Privileged Access Management (PAM)
Privileged access management (PAM) functionality in Keyfactor Command allows third-party PAM providers to be configured to secure the credentials used for certificate stores, for accessing certificate authorities, and for similar purposes. PAM functionality is provided through custom PAM extensions. Keyfactor provides several PAM extensions on the publicly facing Keyfactor GitHub.
The Keyfactor Command PAM solution is made up of these elements:
- Install an appropriate custom PAM provider extension (see Installing Custom PAM Provider Extensions).
- Create a PAM provider record in Keyfactor Command (see PAM Provider Configuration in Keyfactor Command).
- Apply PAM provider security to individual certificate stores (see Adding or Modifying a Certificate Store), certificate authority (CA) records, and other locations as needed in Keyfactor Command.
PAM extensions can be installed either locally (on the Keyfactor Command server) or remotely (on each instance of the Keyfactor Universal Orchestrator that will be accessing PAM secrets). You will need to determine which installation type best meets your needs:
- Local (on the Keyfactor Command server) installations support any type of PAM secret storage supported by Keyfactor Command, including certificate store and certificate authority secrets, but may require greater network accessibility between the Keyfactor Command server and the PAM provider than is desired for your environment.
- Remote (on the orchestrator) installations support PAM secret storage only for the certificate stores managed by the Universal Orchestrator on which the PAM extension is installed, but may be a better choice in terms of network accessibility for your environment.