Privileged Access Management (PAM)

Privileged access management (PAM) functionality in Keyfactor Command allows for configuration of third-party or Keyfactor Command local PAM providers to secure certificate stores, credentials for accessing certificate authorities, and similar. Third-party PAM functionality is provided using custom PAM extensions. Keyfactor provides several PAM extensions on the public-facing Keyfactor GitHub:

The Keyfactor Command PAM solution is made up of these elements:

PAM extensions support installation either locally (on the Keyfactor Command server) or remotely (on each instance of the Keyfactor Universal Orchestrator that will be accessing PAM secrets). The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. You will need to determine which installation type best meets your needs:

  • Local (on the Keyfactor Command server) installations support any type of PAM secret storage supported by Keyfactor Command, including certificate stores and certificate authority secrets, but may require greater accessibility between the Keyfactor Command server and the PAM provider than is desired for your environment.

  • Remote (on the orchestrator) installations support PAM secret storage only for the certificate stores managed by the Universal Orchestrator where the PAM extension is installed, but may be a better choice in terms of network accessibility for your environment. Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores.

Tip: Click the help icon next to the Privileged Access Management (PAM) page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website. Would you like to proceed?

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).