The IBM DataPower Orchestrator allows for the management of certificates in the IBM Datapower platform. Inventory, Add and Remove functions are supported. This integration can add/replace certificates in any domain\directory combination.
This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
DataPower Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1
The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
| Operation | Win | Linux |
|---|---|---|
| Supports Management Add | ✓ | |
| Supports Management Remove | ✓ | |
| Supports Create Store | ||
| Supports Discovery | ||
| Supports Renrollment | ||
| Supports Inventory | ✓ |
This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider.
The secrets that this orchestrator extension supports for use with a PAM Provider are:
| Name | Description |
|---|---|
| Server UserName | The user id that will be used to authenticate into the server hosting the store |
| Server Password | The password that will be used to authenticate into the server hosting the store |
It is not necessary to use a PAM Provider for all of the secrets available above. If a PAM Provider should not be used, simply enter in the actual value to be used, as normal.
If a PAM Provider will be used for one of the fields above, start by referencing the Keyfactor Integration Catalog. The GitHub repo for the PAM Provider to be used contains important information such as the format of the json needed. What follows is an example but does not reflect the json values for all PAM Providers as they have different "instance" and "initialization" parameter names and values.
General PAM Provider Configuration
To use a PAM Provider to resolve a field, in this example the Server Password will be resolved by the Hashicorp-Vault provider, first install the PAM Provider extension from the Keyfactor Integration Catalog on the Universal Orchestrator.
Next, complete configuration of the PAM Provider on the UO by editing the manifest.json of the PAM Provider (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here:
"Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": {
"Host": "http://127.0.0.1:8200",
"Path": "v1/secret/data",
"Token": "xxxxxx"
}After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions.
With the PAM Provider configured as an extenion on the UO, a json object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the Keyfactor Integration Catalog for the specific format of the json object.
To have the Server Password field resolved by the Hashicorp-Vault provider, the corresponding json object from the Hashicorp-Vault extension needs to be copied and filed in with the correct information:
{"Secret":"my-kv-secret","Key":"myServerPassword"}This text would be entered in as the value for the Server Password, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the Server Password. If PAM should not be used, just directly enter in the value for the field.
Cert Store Type Configuration
In Keyfactor Command create a new Certificate Store Type similar to the one below:
| SETTING TAB | CONFIG ELEMENT | DESCRIPTION |
|---|---|---|
| Basic | Name | Descriptive name for the Store Type. IBM Data Power Universal can be used. |
| Basic | Short Name | The short name that identifies the registered functionality of the orchestrator. Must be DataPower |
| Basic | Custom Capability | You can leave this unchecked and use the default. |
| Basic | Job Types | Inventory, Add, and Remove are the supported job types. |
| Basic | Needs Server | Must be checked |
| Basic | Blueprint Allowed | Checked |
| Basic | Requires Store Password | Determines if a store password is required when configuring an individual store. This must be unchecked. |
| Basic | Supports Entry Password | Determined if an individual entry within a store can have a password. This must be unchecked. |
| Advanced | Store Path Type | Determines how the user will enter the store path when setting up the cert store. Freeform |
| Advanced | Supports Custom Alias | Determines if an individual entry within a store can have a custom Alias. This must be Required |
| Advanced | Private Key Handling | Determines how the orchestrator deals with private keys. Optional |
| Advanced | PFX Password Style | Determines password style for the PFX Password. Default |
| NAME | DISPLAY NAME | TYPE | DEFAULT VALUE | DEPENDS ON | REQUIRED | DESCRIPTION |
|---|---|---|---|---|---|---|
| ServerUsername | Server Username | Secret | Unchecked | Yes | Data Power Api User Name | |
| ServerPassword | Server Password | Secret | Unchecked | Yes | Data Power Api Password | |
| ServerUseSsl | Use SSL | Bool | True | Unchecked | Yes | Requires SSL Connection |
| InventoryPageSize | Inventory Page Size | String | 100 | Unchecked | Yes | This will determine the paging level during the inventory process. |
| PublicCertStoreName | Public Cert Store Name | String | pubcert | Unchecked | Yes | Name of the public cert store location on DataPower. |
| Protocol | Protocol Name | String | https | Unchecked | Yes | Prototcol should always be https in production. Might need http in test environment. |
| InventoryBlackList | Inventory Black List | String | Unchecked | No | Comma seperated list of alias values you do not want to inventory from DataPower |
There are no entry parameters used in this integration.
IBM DataPower Certificate Store
In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below.| CONFIG ELEMENT | DESCRIPTION |
|---|---|
| Category | The type of certificate store to be configured. Select category based on the display name configured above "DataPower". |
| Container | This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. |
| Client Machine | The hostname of the Panorama or Firewall. Sample is "dp.cloudapp.azure.com". |
| Store Path | This will the domain\path combination to enroll and inventory to. If it is the default domain just put the path. |
| Orchestrator | This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. |
| Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. |
| Use SSL | This should be checked. |
| User | The Data Power user that has access to the API and enroll and inventory functions in DataPower. |
| Password | Api Password Setup for the user above |
Data Power Test Cases
| Case Number | Case Name | Case Description | Expected Results | Passed |
|---|---|---|---|---|
| 1 | Pubcert Inventory No Black List Default Domain | Should Inventory Everything in the DataPower pubcert directory on the Default Domain | Keyfactor Inventory Matches pubcert default domain inventory | True |
| 1a | Pubcert Inventory No Black List Default Domain using PAM Credentials | Should Inventory Everything in the DataPower pubcert directory on the Default Domain using credentials stored in a PAM Provider | Keyfactor Inventory Matches pubcert default domain inventory | True |
| 1b | Pubcert Inventory With Black List Default Domain | Should Inventory Everything in the DataPower pubcert directory on the Default Domain Outside of Black List Items ex: Test.pem,Test2.pem | Keyfactor Inventory Matches pubcert default domain inventory outside of Black List Items | True |
| 2 | Pubcert Inventory No Black List testdomain\pubcert path | Should Inventory Everything in the DataPower pubcert directory on the testdomain\pubcert path | Keyfactor Inventory Matches pubcert default domain inventory | True |
| 2a | Pubcert Inventory With Black List testdomain\pubcert path | Should Inventory Everything in the DataPower pubcert directory on the testdomain\pubcert path Outside of Black List Items ex: Cert1.pem,Cert2.pem | Keyfactor Inventory Matches pubcert default domain inventory outside of Black List Items | True |
| 3 | Private Key Cert Inventory No Black List Default Domain | Should Inventory Everything in the DataPower cert directory on the Default Domain | Keyfactor Inventory Matches pubcert default domain inventory | True |
| 3a | Private Key Cert Inventory No Black List Default Domain with Credentials Stored in PAM Provider | Should Inventory Everything in the DataPower cert directory on the Default Domain with Credentials Stored in PAM Provider | Keyfactor Inventory Matches pubcert default domain inventory | True |
| 3b | Private Key Cert Inventory With Black List Default Domain | Should Inventory Everything in the DataPower cert directory on the Default Domain Oustide of Black List Items ex: Test.pem,Test2.pem | Keyfactor Inventory Matches cert default domain inventory outside of Black List Items | True |
| 4 | Private Key Cert Inventory No Black List testdomain\cert path | Should Inventory Everything in the DataPower cert directory on the testdomain\cert path | Keyfactor Inventory Matches testdomain\cert path | inventory |
| 4a | Private Key Cert Inventory With Black List testdomain\cert path | Should Inventory Everything in the DataPower cert directory on the testdomain\cert path | Keyfactor Inventory Matches testdomain\cert path Oustide of Black List Items ex: Test,Test2 |
| Case Number | Case Name | Case Description | Overwrite Flag | Alias Name | Expected Results | Passed |
|---|---|---|---|---|---|---|
| 1 | Pubcert Add with Alias Default Domain | Will create new Cert, Key and Pem/crt entry | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created | True |
| 1a | Pubcert Overwrite with Alias Default Domain | Will Replaced Cert, Key and Pem/crt entry | true | cryptoobjs | Crypto Key Replaced, Crypto Cert Replaced, Pem/Crt Replaced | True |
| 1b | Pubcert Add without Alias Default Domain | Will create new Cert, Key and Pem/crt entry with GUID as name | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created with GUID as name | True |
| 2 | Private Key Add with Alias Default Domain | Will create new Cert, Key and Pem/crt entry | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created | True |
| 2a | Private Key Overwrite with Alias Default Domain | Will Replaced Cert, Key and Pem/crt entry | true | cryptoobjs | Crypto Key Replaced, Crypto Cert Replaced, Pem/Crt Replaced | True |
| 2b | Private Key Add without Alias Default Domain | Will create new Cert, Key and Pem/crt entry with GUID as name | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created with GUID as name | True |
| 2c | Private Key Cert Add with Alias testdomain\cert path | Will create new Cert, Key and Pem/crt entry in testdomain\cert path | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created in testdomain\pubcert path | True |
| 2d | Private Key Cert Add with Alias testdomain\cert path | Will create new Cert, Key and Pem/crt entry in testdomain\cert path with PAM Credentials | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created in testdomain\pubcert path gettting credentials from a PAM Provider | True |
| 3a | Private Key Cert Overwrite with Alias testdomain\cert path | Will Replaced Cert, Key and Pem/crt entry in testdomain\cert path | true | cryptoobjs | Crypto Key Replaced, Crypto Cert Replaced, Pem/Crt Replaced in testdomain\pubcert path | True |
| 3b | Private Key Cert Add without Alias testdomain\cert path | Will create new Cert, Key and Pem/crt entry with GUID as name in testdomain\cert path | False | cryptoobjs | Crypto Key Created, Crypto Cert Created, Pem/Crt created with GUID as name in testdomain\cert path | True |
| 4 | Remove Private Key and Cert From Default Domain | Remove Private Key and Cert From Default Domain | False | cryptoobjs | Crypto Certificate, Crypto Key and Pem/Crt are removed from Data Power | True |
| 4a | Remove Private Key and Cert From testdomain\cert path | Remove Private Key and Cert From testdomain\cert path | False | cryptoobjs | Crypto Certificate, Crypto Key and Pem/Crt are removed from Data Power testdomain\cert path | True |
| 4b | Remove PubCert | Remove PubCert | False | cryptoobjs | Error Occurs, cannot remove Public Certs | True |
| 4c | Remove Private Key and Cert From testdomain\cert path with PAM Credentials | Remove Private Key and Cert From testdomain\cert path using credentials stored in a PAM Provider | False | cryptoobjs | Crypto Certificate, Crypto Key and Pem/Crt are removed from Data Power testdomain\cert path | True |