Merge branch 'merge-workflows' of https://github.com/Keyfactor/iis-orchestrator into merge-workflows

Michael Henderson · Michael Henderson · commit 70d5206338dd · 2022-07-05T12:56:24.000-07:00
diff --git a/README.md b/README.md
@@ -1,15 +1,29 @@
 # IIS Orchestrator
-## Orchestrator
 
 The IIS Orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator that ships with Keyfactor Command (which did not support binding.)
 
-<!-- add integration specific information below -->
-*** 
-**IIS Binding Orchestrator Configuration**
+#### Integration status: Production - Ready for use in production environments.
+
+## About the Keyfactor Universal Orchestrator Capability
+
+This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” &mdash; collections of certificates and roots of trust that are found within and used by various applications.
+
+The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
+
+The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
+
+---
+
+
+
+
+---
+
+**IIS Orchestrator Configuration**
 
 **Overview**
 
-The IIS Binding Orchestrator remotely manages certificates in a Windows Server local machine certificate store.
+The IIS Orchestrator remotely manages certificates in a Windows Server local machine certificate store.
 The "Personal" (My) and "Web Hosting" Stores are supported.
 Only certificates that are bound to an IIS web site are managed.
 Unbound certificates are ignored.
@@ -19,15 +33,17 @@ This agent implements three job types – Inventory, Management Add, and Managem
 WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow
 the server running the orchestrator to manage the server running IIS.
 
-**1. Create the New Certificate Store Type for the IIS Binding Orchestrator**
+**Note if you are upgrading from version 1.1.2 you must run the IISWBin 1.1.3 upgrade script.sql SQL Script**
+
+**1. Create the New Certificate Store Type for the IIS Orchestrator**
 
 In Keyfactor Command create a new Certificate Store Type similar to the one below:
 
 #### STORE TYPE CONFIGURATION
 CONFIG ELEMENT	| DESCRIPTION
 ------------------|------------------
 Name	|Descriptive name for the Store Type
-Short Name	|The short name that identifies the registered functionality of the orchestrator. Must be IISBinding
+Short Name	|The short name that identifies the registered functionality of the orchestrator. Must be IISWBin
 Custom Capability|Store type name orchestrator will register with. Must be "IISBindings".
 Needs Server	|Must be checked
 Blueprint Allowed	|Unchecked
@@ -44,7 +60,7 @@ Job Types	|Inventory, Add, and Remove are the supported job types.
 ![](images/screen1.gif)
 
 **Advanced Settings:**
-- **Custom Alias** – Can make Required, Optional or Forbidden based on the client preference
+- **Custom Alias** – Forbidden
 - **Private Key Handling** – Required
 
 ![](images/screen1-a.gif)
@@ -53,9 +69,11 @@ Job Types	|Inventory, Add, and Remove are the supported job types.
 
 - **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access
 
-Parameter Name|Parameter Type|Default Value|Required
----|---|---|---
-spnwithport|Boolean|false|No
+Parameter Name|Display Name|Parameter Type|Default Value|Required|Description
+---|---|---|---|---|---
+spnwithport|SPN With Port?|Boolean|false|No|An SPN is the name by which a client uniquely identifies an instance of a service
+WinRm Protocol|WinRm Protocol|Multiple Choice|http|Yes|Protocol that WinRM Runs on
+WinRm Port|WinRm Port|String|5985|Yes|Port that WinRM Runs on
 
 ![](images/screen1-b.gif)
 
@@ -66,7 +84,7 @@ This section must be configured with binding fields. The parameters will be popu
 - **IP Address** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The IP address for the web site being bound to. Default is &quot;\*&quot; for all IP Addresses.
 - **Port** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The port for the web site being bound to. Default is &quot;443&quot;.
 - **Host Name** – Optional. The host name for the web site being bound to.
-- *Protocol* - Required (Adding an entry, Removing an entry, Reenrolling an entry) 
+- **Protocol** - Required (Adding an entry, Removing an entry, Reenrolling an entry) 
    - https
    - http
 - **Sni Flag** – Optional. Set the SNI flag associated with the binding being created. Default is "0". Acceptable values are:
@@ -94,13 +112,41 @@ See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation.  Get from your
 In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in &quot;Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent&quot;.
 
 ![](images/screen2.gif)
+![](images/screen2-a.gif)
 
 #### STORE CONFIGURATION 
 CONFIG ELEMENT	|DESCRIPTION
 ----------------|---------------
 Category	|The type of certificate store to be configured. Select category based on the display name configured above.
 Container	|This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store.
 Client Machine	|The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell.
+Credentials |Local or domain admin account that has permissions to manage iis (Has to be admin)
 Store Path	|My or WebHosting
+WinRm Protocol|http or https
+WinRm Port |Port to run WinRm on Default for http is 5985
 Orchestrator	|This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. 
 Inventory Schedule	|The interval that the system will use to report on what certificates are currently in the store. 
+
+
+#### TEST CASES
+Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot
+----|------------------------|------------------------------------|--------------|----------------|-------------------------
+1	|New Cert Enrollment To New Binding|**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsite.com<br/>**Sni Flag:** 0 - No SNI<br/>**Protocol:** https|New Binding Created with Enrollment Params specified|True|![](images/TestCase1Results.gif)
+2   |New Cert Enrollment To Existing Binding|**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsite.com<br/>**Sni Flag:** 0 - No SNI<br/>**Protocol:** https|Existing Binding From Case 1 Updated with New Cert|True|![](images/TestCase2Results.gif)
+3   |New Cert Enrollment To Existing Binding Enable SNI |**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsite.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Will Update Site In Case 2 to Have Sni Enabled|True|![](images/TestCase3Results.gif)
+4   |New Cert Enrollment New IP Address|**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.firstsite.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|New Binding Created With New IP and New SNI on Same Port|True|![](images/TestCase4Results.gif)
+5   |New Cert Enrollment New Host Name|**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.newhostname.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|New Binding Created With different host on Same Port and IP Address|True|![](images/TestCase5Results.gif)
+6   |New Cert Enrollment Same Site New Port |**Site Name:** FirstSite<br/>**Port:** 4443<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.newhostname.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|New Binding on different port will be created with new cert enrolled|True|![](images/TestCase6Results.gif)
+7   |Remove Cert and Binding From Test Case 6|**Site Name:** FirstSite<br/>**Port:** 4443<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.newhostname.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Cert and Binding From Test Case 6 Removed|True|![](images/TestCase7Results.gif)
+8   |Renew Same Cert on 2 Different Sites|`SITE 1`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsite.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https<br/>`SITE 2`<br/>**First Site**<br/>**Site Name:** SecondSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** cstiis04.cstpki.int<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Cert will be renewed on both sites because it has the same thrumbprint|True|![](images/TestCase8Site1.gif)![](images/TestCase8Site2.gif)
+9   |Renew Same Cert on Same Site Same Binding Settings Different Hostname|`BINDING 1`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsitebinding1.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https<br/>`BINDING 2`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsitebinding2.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase9Binding1.gif)![](images/TestCase9Binding2.gif)
+10  |Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs|`BINDING 1`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsitebinding1.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https<br/>`BINDING 2`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`*`<br/>**Host Name:** www.firstsitebinding2.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Cert will be renewed on only one binding because the other binding does not match thrumbprint|True|![](images/TestCase10Binding1.gif)![](images/TestCase10Binding2.gif)
+11  |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.firstsitebinding1.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https<br/>`BINDING 2`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`192.168.58.160`<br/>**Host Name:** www.firstsitebinding1.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase11Binding1.gif)![](images/TestCase11Binding2.gif)
+12  |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`<br/>**Site Name:** FirstSite<br/>**Port:** 443<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.firstsitebinding1.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https<br/>`BINDING 2`<br/>**Site Name:** FirstSite<br/>**Port:** 543<br/>**IP Address:**`192.168.58.162`<br/>**Host Name:** www.firstsitebinding1.com<br/>**Sni Flag:** 1 - SNI Enabled<br/>**Protocol:** https|Cert will be renewed on both bindings because it has the same thrumbprint|True|![](images/TestCase12Binding1.gif)![](images/TestCase12Binding2.gif)
+
+
+
+
+
+
+
