Certificate Store Discovery

The certificate store discovery feature is used to scan machines and devices for existing certificates and certificate stores, which can then be configured for management in Keyfactor Command. Certificate store discovery is supported for the following built-in features:

The small number that appears on the tab to the right of the word Discover indicates how many discovered stores there are, if any. This acts as a reminder to check the discover tab for stores after a discovery job is complete.

Tip:  The following permissions (see Security Overview) are required to use this feature:

Certificate Store Management: Read
Certificate Store Management: Schedule
Certificate Store Management: Modify
Privileged Access Management: Read

To use the certificate store discovery feature:

  1. On the Certificate Store page, select the Discover tab.
  2. On the Discover tab, click Schedule.

  3. In the Schedule Discovery dialog, select Java KeystoreClosed A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., PEM File, F5 CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Bundles REST, or F5 SSL Profiles REST in the Category field dropdown. The remaining fields in the dialog will vary slightly depending on the category you selected.

    Figure 246: Schedule Java Keystore Discover Job

    Figure 247: Schedule PEM Certificate Store Discover Job

    Figure 248: Schedule F5 CA Bundle Certificate Discover Job

    Figure 249: Schedule F5 SSL Profile Certificate Discover Job

  4. In the Schedule Discovery dialog, select Java KeystoreClosed A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., PEM File, F5 CA Bundles REST, or F5 SSL Profiles REST in the Category field dropdown. The remaining fields in the dialog will vary slightly depending on the category you selected.
  5. In the Orchestrator field, select the fully qualified domain name of the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.1, Windows OrchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores., or Java Agent machine managing the scanning. In the case of Java Agents, this is also the machine you wish to scan for stores. This field is required.
  6. In the Schedule dropdown, select either Immediate, to run the discover job within a few minutes of saving it, or Exactly Once, to select a date and time for the job. The default is Immediate.
  7. For F5 discovery jobs, in the Client Machine field enter the fully qualified domain name or IP address of the F5 device to be scanned.
  8. For F5 discovery jobs, click Set Server Username and, in the Server Username dialog, choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are ClosedLoad From Keyfactor Secrets or ClosedLoad From PAM Provider. The No Value option is typically not supported for F5 stores.
    Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.

    A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea (formerly Thycotic).

    Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

    Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider.

  9. For F5 discovery jobs, click Set Server Password and, in the Server Password dialog, choose the source from which to load the password for the user specified with Set Server Username. In the Server Password dialog, the options are ClosedLoad From Keyfactor Secrets or ClosedLoad From PAM Provider. The No Value option is typically not supported for F5 stores.

    A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea (formerly Thycotic).

    Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

    Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider.

  10. In the Directories to search field, specify the directory or directories to search. Multiple directories should be separated by commas. This field is required.

    For Java discovery, enter at a minimum either "/" for a Linux server or "c:\" for a Windows server (without the quotation marks).

    For PEM discovery, enter at a minimum either "/" for a Linux server or "c:\" for a Windows server (without the quotation marks).

    For F5 discovery, enter "/" (without the quotation marks).

  11. For F5 discovery jobs, check the Use SSL box to use SSL to communicate with the F5 device or cluster. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
  12. Populate the remaining optional fields as needed. See Table 18: Discovery Options.
  13. Click Save to schedule the discovery task. Once the scan begins, it may take several minutes to complete.
  14. Return to the Discover tab for the results of the scan. Check the Orchestrator Jobs page (see Orchestrator Job Status) to review jobs in progress.

Table 18: Discovery Options

Option

Description
Category Select the type of certificate store to scan.

Orchestrator

Select the fully qualified domain name of the Keyfactor Universal Orchestrator, Windows Orchestrator, or Java Agent machine managing the scanning. In the case of Java Agents, this is also the machine to be scanned for certificate stores. This field is required.

Schedule

Specify the schedule for the scan—Immediate or Exactly Once. If you select Exactly Once, select a date and time for the scan. The default is Immediate.
Client Machine For F5 devices, enter the fully qualified domain name or IP address of the F5 device or cluster to be scanned for certificates. This option applies only to F5 CA bundle and F5 SSL profile discover jobs. This field is required.
Server Username For F5 devices, set the username used to authenticated to the device or cluster.
Server Password For F5 devices, set the password used to authenticated to the device or cluster.

Directories to search

Specify the directory or directories to be searched. Multiple directories should be separated by commas. All directories specified to which the service account user (the user account that the Java agent is operating as or the user configured for the F5 device using the Change Credentials option) has read rights will be searched other than the excluded directories specified using the Directories to ignore option. It is not necessary to use quotation marks around directory paths containing spaces. For F5, the path should be specified as "/" (without the quotation marks). This field is required.

Directories to ignore

Specify any directories that should not be included in the search. Multiple directories should be separated by commas. It is not necessary to use quotation marks around directory paths containing spaces.

Extensions

Specify file extensions for which to search. For example, search for files with the extension jks but not txt. The dot should not be included when specifying extensions.

File name patterns to match

Specify all or part of a string against which to compare the file names of certificate store files and return only those that contain the specified string. It is not necessary to use quotation marks around strings containing spaces.

Follow SymLinks

If this option is specified, the tool will follow symbolic links on Linux and UNIX operating systems and report both the actual location of a found certificate store file in addition to the symbolic link pointing to the file. This option is ignored for searches of Windows-based Java Agents.

Include PKCS12 Files

If this option is specified, the tool will use the compatibility mode introduced in Java version 1.8 to locate both JKS and PKCS12 type files. This option applies only to Java keystore discover jobs.
Use SSL For F5 devices, use SSL to communicate to the device or cluster.
Tip:  The following permissions (see Security Overview) are required to use this feature:

Certificate Store Management: Read
Certificate Store Management: Modify
Privileged Access Management: Read

To manage discovered certificate stores:

  1. In the Management Portal, browse to Locations > Certificate Stores.
  2. On the Certificate Stores page, select the Discover tab.
  3. On the Discover tab, highlight one or more store row(s) in the grid and click Manage at the top of the grid or right-click the store in the grid and choose Manage from the right-click menu. Java keystores require entry of the store password or PAM credential access information during the approval process. If you select more than one Java keystore for approval at the same time, they must all share the same password or PAM information. The right-click menu supports operations on only one store at a time.

    Figure 250: Discovered Certificate Stores

    In the Approve Certificate Stores dialog configure the following fields:

    • If desired, select a Container from the dropdown.

    • Click the Set Password button to enter the password for the keystore. In the Password dialog, the options are ClosedNo Value, ClosedLoad From Keyfactor Secrets, and ClosedLoad From PAM Provider.

      Select No Value if your keystore does not have a password configured.

      A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea (formerly Thycotic).

      Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

      Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider.

    • Select a Type from the dropdown. The default is JKSClosed A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption..

    Figure 252: Manage a Discovered Java Certificate Store

    In the Approve Certificate Stores dialog configure the following fields:

    Figure 253: Manage a Discovered PEM Certificate Store

    In the Approve Certificate Store dialog configure the following fields:

    • If desired, select a Container from the dropdown.
    • In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.
      Tip:  Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
    • In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
    • In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
    • In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.
      Tip:  Select v15 for version 15 and above.

    • Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are ClosedLoad From Keyfactor Secrets or ClosedLoad From PAM Provider. The No Value option is typically not supported for F5 stores.

      Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.

    • Click Set Server Password to choose the source to load a valid password for the server. In the Server Password dialog, the options are ClosedLoad From Keyfactor Secrets or ClosedLoad From PAM Provider. The No Value option is typically not supported for F5 stores.

      A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea (formerly Thycotic).

      Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

      Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider.

    • In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).

    Figure 255: Manage a Discovered F5 CA Bundle Certificate

    In the Approve Certificate Store dialog configure the following fields:

    • If desired, select a Container from the dropdown.
    • In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.
      Tip:  Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
    • In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
    • In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
    • In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.
      Tip:  Select v15 for version 15 and above.

    • Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are ClosedLoad From Keyfactor Secrets or ClosedLoad From PAM Provider. The No Value option is typically not supported for F5 stores.

      Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.

    • Click Set Server Password to choose the source to load a valid password for the server. In the Server Password dialog, the options are ClosedLoad From Keyfactor Secrets or ClosedLoad From PAM Provider. The No Value option is typically not supported for F5 stores.

      A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea (formerly Thycotic).

      Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

      Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider.

    • In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).

    Figure 257: Manage a Discovered F5 SSL Profile Certificate

Discovered certificate stores can be deleted one at a time or in multiples.

Tip:  The following permissions (see Security Overview) are required to use this feature:

Certificate Store Management: Read
Certificate Store Management: Modify

To delete a discovered certificate store:

  1. In the Management Portal, browse to Locations > Certificate Stores.
  2. On the Certificate Stores page, select the Discover tab.
  3. On the Discover tab, highlight the row(s) in the discover grid of the store(s) to delete and click Delete at the top of the grid or right-click the store location in the grid and choose Delete from the right-click menu. The right-click menu supports operations on only one store at a time.
  4. On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.