|
1 | 1 | ## Overview |
2 | 2 |
|
3 | | -TODO Overview is a required section |
| 3 | +The Kemp Load Balancer Universal Orchestrator extension enables remote management of cryptographic certificates on Kemp Load Balancers. Kemp Load Balancers use certificates to secure HTTP and HTTPS traffic efficiently, ensuring that sensitive data is encrypted during transit. This extension integrates with Keyfactor Command to automate the process of inventorying, adding, and removing certificates within Kemp Load Balancer environments. By leveraging this orchestrator, administrators can easily manage SSL/TLS certificates, ensuring the security and reliability of their load balancing infrastructure. |
4 | 4 |
|
5 | | -## Requirements |
| 5 | +# Enabling API Access for Keyfactor on Kemp LoadMaster |
6 | 6 |
|
7 | | -TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info |
| 7 | +This guide explains how to enable API access for a specific user on a Kemp LoadMaster appliance to allow Keyfactor Orchestrator integrations for certificate management and inventory operations. |
8 | 8 |
|
9 | | -## Discovery Job Configuration |
| 9 | +--- |
10 | 10 |
|
11 | | -TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info |
| 11 | +## 🧩 Step-by-Step: Enabling API Access for a User |
12 | 12 |
|
13 | | -## Certificate Store Configuration |
| 13 | +### 1. Log in to the Kemp Web UI |
| 14 | +- In your browser, go to: |
| 15 | + ``` |
| 16 | + https://<loadmaster-hostname-or-ip>:8443 |
| 17 | + ``` |
| 18 | +- Log in as an administrator account that can manage users. |
14 | 19 |
|
15 | | -TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info |
| 20 | +--- |
16 | 21 |
|
17 | | -## Global Store Type Section |
| 22 | +### 2. Edit the User Permissions |
| 23 | +1. In the left-hand menu, navigate to: |
| 24 | + ``` |
| 25 | + System Configuration → System Administration → User Management |
| 26 | + ``` |
| 27 | +2. Locate the user account that will be used by the Keyfactor Orchestrator (for example: `bhill`). |
| 28 | +3. Click **Modify** next to that user to open the **Permissions for User** screen. |
| 29 | +4. Under **Rules**, enable the following options: |
| 30 | + - ✅ **Certificate Creation** |
| 31 | + - ✅ **Intermediate Certificates** |
| 32 | +5. Click **Set Permissions** to apply the changes. |
18 | 33 |
|
19 | | -TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info |
| 34 | +These permissions allow the orchestrator to create and manage intermediate and server certificates. |
20 | 35 |
|
| 36 | +--- |
| 37 | + |
| 38 | +### 3. Generate and Record the API Key |
| 39 | +1. Scroll down to the **API Keys** section. |
| 40 | +2. Click **Generate New APIKey** to create a new key for API authentication. |
| 41 | +3. Copy and securely store this key — it will be used in your Keyfactor orchestrator configuration as the **ServerPassword** or **API Key**. |
| 42 | +4. You can later use **Delete** to revoke it if needed. |
| 43 | + |
| 44 | +--- |
| 45 | + |
| 46 | +### 4. Verify API Access |
| 47 | +Use a command line or PowerShell session to verify connectivity: |
| 48 | + |
| 49 | +#### Using curl: |
| 50 | +```bash |
| 51 | +curl -k -H "Authorization: <API_KEY>" https://<loadmaster-ip>:8443/access/list |
| 52 | +``` |
| 53 | + |
| 54 | +#### Using PowerShell: |
| 55 | +```powershell |
| 56 | +Invoke-RestMethod -Uri "https://<loadmaster-ip>:8443/access/list" -Headers @{ Authorization = "<API_KEY>" } -SkipCertificateCheck |
| 57 | +``` |
| 58 | + |
| 59 | +If you receive a JSON response, API access is successfully configured. |
| 60 | + |
| 61 | + |
| 62 | +### ✅ Summary of Required Settings |
| 63 | + |
| 64 | +| Setting | Location | Value | |
| 65 | +|----------|-----------|--------| |
| 66 | +| Certificate Creation | User Permissions | Enabled | |
| 67 | +| Intermediate Certificates | User Permissions | Enabled | |
| 68 | +| API Key | User Management (Modify user) | Generated | |
| 69 | +| Allow Web Administrative Access | Remote Access | Enabled | |
| 70 | +| Enable API Interface | Remote Access | Enabled | |
| 71 | +| Port | Remote Access | 8443 | |
| 72 | +| Authentication Method | Remote Access | Password Only (default) | |
| 73 | + |
| 74 | +--- |
| 75 | + |
| 76 | +## Kemp LoadMaster Orchestrator – Behavior Summary |
| 77 | + |
| 78 | +This document summarizes the observed behaviors of the **Kemp LoadMaster Orchestrator** integration during SSL and Intermediate Certificate management operations. |
| 79 | +It details how the orchestrator interacts with the LoadMaster API, handles overwrite logic, manages bindings, and synchronizes data with Keyfactor Command. |
| 80 | + |
| 81 | +--- |
| 82 | + |
| 83 | +### 🧩 Overall Integration Behavior |
| 84 | + |
| 85 | +- The orchestrator communicates with the **Kemp LoadMaster REST API** using the configured **ServerUsername**, **API Key**, and **SSL (HTTPS)** over port 8443. |
| 86 | +- Operations are driven by the **Overwrite flag** and **Alias Name** supplied in the job parameters. |
| 87 | +- Certificates are managed in two categories: |
| 88 | + - **SSL Certificates** – used by virtual services (may be bound/unbound). |
| 89 | + - **Intermediate Certificates** – uploaded supporting CA chain files. |
| 90 | +- The orchestrator validates overwrite rules, binding constraints, and synchronization with Keyfactor Command for each operation. |
| 91 | + |
| 92 | +--- |
| 93 | + |
| 94 | +### 🧪 Test Case Behavior Summary |
| 95 | + |
| 96 | +| # | Case Name | Behavior Summary | Outcome | |
| 97 | +|---|------------|------------------|----------| |
| 98 | +| **1** | **New Add New Alias SSL Certificates** | When a new alias (`TC1`) is provided and the certificate does not exist, the orchestrator successfully uploads a new SSL certificate to the LoadMaster and registers it in Keyfactor. | ✅ New certificate created successfully. | |
| 99 | +| **2** | **Replace Alias SSL Certificates** | The orchestrator detects an existing alias (`TC1`) and, with **Overwrite=True**, replaces the existing SSL certificate. The old certificate file is overwritten. | ✅ Replacement successful. | |
| 100 | +| **3** | **Replace Alias SSL Certificates (No Overwrite)** | Attempting to replace an existing alias without the overwrite flag causes the orchestrator to abort the operation and return an error indicating the flag is required. | ✅ Expected error: “Overwrite flag should be used.” | |
| 101 | +| **4** | **Replace Alias Bound SSL Certificates** | When a certificate bound to a virtual service is replaced with **Overwrite=True**, the orchestrator updates the certificate file while maintaining the existing service binding. | ✅ Bound certificate replaced in place. | |
| 102 | +| **5** | **Remove Bound SSL Certificate** | The orchestrator prevents removal of any certificate that is currently bound to a virtual service, returning an error message. | ✅ Error handled correctly (“cannot remove bound certificates”). | |
| 103 | +| **6** | **Remove Unbound SSL Certificate** | The orchestrator removes an SSL certificate only if it is unbound, confirming removal through the LoadMaster API. | ✅ Certificate removed successfully. | |
| 104 | +| **7** | **New Add New Alias Intermediate Certificates** | A new intermediate certificate (`TC8b`) is uploaded since no alias conflict exists. It appears under the Intermediate Certificates list. | ✅ Intermediate certificate created. | |
| 105 | +| **8** | **Replace Alias Intermediate Certificates** | Kemp does not support overwriting intermediate certificates. The orchestrator logs and returns the expected API error (`Filename already exists`). | ✅ Expected failure recorded. | |
| 106 | +| **9** | **Remove Intermediate Certificates** | The orchestrator deletes the intermediate certificate (`TC8b`) from the LoadMaster and synchronizes removal from Keyfactor Command. | ✅ Certificate removed successfully. | |
| 107 | +| **10** | **Inventory Intermediate Certificates** | Performs an inventory scan of all intermediate certificates on the LoadMaster, importing them into Keyfactor Command. | ✅ Inventory successful. | |
| 108 | +| **11** | **Inventory SSL Certificates** | Enumerates all SSL certificates (bound and unbound) on the LoadMaster and updates Keyfactor’s inventory accordingly. | ✅ Inventory successful. | |
| 109 | + |
| 110 | +--- |
| 111 | + |
| 112 | +### ⚙️ Functional Insights |
| 113 | + |
| 114 | +- **Overwrite Logic:** SSL certificates respect the `Overwrite` flag. Intermediate certificates cannot be overwritten. |
| 115 | +- **Binding Awareness:** The orchestrator checks for bound services before delete or replace operations. |
| 116 | +- **Error Handling:** Clear API error messages are surfaced in Keyfactor job logs. |
| 117 | +- **Synchronization:** Add/Remove/Inventory maintain consistent state between Keyfactor and LoadMaster. |
| 118 | +- **Security:** All operations occur over HTTPS using API Key authentication. |
| 119 | + |
| 120 | +--- |
| 121 | + |
| 122 | +### ✅ Operation Coverage Summary |
| 123 | + |
| 124 | +| Operation | Certificate Type | Supported | Notes | |
| 125 | +|------------|------------------|------------|--------| |
| 126 | +| Add | SSL | ✅ | Creates new alias or replaces with overwrite flag | |
| 127 | +| Replace | SSL | ✅ | Requires `Overwrite=True` | |
| 128 | +| Replace | Intermediate | ❌ | Unsupported – API rejects | |
| 129 | +| Remove | SSL | ✅ | Allowed only if unbound | |
| 130 | +| Remove | Intermediate | ✅ | Fully supported | |
| 131 | +| Inventory | SSL | ✅ | Returns all SSL certificates | |
| 132 | +| Inventory | Intermediate | ✅ | Returns all intermediate certificates | |
| 133 | + |
| 134 | +--- |
| 135 | + |
| 136 | + |
| 137 | + |
| 138 | +## TEST CASES |
| 139 | +Case Number|Case Name|Case Description|Overwrite Flag|Alias Name|Expected Results|Passed|Screenshots |
| 140 | +------------|---------|----------------|--------------|----------|----------------|--------------|------------ |
| 141 | +1|New Add New Alias SSL Certificates|Will Create a new SSL Certificate|False|TC1|New SSL Certificate with Alias TC1 Created On Kemp LoadMaster|True| |
| 142 | +2|Replace Alias SSL Certificates|Will Replace SSL Certificate|True|TC1|SSL Certificate with Alias TC1 Replaced On Kemp LoadMaster|True| |
| 143 | +3|Replace Alias SSL Certificates no Overwrite|Will Replace SSL Certificate|False|TC1|Error should occur stating Overwrite flag should be used|True| |
| 144 | +4|Replace Alias Bound SSL Certificates|Will Replace Bound SSL Certificate|True|TC1|Bound Certificate should be replaced|True| |
| 145 | +5|Remove Bound SSL Certificate|Should fail as you cannot remove Bound Certificates|N/A|TC1|Error Occurs stating you cannot remove bound certificates.|True| |
| 146 | +6|Remove UnBound SSL Certificate|Try to remove SSL Certificate that is UnBound|N/A|TC8a|Unbound Certificate Is Removed from LoadMaster.|True| |
| 147 | +7|New Add New Alias Intermediate Certificates|Will Create a new Intermediate Certificate|False|TC8b|New Intermediate Certificate with Alias TC8b Created On Kemp LoadMaster|True| |
| 148 | +8|Replace Alias Intermediate Certificates|You cannot replace intermediate certificates|True|TC8b|Command Failed: Filename already exists|True| |
| 149 | +9|Remove Intermediate Certificates|Intermediate Certificate Will Be Removed|N/A|TC8b|Intermediate Certificate Is Removed From Keyfactor and the LoadMaster|True| |
| 150 | +10|Inventory Intermediate Certificates|Intermediate Certificate Will Be Inventoried|N/A|N/A|Intermediate Certificate Is Inventoried to Keyfactor|True| |
| 151 | +11|Inventory SSL Certificates|SSL Certificate Will Be Inventoried|N/A|N/A|SSL Certificate Is Inventoried to Keyfactor|True| |
0 commit comments