Installing Custom PAM Provider Extensions
Before you can begin to use a third-party PAM provider with Keyfactor Command, you need to acquire and install the appropriate custom-built PAM extension for your desired PAM provider from the Keyfactor GitHub:
To find a package on GitHub:
- Visit the link above to find your desired package, and click either Github Repository or View source on GitHub to go to the package page on GitHub.
Figure 417: View Packages as Part of a List
Figure 418: View Packages on Individual Pages
- On the GitHub page, on the right-hand side, click the link for the Latest version.
Figure 419: Find the Latest Version of the Package
- On the GitHub version page in the Assets section, click the package name to download the zip file.
Figure 420: Download the Package Zip File
- On the main extension GitHub page, review the documentation for the specific extension. Here you will find supported platforms, prerequisites, and extension-specific installation and configuration instructions. The instructions below cover only where to place the extension files on the orchestrator (Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores) and how to build custom manifest.json files (changes to which aren't needed for extensions from GitHub unless you are customizing something). They do not cover the details for creation of a PAM provider type in Keyfactor Command for the extension or any other customization specific to a given extension.
Installation on the Keyfactor Universal Orchestrator Server
To install a PAM extension on a Universal Orchestrator for use by that orchestrator only:
- Using the Keyfactor API (a set of functions that allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command), add a PAM provider type in Keyfactor Command for the custom PAM extension. See the Adding a PAM Provider Type instructions for your selected PAM extension. The following is an example request body for a POST /PamProviders/Types request to create a PAM provider type for the Delinea extension:
{
  "Name": "Delinea-SecretServer",
  "Parameters": [
    {
      "Name": "Host",
      "DisplayName": "Secret Server URL",
      "InstanceLevel": false,
      "DataType": "string"
    },
    {
      "Name": "Username",
      "DisplayName": "Secret Server Username",
      "InstanceLevel": false,
      "DataType": "secret"
    },
    {
      "Name": "Password",
      "DisplayName": "Secret Server Password",
      "InstanceLevel": false,
      "DataType": "secret"
    },
    {
      "Name": "SecretId",
      "DisplayName": "Secret Server Secret ID",
      "InstanceLevel": true,
      "DataType": "string"
    },
    {
      "Name": "SecretFieldName",
      "DisplayName": "Secret Field Name",
      "InstanceLevel": true,
      "DataType": "string"
    }
  ]
}
- On the Universal Orchestrator server, locate the extensions directory within the install directory. By default, this is:
C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions
- Under the extensions directory, create a new directory with an appropriate name for the PAM extension (e.g. CyberArk). This name is for reference only and does not need to match any names used elsewhere.
- Place the files you downloaded for the PAM extension in the new directory.
- In the directory for the PAM extension, locate the file called manifest.json. The manifest.json file should be placed in the same directory as the DLL(s) for the extension.
- Using a text editor, edit the manifest.json file and configure it appropriately for the extension. See the Configuring the Client Side manifest.json File instructions for your selected PAM extension for exact details. The following Delinea manifest.json file is provided as an example. Things to note:
  - Areas in lines 4-6 and 10-14, below, will vary between manifest.json files.
  - Areas shown in red text are examples of items that need to be customized for your environment.
  - When you add your PAM provider into Keyfactor Command, the name you give it must match the name in the equivalent of your line 4 (for your manifest.json file), below (e.g. Delinea-SecretServer).
{
  "extensions": {
    "Keyfactor.Platform.Extensions.IPAMProvider": {
      "PAMProviders.Delinea-SecretServer.PAMProvider": {
        "assemblyPath": "delinea-secretserver-pam.dll",
        "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
      }
    }
  },
  "Keyfactor:PAMProviders:Delinea-SecretServer:InitializationInfo": {
    "Host": "http://127.0.0.1:8200",
    "Path": "v1/secret/data",
    "Token": "xxxxxx"
  }
}
- Restart the Universal Orchestrator service (see Start the Universal Orchestrator Service).
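Before restarting the service, the placement and naming rules above can be checked mechanically. The following Python sketch is an added example, not Keyfactor code: `check_manifest` and `demo` are hypothetical helpers, the rule that the InitializationInfo section carries the same provider name is an assumption drawn from the example manifest, and the plaintext `http://` warning is an added hardening check.

```python
import json, re, tempfile
from pathlib import Path
EXT_KEY = "Keyfactor.Platform.Extensions.IPAMProvider"
NAME_RE = re.compile(r"^PAMProviders\.(.+)\.PAMProvider$")

SAMPLE = {  # constructed sample: the Delinea manifest.json shown on this page
    "extensions": {EXT_KEY: {"PAMProviders.Delinea-SecretServer.PAMProvider": {
        "assemblyPath": "delinea-secretserver-pam.dll",
        "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"}}},
    "Keyfactor:PAMProviders:Delinea-SecretServer:InitializationInfo": {
        "Host": "http://127.0.0.1:8200", "Path": "v1/secret/data", "Token": "xxxxxx"},
}

def check_manifest(ext_dir, provider_name):
    """Return findings for ext_dir/manifest.json; an empty list means clean."""
    ext_dir = Path(ext_dir)
    # utf-8-sig tolerates the BOM some Windows editors prepend.
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings, names = [], []
    for key, entry in manifest.get("extensions", {}).get(EXT_KEY, {}).items():
        match = NAME_RE.match(key)
        if not match:
            findings.append(f"unexpected provider key: {key}")
            continue
        names.append(match.group(1))
        dll = entry.get("assemblyPath", "")
        # manifest.json must sit in the same directory as the DLL(s).
        if not dll or Path(dll).name != dll or not (ext_dir / dll).is_file():
            findings.append(f"assemblyPath not beside manifest.json: {dll!r}")
    if provider_name not in names:
        findings.append(f"no provider entry named {provider_name!r}")
    init = manifest.get(f"Keyfactor:PAMProviders:{provider_name}:InitializationInfo")
    if init is None:  # assumption: section name carries the same provider name
        findings.append("InitializationInfo section missing for this name")
    else:
        findings += [f"{k} uses plaintext http://" for k, v in init.items()
                     if isinstance(v, str) and v.lower().startswith("http://")]
    return findings

def demo(provider_name="Delinea-SecretServer", with_dll=True):
    """Build a throwaway extension directory from SAMPLE and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "manifest.json").write_text(json.dumps(SAMPLE), encoding="utf-8")
        if with_dll:
            (Path(tmp) / "delinea-secretserver-pam.dll").write_bytes(b"")
        return check_manifest(tmp, provider_name)

if __name__ == "__main__":
    print(demo())
```

To check a real installation, call `check_manifest` with the extension directory you created and the name you gave the PAM provider type in Keyfactor Command.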