes wherever it is referenced.

**Example:**

> [!NOTE]
> NOTE
> 
> The following code block is **only a sample example** and not an actual configuration file. *For the complete and accurate configuration details, refer to [Section 2.0: On-premises Scanner Configuration File](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-file#20-onpremises-scanner-configuration-file).*

```yaml
# MSSQL Credentials Anchor
# Use this anchor to provide default MSSQL credentials across multiple connections.
mssql_default_creds: &mssql_creds
  credential:
    type: password
    username:
      value: <MSSQL_USERNAME>   
    password:
      value: <MSSQL_PASSWORD>   

# Oracle Credentials Anchor
# Use this anchor to provide default Oracle credentials across multiple connections.
oracle_default_creds: &oracle_creds
  credential:
    type: password
    username:
      value: <ORACLE_USERNAME>  
    password:
      value: <ORACLE_PASSWORD>  

# Proxy Configuration Anchor
# Use this anchor to provide default proxy settings across multiple places.
proxy_ref: &proxy_ref
  proxy:
    url: "http(s)://<host>:<port>"
    credential:
      type: basic
      username:
        value: user
      password:
        value: password

armor:
  url: "<ARMOR_SERVICE_URL>"  
  <<: *proxy_ref

connections:
  - connection_id: <CONNECTION_ID>  
    credential:
      type: apikey
      apikey:
        value: <API_KEY>  

    databases:
      - uri: "mssql://<MSSQL_HOST_1>:<PORT>"  
        <<: *mssql_creds

      - uri: "mssql://<MSSQL_HOST_2>:<PORT>" 
        <<: *mssql_creds

      - uri: "oracle://<ORACLE_HOST>/<DB_NAME>"  
        <<: *oracle_creds
```

In this example:

- `&mssql_creds` – Specifies the anchor (defines the reusable credentials).
- `*mssql_creds` – Specifies the alias (references the anchor).
- `<<:` – Merges the anchor's content into the block where it appears (here, each database entry and the `armor` section).

> [!NOTE]
> NOTE
> 
> Changing credentials in one place automatically updates all servers.

## 5.0 TLS Configuration Help Script

To establish a secure trust relationship between the Fortanix On-premises Scanner (server) and its File System Scanner Agents (clients), certificate, identity, and private key files must be created and managed. Generating these files manually can be error-prone, so the help script automates the process and ensures a consistent setup.

This helper script:

- Creates or reuses a private Certificate Authority (CA) using ECDSA P-256.
- Issues a single server certificate (with a DNS name and an optional IP SAN).
- Issues one or more client certificates, each unique to an individual File System Scanner Agent.
- Produces all output in a structured `pki/` directory, ready for use.

Perform the following steps to use the help script:

> [!NOTE]
> NOTE
> 
> For Windows, you can run the script using the [MSYS2](https://www.msys2.org/) tool to generate the required files.

1. Download the following script (`.sh`) file: [fortanix_key_insight_fs_accumulator_tls_configuration.sh](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix_key_insight_fs_accumulator_tls_configuration(3).sh) (5.57 KB)

2. Run the following command to make the script executable:

```bash
chmod +x fortanix_key_insight_fs_accumulator_tls_configuration.sh
```
3. Run the following command for the first-time setup to generate CA, server certificate, and client identities:

```bash
./fortanix_key_insight_fs_accumulator_tls_configuration.sh \
    --server-dns <SERVER_DNS> \
    --server-ip <SERVER_IP> \
    --clients <CLIENT_NAME_1,CLIENT_NAME_2,...>
```

Example:

```bash
./fortanix_key_insight_fs_accumulator_tls_configuration.sh \
    --server-dns scanner.internal \
    --server-ip 10.0.0.5 \
    --clients clientA,clientB
```

Here,
  - `server-dns` is the DNS hostname of the machine where the Fortanix On-premises Scanner is running.
  - `server-ip` is the IP address of the Fortanix On-premises Scanner machine.
  - `clients` is the identifier or hostname of each File System Scanner Agent that will connect to the Fortanix On-premises Scanner. Multiple client names can be provided as a comma-separated list.
4. After the command completes, the following files are generated. Copy the client identity files securely to each server that will run the Fortanix File System Scanner Agent, so the agents can authenticate with the Fortanix On-premises Scanner.
   - **CA** files:
     - `pki/ca/ca-key.pem`: CA private key
     - `pki/ca/ca-cert.pem`: CA certificate
   - **Server** files:
     - `pki/server/server-key.pem`: Server private key
     - `pki/server/server-cert.pem`: Server certificate
     - `pki/server/server-chain.pem`: Server chain
   - **Client identity** files:
     - `pki/clients/<CLIENT_NAME>/identity.pem`: Combined client key and certificate

> [!NOTE]
> NOTE
> 
> - The CA certificate is created only once and reused.
> - Server certificates are created when you provide `--server-dns`.
> - Client certificates are created when you provide `--clients`.
5. Run the following command to add more clients later, if required, reusing the same CA and server certificates:

```bash
./fortanix_key_insight_fs_accumulator_tls_configuration.sh \
    --clients <NEW_CLIENT_NAME_1,NEW_CLIENT_NAME_2,...>
```
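To make the layout the helper script produces concrete, the following is an added example, not the Fortanix script and not the project's own code. It builds the same `pki/` tree with plain `openssl`: an ECDSA P-256 CA that is created once and reused, a server certificate with DNS and IP SANs plus a chain file, one `identity.pem` (key and certificate) per client, and the verification checks worth running before an identity is copied to an agent. The `OUT_DIR` variable, the subject names, the validity periods and the extension sets are assumptions of the example; the CA private key is written with owner-only permissions and stays under `pki/ca`.

```shell
#!/bin/sh
# Added example (not the Fortanix helper script): build the same pki/ layout with
# plain openssl and verify it. Assumptions: openssl is on PATH; OUT_DIR is the
# directory in which pki/ is created (defaults to a fresh temporary directory).
set -e

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# gen_key FILE: ECDSA P-256 private key, readable only by its owner
gen_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
    chmod 600 "$1"
}

# make_ca: create pki/ca/ca-key.pem and ca-cert.pem once; reuse them if present
make_ca() {
    ca="$OUT_DIR/pki/ca"
    mkdir -p "$ca"
    if [ -f "$ca/ca-cert.pem" ]; then
        return 0
    fi
    gen_key "$ca/ca-key.pem"
    openssl req -new -key "$ca/ca-key.pem" -subj "/CN=Scanner Private CA" -out "$ca/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$ca/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$ca/ca.csr" -signkey "$ca/ca-key.pem" \
        -extfile "$ca/ca.ext" -out "$ca/ca-cert.pem"
    rm -f "$ca/ca.csr" "$ca/ca.ext"
}

# issue_cert SUBDIR NAME CN EXT_TEXT: key + CSR + CA-signed certificate in pki/SUBDIR
issue_cert() {
    dir="$OUT_DIR/pki/$1"; name="$2"
    mkdir -p "$dir"
    gen_key "$dir/$name-key.pem"
    openssl req -new -key "$dir/$name-key.pem" -subj "/CN=$3" -out "$dir/$name.csr"
    printf '%s\n' "$4" > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
        -CA "$OUT_DIR/pki/ca/ca-cert.pem" -CAkey "$OUT_DIR/pki/ca/ca-key.pem" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name-cert.pem"
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# make_server DNS IP: server certificate with DNS and IP SANs, plus the chain file
make_server() {
    issue_cert server server "$1" "subjectAltName=DNS:$1,IP:$2
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE"
    cat "$OUT_DIR/pki/server/server-cert.pem" "$OUT_DIR/pki/ca/ca-cert.pem" \
        > "$OUT_DIR/pki/server/server-chain.pem"
}

# make_clients NAME[,NAME...]: one identity.pem (key + certificate) per agent
make_clients() {
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        issue_cert "clients/$c" client "$c" "keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
basicConstraints=CA:FALSE"
        cat "$OUT_DIR/pki/clients/$c/client-key.pem" "$OUT_DIR/pki/clients/$c/client-cert.pem" \
            > "$OUT_DIR/pki/clients/$c/identity.pem"
        chmod 600 "$OUT_DIR/pki/clients/$c/identity.pem"
    done
}

# verify_pki DNS: checks to run before any identity leaves this host
verify_pki() {
    ca="$OUT_DIR/pki/ca/ca-cert.pem"
    # server cert chains to the CA and is usable as a TLS server certificate
    openssl verify -CAfile "$ca" -purpose sslserver "$OUT_DIR/pki/server/server-cert.pem" >/dev/null
    # the DNS name the agents will connect to is present as a SAN
    openssl x509 -in "$OUT_DIR/pki/server/server-cert.pem" -noout -text | grep -q "DNS:$1"
    # every client certificate chains to the CA and is usable for client auth
    for cert in "$OUT_DIR"/pki/clients/*/client-cert.pem; do
        openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null
    done
}

# Usage: OUT_DIR=./out sh this_file.sh scanner.internal 10.0.0.5 clientA,clientB
if [ "$#" -eq 3 ]; then
    make_ca; make_server "$1" "$2"; make_clients "$3"; verify_pki "$1"
    echo "pki written to $OUT_DIR/pki"
fi
```

Because `make_ca` returns early when `ca-cert.pem` already exists, a later `make_clients newClient` reuses the same CA and server certificate, which is the behaviour step 5 above relies on; `verify_pki` is the check to repeat after every such run.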

## 6.0 Troubleshooting

*For information about common issues and troubleshooting steps when configuring and running Fortanix Key Insight in on-premises environments, refer to*[*On-premises Connection Troubleshooting*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-connection-troubleshooting)*.*

The Fortanix On-premises Scanner is a configuration component installed within an organization’s local infrastructure. It is designed to scan, analyze, and manage sensitive cryptographic data using Fortanix Key Insight. The scanner identifies keys, certificates, and compliance information within on-premises systems. It supports both Linux and Windows platforms, allowing for flexible and secure deployment and visibility across different environments.
