PAM Provider Configuration in Keyfactor Command

The PAM provider configuration can be edited at any time, even if it is used on existing records.

To define a new PAM provider or modify an existing one:

1. In the Management Portal, browse to System Settings Icon > Privileged Access Management.

2. On the PAM Providers page, click Add to create a new provider, or, to modify an existing provider, double-click the provider, right-click the provider and choose Edit from the right-click menu, or highlight the row in the providers grid and click Edit at the top of the grid.

   

   Figure 439: Add PAM Provider

3. In the PAM Providers dialog, check the Remote Provider box if you are adding a third-party PAM provider for a PAM extension installed on a Universal Orchestrator.

   A remote PAM provider generally exists outside the local network of the Keyfactor Command server. This option allows you to specify the secret information in Keyfactor Command in the same way as you would with a local PAM provider without needing to enter PAM provider configurations in Keyfactor Command (other than a base remote provider link). The PAM provider configuration information is, instead, supplied in the orchestrator's PAM manifest (see Installing Custom PAM Provider Extensions). Remote PAM providers are only supported for use with certificate stores and the Keyfactor Universal Orchestrator version 10.0 or greater. From Keyfactor Command version 12.0, support for Remote PAM providers is also available with a Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. using CA Connector The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. and OAuth authentication method.

4. Select a Provider Type in the dropdown. This is the name of the software vendor that provides your Privilege Access Management solution. For a Keyfactor Command local PAM database, select LocalDB. This field cannot be modified on an edit.

   Note:  If a provider type does not already exist for the PAM provider you are adding, you will need to create a new supported type before completing this step (see Installing Custom PAM Provider Extensions).

5. In the Name field, enter a name for the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.

   Important:  For a third-party PAM provider, the name you give to your PAM provider in Keyfactor Command must match the name of the PAM provider as referenced in the manifest.json file (see Installing Custom PAM Provider Extensions).
6. The remainder of the fields in the dialog will vary depending on the provider type selected. If you checked Remote Provider or a selected a type of LocalDB, no further configuration is needed in this dialog. For example:
   CyberArk Extension (Central Credential Provider)

   • Application ID: The name/ID of the application created for Keyfactor Command.
   • CyberArk Host and Port: The hostname The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). or IP address where CyberArk is hosted, including port. Do not include http/https.

   • CyberArk API Site: The web server site name to which CyberArk has been deployed. By default, this is AIMWebService.

     

     Figure 440: Create a Local CyberArk Provider

   Close
   Delinea Extension

   • Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g. https://websrvr38.keyexample.com/SecretServer).
   • Secret Server Username: The username of the user that will be used to connect to SecretServer.

   • Secret Server Password: The password of the user that will be used to connect to SecretServer.

     

     Figure 441: Create a Local Delinea PAM Provider

   Close
   HashiCorp Extension

   • Vault Host: The URL to the vault instance, including port number if applicable (e.g. https://websrvr35.keyexample.com:8200).
   • Vault Token: The access token for the vault (assuming Kerberos authentication is not used).

   • KV Engine Path: The path to the vault secrets. The default is v1/secret/data.

     

     Figure 442: Create a Local HashiCorp PAM Provider

   Close
7. Click Save to save the provider.

To add a secret for a local Keyfactor Command PAM provider:

1. In the Management Portal, browse to System Settings Icon > Privileged Access Management.
2. On the PAM providers page, add a new PAM provider of type LocalDB if one does not already exist.
3. In the Pam providers grid, right-click the local Keyfactor Command PAM provider and choose Open Command Secret Provider from the right-click menu or highlight the row in the providers grid and click Open Command Secret Provider at the top of the grid.
4. On the [Provider Name] Command Secret Provider Management page, click Add to create a new secret, or, to modify an existing secret, double-click the secret, right-click the secret and choose Edit from the right-click menu, or highlight the row in the secret grid and click Edit at the top of the grid.
5. Enter a Secret Name for the secret. This name will be used in Keyfactor Command interfaces where you reference the PAM secret. Spaces are supported in the name. This field cannot be modified on an edit.
6. Enter a Description for the secret.

7. Enter and confirm the Secret value. On an edit if you wish to change the secret value, toggle the Change Secret option to enable the secret fields.

   

   Figure 443: Add a New Local Keyfactor Command PAM Secret

8. Click Save to save the secret.

To delete a secret, highlight the row in the secrets grid and click Delete at the top of the grid or right-click the secret in the grid and choose Delete from the right-click menu.

To delete a provider, highlight the row in the providers grid and click Delete at the top of the grid or right-click the provider in the grid and choose Delete from the right-click menu.