Privileged Access Management (PAM)
Privileged access management (PAM) functionality in Keyfactor Command lets you configure third-party PAM providers to protect the credentials used for certificate stores, for accessing certificate authorities, and for similar purposes: Keyfactor Command stores a reference to the secret, and the secret itself is retrieved from the PAM provider at the time it is needed. PAM functionality is provided through custom PAM extensions. Keyfactor publishes several PAM extensions on its public GitHub.
Setting up PAM in Keyfactor Command involves three steps:
- Install an appropriate custom PAM provider extension (see Installing Custom PAM Provider Extensions).
- Create a PAM provider record in Keyfactor Command (see PAM Provider Configuration in Keyfactor Command).
- Apply PAM provider security to individual certificate stores (see Adding or Modifying a Certificate Store), certificate authority records, and other locations as needed in Keyfactor Command.
PAM extensions can be installed either locally (on the Keyfactor Command server) or remotely (on each instance of the Keyfactor Universal Orchestrator that will be accessing PAM secrets). Because the secret is retrieved by the host where the extension runs, that host needs network access to the PAM provider. Decide which installation type best meets your needs:
- Local (on the Keyfactor Command server) installations support every type of PAM secret storage that Keyfactor Command supports, including certificate store and certificate authority secrets, but they require the Keyfactor Command server itself to reach the PAM provider, which may be more connectivity than you want for your environment.
- Remote (on the orchestrator) installations support PAM secret storage only for the certificate stores managed by the Universal Orchestrator where the PAM extension is installed, but they may be a better choice in terms of network accessibility, since only the orchestrator host needs to reach the PAM provider.
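The following is an added example, not Keyfactor's own code or its IPAMProvider interface. It models the pattern the two options above describe: the persisted certificate-store or CA record holds only a reference (provider name plus a provider-specific locator), the extension resolves it at use time on the host where it is installed, and a remotely installed extension can only serve the stores of its own orchestrator. The provider names, vault paths, and the exact scope checks are assumptions for illustration; the vault is a constructed in-memory stand-in.

```python
"""Added example (not Keyfactor code): a model of PAM reference resolution.
Provider names, vault paths and scope rules are assumptions for illustration."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for a third-party vault.  A real PAM extension would
# call the vault's API over the network from the host it is installed on.
_FAKE_VAULT: Dict[str, str] = {
    "secret/pki/ca-admin": "ca-admin-p@ss",
    "secret/stores/web01-pfx": "pfx-p@ss",
}


@dataclass(frozen=True)
class SecretReference:
    """What Keyfactor Command persists: a locator, never the secret value."""
    provider: str
    parameters: Dict[str, str]


@dataclass
class PamProvider:
    name: str
    # "local" = installed on the Command server;
    # "remote:<orchestrator>" = installed on that Universal Orchestrator.
    location: str
    fetch: Callable[[Dict[str, str]], str]

    def resolve(self, ref: SecretReference, *, secret_kind: str,
                managed_by: Optional[str] = None) -> str:
        """Resolve a reference, enforcing the local/remote scope rules."""
        if ref.provider != self.name:
            raise LookupError(f"reference names {ref.provider!r}, not {self.name!r}")
        if self.location != "local":
            orchestrator = self.location[len("remote:"):]
            # A remote extension serves only certificate stores, and only
            # those managed by the orchestrator it is installed on.
            if secret_kind != "certificate_store":
                raise PermissionError(
                    f"remote extension on {orchestrator} cannot resolve {secret_kind} secrets")
            if managed_by != orchestrator:
                raise PermissionError(
                    f"store is managed by {managed_by!r}, not by {orchestrator!r}")
        return self.fetch(ref.parameters)


def vault_fetch(params: Dict[str, str]) -> str:
    """Look the secret up by path in the constructed vault."""
    path = params["path"]
    if path not in _FAKE_VAULT:
        raise LookupError(f"no secret at {path!r}")
    return _FAKE_VAULT[path]


LOCAL = PamProvider("vault-local", "local", vault_fetch)
REMOTE_ORCH1 = PamProvider("vault-orch1", "remote:orch1", vault_fetch)

CA_REF = SecretReference("vault-local", {"path": "secret/pki/ca-admin"})
STORE_REF = SecretReference("vault-orch1", {"path": "secret/stores/web01-pfx"})


def persisted_store_record() -> str:
    """The record Keyfactor Command would keep for the store: no secret in it."""
    return json.dumps({"machine": "web01", "path": "C:\\certs\\site.pfx",
                       "password": {"provider": STORE_REF.provider,
                                    "parameters": STORE_REF.parameters}})


def resolve_ca_password_local() -> str:
    return LOCAL.resolve(CA_REF, secret_kind="certificate_authority")


def resolve_store_password_remote() -> str:
    return REMOTE_ORCH1.resolve(STORE_REF, secret_kind="certificate_store",
                                managed_by="orch1")


def remote_refuses_ca_secret() -> bool:
    ca_ref_on_orch1 = SecretReference("vault-orch1", CA_REF.parameters)
    try:
        REMOTE_ORCH1.resolve(ca_ref_on_orch1, secret_kind="certificate_authority")
    except PermissionError:
        return True
    return False


def remote_refuses_other_orchestrators_store() -> bool:
    try:
        REMOTE_ORCH1.resolve(STORE_REF, secret_kind="certificate_store",
                             managed_by="orch2")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(persisted_store_record())
    print(resolve_ca_password_local(), resolve_store_password_remote())
    print(remote_refuses_ca_secret(), remote_refuses_other_orchestrators_store())
```

The point to take from the model is in `persisted_store_record`: what is written to the Keyfactor Command database is a provider name and locator only, so compromising that record yields nothing without access to the PAM provider from a host where the extension is installed; the two `remote_refuses_*` checks are the scope limitation of a remote installation described above.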