PAM Provider Configuration in Keyfactor Command
Any third-party privileged access management (PAM) providers you wish to use with Keyfactor Command must be defined first on the PAM Providers page before they can be assigned to certificate stores (see Certificate Stores) or used for explicit credentials on a CA (see Adding or Modifying a CA Record). You can create a single provider for each provider type (e.g. CyberArk); however, if you have opted to organize your certificate stores into containers, you will need to create multiple providers to match your container structure (see Certificate Store Containers). The Container field in the PAM provider definition is not required, but if one is supplied when creating a PAM provider, that provider can only be used with certificate stores in the matching container and cannot be used with a CA. Conversely, a PAM provider defined with no container is available for selection when setting passwords for certificate stores that likewise have no container, and when setting explicit credentials for a CA. A PAM provider configured in this way can therefore be shared across a variety of certificate stores and CAs.
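As an added illustration (this is not Keyfactor Command code), the following Python models the container-matching rule described above together with the type-specific fields the PAM Providers dialog asks for (PrivateArk Safe and Application ID for CyberArk; Server URL, Rule Name and Rule Key for Delinea). The provider, store, container and parameter values are constructed, and the model assumes matching is strict in both directions, i.e. a provider with no container is not offered for a store that lives in a container.

```python
from dataclasses import dataclass, field
from typing import Optional, Union

# Added illustration of the PAM provider container-matching rule; not Keyfactor
# Command code. Names, containers and parameter values below are constructed.


@dataclass(frozen=True)
class PamProvider:
    name: str
    provider_type: str                      # "CyberArk" or "Delinea"
    container: Optional[str] = None         # certificate store container, if bound
    params: dict = field(default_factory=dict)


@dataclass(frozen=True)
class CertificateStore:
    name: str
    container: Optional[str] = None


@dataclass(frozen=True)
class CertificateAuthority:
    # Explicit CA credentials are never scoped to a container.
    name: str


# Type-specific fields the PAM Providers dialog asks for (from this page).
REQUIRED_PARAMS = {
    "CyberArk": ("PrivateArk Safe", "Application ID"),
    "Delinea": ("Server URL", "Rule Name", "Rule Key"),
}


def provider_usable_for(provider: PamProvider,
                        target: Union[CertificateStore, CertificateAuthority]) -> bool:
    """True if the provider would be offered for the target.

    Assumption: matching is strict in both directions, so an unbound
    provider is not offered for a store that lives in a container.
    """
    if isinstance(target, CertificateAuthority):
        return provider.container is None
    return provider.container == target.container


def eligible_providers(providers, target):
    """Names of the providers the dialog would list for the target, in order."""
    return [p.name for p in providers if provider_usable_for(p, target)]


def missing_params(provider: PamProvider):
    """Fields still empty for the provider's type; raises on an unknown type."""
    try:
        required = REQUIRED_PARAMS[provider.provider_type]
    except KeyError:
        raise ValueError(f"unknown provider type: {provider.provider_type}") from None
    # Only field names are returned: Rule Key is a secret and must not reach logs.
    return [k for k in required if not provider.params.get(k)]


# Constructed sample definitions.
PROVIDERS = [
    PamProvider("cyberark-shared", "CyberArk", None,
                {"PrivateArk Safe": "KeyfactorSafe", "Application ID": "Keyfactor"}),
    PamProvider("cyberark-prod", "CyberArk", "Production",
                {"PrivateArk Safe": "ProdSafe", "Application ID": "Keyfactor"}),
    PamProvider("delinea-prod", "Delinea", "Production",
                {"Server URL": "https://websrvr38.keyexample.com/SecretServer",
                 "Rule Name": "KeyfactorRule", "Rule Key": "<rule key>"}),
]

if __name__ == "__main__":
    for target in (CertificateStore("web01", "Production"),
                   CertificateStore("legacy-iis"),
                   CertificateStore("dev01", "Development"),
                   CertificateAuthority("CorpIssuingCA")):
        print(target.name, "->", eligible_providers(PROVIDERS, target))
    for p in PROVIDERS:
        print(p.name, "missing:", missing_params(p))
```

Running the block shows that a store in a container for which no provider was defined (Development above) gets no provider at all, which is the situation the paragraph warns about when it says you need one provider per container, and that only the unbound provider is offered for the CA.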
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.
To define a new PAM provider or modify an existing one:
- In the Management Portal, browse to System Settings Icon > Privileged Access Management.
- On the PAM Providers page, click Add to create a new provider, or, to modify an existing provider, double-click the provider, right-click the provider and choose Edit from the right-click menu, or highlight the row in the providers grid and click Edit at the top of the grid.
- In the PAM Providers dialog, select a Provider Type in the dropdown. This is the name of the software vendor that provides your privileged access management solution. This field cannot be modified on an edit.
- In the Name field, enter a name to be used to identify the PAM provider throughout Keyfactor Command.
- In the Container field, select an existing certificate store container in the dropdown, if desired. If you select a certificate store container, the PAM provider will be available to select when creating a certificate store with that same container. If you leave this field blank the PAM provider will be available to select when creating a certificate store without a container or when setting explicit credentials for a CA.
- The remainder of the fields in the dialog will vary depending on the provider type selected:
CyberArk
- PrivateArk Safe: Enter the name of the safe containing the certificate store password you wish to use (see Create a CyberArk Safe).
- Application ID: Enter the name of the application created for Keyfactor Command (see Create a CyberArk Application User).
Figure 399: CyberArk Provider with Associated Container
Thycotic (Delinea)
- Server URL: Enter the URL to the Secret Server instance in your environment (e.g. https://websrvr38.keyexample.com/SecretServer).
- Rule Name: Enter the name of the rule for the API application you created for Keyfactor Command in Delinea Secret Server (see Create an API Application in Delinea Secret Server).
- Rule Key: Enter and confirm the rule key value for the API application you created for Keyfactor Command in Delinea Secret Server (see Create an API Application in Delinea Secret Server).
Figure 400: Create Delinea PAM Provider with Associated Container
- Click Save to save the provider.
To delete a provider, highlight the row in the providers grid and click Delete at the top of the grid or right-click the provider in the grid and choose Delete from the right-click menu.