Installing Custom PAM Provider Extensions

Before you can begin to use a third party PAM provider with Keyfactor Command, you need to acquire and install the appropriate custom-built PAM extension for your desired PAM provider from the Keyfactor GitHub:

To find a package on GitHub:

  1. Visit the link above to find your desired package, and click either Github Repository or View source on GitHub to go to the package page on GitHub.

    Figure 410: View Packages as Part of a List

    Figure 411: View Packages on Individual Pages

  2. On the GitHub page, on the right-hand side, click the link for the Latest version.

    Figure 412: Find the Latest Version of the Package

  3. On the GitHub version page in the Assets section, click the package name to download the zip file.

    Figure 413: Download the Package Zip File

  4. On the main extension GitHub page, review the documentation for the specific extension. Here you will find supported platforms, prerequisites, and extension-specific installation and configuration instructions. The below instructions only cover where to place the extension files on either the Keyfactor Command or the orchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. and building custom manifest.json files (changes to which aren’t needed for extensions from GitHub unless you are customizing something), but not the details for creation of a PAM provider type in Keyfactor Command for the extension or any other customization specific to a given extension.

Extensions support installation either locally (on the Keyfactor Command server) or remotely (on each instance of the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. that will be accessing PAM secrets). Be sure to follow the installation instructions for the type of installation you wish to do:

Installation on the Keyfactor Command Server

To install a PAM extension on the Keyfactor Command server:

  1. Using the Keyfactor APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command., add a PAM provider type in Keyfactor Command for the custom PAM extension. See the Adding a PAM Provider Type instructions for your selected PAM extension. The following is an example request body for a POST /PamProviders/Types request to create a PAM provider type for the Delinea extension:

    Copy
    {
       "Name":"Delinea-SecretServer",
       "Parameters":[
          {
             "Name": "Host",
             "DisplayName":"Secret Server URL", 
             "InstanceLevel":false,
             "DataType": "string"
          },
          {
             "Name":"Username",
             "DisplayName":"Secret Server Username", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"Password",
             "DisplayName":"Secret Server Password", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"SecretId",
             "DisplayName":"Secret Server Secret ID", 
             "InstanceLevel":true,
             "DataType": "string"
          },
          {
             "Name":"SecretFieldName",
             "DisplayName":"Secret Field Name", 
             "InstanceLevel":true,
             "DataType": "string"
          }
       ]
    }
  2. On the Keyfactor Command server, locate the \WebAgentServices\Extensions\PamProviders directory within the install directory. By default, this is:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Extensions\PamProviders
  3. Under the Pam Providers directory, create a new directory with an appropriate name for the PAM extension (e.g. CyberArk). This name is for reference only and does not need to match any names used elsewhere.
  4. Place the files you downloaded for the PAM extension in the new directory.
  5. In the directory for the PAM extension, locate the file called manifest.json. The manifest.json file should be placed in the same directory as the DLL(s) for the extension.
  6. Using a text editor, open the manifest.json file for editing and configure it appropriately for the extension, if needed. See the Configuring the Server Side manifest.json File instructions for your selected PAM extension for exact details. The following Delinea manifest.json file is provided as an example. Things to note:

    • Areas on lines 4-6, below, will vary between manifest.json files.

    • When you add your PAM provider into Keyfactor Command, the name you give it must match the name in the equivalent of your line 4 (for your manifest.json file), below (e.g. Delinea).

    • In most cases, server-side files should not need customization.

    Copy
    {
       "extensions": {
          "Keyfactor.Platform.Extensions.IPAMProvider": {
             "PAMProviders.Delinea.PAMProvider": {
                "assemblyPath": "delinea-secretserver-pam.dll",
                "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
             }
          }
       }
    }
  7. If you’ll be using PAM to store secrets for uses other than certificate stores, repeat the above steps for the PamProviders directories found here, by default:

    C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\Extensions\PamProviders
    C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\Extensions\PamProviders
    C:\Program Files\Keyfactor\Keyfactor Platform\CAConnectorAPI\Extensions\PamProviders (for local PAM providers)
    C:\Program Files\Keyfactor\Keyfactor CA Connector\Extensions\PamProviders (or /opt/keyfactor-ca-connector/extensions, for Linux) (for remote PAM providers)
    Note:  Step 1 (add a PAM provider type into Keyfactor Command) does not need to be repeated. The same PAM provider type and PAM provider may be used from multiple areas of the product.
  8. Restart the web server services (iisreset) on the Keyfactor Command to complete the implementation.
Installation on the Keyfactor Universal Orchestrator Server

To install a PAM extension on a Universal Orchestrator for use by that orchestrator only:

  1. Using the Keyfactor API, add a PAM provider type in Keyfactor Command for the custom PAM extension. See the Adding a PAM Provider Type instructions for your selected PAM extension. The following is an example request body for a POST /PamProviders/Types request to create a PAM provider type for the Delinea extension:

    Copy
    {
       "Name":"Delinea-SecretServer",
       "Parameters":[
          {
             "Name": "Host",
             "DisplayName":"Secret Server URL", 
             "InstanceLevel":false,
             "DataType": "string"
          },
          {
             "Name":"Username",
             "DisplayName":"Secret Server Username", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"Password",
             "DisplayName":"Secret Server Password", 
             "InstanceLevel":false,
             "DataType": "secret"
          },
          {
             "Name":"SecretId",
             "DisplayName":"Secret Server Secret ID", 
             "InstanceLevel":true,
             "DataType": "string"
          },
          {
             "Name":"SecretFieldName",
             "DisplayName":"Secret Field Name", 
             "InstanceLevel":true,
             "DataType": "string"
          }
       ]
    }
  2. On the Universal Orchestrator server, locate the extensions directory within the install directory. By default, this is:

    C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions
  3. Under the extensions directory, create a new directory with an appropriate name for the PAM extension (e.g. CyberArk). This name is for reference only and does not need to match any names used elsewhere.
  4. Place the files you downloaded for the PAM extension in the new directory.
  5. In the directory for the PAM extension, locate the file called manifest.json. The manifest.json file should be placed in the same directory as the DLL(s) for the extension.
  6. Using a text editor, edit the manifest.json file and configure it appropriately for the extension. See the Configuring the Client Side manifest.json File instructions for your selected PAM extension for exact details. The following Delinea manifest.json file is provided as an example. Things to note:

    • Areas in lines 4-6 and 10-14, below, will vary between manifest.json files.

    • Areas shown in red text are examples of items that need to be customized for your environment.

    • When you add your PAM provider into Keyfactor Command, the name you give it must match the name in the equivalent of your line 4 (for your manifest.json file), below (e.g. Delinea-SecretServer).

    Copy
    {
       "extensions": {
          "Keyfactor.Platform.Extensions.IPAMProvider": {
             "PAMProviders.Delinea-SecretServer.PAMProvider": {
                "assemblyPath": "delinea-secretserver-pam.dll",
                "TypeFullName": "Keyfactor.Extensions.Pam.Delinea.SecretServerPam"
             }
          }
       },
       "Keyfactor:PAMProviders:Delinea-SecretServer:InitializationInfo": {
          "Host": "http://127.0.0.1:8200",
          "Path": "v1/secret/data",
          "Token": "xxxxxx"
       }
    }
  7. Restart the Universal Orchestrator service (see Start the Universal Orchestrator Service).