PAM Provider Configuration in Keyfactor Command
Any privileged access management (PAM) providers you wish to configure for use with Keyfactor Command must be defined first on the PAM Providers page before they can be assigned to certificate stores (see Certificate Stores), used for explicit credentials on a CA (see HTTPS CAs - Authentication Method Tab or DCOM CAs - Authentication Method Tab), or used to provide authentication in workflow steps (see Invoke REST Request). Keyfactor Command supports local Keyfactor Command PAM databases and provides support for multiple third-party PAM providers with custom-built PAM extensions available on the Keyfactor GitHub:
Third-party PAM providers can either be local (server side) or remote (client side). When configured locally, the configuration information to connect to the PAM provider exists on the Keyfactor Command server, and the PAM provider must be routable from the Keyfactor Command server (for example, on the same network) to retrieve secret information. When configured remotely, the configuration information to connect to the PAM provider exists on the Keyfactor Universal Orchestrator managing the certificate stores using the PAM provider, and the PAM provider must be routable from the Universal Orchestrator.
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions for more information about global vs container permissions.
Adding or Modifying a PAM Provider
The PAM provider configuration can be edited at any time, even if it is used on existing records.
To define a new PAM provider or modify an existing one:
- In the Management Portal, browse to System Settings Icon > Privileged Access Management.
- On the PAM Providers page, click Add to create a new provider, or, to modify an existing provider, double-click the provider, right-click the provider and choose Edit from the right-click menu, or highlight the row in the providers grid and click Edit at the top of the grid.
Figure 439: Add PAM Provider
- In the PAM Providers dialog, check the Remote Provider box if you are adding a third-party PAM provider for a PAM extension installed on a Universal Orchestrator.
A remote PAM provider generally exists outside the local network of the Keyfactor Command server. This option allows you to specify the secret information in Keyfactor Command in the same way as you would with a local PAM provider, without needing to enter PAM provider configurations in Keyfactor Command (other than a base remote provider link). The PAM provider configuration information is, instead, supplied in the orchestrator's PAM manifest (see Installing Custom PAM Provider Extensions). Remote PAM providers are only supported for use with certificate stores and the Keyfactor Universal Orchestrator version 10.0 or greater. From Keyfactor Command version 12.0, support for remote PAM providers is also available with a Certificate Authority using CA Connector and the OAuth authentication method.
- Select a Provider Type in the dropdown. This is the name of the software vendor that provides your Privileged Access Management solution. For a Keyfactor Command local PAM database, select LocalDB. This field cannot be modified on an edit.
Note: If a provider type does not already exist for the PAM provider you are adding, you will need to create a new supported type before completing this step (see Installing Custom PAM Provider Extensions).
- In the Name field, enter a name for the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.
Important: For a third-party PAM provider, the name you give to your PAM provider in Keyfactor Command must match the name of the PAM provider as referenced in the manifest.json file (see Installing Custom PAM Provider Extensions).
- The remainder of the fields in the dialog will vary depending on the provider type selected. If you checked Remote Provider or selected a type of LocalDB, no further configuration is needed in this dialog. For example:
CyberArk Extension (Central Credential Provider)
- Application ID: The name/ID of the application created for Keyfactor Command.
- CyberArk Host and Port: The hostname or IP address where CyberArk is hosted, including port. Do not include http/https.
- CyberArk API Site: The web server site name to which CyberArk has been deployed. By default, this is AIMWebService.
Figure 440: Create a Local CyberArk Provider
Delinea Extension
- Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g. https://websrvr38.keyexample.com/SecretServer).
- Secret Server Username: The username of the user that will be used to connect to SecretServer.
- Secret Server Password: The password of the user that will be used to connect to SecretServer.
Figure 441: Create a Local Delinea PAM Provider
HashiCorp Extension
- Vault Host: The URL to the vault instance, including port number if applicable (e.g. https://websrvr35.keyexample.com:8200).
- Vault Token: The access token for the vault (assuming Kerberos authentication is not used).
- KV Engine Path: The path to the vault secrets. The default is v1/secret/data.
Figure 442: Create a Local HashiCorp PAM Provider
- Click Save to save the provider.
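The following script is an added example, not part of the Keyfactor Command documentation or product: it pre-checks a provider definition against the field conventions listed above (CyberArk host without http/https and an AIMWebService default, a full https URL for the Delinea Secret Server and the HashiCorp Vault host, the v1/secret/data KV engine default, and no connection parameters for remote or LocalDB providers) and the rule that a remote provider's Name must match the name in the orchestrator's manifest.json. The parameter labels and the PamProvider class are this example's own, not Keyfactor API names, and how the manifest names are read out of manifest.json is left outside the example.

```python
"""Lint a PAM provider definition before entering it in Keyfactor Command.

Added example; the parameter keys below are illustrative labels taken from
the dialog descriptions on this page, not Keyfactor API field names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

KNOWN_TYPES = {"LocalDB", "CyberArk", "Delinea", "HashiCorp"}

# Defaults stated on the page for fields the operator may leave blank.
DEFAULTS = {
    "CyberArk": {"CyberArk API Site": "AIMWebService"},
    "HashiCorp": {"KV Engine Path": "v1/secret/data"},
}

# host[:port] only: no scheme, no path; IPv6 literals must be bracketed.
HOST_PORT_RE = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")


@dataclass
class PamProvider:
    name: str
    provider_type: str          # one of KNOWN_TYPES
    remote: bool = False        # the Remote Provider checkbox
    parameters: dict[str, str] = field(default_factory=dict)


def _require(params, keys, errors):
    for key in keys:
        if not params.get(key, "").strip():
            errors.append(f"missing required field: {key}")


def _check_url(value, label, errors):
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        errors.append(f"{label} must be a full URL with scheme and host, got {value!r}")
        return
    if parts.scheme != "https":
        # The PAM credential itself travels over this connection.
        errors.append(f"{label} should use https, got {value!r}")
    try:
        parts.port  # raises ValueError when the port is out of range
    except ValueError:
        errors.append(f"{label} has an invalid port number")


def validate_provider(provider):
    """Return (normalized_parameters, errors); errors is empty when the definition is acceptable."""
    errors = []
    params = dict(provider.parameters)
    if not provider.name.strip():
        errors.append("Name is required")
    if provider.provider_type not in KNOWN_TYPES:
        errors.append(f"unknown provider type {provider.provider_type!r}")
        return params, errors
    # Remote providers and LocalDB need no connection details in Command:
    # remote configuration lives in the orchestrator's PAM manifest.
    if provider.remote or provider.provider_type == "LocalDB":
        return {}, errors
    for key, value in DEFAULTS.get(provider.provider_type, {}).items():
        params.setdefault(key, value)
    if provider.provider_type == "CyberArk":
        _require(params, ["Application ID", "CyberArk Host and Port"], errors)
        host = params.get("CyberArk Host and Port", "")
        if host and (host.lower().startswith(("http://", "https://")) or not HOST_PORT_RE.match(host)):
            errors.append("CyberArk Host and Port must be host[:port] without http/https")
    elif provider.provider_type == "Delinea":
        _require(params, ["Secret Server URL", "Secret Server Username", "Secret Server Password"], errors)
        if params.get("Secret Server URL"):
            _check_url(params["Secret Server URL"], "Secret Server URL", errors)
    elif provider.provider_type == "HashiCorp":
        _require(params, ["Vault Host", "Vault Token"], errors)
        if params.get("Vault Host"):
            _check_url(params["Vault Host"], "Vault Host", errors)
    return params, errors


def remote_name_matches(provider, manifest_provider_names):
    """True when a remote provider's Name exactly equals a name declared in manifest.json.

    manifest_provider_names is assumed to be the list of PAM provider names already
    read out of the orchestrator's manifest; the comparison is case-sensitive.
    """
    return provider.remote and provider.name in manifest_provider_names


if __name__ == "__main__":
    # Constructed sample: hostnames are placeholders, not real systems.
    sample = PamProvider("CyberArk Prod", "CyberArk", parameters={
        "Application ID": "KeyfactorCommand",
        "CyberArk Host and Port": "https://cyberark.keyexample.com",
    })
    print(validate_provider(sample)[1])
```

Running the script on the constructed sample reports the scheme error for the CyberArk host; dropping the https:// prefix clears it and the normalized parameters gain the AIMWebService default.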
Managing Secrets for a Local Keyfactor Command PAM Provider
To add a secret for a local Keyfactor Command PAM provider:
- In the Management Portal, browse to System Settings Icon > Privileged Access Management.
- On the PAM providers page, add a new PAM provider of type LocalDB if one does not already exist.
- In the PAM providers grid, right-click the local Keyfactor Command PAM provider and choose Open Command Secret Provider from the right-click menu, or highlight the row in the providers grid and click Open Command Secret Provider at the top of the grid.
- On the [Provider Name] Command Secret Provider Management page, click Add to create a new secret, or, to modify an existing secret, double-click the secret, right-click the secret and choose Edit from the right-click menu, or highlight the row in the secret grid and click Edit at the top of the grid.
- Enter a Secret Name for the secret. This name will be used in Keyfactor Command interfaces where you reference the PAM secret. Spaces are supported in the name. This field cannot be modified on an edit.
- Enter a Description for the secret.
- Enter and confirm the Secret value. On an edit, if you wish to change the secret value, toggle the Change Secret option to enable the secret fields.
Figure 443: Add a New Local Keyfactor Command PAM Secret
- Click Save to save the secret.
To delete a secret, highlight the row in the secrets grid and click Delete at the top of the grid or right-click the secret in the grid and choose Delete from the right-click menu.
Deleting a PAM Provider
To delete a provider, highlight the row in the providers grid and click Delete at the top of the grid or right-click the provider in the grid and choose Delete from the right-click menu.