diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 6e26a91..61ea7a0 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -1,42 +1,20 @@ -name: Starter Workflow -on: [workflow_dispatch, push, pull_request] +name: Keyfactor Bootstrap Workflow -jobs: - call-create-github-release-workflow: - uses: Keyfactor/actions/.github/workflows/github-release.yml@main - - get-manifest-properties: - runs-on: windows-latest - outputs: - update_catalog: ${{ steps.read-json.outputs.prop }} - steps: - - uses: actions/checkout@v3 - - name: Read json - id: read-json - shell: pwsh - run: | - $json = Get-Content integration-manifest.json | ConvertFrom-Json - echo "::set-output name=prop::$(echo $json.update_catalog)" - - call-dotnet-build-and-release-workflow: - needs: [call-create-github-release-workflow] - uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main - with: - release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} - release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} - release_dir: Fortigate/bin/Release - secrets: - token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' - call-generate-readme-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2 secrets: - token: ${{ secrets.APPROVE_README_PUSH }} - - call-update-catalog-workflow: - needs: get-manifest-properties - if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') - uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main - secrets: - token: ${{ secrets.SDK_SYNC_PAT }} + token: ${{ secrets.V2BUILDTOKEN}} + APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} + scan_token: ${{ secrets.SAST_TOKEN }} diff --git a/Certificate Store Type CURL Script/Imperva.curl b/Certificate Store Type CURL Script/Imperva.curl deleted file mode 100644 index c269023..0000000 --- a/Certificate Store Type CURL Script/Imperva.curl +++ /dev/null @@ -1,45 +0,0 @@ -###CURL script to create Fortigate certificate store type - -###Replacement Variables - Manually replace these before running### -# {URL} - Base URL for your Keyfactor deployment -# {UserName} - User name with access to run Keyfactor APIs -# {UserPassword} - Password for the UserName above - -curl -X POST {URL}/keyfactorapi/certificatestoretypes -H "Content-Type: application/json" -H "x-keyfactor-requested-with: APIClient" -u {UserName}:{UserPassword} -d '{ - "Name": "Fortigate", - "ShortName": "Fortigate", - "Capability": "Fortigate", - "ServerRequired": false, - "BlueprintAllowed": true, - "CustomAliasAllowed": "Required", - "PowerShell": false, - "PrivateKeyAllowed": "Required", - "SupportedOperations": { - "Add": true, - "Create": false, - "Discovery": false, - "Enrollment": false, - "Remove": true - }, - "PasswordOptions": { - "Style": "Default", - "EntrySupported": false, - "StoreRequired": true - }, - "Properties": [], - "EntryParameters": [] -}' -Footer -© 2022 GitHub, Inc. -Footer navigation -Terms -Privacy -Security -Status -Docs -Contact GitHub -Pricing -API -Training -Blog -About diff --git a/Fortigate/Fortigate.csproj b/Fortigate/Fortigate.csproj index 9a9e58f..2d7f9a1 100644 --- a/Fortigate/Fortigate.csproj +++ b/Fortigate/Fortigate.csproj @@ -1,23 +1,20 @@ - false - netcoreapp3.1 + true + net6.0;net8.0 true + disable - - - - + + + Always + - - - - diff --git a/Fortigate/FortigateResponse.cs b/Fortigate/FortigateResponse.cs deleted file mode 100644 index 7648d43..0000000 --- a/Fortigate/FortigateResponse.cs +++ /dev/null @@ -1,18 +0,0 @@ - - -namespace Keyfactor.Extensions.Orchestrator.GCP.Api -{ - public class FortigateResponse - { - "http_method":"GET", - "results":[] -"vdom":"root", - "path":"system", - "name":"available-certificates", - "action":"", - "status":"success", - "serial":"FGVM02TM21009640", - "version":"v7.0.0", - "build":66 - } -} \ No newline at end of file diff --git a/Fortigate/FortigateStore.cs b/Fortigate/FortigateStore.cs index be5baae..d33363d 100644 --- a/Fortigate/FortigateStore.cs +++ b/Fortigate/FortigateStore.cs @@ -33,6 +33,7 @@ using Microsoft.Extensions.Logging; using Keyfactor.Orchestrators.Common.Enums; using System.Reflection.Metadata; +using System.Linq.Expressions; namespace Keyfactor.Extensions.Orchestrator.Fortigate { @@ -80,16 +81,26 @@ public FortigateStore(string fortigateHost, string accessToken) public void Delete(string alias) { - logger = LogHandler.GetClassLogger(this.GetType()); - - var result = DeleteResource(delete_certificate_api + alias); + logger.MethodEntry(LogLevel.Debug); - logger.MethodExit(LogLevel.Debug); + try + { + DeleteResource(delete_certificate_api + alias); + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error deleting certificate {alias}: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } } public bool Exists(string alias) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); try { @@ -106,12 +117,11 @@ public bool Exists(string alias) { logger.MethodExit(LogLevel.Debug); } - } public void UpdateUsage(string alias, string path, string name, string attribute) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); var attributeValue = new Dictionary(); attributeValue.Add("q_origin_key", alias); @@ -122,99 +132,130 @@ public void UpdateUsage(string alias, string path, string name, string attribute var parameters = new Dictionary(); parameters.Add("vdom", "root"); - var result = PutAsJson(endpoint, main, parameters); - logger.LogDebug(result); - logger.MethodExit(LogLevel.Debug); + try + { + PutAsJson(endpoint, main, parameters); + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error updating usage for {alias}: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } } public Usage Usage(string alias) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); var parameters = new Dictionary(); parameters.Add("vdom", "root"); parameters.Add("scope", "global"); parameters.Add("mkey", alias); parameters.Add("qtypes", "[160]"); - var result = GetResource(cert_usage_api, parameters); - var response = JsonConvert.DeserializeObject>(result); - logger.MethodExit(LogLevel.Debug); - return response.results; + try + { + var result = GetResource(cert_usage_api, parameters); + var response = JsonConvert.DeserializeObject>(result); + return response.results; + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error checking usage for {alias}: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } } public void Insert(string alias, string cert, string privateKey, bool overwrite, string password = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); - if (overwrite) + try { - var tmpAlias = alias + "_kftmp"; - var existing = Exists(alias); - var tmpExisting = Exists(tmpAlias); - - //if there is an existing record - if (existing) + if (overwrite) { - //check to see if it's in use - var existingUsage = Usage(alias); + var tmpAlias = alias + "_kftmp"; + var existing = Exists(alias); + var tmpExisting = Exists(tmpAlias); - //if it's currently in use - if (existingUsage.currently_using.Length > 0) + //if there is an existing record + if (existing) { - //if we don't have a tmp create a temp - if (!tmpExisting) - { - //create tmp - Insert(tmpAlias, cert, privateKey); - - tmpExisting = true; - } + //check to see if it's in use + var existingUsage = Usage(alias); - foreach (var existingUsing in existingUsage.currently_using) + //if it's currently in use + if (existingUsage.currently_using.Length > 0) { - UpdateUsage(tmpAlias, existingUsing.path, existingUsing.name, existingUsing.attribute); + //if we don't have a tmp create a temp + if (!tmpExisting) + { + //create tmp + Insert(tmpAlias, cert, privateKey); + + tmpExisting = true; + } + + foreach (var existingUsing in existingUsage.currently_using) + { + UpdateUsage(tmpAlias, existingUsing.path, existingUsing.name, existingUsing.attribute); + } } - } - logger.LogDebug("Deleting alias:" + alias); - Delete(alias); - } + logger.LogDebug("Deleting alias:" + alias); + Delete(alias); + } - logger.LogDebug("Inserting alias:" + alias); - Insert(alias, cert, privateKey, password); + logger.LogDebug("Inserting alias:" + alias); + Insert(alias, cert, privateKey, password); - //if we have an existing temp record - if (tmpExisting) - { - //check to see if it has any binds - var tmpUsage = Usage(tmpAlias); - if (tmpUsage.currently_using.Length > 0) + //if we have an existing temp record + if (tmpExisting) { - //transfer binds back to original - foreach (var tmpUsing in tmpUsage.currently_using) + //check to see if it has any binds + var tmpUsage = Usage(tmpAlias); + if (tmpUsage.currently_using.Length > 0) { - UpdateUsage(alias, tmpUsing.path, tmpUsing.name, tmpUsing.attribute); + //transfer binds back to original + foreach (var tmpUsing in tmpUsage.currently_using) + { + UpdateUsage(alias, tmpUsing.path, tmpUsing.name, tmpUsing.attribute); + } } + logger.LogDebug("Deleting alias:" + tmpExisting); + Delete(tmpAlias); } - logger.LogDebug("Deleting alias:" + tmpExisting); - Delete(tmpAlias); + } + else + { + //no overwrite so we just try to insert + logger.LogDebug("Inserting certificate with alias: " + alias); + Insert(alias, cert, privateKey, password); } } - else + catch (Exception ex) { - //no overwrite so we just try to insert - logger.LogDebug("Inserting certificate with alias: " + alias); - Insert(alias, cert, privateKey, password); + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error inserting/replacing certificate {alias}: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); } - - logger.MethodExit(LogLevel.Debug); } private void Insert(string alias, string cert, string privateKey, string password = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); var cert_resource = new cmdb_certificate_resource() { @@ -226,108 +267,126 @@ private void Insert(string alias, string cert, string privateKey, string passwor type = "regular" }; - logger.LogDebug(alias); - logger.LogDebug("key_file_content:" + privateKey); - logger.LogDebug("file_content:" + cert); - - Insert(cert_resource); - - logger.MethodExit(LogLevel.Debug); - } - - private void Insert(cmdb_certificate_resource cert) - { - logger = LogHandler.GetClassLogger(this.GetType()); - var parameters = new Dictionary(); parameters.Add("vdom", "root"); - var result = PostAsJson(import_certificate_api, cert, parameters); - logger.LogDebug(result); - - logger.MethodExit(LogLevel.Debug); + try + { + PostAsJson(import_certificate_api, cert_resource, parameters); + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error inserting certificate {alias}: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } } public List List() { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); List items = new List(); - var result = GetResource(available_certificates); - var response = JsonConvert.DeserializeObject>(result); + try + { + var result = GetResource(available_certificates); + var response = JsonConvert.DeserializeObject>(result); - foreach( var cert in response.results) - { - if (cert.type == "local-cer") + foreach( var cert in response.results) { - var certFile = DownloadFileAsString(cert.name, cert.type); - - var item = new CurrentInventoryItem() + if (cert.type == "local-cer") { - Alias = cert.name, - Certificates = new string[] { certFile }, - ItemStatus = OrchestratorInventoryItemStatus.Unknown, - PrivateKeyEntry = true, - UseChainLevel = false - }; - - items.Add(item); - } - } + var certFile = DownloadFileAsString(cert.name, cert.type); - logger.MethodExit(LogLevel.Debug); + var item = new CurrentInventoryItem() + { + Alias = cert.name, + Certificates = new string[] { certFile }, + ItemStatus = OrchestratorInventoryItemStatus.Unknown, + PrivateKeyEntry = true, + UseChainLevel = false + }; + + items.Add(item); + } + } - return items; + return items; + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, "Error retrieving certificate list: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } } private string DownloadFileAsString(string mkey, string type) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); var parameters = new Dictionary(); parameters.Add("mkey", mkey); parameters.Add("type", type); - var response = client.GetAsync(GetUrl(download_certificate, parameters)).GetAwaiter().GetResult(); - var content = response.Content.ReadAsStringAsync().GetAwaiter().GetResult(); - if (!response.IsSuccessStatusCode) - throw new Exception($"Error retrieving certificate {mkey}: {content}"); + try + { + var response = client.GetAsync(GetUrl(download_certificate, parameters)).GetAwaiter().GetResult(); + var content = response.Content.ReadAsStringAsync().GetAwaiter().GetResult(); + if (!response.IsSuccessStatusCode) + throw new Exception($"Error retrieving certificate {mkey}: {content}"); - logger.MethodExit(LogLevel.Debug); - return content; + return content; + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error retrieving downloading file {mkey}: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } } private String PostAsJson(string endpoint, cmdb_certificate_resource obj, Dictionary additionalParams = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); string content = ""; + var url = GetUrl(endpoint, additionalParams); + var stringContent = new StringContent(JsonConvert.SerializeObject(obj), Encoding.UTF8, "application/json"); + stringContent.Headers.ContentType = new MediaTypeHeaderValue("application/json"); + try { - var url = GetUrl(endpoint, additionalParams); - logger.LogDebug("postAsJson to url:" + url); - var stringContent = new StringContent(JsonConvert.SerializeObject(obj), Encoding.UTF8, "application/json"); - stringContent.Headers.ContentType = new MediaTypeHeaderValue("application/json"); HttpResponseMessage responseMessage = client.PostAsync(url, stringContent).GetAwaiter().GetResult(); - logger.LogDebug("response message received"); content = responseMessage.Content.ReadAsStringAsync().GetAwaiter().GetResult(); - logger.LogDebug("Ensuring status code.."); if (!responseMessage.IsSuccessStatusCode) throw new Exception($"Error adding certificate {obj.certname}: {content}"); - logger.MethodExit(LogLevel.Debug); return responseMessage.StatusCode.ToString(); } - catch (HttpRequestException e) + catch (HttpRequestException ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, "Error performing POST: ")); + throw; + } + finally { - logger.LogError("Error performing post resource: " + e.Message); - throw e; + logger.MethodExit(LogLevel.Debug); } } - private String DeleteResource(string endpoint, Dictionary additionalParams = null) + private void DeleteResource(string endpoint, Dictionary additionalParams = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); try { @@ -335,53 +394,54 @@ private String DeleteResource(string endpoint, Dictionary additi string content = responseMessage.Content.ReadAsStringAsync().GetAwaiter().GetResult(); if (!responseMessage.IsSuccessStatusCode) throw new Exception($"Error removing certificate: {content}"); - - logger.MethodExit(LogLevel.Debug); - return responseMessage.StatusCode.ToString(); } - catch (HttpRequestException e) + catch (HttpRequestException ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, "Error performing DELETE: ")); + throw; + } + finally { - logger.LogError("Error performing deleting resource: " + e.Message); - throw e; + logger.MethodExit(LogLevel.Debug); } } - private String PutAsJson(string endpoint, Object obj, Dictionary additionalParams = null) + private void PutAsJson(string endpoint, Object obj, Dictionary additionalParams = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); + + var stringContent = new StringContent(JsonConvert.SerializeObject(obj), Encoding.UTF8, "application/json"); + stringContent.Headers.ContentType = new MediaTypeHeaderValue("application/json"); try { - var stringContent = new StringContent(JsonConvert.SerializeObject(obj), Encoding.UTF8, "application/json"); - stringContent.Headers.ContentType = new MediaTypeHeaderValue("application/json"); - HttpResponseMessage responseMessage = client.PutAsync(GetUrl(endpoint, additionalParams), stringContent).GetAwaiter().GetResult(); string content = responseMessage.Content.ReadAsStringAsync().GetAwaiter().GetResult(); if (!responseMessage.IsSuccessStatusCode) throw new Exception(content); - - logger.MethodExit(LogLevel.Debug); - return responseMessage.StatusCode.ToString(); } - catch (HttpRequestException e) + catch (HttpRequestException ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, "Error performing PUT: ")); + throw; + } + finally { - logger.LogError("Error performing put resource: " + e.Message); - throw e; + logger.MethodExit(LogLevel.Debug); } } private String GetUrl(string endpoint, Dictionary additionalParams = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); + logger.MethodExit(LogLevel.Debug); return AddQueryParams("https://" + FortigateHost + endpoint, additionalParams); - - logger.MethodExit(LogLevel.Debug); } private String AddQueryParams(string endpoint, Dictionary additionalParams = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); var parameters = new Dictionary(); parameters.Add("access_token", AccessToken); @@ -393,36 +453,28 @@ private String AddQueryParams(string endpoint, Dictionary additi } } - try - { - var queryString = endpoint + "?" + string.Join("&", parameters.Select(kvp => $"{HttpUtility.UrlEncode(kvp.Key)}={HttpUtility.UrlEncode(kvp.Value)}")); - - logger.LogDebug("QueryString:" + queryString); + var queryString = endpoint + "?" + string.Join("&", parameters.Select(kvp => $"{HttpUtility.UrlEncode(kvp.Key)}={HttpUtility.UrlEncode(kvp.Value)}")); + logger.MethodExit(LogLevel.Debug); - logger.MethodExit(LogLevel.Debug); - return queryString; - } - catch (Exception e) - { - logger.LogDebug("Exception occured while creating query string", e); - throw e; - } + return queryString; } private string GetResource(string endpoint, Dictionary additionalParams = null) { - logger = LogHandler.GetClassLogger(this.GetType()); + logger.MethodEntry(LogLevel.Debug); try { - logger.MethodExit(LogLevel.Debug); - return client.GetStringAsync(GetUrl(endpoint, additionalParams)).GetAwaiter().GetResult(); } - catch(HttpRequestException e) + catch(HttpRequestException ex) { - logger.LogError("Error performing get resource: " + e.Message); - throw e; + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error performing get resource: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); } } } diff --git a/Fortigate/Management.cs b/Fortigate/Management.cs index 2044d9e..7ebd5ff 100644 --- a/Fortigate/Management.cs +++ b/Fortigate/Management.cs @@ -32,6 +32,8 @@ public class Management : IManagementJobExtension { public IPAMSecretResolver _resolver; public string ExtensionName => string.Empty; + + ILogger logger; public Management(IPAMSecretResolver resolver) { @@ -41,7 +43,8 @@ public Management(IPAMSecretResolver resolver) //Job Entry Point public JobResult ProcessJob(ManagementJobConfiguration config) { - ILogger logger = LogHandler.GetClassLogger(this.GetType()); + logger = LogHandler.GetClassLogger(this.GetType()); + logger.LogDebug($"Begin {config.Capability} for job id {config.JobId}..."); logger.LogDebug($"Client Machine: {config.CertificateStoreDetails.ClientMachine}"); @@ -81,6 +84,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config) private (byte[], byte[]) GetPemFromPFX(byte[] pfxBytes, char[] pfxPassword) { + logger.MethodEntry(LogLevel.Debug); + Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder(); Pkcs12Store p = storeBuilder.Build(); p.Load(new MemoryStream(pfxBytes), pfxPassword); @@ -108,6 +113,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config) Func pemify = null; pemify = (ss => ss.Length <= 64 ? ss : ss.Substring(0, 64) + "\n" + pemify(ss.Substring(64))); String certPem = certStart + pemify(Convert.ToBase64String(p.GetCertificate(alias).Certificate.GetEncoded())) + certEnd; + + logger.MethodExit(LogLevel.Debug); return (Encoding.ASCII.GetBytes(certPem), Encoding.ASCII.GetBytes(privateKeyString)); } } diff --git a/docsource/content.md b/docsource/content.md new file mode 100644 index 0000000..dc15197 --- /dev/null +++ b/docsource/content.md @@ -0,0 +1,49 @@ +## Overview + +The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below: + +- CA Bundles + - Discovery + - Inventory* + - Management (Add and Remove) +- Web Server Device Certificates + - Inventory* + - Management (Add, but replacement/renewal of existing certificate only) +- SSL Certificates + - Discovery + - Inventory* + - Management (Add and Remove) + +*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores. + + +## Requirements + +An administrator account must be set up in F5 to be used with this orchestrator extension. This F5 user id is what must be used as credentials when setting up a Keyfactor Command certificate store pointing to the F5 device intending to be managed. + + +## Discovery + +For SSL Certificate (F5-SL-REST) and CA Bundle (F5-CA-REST) store types, discovery jobs can be scheduled to find F5 partitions that can be configured as Keyfactor Command certificate stores. + +First, in Keyfactor Command navigate to Certificate Locations =\> Certificate Stores. Select the Discover tab and then the Schedule button. Complete the dialog and click Done to schedule. +![](images/image14.png) + +- **Category** - Required. The F5 store type you wish to find stores for. + +- **Orchestrator** - Select the orchestrator you wish to use to manage this store + +- **Client Machine & Credentials** - Required. The server name or IP Address and login credentials for the F5 device. The credentials for server login can be any of: + + - UserId/Password + - PAM provider information to pass the UserId/Password or UserId/SSH private key credentials + + When entering the credentials, UseSSL ***must*** be selected. + +- **When** - Required. The date and time when you would like this to execute. + +- **Directories to search** - Required but not used. This field is not used in the search to Discover certificate stores, but ***is*** a required field in this dialog, so just enter any value. It will not be used. + +- **Directories to ignore/Extensions/File name patterns to match/Follow SymLinks/Include PKCS12 Files** - Not used. Leave blank. + +Once the Discovery job has completed, a list of F5 certificate store locations should show in the Certificate Stores Discovery tab in Keyfactor Command. Right click on a store and select Approve to bring up a dialog that will ask for the remaining necessary certificate store parameters described in Step 2a. Complete those and click Save, and the Certificate Store should now show up in the list of stores in the Certificate Stores tab. diff --git a/docsource/fortigate.md b/docsource/fortigate.md new file mode 100644 index 0000000..ed37e8e --- /dev/null +++ b/docsource/fortigate.md @@ -0,0 +1 @@ +## Overview diff --git a/integration-manifest.json b/integration-manifest.json index 7a58675..6fb53eb 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -7,28 +7,15 @@ "link_github": false, "support_level": "community", "update_catalog": false, + "release_project": "Fortigate/Fortigate.csproj", + "release_dir": "Fortigate/bin/Release", "about": { "orchestrator": { "UOFramework": "10.1", "pam_support": true, - "win": { - "supportsCreateStore": false, - "supportsDiscovery": false, - "supportsManagementAdd": true, - "supportsManagementRemove": true, - "supportsReenrollment": false, - "supportsInventory": true - }, - "linux": { - "supportsCreateStore": false, - "supportsDiscovery": false, - "supportsManagementAdd": true, - "supportsManagementRemove": true, - "supportsReenrollment": false, - "supportsInventory": true - }, - "store_types": { - "Fortigate": { + "keyfactor_platform_version": "10.4", + "store_types": [ + { "Name": "Fortigate", "ShortName": "Fortigate", "Capability": "Fortigate", @@ -47,12 +34,17 @@ "PasswordOptions": { "Style": "Default", "EntrySupported": false, - "StoreRequired": true - }, - "Properties": [], - "EntryParameters": [] - } - } + "StoreRequired": true, + "StorePassword": { + "Description": "Enter the Fortigate API Token here", + "IsPAMEligible": true + }, + "Properties": [], + "EntryParameters": [], + "ClientMachineDescription": "The IP address or DNS of the Fortigate server", + "StorePathDescription": "This is not used in this integration, but is a required field in the UI. Just enter any value here" + } + ] } } } \ No newline at end of file diff --git a/readme-src/readme-pam-support.md b/readme-src/readme-pam-support.md deleted file mode 100644 index 630cab4..0000000 --- a/readme-src/readme-pam-support.md +++ /dev/null @@ -1,4 +0,0 @@ -|Name|Description| -|----|-----------| -|StorePassword|The Fortigate API Access Token used to execute Fortigate API requests| - diff --git a/readme_source.md b/readme_source.md deleted file mode 100644 index fcd07dc..0000000 --- a/readme_source.md +++ /dev/null @@ -1,69 +0,0 @@ -## Use Cases Supported and Limitations - -The Fortigate Orchestrator Extension supports the following use cases: -1. Inventory of local user and factory cerificates -2. Ability to add new local certificates -3. Ability to renew **unbound** local user certificates -4. Ability to delete **unbound** local user certificates - -The Fortigate Orchestrator Extension DOES NOT support the following use cases: -1. The renewal or removal of certificates enrolled through the internal Fortigate CA -2. The renewal or removal of factory certificates -3. The renewal or removal of ANY certificate bound to a Fortigate object -4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case) - -## Fortigate Version Supported - -The Fortigate Orchestrator Extension was tested using Fortigate, version 7.2.4 - -## Fortigate Orchestrator Extension Versioning - -The version number of a the Fortigate Orchestrator Extension can be verified by right clicking on the Fortigate.dll file in the Extensions/Fortigate installation folder, selecting Properties, and then clicking on the Details tab. - -## Fortigate Orchestrator Extension Installation - -1. Create the Fortigate certificate store type. This can be done either: a) using the Keyfactor Command UI to manually set up the certificate store type (please refer to the Keyfactor Command Reference Guide for more information on how to do this), or b) by using the Keyfactor Command API to automate the creation of the store type. Please see the provided CURL script [here](Certificate%20Store%20Type%20CURL%20Script/Fortigate.curl). A detailed description of how the Fortigate certificate store type should be configured can be found in the Fortigate Certificate Store Type section below. -2. Stop the Keyfactor Orchestrator Service on the server hosting the Keyfactor Orchestrator. -3. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "extensions" folder. Underneath that, create a new folder. The name doesn't matter, but something descriptive like "Fortigate" would probably be best. -4. Download the latest version of the Fortigate Orchestrator from [GitHub](https://github.com/Keyfactor/fortigate-orchestrator). -5. Copy the contents of the download installation zip file to the folder created in step 1. -6. Start the Keyfactor Orchestrator Service on the server hosting the Keyfactor Orchestrator. - -## Fortigate Setup - -The Fortigate Orchestrator Extension requires an API token be created in the Fortigate environment being managed. Please review the following [instructions](https://docs.fortinet.com/document/forticonverter/7.0.1/online-help/866905/connect-fortigate-device-via-api-token) for creating an API token to be used in this integration. - -## Certificate Store Type Settings - -Below are the values you need to enter if you choose to manually create the Fortigate certificate store type in the Keyfactor Command UI (related to Step 1 of Fortigate Orchestrator Extension Installation above). - -*Basic Tab:* -- **Name** – Required. The display name you wish to use for the new certificate store type. Suggested value - Fortigate -- **ShortName** - Required. Suggested value - Fortigate. If you choose to use a different value, you will need to modify the manifest.json file accordingly. -- **Custom Capability** - Unchecked -- **Supported Job Types** - Inventory, Add, and Remove should all be checked. -- **Needs Server** - Unchecked -- **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. -- **Uses PoserShell** - Unchecked -- **Requires Store Password** - Checked. -- **Supports Entry Password** - Unchecked. - -*Advanced Tab:* -- **Store Path Type** - Freeform -- **Supports Custom Alias** - Required -- **Private Key Handling** - Required -- **PFX Password Style** - Default - -*Custom Fields Tab:* -None - -*Entry Parameters:* -None - -## Certificate Store Setup - -Please refer to the Keyfactor Command Reference Guide for information on creating certificate stores in Keyfactor Command. However, there are a few fields that are important to highlight here: -- Category - Select "Fortigate" or whatever ShortName you chose for the store type. -- Client Machine - The IP address or DNS for your Fortigate server. -- Store Path - This is not used in this integration, but is a required field in the UI. Just enter any value here. -- Password - Click the button here and enter the Fortigate API Token you previously set up (See Fortigate Setup earlier in this README).