Certificate Store Discovery

To use the certificate store discovery feature:

1. In the Management Portal, browse to Locations > Certificate Stores.
2. On the Certificate Store page, select the Discover tab.
3. On the Discover tab, click Schedule.

4. In the Schedule Discovery dialog, select the type of certificate store job in the Category dropdown. The values that appear here are the display names for the built-in certificate store types and any custom certificate store types you entered to match your custom extensions.

   

   Figure 290: Schedule Java Keystore Discover Job for Remote File Extension

   

   Figure 291: Schedule F5 SSL Discover Job for F5 Extension

5. In the Orchestrator field, select the fully qualified domain name of the approved Keyfactor Universal Orchestrator managing the scanning. This field is required.
6. In the Schedule dropdown, select either Immediate, to run the discover job within a few minutes of saving it, or Exactly Once, to select a date and time for the job. The default is Immediate.
7. In the Client Machine field, enter the fully qualified domain name or IP address of the target server or device to be scanned.

8. Click Set Server Username and, in the Server Username dialog, choose the source from which to load a user valid on the target server or device with sufficient permissions to read the store locations and open files (for F5 this should be Administrator permissions). In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets and F5 devices.

   Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command., the F5 methods that use the REST API require full Administrator permissions.

   Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

   Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

   Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

   Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

   Keyfactor Command Local Database

   Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

   • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

   Close

   CyberArk

   Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
   • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

   Close

   Delinea/Thycotic

   Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

   Close

   Hashicorp

   Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
   • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

   Close

9. Click Set Server Password and, in the Server Password dialog, choose the source from which to load the password for the user specified with Set Server Username. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets and F5 devices.

   Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

   Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

   Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

   Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

   Keyfactor Command Local Database

   Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

   • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

   Close

   CyberArk

   Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
   • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

   Close

   Delinea/Thycotic

   Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

   Close

   Hashicorp

   Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
   • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

   Close

10. In the Directories to search field, specify the directory or directories to search. Multiple directories should be separated by commas. The data to enter here will vary depending on the certificate store(s) being discovered. For Keyfactor GitHub extensions, check the extension documentation for more information. This field is required.

    In general:

    • Java, PEM, PKCS12, DER, IMB

      Enter at a minimum either "/" for a Linux server or "c:\" for a Windows server (without the quotation marks).

    • F5

      Enter "/" (without the quotation marks). (This field is required but ignored by the discovery job for F5, so any value entered here will do.)

11. Populate the remaining optional fields as needed. See Table 23: Discovery Options.
12. Click Save to schedule the discovery task. Once the scan begins, it may take several minutes to complete.
13. Return to the Discover tab for the results of the scan. Check the Orchestrator Jobs page (see Orchestrator Job Status) to review jobs in progress.

To manage discovered certificate stores:

1. In the Management Portal, browse to Locations > Certificate Stores.
2. On the Certificate Stores page, select the Discover tab.
3. On the Discover tab, highlight one or more store row(s) in the grid and click Manage at the top of the grid or right-click the store in the grid and choose Manage from the right-click menu. Discovered certificate stores that require entry of either a server username and password or store password (or PAM credential access information) during the approval process must all share the same password or PAM information if you select more than one for approval at the same time. The right-click menu supports operations on only one store at a time.

   

   Figure 292: Discovered Certificate Stores

4. The fields that appear on the Manage Certificate Stores dialog will vary depending on the certificate store type. If you’re using a Keyfactor custom-built extension from GitHub, be sure to consult the documentation on GitHub for the specific extension. The following are some examples.

   Java Keystore with the Remote File Extension

   • If desired, select a Container from the dropdown.

   • Click the Set Password button for the Keystore Password to enter the password for the keystore. In the Password dialog, the options are No Value, Load From Keyfactor Secrets, and Load From PAM Provider.

     Select No Value if your keystore does not have a password configured.

     

     Figure 293: Java Keystore Set Password to Keyfactor Secret

     Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

     

     Figure 294: Java Keystore Set Password to PAM Provider

     Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     Keyfactor Command Local Database

     Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

     • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

     Close

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
     • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

     Close

     Delinea/Thycotic

     Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

     Close

     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

     Close
   • The Linux File Permissions on Store Creation and Linux File Owner on Store Creation fields apply to the creation of new certificate stores on the target, and do not apply to discovered stores. These fields may be left blank.

   • Click Set Server Username and, in the Server Username dialog, choose the source from which to load a user valid on the target server or device with sufficient permissions to read the store locations and open files. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets.

     

     Figure 295: Set Server Username to Load from Keyfactor Secret for JKS

     Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

     

     Figure 296: Set Server Username to Load from PAM Provider for JKS

     Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     Keyfactor Command Local Database

     Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

     • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

     Close

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
     • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

     Close

     Delinea/Thycotic

     Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

     Close

     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

     Close

   • Click Set Server Password and, in the Server Password dialog, choose the source from which to load the password for the user specified with Set Server Username. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets.

     

     Figure 297: Set Server Password to Load from Keyfactor Secret for JKS

     Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

     

     Figure 298: Set Server Password to Load from PAM Provider for JKS

     Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     Keyfactor Command Local Database

     Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

     • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

     Close

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
     • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

     Close

     Delinea/Thycotic

     Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

     Close

     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

     Close
   • In the Use SSL section, select True to use SSL to communicate with the remote target, if desired. For more information, see Table 23: Discovery Options.
   • The Linux File Permissions On Store Creation and Linux File Owner On Store Creation fields are not relevant when managing existing stores.

   

   Figure 299: Manage a Discovered Certificate Store

   Close
   F5 SSL Profile Certificate with the F5 Extension

   • If desired, select a Container from the dropdown.
   • In the Primary Node Online Required section, select True to enable primary node functionality, if desired. This will enable three additional fields (which appear above the Version of F5):
     • In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.
       Tip:  Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
     • In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
     • In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.

   • In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.

     Tip:  Select v15 for version 15 and above.
   • In the Ignore SSL Warning section, select True to continue jobs even if a warning is received indicating there is some problem with the SSL connection to the F5 device.
   • Configure the Use Token Authentication as appropriate for your environment. Set this to False to use basic authentication for all communications with the F5 device. Set it to True to use basic authentication for the initial connection to the F5 device to acquire an authentication token which will be used for all subsequent API requests.

   • Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.

     Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.

     

     Figure 300: F5 SSL Profiles Set Username to Keyfactor Secret

     Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

     

     Figure 301: F5 SSL Profiles Set Username using PAM

     Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     Keyfactor Command Local Database

     Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

     • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

     Close

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
     • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

     Close

     Delinea/Thycotic

     Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

     Close

     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

     Close

   • Click Set Server Password to choose the source to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.

     

     Figure 302: F5 SSL Profiles Set Password to Keyfactor Secret

     Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

     

     Figure 303: F5 SSL Profiles Set Password using PAM

     Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     Keyfactor Command Local Database

     Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

     • Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

     Close

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir).
     • PrivateArk Protected Password Name —The name of the username or password to use for this instance.

     Close

     Delinea/Thycotic

     Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server.

     Close

     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

     Close
   • In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. For more information, see Table 23: Discovery Options.

   

   Figure 304: Manage a Discovered F5 SSL Profile Certificate

   Close

5. Select an Inventory Schedule option from the Inventory Schedule dropdown. The choices are:

   • Select Off to disable the inventory job.

   • If you select Immediate, the inventory will run within a few minutes of saving the record and will run only once. After this, the inventory schedule will be cleared.

   • If you select Interval, you can select a scan frequency of anywhere from every 1 minute to every 12 hours.

   • If you select Daily, you can set the time of day when the inventory should begin every day.

   • If you select Weekly, you can select the day, or days, of the week at a specified time.

   • If you select Exactly Once, you can select a date and time at which to run the inventory job. After the job has run, the inventory schedule will be cleared.

Discovered certificate stores can be deleted one at a time or in multiples.

To delete a discovered certificate store:

1. In the Management Portal, browse to Locations > Certificate Stores.
2. On the Certificate Stores page, select the Discover tab.
3. On the Discover tab, highlight the row(s) in the discover grid of the store(s) to delete and click Delete at the top of the grid or right-click the store location in the grid and choose Delete from the right-click menu. The right-click menu supports operations on only one store at a time.
4. On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.