Orchestrator Job Overview
Keyfactor orchestrators can be used to perform a wide variety of jobs. Out of the box, orchestrators can manage certificate stores, manage SSH keys, perform SSL scanning, fetch system logs, and synchronize certificates from CAs in remote forests. Orchestrator jobs fall into these broad types:
- Certificate Store Jobs
This type of job includes the built-in jobs for managing certificate stores, based on the type(s) of certificate stores supported by the orchestrator, and custom-built certificate store jobs that can be added with an extension (see Installing Custom-Built Extensions) or script (see Configuring Script-Based Certificate Store Jobs).
Certificate store jobs (built-in or custom-built) are managed in Keyfactor Command with certificate store types. If you're adding a custom-built certificate store job, you'll need to add a user-defined certificate store type to go with it (see Certificate Store Types).
- Custom Jobs
This type of job is intended to implement just about anything else you need an orchestrator to do other than manage certificate stores. The built-in fetch logs job is an example of a custom job.
Custom jobs are managed in Keyfactor Command with custom job types. If you're adding a custom job, you'll need to add a custom job type to go with it (see Custom Job Types).
Custom jobs are supported only by the Keyfactor Universal Orchestrator.
- Other Jobs
This type of job includes the built-in jobs for SSL scanning and certificate synchronization from remote CAs.
Prescripts and Postscripts
All of the job types supported by the Keyfactor Universal Orchestrator, including the built-in jobs, support executing a prescript and/or postscript as part of the job. A prescript might be used to fetch credentials from a privileged access management (PAM) solution to pass in to the username and password parameters for a certificate store. A postscript might be used to restart the web service (e.g. Apache) after performing a management job to replace the certificate in the certificate store for the web server. Prescripts and postscripts for all types of jobs are configured similarly to the description provided for installing custom-built extensions (see Installing Custom-Built Extensions).
Orchestrator Job Flow
An orchestrator job begins when an orchestrator queries Keyfactor Command to ask for jobs and the Keyfactor Command orchestrator API returns a list of the jobs the orchestrator needs to run. The flow continues as shown in the following chart.
Figure 567: Orchestrator Job Flow