The Imperva Orchestrator Extension allows for the management of SSL certificates bound to web sites managed by the Imperva cloud-based firewall.
This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
Imperva is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1
The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
Operation | Win | Linux |
---|---|---|
Supports Management Add | ✓ | ✓ |
Supports Management Remove | ✓ | ✓ |
Supports Create Store | ||
Supports Discovery | ||
Supports Renrollment | ||
Supports Inventory | ✓ | ✓ |
This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider.
The secrets that this orchestrator extension supports for use with a PAM Provider are:
Name | Description |
---|---|
StorePassword | The Keyfactor certificate store password contains the Imperva API Id and API Key concatenated with a comma (,). For example: 12345,12345678-1234-1234-1234-123456789ABC. Please refer to your Imperva documentation to learn more about creating API Ids and Keys. |
It is not necessary to use a PAM Provider for all of the secrets available above. If a PAM Provider should not be used, simply enter in the actual value to be used, as normal.
If a PAM Provider will be used for one of the fields above, start by referencing the Keyfactor Integration Catalog. The GitHub repo for the PAM Provider to be used contains important information such as the format of the json
needed. What follows is an example but does not reflect the json
values for all PAM Providers as they have different "instance" and "initialization" parameter names and values.
General PAM Provider Configuration
To use a PAM Provider to resolve a field, in this example the Server Password will be resolved by the Hashicorp-Vault
provider, first install the PAM Provider extension from the Keyfactor Integration Catalog on the Universal Orchestrator.
Next, complete configuration of the PAM Provider on the UO by editing the manifest.json
of the PAM Provider (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here:
"Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": {
"Host": "http://127.0.0.1:8200",
"Path": "v1/secret/data",
"Token": "xxxxxx"
}
After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions.
With the PAM Provider configured as an extenion on the UO, a json
object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the Keyfactor Integration Catalog for the specific format of the json
object.
To have the Server Password field resolved by the Hashicorp-Vault
provider, the corresponding json
object from the Hashicorp-Vault
extension needs to be copied and filed in with the correct information:
{"Secret":"my-kv-secret","Key":"myServerPassword"}
This text would be entered in as the value for the Server Password, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the Server Password. If PAM should not be used, just directly enter in the value for the field.
The version number of a the Imperva Orchestrator Extension can be verified by right clicking on the Imperva.dll file in the Extensions/Imperva installation folder, selecting Properties, and then clicking on the Details tab.
- Create the Imperva certificate store type manually in Keyfactor Command by clicking on Settings (the gear icon on the top right) => Certificate Store Types => Add and then entering the settings described in the next section - Certificate Store Type Settings, OR by utilizing the CURL script found under the Certificate Store Type CURL Script folder in this repo.
- Stop the Keyfactor Universal Orchestrator Service for the orchestrator you plan to install this extension to run on.
- In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "Imperva" (you may choose to use a different name if you wish).
- Download the latest version of the Imperva Orchestrator Extension from GitHub. Click on the "Latest" release link on the right hand side of the main page and download the first zip file.
- Copy the contents of the download installation zip file to the folder created in Step 3.
- (Optional) If you decide to create the certificate store type with a short name different than the suggested value of "Imperva", edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the certificate store type in Keyfactor Command. If you created it with the suggested value, this step can be skipped.
- Start the Keyfactor Universal Orchestrator Service.
- In Keyfactor Command, go to Orchestrators => Management and approve the Keyfactor Orchestrator containing the Imperva capability that you just installed by selecting the orchestrator and clicking APPROVE.
Below are the values you need to enter if you choose to manually create the Imperva certificate store type in the Keyfactor Command UI (related to Step 1 of Imperva Orchestrator Extension Installation above).
Basic Tab:
- Name – Required. The display name you wish to use for the new certificate store type. Suggested value - Imperva
- ShortName - Required. Suggested value - Imperva. If you choose to use a different value, please refer to Step 6 under Imperva Orchestrator Extension Installation above.
- Custom Capability - Unchecked
- Supported Job Types - Inventory, Add, and Remove should all be checked.
- Needs Server - Unchecked
- Blueprint Allowed - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature.
- Uses PoserShell - Unchecked
- Requires Store Password - Checked.
- Supports Entry Password - Unchecked.
Advanced Tab:
- Store Path Type - Freeform
- Supports Custom Alias - Required
- Private Key Handling - Required
- PFX Password Style - Default
Custom Fields Tab: None
Entry Parameters:
None
To create a Keyfactor Command certificate store of certificate store type Imperva, go to Locations => Certificate Stores and click ADD. Then enter the following:
- Category - Imperva (or the alternate ShortName value you entered when creating your certificate store type).
- Container - Optional. Refer to Keyfactor Command documentation about this feature.
- Client Machine - The URL that will be used as the base URL for Imperva endpoint calls. Should be https://my.imperva.com
- Store Path - Your Imperva account id. Please refer to the Imperva documentation as to how to find your Imperva account id.
- Store Password - Your Imperva API id and API key concatenated with a comma (,}. For example: 12345,12345678-1234-1234-1234-123456789ABC. Please refer to the Imperva documentation as to how to create an API id and key.