PAM Provider Configuration in Keyfactor Command

Any third-party privilege access management (PAM) providers you wish to configure for use with Keyfactor Command must be defined first on the PAM Providers page before they can be assigned to certificate stores (see Certificate Stores), used for explicit credentials on a CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. (see Adding or Modifying a CA Record), or used to provide authentication in workflowClosed A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. steps (see ). Keyfactor Command supports multiple custom-built PAM providers are available on the Keyfactor GitHub:

https://keyfactor.github.io/integrations-catalog/content/pam

PAM providers can either be local (server side) or remote (client side). When configured locally, the configuration information to connect to the PAM provider exists on the Keyfactor Command server and the PAM provider must be routable from the Keyfactor Command server (for example, on the same network) to retrieve secret information. When configured remotely, the configuration information to connect to the PAM provider exists on the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. managing the certificate stores using the PAM provider and the PAM provider must be routable from the Universal OrchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores..

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:

PAM > Modify
PAM > Read
Certificate Stores > Modify

Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions for more information about global vs container permissions.

The PAM provider configuration can be edited at any time, even if it is used on existing records.

To define a new PAM provider or modify an existing one:

  1. In the Management Portal, browse to System Settings Icon > Privileged Access Management.
  2. On the PAM Providers page, click Add to create a new provider, or, to modify an existing provider, double-click the provider, right-click the provider and choose Edit from the right-click menu, or highlight the row in the providers grid and click Edit at the top of the grid.

  3. In the PAM Providers dialog, check the Remote Provider box if you are adding a PAM provider for a PAM extension installed on a Universal Orchestrator.

    A remote PAM provider generally exists outside the local network of the Keyfactor Command server. This option allows you to specify the secret information in Keyfactor Command in the same way as you would with a local PAM provider without needing to enter PAM provider configurations in Keyfactor Command (other than a base remote provider link). The PAM provider configuration information is, instead, supplied in the orchestrator's PAM manifest (see Installing Custom PAM Provider Extensions). Remote PAM providers are only supported for use with certificate stores and the Keyfactor Universal Orchestrator version 10.0 or greater.

    Figure 393: Remote PAM Provider

  4. Select a Provider Type in the dropdown. This is the name of the software vendor that provides your Privilege Access Management solution. This field cannot be modified on an edit.

    Note:  If a provider type does not already exist for the PAM provider you are adding, you will need to create a new supported type before completing this step (see Installing Custom PAM Provider Extensions).

  5. In the Name field, enter the name for the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.

    Important:  The name you give to your PAM provider in Keyfactor Command must match the name of the PAM provider as referenced in the manifest.json file (see Installing Custom PAM Provider Extensions).
  6. The remainder of the fields in the dialog will vary depending on the provider type selected. If you checked Remote Provider, no further configuration is needed in this dialog. For example:
    • Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g. https://websrvr38.keyexample.com/SecretServer).
    • Secret Server Username: The username of the user that will be used to connect to SecretServer.

    • Secret Server Password: The password of the user that will be used to connect to SecretServer.

      Figure 395: Create Delinea PAM Provider

    • Vault Host: The URL to the vault instance, including port number if applicable (e.g. https://websrvr35.keyexample.com:8200).
    • Vault Token: The access token for the vault (assuming Kerberos authentication is not used).

    • KV Engine Path: The path to the vault secrets. The default is v1/secret/data.

      Figure 396: Create HashiCorp PAM Provider

  7. Click Save to save the provider.

To delete a provider, highlight the row in the providers grid and click Delete at the top of the grid or right-click the provider in the grid and choose Delete from the right-click menu.

Tip:  If a PAM provider has been associated with any certificate stores or CAs, it cannot be deleted.