diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 61ea7a0..bd5f384 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -1,4 +1,4 @@ -name: Keyfactor Bootstrap Workflow +name: Keyfactor Bootstrap Workflow on: workflow_dispatch: @@ -11,10 +11,17 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2 + uses: keyfactor/actions/.github/workflows/starter.yml@v4 + with: + command_token_url: ${{ vars.COMMAND_TOKEN_URL }} + command_hostname: ${{ vars.COMMAND_HOSTNAME }} + command_base_api_path: ${{ vars.COMMAND_API_PATH }} secrets: token: ${{ secrets.V2BUILDTOKEN}} - APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} scan_token: ${{ secrets.SAST_TOKEN }} + entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} + entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} + command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} + command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index d13be5c..42bb291 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +v1.3.0 +- Add support for renewing certificate bound to the HTTPS server + v1.2.0 - Allow for the management (renew/replace) of bound certificates diff --git a/Fortigate/Api/HttpsUsage.cs b/Fortigate/Api/HttpsUsage.cs new file mode 100644 index 0000000..26e77f7 --- /dev/null +++ b/Fortigate/Api/HttpsUsage.cs @@ -0,0 +1,36 @@ +//Copyright 2023 Keyfactor +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + +using Newtonsoft.Json; +using System.Text.Json.Serialization; + +namespace Keyfactor.Extensions.Orchestrator.Fortigate.Api +{ + public class HttpsUsage + { + [JsonProperty("admin-server-cert")] + public string AdminServerCert { get; set; } + } + + public class HttpUsageRequest + { + [JsonProperty("admin-server-cert")] + public OriginKey AdminServerCert { get; set; } + } + + public class OriginKey + { + [JsonProperty("q_origin_key")] + public string QOriginKey { get; set; } + } +} diff --git a/Fortigate/Fortigate.csproj b/Fortigate/Fortigate.csproj index 2d7f9a1..5871c00 100644 --- a/Fortigate/Fortigate.csproj +++ b/Fortigate/Fortigate.csproj @@ -1,4 +1,4 @@ - + true @@ -8,7 +8,7 @@ - + diff --git a/Fortigate/FortigateStore.cs b/Fortigate/FortigateStore.cs index ccc21d2..aff8593 100644 --- a/Fortigate/FortigateStore.cs +++ b/Fortigate/FortigateStore.cs @@ -29,6 +29,7 @@ using System.Text; using System.Net.Http.Headers; using Microsoft.Extensions.Logging; +using Org.BouncyCastle.Asn1.Ocsp; namespace Keyfactor.Extensions.Orchestrator.Fortigate { @@ -53,6 +54,7 @@ public class FortigateStore private static readonly string delete_certificate_api = "/api/v2/cmdb/vpn.certificate/local/"; private static readonly string cert_usage_api = "/api/v2/monitor/system/object/usage"; + private static readonly string https_usage_api = "/api/v2/cmdb/system/global"; private readonly HttpClientHandler handler = new HttpClientHandler() { @@ -149,6 +151,46 @@ public Usage Usage(string alias, int qtype) } } + public string HttpsServerUsage() + { + logger.MethodEntry(LogLevel.Debug); + + try + { + var result = GetResource(https_usage_api, new Dictionary()); + return JsonConvert.DeserializeObject>(result).results.AdminServerCert; + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error checking https bindings: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } + } + + public void UpdateHttpsServerUsage(string alias) + { + logger.MethodEntry(LogLevel.Debug); + HttpUsageRequest request = new HttpUsageRequest() { AdminServerCert = new OriginKey() { QOriginKey = alias } }; + + try + { + PutAsJson(https_usage_api, request, new Dictionary()); + } + catch (Exception ex) + { + logger.LogError(FortigateException.FlattenExceptionMessages(ex, $"Error updating https server binding: ")); + throw; + } + finally + { + logger.MethodExit(LogLevel.Debug); + } + } + public void Insert(string alias, string cert, string privateKey, bool overwrite, string password = null) { logger.MethodEntry(LogLevel.Debug); @@ -170,9 +212,10 @@ public void Insert(string alias, string cert, string privateKey, bool overwrite, //check to see if it's in use existingUsage = Usage(alias, certItem.q_type); + bool existingHttpsUsage = HttpsServerUsage() == alias; //if it's currently in use - if (existingUsage != null && existingUsage.currently_using != null && existingUsage.currently_using.Length > 0) + if ((existingUsage != null && existingUsage.currently_using != null && existingUsage.currently_using.Length > 0) || existingHttpsUsage) { //if newAlias exists, end with error if (byNewAlias.Length > 0) @@ -184,10 +227,18 @@ public void Insert(string alias, string cert, string privateKey, bool overwrite, logger.LogDebug("Inserting alias:" + newAlias); Insert(newAlias, cert, privateKey, password); - foreach (var existingUsing in existingUsage.currently_using) + if (existingUsage != null && existingUsage.currently_using != null && existingUsage.currently_using.Length > 0) + { + foreach (var existingUsing in existingUsage.currently_using) + { + logger.LogDebug($"Update binding for path/name/attribute {existingUsing.path}/{existingUsing.name}/{existingUsing.attribute} for new alias {newAlias}"); + UpdateUsage(newAlias, existingUsing.path, existingUsing.name, existingUsing.attribute); + } + } + + if (existingHttpsUsage) { - logger.LogDebug($"Update binding for path/name/attribute {existingUsing.path}/{existingUsing.name}/{existingUsing.attribute} for new alias {newAlias}"); - UpdateUsage(newAlias, existingUsing.path, existingUsing.name, existingUsing.attribute); + UpdateHttpsServerUsage(newAlias); } logger.LogDebug("Deleting alias:" + alias); diff --git a/README.md b/README.md index c3946df..d0c19f5 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,9 @@ The Fortigate Orchestrator Extension DOES NOT support the following use cases: 4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case) \* Because the Fortigate API does not allow for updating certificates in place, and to avoid temporary outages, when replacing local certificates that are bound, it is necessary to create a new name (alias) for the certificate. The new name is created using the first 8 characters of the previous name (larger names truncated due to Fortigate name length constraints) allong with a suffix comprised of "--" and a 15 character hash of the current date/time. The replaced certificate with the old name is then removed from the Fortigate instance. For example, a bound certificate with the name "CertName" would be replaced and the name would then be "CertName--8DD76A97A98E4C1". The existing bindings would remain in place with the new name. At no point during the management job would any of the bound objects be left without a valid certificate binding. +Currently, the ability to renew bound certificates is limited to these binding types: +- The HTTPS server certificate found under Global, System => Settings +- The VPN server certificate found under Root, VPN => SSL-VPN Settings @@ -52,9 +55,9 @@ The Fortigate Orchestrator Extension DOES NOT support the following use cases: This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later. ## Support -The Fortigate Universal Orchestrator extension is open source and there is **no SLA**. Keyfactor will address issues as resources become available. Keyfactor customers may request escalation by opening up a support ticket through their Keyfactor representative. - -> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +The Fortigate Universal Orchestrator extension is community open source and there is **no SLA**. Keyfactor will address issues as resources become available. + +> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab. ## Requirements & Prerequisites @@ -64,84 +67,120 @@ Before installing the Fortigate Universal Orchestrator extension, we recommend t The Fortigate Orchestrator Extension requires an API token be created in the Fortigate environment being managed. Please review the following [instructions](https://docs.fortinet.com/document/forticonverter/7.0.1/online-help/866905/connect-fortigate-device-via-api-token) for creating an API token to be used in this integration. -## Create the Fortigate Certificate Store Type +## Fortigate Certificate Store Type To use the Fortigate Universal Orchestrator extension, you **must** create the Fortigate Certificate Store Type. This only needs to happen _once_ per Keyfactor Command instance. -* **Create Fortigate using kfutil**: - ```shell - # Fortigate - kfutil store-types create Fortigate - ``` -* **Create Fortigate manually in the Command UI**: -
Create Fortigate manually in the Command UI - Create a store type called `Fortigate` with the attributes in the tables below: - #### Basic Tab - | Attribute | Value | Description | - | --------- | ----- | ----- | - | Name | Fortigate | Display name for the store type (may be customized) | - | Short Name | Fortigate | Short display name for the store type | - | Capability | Fortigate | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | - | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | - | Needs Server | 🔲 Unchecked | Determines if a target server name is required when creating store | - | Blueprint Allowed | ✅ Checked | Determines if store type may be included in an Orchestrator blueprint | - | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | - | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. | - | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | - The Basic tab should look like this: +#### Supported Operations + +| Operation | Is Supported | +|--------------|------------------------------------------------------------------------------------------------------------------------| +| Add | ✅ Checked | +| Remove | ✅ Checked | +| Discovery | 🔲 Unchecked | +| Reenrollment | 🔲 Unchecked | +| Create | 🔲 Unchecked | + +#### Store Type Creation + +##### Using kfutil: +`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. +For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand Fortigate kfutil details + + ##### Using online definition from GitHub: + This will reach out to GitHub and pull the latest store-type definition + ```shell + # Fortigate + kfutil store-types create Fortigate + ``` + + ##### Offline creation using integration-manifest file: + If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. + You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command + in your offline environment. + ```shell + kfutil store-types create --from-file integration-manifest.json + ``` +
+ + +#### Manual Creation +Below are instructions on how to create the Fortigate store type manually in +the Keyfactor Command Portal +
Click to expand manual Fortigate details + + Create a store type called `Fortigate` with the attributes in the tables below: + + ##### Basic Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Name | Fortigate | Display name for the store type (may be customized) | + | Short Name | Fortigate | Short display name for the store type | + | Capability | Fortigate | Store type name orchestrator will register with. Check the box to allow entry of value | + | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | + | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | + | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Needs Server | 🔲 Unchecked | Determines if a target server name is required when creating store | + | Blueprint Allowed | ✅ Checked | Determines if store type may be included in an Orchestrator blueprint | + | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | + | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. | + | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | + + The Basic tab should look like this: + + ![Fortigate Basic Tab](docsource/images/Fortigate-basic-store-type-dialog.png) - ![Fortigate Basic Tab](docsource/images/Fortigate-basic-store-type-dialog.png) + ##### Advanced Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | + | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | - #### Advanced Tab - | Attribute | Value | Description | - | --------- | ----- | ----- | - | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | - | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + The Advanced tab should look like this: - The Advanced tab should look like this: + ![Fortigate Advanced Tab](docsource/images/Fortigate-advanced-store-type-dialog.png) - ![Fortigate Advanced Tab](docsource/images/Fortigate-advanced-store-type-dialog.png) + > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. - > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. + ##### Custom Fields Tab + Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: - #### Custom Fields Tab - Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + | Name | Display Name | Description | Type | Default Value/Options | Required | + | ---- | ------------ | ---- | --------------------- | -------- | ----------- | - | Name | Display Name | Description | Type | Default Value/Options | Required | - | ---- | ------------ | ---- | --------------------- | -------- | ----------- | + The Custom Fields tab should look like this: - The Custom Fields tab should look like this: + ![Fortigate Custom Fields Tab](docsource/images/Fortigate-custom-fields-store-type-dialog.png) - ![Fortigate Custom Fields Tab](docsource/images/Fortigate-custom-fields-store-type-dialog.png) -
+
## Installation -1. **Download the latest Fortigate Universal Orchestrator extension from GitHub.** +1. **Download the latest Fortigate Universal Orchestrator extension from GitHub.** Navigate to the [Fortigate Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/fortigate-orchestrator/releases/latest). Refer to the compatibility matrix below to determine whether the `net6.0` or `net8.0` asset should be downloaded. Then, click the corresponding asset to download the zip archive. - | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `fortigate-orchestrator` .NET version to download | - | --------- | ----------- | ----------- | ----------- | - | Older than `11.0.0` | | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | - | `11.6` _and_ newer | `net8.0` | | `net8.0` | + + | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `fortigate-orchestrator` .NET version to download | + | --------- | ----------- | ----------- | ----------- | + | Older than `11.0.0` | | | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | + | `11.6` _and_ newer | `net8.0` | | `net8.0` | Unzip the archive containing extension assemblies to a known location. @@ -151,9 +190,9 @@ To use the Fortigate Universal Orchestrator extension, you **must** create the F * **Default on Windows** - `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions` * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions` - + 3. **Create a new directory for the Fortigate Universal Orchestrator extension inside the extensions directory.** - + Create a new directory called `fortigate-orchestrator`. > The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory. @@ -164,14 +203,14 @@ To use the Fortigate Universal Orchestrator extension, you **must** create the F Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm). -6. **(optional) PAM Integration** +6. **(optional) PAM Integration** The Fortigate Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider. - To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension, and follow the associated instructions to install it on the Universal Orchestrator (remote). + To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote). -> The above installation steps can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). +> The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). @@ -179,85 +218,80 @@ To use the Fortigate Universal Orchestrator extension, you **must** create the F -* **Manually with the Command UI** +### Store Creation + +#### Manually with the Command UI -
Create Certificate Stores manually in the UI +
Click to expand details - 1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** +1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** - Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. + Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. - 2. **Add a Certificate Store.** +2. **Add a Certificate Store.** - Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- | ----------- | - | Category | Select "Fortigate" or the customized certificate store name from the previous step. | - | Container | Optional container to associate certificate store with. | - | Client Machine | The IP address or DNS of the Fortigate server | - | Store Path | This is not used in this integration, but is a required field in the UI. Just enter any value here | - | Orchestrator | Select an approved orchestrator capable of managing `Fortigate` certificates. Specifically, one with the `Fortigate` capability. | - | Store Password | Enter the Fortigate API Token here | + Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - + | Attribute | Description | + | --------- |---------------------------------------------------------| + | Category | Select "Fortigate" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | The IP address or DNS of the Fortigate server | + | Store Path | This is not used in this integration, but is a required field in the UI. Just enter any value here | + | Store Password | Enter the Fortigate API Token here | + | Orchestrator | Select an approved orchestrator capable of managing `Fortigate` certificates. Specifically, one with the `Fortigate` capability. | -
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator +
- If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. - | Attribute | Description | - | --------- | ----------- | - | Store Password | Enter the Fortigate API Token here | - Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. - > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. -
- +#### Using kfutil CLI -
+
Click to expand details -* **Using kfutil** - -
Create Certificate Stores with kfutil - - 1. **Generate a CSV template for the Fortigate certificate store** +1. **Generate a CSV template for the Fortigate certificate store** + + ```shell + kfutil stores import generate-template --store-type-name Fortigate --outpath Fortigate.csv + ``` +2. **Populate the generated CSV file** + + Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + + | Attribute | Description | + | --------- | ----------- | + | Category | Select "Fortigate" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | The IP address or DNS of the Fortigate server | + | Store Path | This is not used in this integration, but is a required field in the UI. Just enter any value here | + | Store Password | Enter the Fortigate API Token here | + | Orchestrator | Select an approved orchestrator capable of managing `Fortigate` certificates. Specifically, one with the `Fortigate` capability. | + +3. **Import the CSV file to create the certificate stores** + + ```shell + kfutil stores import csv --store-type-name Fortigate --file Fortigate.csv + ``` - ```shell - kfutil stores import generate-template --store-type-name Fortigate --outpath Fortigate.csv - ``` - 2. **Populate the generated CSV file** +
- Open the CSV file, and reference the table below to populate parameters for each **Attribute**. - | Attribute | Description | - | --------- | ----------- | - | Category | Select "Fortigate" or the customized certificate store name from the previous step. | - | Container | Optional container to associate certificate store with. | - | Client Machine | The IP address or DNS of the Fortigate server | - | Store Path | This is not used in this integration, but is a required field in the UI. Just enter any value here | - | Orchestrator | Select an approved orchestrator capable of managing `Fortigate` certificates. Specifically, one with the `Fortigate` capability. | - | Store Password | Enter the Fortigate API Token here | - +#### PAM Provider Eligible Fields +
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator -
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator +If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. - If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. - | Attribute | Description | - | --------- | ----------- | - | Store Password | Enter the Fortigate API Token here | + | Attribute | Description | + | --------- | ----------- | + | StorePassword | Enter the Fortigate API Token here | - > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. -
- +Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. +> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. - 3. **Import the CSV file to create the certificate stores** +
- ```shell - kfutil stores import csv --store-type-name Fortigate --file Fortigate.csv - ``` -
-> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). +> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). diff --git a/docsource/content.md b/docsource/content.md index 498a813..a2ad76c 100644 --- a/docsource/content.md +++ b/docsource/content.md @@ -13,7 +13,9 @@ The Fortigate Orchestrator Extension DOES NOT support the following use cases: 4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case) \* Because the Fortigate API does not allow for updating certificates in place, and to avoid temporary outages, when replacing local certificates that are bound, it is necessary to create a new name (alias) for the certificate. The new name is created using the first 8 characters of the previous name (larger names truncated due to Fortigate name length constraints) allong with a suffix comprised of "--" and a 15 character hash of the current date/time. The replaced certificate with the old name is then removed from the Fortigate instance. For example, a bound certificate with the name "CertName" would be replaced and the name would then be "CertName--8DD76A97A98E4C1". The existing bindings would remain in place with the new name. At no point during the management job would any of the bound objects be left without a valid certificate binding. - +Currently, the ability to renew bound certificates is limited to these binding types: +- The HTTPS server certificate found under Global, System => Settings +- The VPN server certificate found under Root, VPN => SSL-VPN Settings ## Requirements diff --git a/docsource/images/Fortigate-advanced-store-type-dialog.png b/docsource/images/Fortigate-advanced-store-type-dialog.png index 2b71e8c..7ce7813 100644 Binary files a/docsource/images/Fortigate-advanced-store-type-dialog.png and b/docsource/images/Fortigate-advanced-store-type-dialog.png differ diff --git a/docsource/images/Fortigate-basic-store-type-dialog.png b/docsource/images/Fortigate-basic-store-type-dialog.png index d0b3863..1344d1c 100644 Binary files a/docsource/images/Fortigate-basic-store-type-dialog.png and b/docsource/images/Fortigate-basic-store-type-dialog.png differ diff --git a/docsource/images/Fortigate-custom-fields-store-type-dialog.png b/docsource/images/Fortigate-custom-fields-store-type-dialog.png index 76c8169..50422e9 100644 Binary files a/docsource/images/Fortigate-custom-fields-store-type-dialog.png and b/docsource/images/Fortigate-custom-fields-store-type-dialog.png differ