Installing Custom PAM Provider Extensions

Before you can begin to use a third-party PAM provider with Keyfactor Command, you need to acquire and install the appropriate custom-built PAM extension for your desired PAM provider from the Keyfactor GitHub. Take the extension only from a tagged release in the Keyfactor GitHub repository: it is a DLL that the Keyfactor Command web applications, the CA Connector or the Universal Orchestrator load in-process and that handles your PAM credentials, so treat it as privileged code and record the hash of the zip file you install.

To find a package on GitHub:

  1. Visit the link above to find your desired package, and click either Github Repository or View source on GitHub to go to the package page on GitHub.

    Figure 449: View Packages as Part of a List

    Figure 450: View Packages on Individual Pages

  2. On the GitHub page, on the right-hand side, click the link for the Latest version.

    Figure 451: Find the Latest Version of the Package

  3. On the GitHub version page in the Assets section, click the package name to download the zip file.

    Figure 452: Download the Package Zip File

  4. On the main extension GitHub page, review the documentation for the specific extension. There you will find supported platforms, prerequisites, and extension-specific installation and configuration instructions. The instructions below cover only where to place the extension files on the Keyfactor Command server, the CA connector or the orchestrator, and how to build a custom manifest.json file (an extension from GitHub ships with one, and it needs no changes unless you are customizing something). They do not cover the details of creating a PAM provider type in Keyfactor Command for the extension, nor any other customization specific to a given extension.

Extensions can be installed either locally (on the Keyfactor Command server) or remotely (on each instance of the Keyfactor CA Connector or Keyfactor Universal Orchestrator that will be accessing PAM secrets). The two differ in where the PAM connection settings and credentials live: for a local provider they are held by Keyfactor Command, while for a remote provider they are written into the manifest.json on the connector or orchestrator host, so that host must be protected accordingly. Be sure to follow the installation instructions for the type of installation you wish to do:

Local PAM Extensions on the Keyfactor Command Server
Windows Installations Under IIS

To install a PAM extension on the Keyfactor Command server:

  1. Using the Keyfactor API, add a PAM provider type in Keyfactor Command for the custom PAM extension. See the Adding a PAM Provider Type instructions for your selected PAM extension. The following is an example request body for a POST /PamProviders/Types request to create a PAM provider type for the Delinea extension:

    {
       "Name":"Delinea-SecretServer",
       "Parameters":[
          {
             "Name": "Host",
             "DisplayName":"Secret Server URL", 
             "InstanceLevel":false,
             "DataType": "string"
          },
          {
             "Name":"Username",
             "DisplayName":"Secret Server Username", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"Password",
             "DisplayName":"Secret Server Password", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"SecretId",
             "DisplayName":"Secret Server Secret ID", 
             "InstanceLevel":true,
             "DataType": "string"
          },
          {
             "Name":"SecretFieldName",
             "DisplayName":"Secret Field Name", 
             "InstanceLevel":true,
             "DataType": "string"
          }
       ]
    }
  2. On the Keyfactor Command server, locate the \WebAgentServices\Extensions\PamProviders directory within the install directory. By default, this is:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Extensions\PamProviders
  3. Under the PamProviders directory, create a new directory with an appropriate name for the PAM extension (e.g. CyberArk). This name is for reference only and does not need to match any names used elsewhere.
  4. Place the files you downloaded for the PAM extension in the new directory.
  5. In the directory for the PAM extension, locate the file called manifest.json. The manifest.json file should be placed in the same directory as the DLL(s) for the extension.
  6. Using a text editor, open the manifest.json file for editing and configure it appropriately for the extension, if needed. See the Configuring the Server Side manifest.json File instructions for your selected PAM extension for exact details. The following Delinea manifest.json file is provided as an example. Things to note:

    • The provider entry under Keyfactor.Platform.Extensions.IPAMProvider (the provider key, its assemblyPath and its TypeFullName, below) will vary between manifest.json files.

    • When you add your PAM provider into Keyfactor Command, the name you give it must match the provider name in that key (Delinea in the example key PAMProviders.Delinea.PAMProvider).

    • In most cases, server-side files should not need customization. The server-side manifest.json carries no connection settings or credentials; for a local provider those are entered in Keyfactor Command when you create the PAM provider.

    {
       "extensions": {
          "Keyfactor.Platform.Extensions.IPAMProvider": {
             "PAMProviders.Delinea.PAMProvider": {
                "assemblyPath": "delinea-secretserver-pam.dll",
                "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
             }
          }
       }
    }
  7. If you’ll be using PAM to store secrets for uses other than certificate stores, repeat the above steps for the PamProviders directories found here, by default:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\Extensions\PamProviders
    C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\Extensions\PamProviders
    C:\Program Files\Keyfactor\Keyfactor Platform\CAConnectorAPI\Extensions\PamProviders (for local PAM providers)
    C:\Program Files\Keyfactor\Keyfactor CA Connector\Extensions\PamProviders (or /opt/keyfactor-ca-connector/extensions, for Linux) (for remote PAM providers)
    Note:  Step 1 (add a PAM provider type into Keyfactor Command) does not need to be repeated. The same PAM provider type and PAM provider may be used from multiple areas of the product.
  8. Restart the web server services (iisreset) on the Keyfactor Command server to complete the implementation.
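Because step 7 requires the same extension files under several PamProviders directories, a stale or tampered copy in one of them is easy to miss. The following script, added for this page and not part of Keyfactor's tooling, confirms that each copy is present, that the DLL named by manifest.json's assemblyPath exists beside it, and that every copy hashes to the same bytes (optionally also to the SHA-256 you recorded from the GitHub release). The directory names are the page's defaults; the sample tree it builds is constructed for the demonstration.

```python
"""Copy-consistency check for a PAM extension installed under Keyfactor Command.

Added example for this page, not Keyfactor tooling. The PamProviders directory
names are the step 7 defaults; the sample install tree is constructed.
"""
import hashlib
import json
import os
import tempfile

IPAM_KEY = "Keyfactor.Platform.Extensions.IPAMProvider"

# PamProviders locations relative to the Keyfactor Command install root (step 7 defaults).
COMMAND_PAM_DIRS = [
    os.path.join("WebAgentServices", "Extensions", "PamProviders"),
    os.path.join("WebConsole", "Extensions", "PamProviders"),
    os.path.join("KeyfactorAPI", "Extensions", "PamProviders"),
    os.path.join("CAConnectorAPI", "Extensions", "PamProviders"),
]


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def referenced_dlls(manifest_path):
    """assemblyPath of every provider registered under the IPAMProvider key."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    providers = manifest.get("extensions", {}).get(IPAM_KEY, {})
    return [entry["assemblyPath"] for entry in providers.values()]


def check_extension_copies(install_root, extension_dir, expected_hashes=None):
    """Return {"ok", "problems", "hashes"} for extension_dir under every PamProviders directory.

    expected_hashes: optional {filename: sha256-hex} recorded from the release you verified.
    """
    problems, baseline = [], {}  # baseline: filename -> (first directory seen, sha256)
    for rel in COMMAND_PAM_DIRS:
        ext_dir = os.path.join(install_root, rel, extension_dir)
        manifest = os.path.join(ext_dir, "manifest.json")
        if not os.path.isfile(manifest):
            problems.append(f"{rel}: {extension_dir}/manifest.json is missing")
            continue
        for name in ["manifest.json"] + referenced_dlls(manifest):
            path = os.path.join(ext_dir, name)
            if not os.path.isfile(path):
                problems.append(f"{rel}: manifest.json references {name}, which is not present")
                continue
            digest = sha256_file(path)
            if expected_hashes and name in expected_hashes and expected_hashes[name] != digest:
                problems.append(f"{rel}: {name} sha256 {digest[:12]}... does not match the recorded release hash")
            if name in baseline and baseline[name][1] != digest:
                problems.append(f"{rel}: {name} differs from the copy under {baseline[name][0]}")
            baseline.setdefault(name, (rel, digest))
    return {"ok": not problems, "problems": problems,
            "hashes": {name: digest for name, (_, digest) in baseline.items()}}


# --- constructed sample data for the demonstration -------------------------------------
SAMPLE_MANIFEST = {  # the server-side Delinea manifest.json from step 6
    "extensions": {IPAM_KEY: {"PAMProviders.Delinea.PAMProvider": {
        "assemblyPath": "delinea-secretserver-pam.dll",
        "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"}}}}
FAKE_DLL = b"MZ constructed stand-in for delinea-secretserver-pam.dll, not a real assembly"


def build_sample_install(root, stale_copy=False):
    """Lay out the four PamProviders directories; optionally leave one DLL out of date."""
    for i, rel in enumerate(COMMAND_PAM_DIRS):
        ext_dir = os.path.join(root, rel, "Delinea")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_MANIFEST, fh, indent=2)
        payload = FAKE_DLL + (b" (old build)" if stale_copy and i == 2 else b"")
        with open(os.path.join(ext_dir, "delinea-secretserver-pam.dll"), "wb") as fh:
            fh.write(payload)


def run_demo():
    """Clean install, one stale copy, and a copy that does not match the recorded release hash."""
    results = {}
    scenarios = {"clean": (False, None), "stale_copy": (True, None),
                 "wrong_release": (False, {"delinea-secretserver-pam.dll": "0" * 64})}
    for label, (stale, expected) in scenarios.items():
        with tempfile.TemporaryDirectory() as root:
            build_sample_install(root, stale)
            results[label] = check_extension_copies(root, "Delinea", expected)
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "OK" if result["ok"] else result["problems"])
```

On a real server, call check_extension_copies with the install root (C:\Program Files\Keyfactor\Keyfactor Platform by default) and the directory name you chose in step 3; pass the release hashes you recorded at download time as expected_hashes so the check also catches a copy that is consistent across directories but is not the build you meant to install.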
Container Installations Under Kubernetes

To install a PAM extension:

  1. Using the Keyfactor API, add a PAM provider type in Keyfactor Command for the custom PAM extension. See the Adding a PAM Provider Type instructions for your selected PAM extension. The following is an example request body for a POST /PamProviders/Types request to create a PAM provider type for the Delinea extension:

    {
       "Name":"Delinea-SecretServer",
       "Parameters":[
          {
             "Name": "Host",
             "DisplayName":"Secret Server URL", 
             "InstanceLevel":false,
             "DataType": "string"
          },
          {
             "Name":"Username",
             "DisplayName":"Secret Server Username", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"Password",
             "DisplayName":"Secret Server Password", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"SecretId",
             "DisplayName":"Secret Server Secret ID", 
             "InstanceLevel":true,
             "DataType": "string"
          },
          {
             "Name":"SecretFieldName",
             "DisplayName":"Secret Field Name", 
             "InstanceLevel":true,
             "DataType": "string"
          }
       ]
    }
  2. On your Kubernetes server, create a manifest.json file containing the customized contents of the manifest.json file for the PAM extension you are installing. The following Delinea manifest.json file is provided as an example:

    {
      "extensions": {
        "Keyfactor.Platform.Extensions.IPAMProvider": {
          "PAMProviders.Delinea.PAMProvider": {
            "assemblyPath": "delinea-secretserver-pam.dll",
            "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
          }
        }
      }
    }
  3. Create a PersistentVolume in Kubernetes to contain your manifest.json file, the dll it references, and any supporting files. The steps for this will vary depending on your Kubernetes implementation and the intended storage location used by your PersistentVolume.

    Tip:  You can create a PersistentVolume in the local file system for testing purposes as follows:
    1. Create a directory that your PersistentVolume will reference and which will contain the files to be mounted via the persistent volume. For example:

      mkdir /opt/files/pam
    2. Create a YAML file to define the PersistentVolume similar to the following:

      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: pam-pv
      spec:
        storageClassName: manual
        capacity:
          storage: 10Gi
        accessModes:
          - ReadWriteOnce
        hostPath:
          path: "/opt/files/pam"
    3. Create the PersistentVolume based on the yaml file you created. For example:

      sudo kubectl apply --filename=/opt/files/pam-pv.yaml

      PersistentVolumes are cluster-scoped resources, meaning they are not associated with a specific namespace.

    4. Create a YAML file to define a PersistentVolumeClaim associated with the PersistentVolume similar to the following:

      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pam-pvc
      spec:
        storageClassName: manual
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
    5. Create the PersistentVolumeClaim based on the yaml file you created. For example:

      sudo kubectl apply --filename=/opt/files/pam-pvc.yaml --namespace keyfactor-command

      Unlike PersistentVolumes, PersistentVolumeClaims are associated with a specific namespace.

    6. Place the files that should be mounted in the container into the directory you specified in the file system. For example:

      /opt/files/pam/manifest.json
      /opt/files/pam/delinea-secretserver-pam.deps.json
      /opt/files/pam/delinea-secretserver-pam.dll

    Important:  This method should not be used for a production PersistentVolume. A hostPath volume is tied to one node's local file system and gives the pod access to that path on the node, so it neither follows the pod to another node nor isolates the pod from the host.

  4. Edit your values file to add a volume and volumeMount for the PersistentVolume containing the manifest.json file, dll, and any supporting files. For example, the following values file section shows the example root trusts volume (see Install Keyfactor Command in Containers Under Kubernetes) and the pam-custom-volume. Your PersistentVolume claim name should match the claimName referenced here.

    volumes:
      - name: root-cas
        configMap:
          name: ca-roots
          items:
            - key: ca-certificates.crt
              path: ca-certificates.crt
      - name: pam-custom-volume
        persistentVolumeClaim:
          claimName: pam-pvc
    volumeMounts:
      - name: root-cas
        mountPath: /etc/ssl/certs/ca-certificates.crt
        subPath: ca-certificates.crt
      - name: pam-custom-volume
        mountPath: /app/Extensions/my-custom-pam
  5. Load the new values, referencing the deployment name, namespace, your customized values file, the helm chart, and version. For example:

    sudo helm upgrade Helm_Deployment_Name --namespace keyfactor-command --values values-local.yaml oci://repo.keyfactor.com/charts/command --version 2.0.0
Remote PAM Extensions on the Keyfactor Universal Orchestrator Server (Windows or Linux)

To install a PAM extension on a Universal Orchestrator for use by that orchestrator only (Windows or Linux install):

  1. Using the Keyfactor API, add a PAM provider type in Keyfactor Command for the custom PAM extension. See the Adding a PAM Provider Type instructions for your selected PAM extension. The following is an example request body for a POST /PamProviders/Types request to create a PAM provider type for the Delinea extension:

    {
       "Name":"Delinea-SecretServer",
       "Parameters":[
          {
             "Name": "Host",
             "DisplayName":"Secret Server URL", 
             "InstanceLevel":false,
             "DataType": "string"
          },
          {
             "Name":"Username",
             "DisplayName":"Secret Server Username", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"Password",
             "DisplayName":"Secret Server Password", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"SecretId",
             "DisplayName":"Secret Server Secret ID", 
             "InstanceLevel":true,
             "DataType": "string"
          },
          {
             "Name":"SecretFieldName",
             "DisplayName":"Secret Field Name", 
             "InstanceLevel":true,
             "DataType": "string"
          }
       ]
    }
  2. On the Universal Orchestrator server, locate the extensions directory within the install directory. By default, this is:

    Windows: C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions
    Linux: /opt/keyfactor/orchestrator/extensions
  3. Under the extensions directory, create a new directory with an appropriate name for the PAM extension (e.g. CyberArk). This name is for reference only and does not need to match any names used elsewhere.
  4. Place the files you downloaded for the PAM extension in the new directory.
  5. In the directory for the PAM extension, locate the file called manifest.json. The manifest.json file should be placed in the same directory as the DLL(s) for the extension.
  6. Using a text editor, edit the manifest.json file and configure it appropriately for the extension. See the Configuring the Client Side manifest.json File instructions for your selected PAM extension for exact details. The following Delinea manifest.json file is provided as an example. Things to note:

    • The provider entry under Keyfactor.Platform.Extensions.IPAMProvider (the provider key, its assemblyPath and its TypeFullName) and the contents of the InitializationInfo section will vary between manifest.json files.

    • The values in the InitializationInfo section (Host, Username and Password in the example) must be replaced with the settings for your environment. They correspond to the parameters defined with InstanceLevel false in the PAM provider type from step 1; the InstanceLevel true parameters (SecretId and SecretFieldName in the Delinea example) are not part of this file.

    • When you add your PAM provider into Keyfactor Command, the name you give it must match the provider name in the provider key (Delinea-SecretServer in the example key PAMProviders.Delinea-SecretServer.PAMProvider) and in the Keyfactor:PAMProviders:<name>:InitializationInfo key.

    • The InitializationInfo section holds the PAM credentials in cleartext on disk, so restrict read access to the manifest.json file to the account the Universal Orchestrator service runs as.

    {
       "extensions": {
          "Keyfactor.Platform.Extensions.IPAMProvider": {
             "PAMProviders.Delinea-SecretServer.PAMProvider": {
                "assemblyPath": "delinea-secretserver-pam.dll",
                "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
             }
          }
       },
       "Keyfactor:PAMProviders:Delinea-SecretServer:InitializationInfo": {
          "Host": "https://YOUR-DELINEA-URL/SecretServer",
          "Username": "YOUR-DELINEA-USERNAME",
          "Password": "YOUR-DELINEA-PASSWORD"
       }
    }
  7. Restart the Universal Orchestrator service (see Start the Universal Orchestrator Service).
Remote PAM Extensions on the Keyfactor Universal Orchestrator Server (Container)

To install a PAM extension on a Universal Orchestrator for use by that orchestrator only for a container install:

  • Docker: Follow the instructions as per Custom Extensions with Docker referencing the PAM extension of your choosing.
  • Kubernetes without Helm: Follow the instructions as per Kubernetes Custom Extensions without Helm referencing the PAM extension of your choosing with the following addition:

    • In addition to the ConfigMap created for the extension-downloader, create a custom manifest.json file with an accompanying ConfigMap. Because the remote manifest.json contains the PAM credentials and a ConfigMap is stored and served unencrypted, anyone who can read ConfigMaps in the keyfactor-orchestrators namespace can read those credentials; restrict RBAC on that namespace accordingly.

      kubectl create configmap custom-manifest-configmap --namespace keyfactor-orchestrators --from-file=manifest.json=/opt/kyf_orch1/manifest.json
    • Reference this ConfigMap in your Kubernetes deployment file. For example, for Delinea (this shows only a portion of the file):

      # Initial portion of file not shown
      spec:
            initContainers:
              # The below block provides an example of adding a custom extension
              - command:
                - /bin/sh
                - -c
                - python /tmp/install.py --extension delinea-secretserver-pam --version 1.0.1
                  --out /app/extensions/delinea-secretserver-pam
                image: python:3.11.10
                imagePullPolicy: IfNotPresent
                name: extensiondownloader
                resources: {}
                terminationMessagePath: /dev/termination-log
                terminationMessagePolicy: File
                volumeMounts:
                - mountPath: /tmp
                  name: extensiondownloader
                - mountPath: /app/extensions/delinea-secretserver-pam
                  name: plugin
            containers:
              # Initial content of containers section not shown
      
              volumeMounts:
                - mountPath: /etc/ssl/certs/ca-certificates.crt
                  name: root-ca
                  readOnly: true
                  subPath: ca-certificates.crt
                - mountPath: /app/extensions/delinea-secretserver-pam
                  name: plugin
                  readOnly: false
                - mountPath: /app/extensions/delinea-secretserver-pam/manifest.json
                  name: custom-manifest
                  readOnly: false
                  subPath: manifest.json
      
            volumes:
              - configMap:
                  items:
                  - key: ca-certificates.crt
                    path: ca-certificates.crt
                  name: ca-roots
                name: root-ca
              - configMap:
                  defaultMode: 420
                  name: extension-downloader-configmap
                name: extensiondownloader
              - emptyDir: {}
                name: plugin
              - configMap:
                  items:
                    - key: manifest.json
                      path: manifest.json
                  name: custom-manifest-configmap
                name: custom-manifest
      
              # Remainder of file not shown
  • Kubernetes with Helm: Follow the instructions as per Kubernetes Custom Extensions with Helm referencing the PAM extension of your choosing with the following addition:

    • In addition to the ConfigMap created for the extension-downloader, create a custom manifest.json file with an accompanying ConfigMap:

      kubectl create configmap custom-manifest-configmap --namespace keyfactor-orchestrators --from-file=manifest.json=/opt/kyf_orch1/manifest.json
    • Reference this ConfigMap in your Kubernetes deployment file. For example, for Delinea (this shows only a portion of the file):

      # Initial portion of file not shown
      volumeMounts:
        - mountPath: /app/extensions/delinea-secretserver-pam
          name: plugin
        - mountPath: /app/extensions/delinea-secretserver-pam/manifest.json
          name: custom-manifest
          readOnly: false
          subPath: manifest.json
        - mountPath: /etc/ssl/certs/ca-certificates.crt
          name: root-ca
          readOnly: true
          subPath: ca-certificates.crt
      
      volumes:
        - configMap:
            defaultMode: 420
            name: extension-downloader-configmap
          name: extensiondownloader
        - emptyDir: {}
          name: plugin
        - configMap:
            items:
              - key: manifest.json
                path: manifest.json
            name: custom-manifest-configmap
          name: custom-manifest
        - configMap:
            name: ca-roots
            items:
            - key: ca-certificates.crt
              path: ca-certificates.crt
          name: root-ca
      
      initContainers:
        - command:
          - /bin/sh
          - -c
          - python /tmp/install.py --extension delinea-secretserver-pam --version 1.0.1
            --out /app/extensions/delinea-secretserver-pam
          image: python:3.11.10
          imagePullPolicy: IfNotPresent
          name: extensiondownloader
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /tmp
            name: extensiondownloader
          - mountPath: /app/extensions/delinea-secretserver-pam
            name: plugin
      
      # Remainder of file not shown

Be sure to use the remote version of the manifest.json file and give the PAM provider a unique name for the orchestrator. The provider name is Delinea-SecretServer-Orch1 in the following example. Use this same name when creating a PAM provider in Keyfactor Command for use with this orchestrator.

Delinea Remote manifest.json Example
{
  "extensions": {
    "Keyfactor.Platform.Extensions.IPAMProvider": {
      "Delinea-SecretServer-Orch1": {
        "assemblyPath": "delinea-secretserver-pam.dll",
        "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
      }
    }
  },
  "Keyfactor:PAMProviders:Delinea-SecretServer-Orch1:InitializationInfo": {
    "Host": "https://YOUR-DELINEA-URL/SecretServer",
    "Username": "YOUR-DELINEA-USERNAME",
    "Password": "YOUR-DELINEA-PASSWORD"
  }
}
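The remote manifest.json in step 6 of the Windows/Linux procedure and the Orch1 example above both have to agree with the PAM provider type registered in step 1, and a mismatch (a provider key that names one provider while InitializationInfo names another, a block left over from a different PAM product, a placeholder never replaced, an http:// host) only shows up when the orchestrator first tries to fetch a secret. The following pre-flight check, added for this page and not part of Keyfactor's tooling, validates a client-side manifest against the POST /PamProviders/Types body. It assumes only what the page shows: the entry under Keyfactor.Platform.Extensions.IPAMProvider is keyed either by the provider name or by PAMProviders.<Name>.PAMProvider, and the Keyfactor:PAMProviders:<Name>:InitializationInfo block carries the type's InstanceLevel false parameters. The sample manifests (hostname, account and password) are constructed.

```python
"""Pre-flight check of a remote (client-side) PAM manifest.json against the PAM
provider type registered in Keyfactor Command via POST /PamProviders/Types.

Added example for this page, not Keyfactor tooling. Sample manifests are constructed.
"""
import json
import re
import sys

IPAM_KEY = "Keyfactor.Platform.Extensions.IPAMProvider"
INIT_KEY_RE = re.compile(r"^Keyfactor:PAMProviders:(?P<name>[^:]+):InitializationInfo$")
PLACEHOLDER_RE = re.compile(r"YOUR-[A-Z-]+|^x{3,}$|<[^>]+>|changeme", re.IGNORECASE)
DOTNET_TYPE_RE = re.compile(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)+")


def provider_name_from_key(key):
    """'PAMProviders.Delinea-SecretServer.PAMProvider' -> 'Delinea-SecretServer'; bare keys unchanged."""
    m = re.fullmatch(r"PAMProviders\.(.+)\.PAMProvider", key)
    return m.group(1) if m else key


def validate_remote_manifest(manifest, provider_type):
    """Return a list of findings; an empty list means the manifest is consistent with the type."""
    findings = []
    providers = manifest.get("extensions", {}).get(IPAM_KEY, {})
    if len(providers) != 1:
        return [f"expected exactly one entry under {IPAM_KEY}, found {len(providers)}"]
    key, entry = next(iter(providers.items()))
    name = provider_name_from_key(key)
    if not str(entry.get("assemblyPath", "")).lower().endswith(".dll"):
        findings.append(f"{key}: assemblyPath must name the extension DLL")
    if not DOTNET_TYPE_RE.fullmatch(str(entry.get("TypeFullName", ""))):
        findings.append(f"{key}: TypeFullName is not a dotted .NET type name")

    init_blocks = {}
    for k, v in manifest.items():
        m = INIT_KEY_RE.match(k)
        if m:
            init_blocks[m.group("name")] = v
    for other in init_blocks:
        if other != name:
            findings.append(f"InitializationInfo is keyed for '{other}' but the provider key names '{name}'")
    init = init_blocks.get(name)
    if init is None:
        findings.append(f"missing Keyfactor:PAMProviders:{name}:InitializationInfo")
        return findings

    params = provider_type.get("Parameters", [])
    provider_level = {p["Name"] for p in params if not p.get("InstanceLevel")}
    instance_level = {p["Name"] for p in params if p.get("InstanceLevel")}
    for missing in sorted(provider_level - set(init)):
        findings.append(f"InitializationInfo is missing provider-level parameter '{missing}'")
    for extra in sorted(set(init) - provider_level - instance_level):
        findings.append(f"InitializationInfo has '{extra}', which type '{provider_type.get('Name')}' does not define")
    for inst in sorted(set(init) & instance_level):
        findings.append(f"'{inst}' is InstanceLevel and is set per secret in Keyfactor Command, not here")
    for k, v in init.items():
        if isinstance(v, str) and PLACEHOLDER_RE.search(v):
            findings.append(f"InitializationInfo.{k} still holds placeholder value '{v}'")
    if str(init.get("Host", "")).lower().startswith("http://"):
        findings.append("Host uses http://, so the PAM credentials would cross the network in cleartext")
    return findings


# --- constructed sample data -----------------------------------------------------------
DELINEA_TYPE = {  # the POST /PamProviders/Types body from step 1, DisplayName omitted
    "Name": "Delinea-SecretServer",
    "Parameters": [
        {"Name": "Host", "InstanceLevel": False, "DataType": "string"},
        {"Name": "Username", "InstanceLevel": False, "DataType": "secret"},
        {"Name": "Password", "InstanceLevel": False, "DataType": "secret"},
        {"Name": "SecretId", "InstanceLevel": True, "DataType": "string"},
        {"Name": "SecretFieldName", "InstanceLevel": True, "DataType": "string"},
    ],
}
PROVIDER_ENTRY = {"assemblyPath": "delinea-secretserver-pam.dll",
                  "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"}

GOOD_MANIFEST = {  # the Orch1 example with values filled in (host, account and password are made up)
    "extensions": {IPAM_KEY: {"Delinea-SecretServer-Orch1": PROVIDER_ENTRY}},
    "Keyfactor:PAMProviders:Delinea-SecretServer-Orch1:InitializationInfo": {
        "Host": "https://secrets.example.internal/SecretServer",
        "Username": "svc-keyfactor-orch1",
        "Password": "correct horse battery staple"},
}
VAULT_STYLE_MANIFEST = {  # a HashiCorp-Vault-shaped block pasted into a Delinea manifest
    "extensions": {IPAM_KEY: {"PAMProviders.Delinea-SecretServer.PAMProvider": PROVIDER_ENTRY}},
    "Keyfactor:PAMProviders:Delinea-SecretServer:InitializationInfo": {
        "Host": "http://127.0.0.1:8200", "Path": "v1/secret/data", "Token": "xxxxxx"},
}
MISNAMED_MANIFEST = {  # provider key and InitializationInfo key disagree on the provider name
    "extensions": {IPAM_KEY: {"Delinea-SecretServer-Orch1": PROVIDER_ENTRY}},
    "Keyfactor:PAMProviders:Delinea-SecretServer:InitializationInfo": GOOD_MANIFEST[
        "Keyfactor:PAMProviders:Delinea-SecretServer-Orch1:InitializationInfo"],
}

if __name__ == "__main__":
    # Usage: python check_pam_manifest.py /opt/keyfactor/orchestrator/extensions/Delinea/manifest.json
    target = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else VAULT_STYLE_MANIFEST
    for finding in validate_remote_manifest(target, DELINEA_TYPE) or ["no findings"]:
        print(finding)
```

Run it against the manifest.json in the orchestrator's extensions directory before restarting the service; for a different PAM product, replace DELINEA_TYPE with the body you posted to /PamProviders/Types for that extension, since the check is driven entirely by the type's parameter list.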
Remote PAM Extensions on the CA Connector Client (Windows or Linux)

To install a PAM extension on a CA Connector Client for use by that connector only (Windows or Linux install):

  1. Follow the instructions as per Remote PAM Extensions on the Keyfactor Universal Orchestrator Server (Windows or Linux), substituting the CA Connector Client extensions directory and service below.

  2. On the CA Connector Client server, the extensions directory within the install directory is by default:

    Windows: C:\Program Files\Keyfactor\Keyfactor CA Connector\extensions
    Linux: /opt/keyfactor/ca-connector/extensions
  3. Restart the CA Connector Client service (see Start the Service).
Remote PAM Extensions on the CA Connector Client (Container)

To install a PAM extension on a CA Connector Client for use by that connector only for a container install, follow the instructions as per Remote PAM Extensions on the Keyfactor Universal Orchestrator Server (Container).