With the custom handler system of auto-registration, a handler module is written and compiled into a DLL, which is then registered in the Keyfactor Command configuration and called whenever a new orchestrator
Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. performs an initial registration request, provided there are sufficient licenses available to support the orchestrator. The handler then has the flexibility to call out to an external system such as a database or web service or use any other means to determine whether the orchestrator should be approved and what values should be applied for the blueprint A snapshot of the certificate stores and scheduled jobs on one orchestrator, which can be used to create matching certificate stores and jobs on another orchestrator with just a few clicks., metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates., and orchestrator ClientID.
When an orchestrator first connects to Keyfactor Command, available registration handlers run in sequence to determine if the orchestrator can be automatically approved. A handler will return one of three results: Allow, Deny, and Defer. Handlers are executed in order of registration until one returns Allow or Deny or until all handlers have been executed. Whenever an executed handler returns a response of Defer, the next registered handler will be executed. If any executed handler returns a response of Deny, further processing will cease and the orchestrator will be moved into a Disapproved state. In both of these cases, values returned by the output parameters will be ignored by Keyfactor Command.
Allow Response
In the event of an Allow response, the following actions will occur:
- The orchestrator will be set to an Approved state.
- If the value for blueprintName corresponds to a valid orchestrator blueprint that can be applied to this orchestrator, it is applied. Otherwise, the response is rejected, the orchestrator is left with a state of New, and an error is logged.
- If the value for ClientID is non-null, it will be permanently associated with this orchestrator approval. The orchestrator will be expected to provide this value for the ClientMachine field on all future calls.
- If the CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. attribute was provided to the handler, it will be submitted for issuance and the resulting certificate will be returned to the orchestrator.
- If the request results in an issued certificate and the metadata output parameter A parameter or argument is a value that is passed into a function in an application. has values, the valid metadata field values will be associated with the issued certificate.
- If ClientParameters has a value, the parameters will be returned to the orchestrator (but will not be used by Keyfactor Command).
If no handler returns a response aside from Defer, the process will continue to the built-in auto-registration system, and if the orchestrator is not approved at the conclusion of that, the orchestrator will be left in the New state for manual approval.
Figure 270: Orchestrator Auto-Registration Flow