Fix private key entry #32

Merged
merged 6 commits into from
Apr 21, 2023
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,6 +1,7 @@
v1.4
- Modified authentication for API calls from Basic to Token Auth. Initial login uses id/password to retrieve temporary access token, so the same id/password credentials are still required for the certificate store, but all subsequent API calls will use the token retrieved on initial login.
- Added PAM Support
- Fix bug where Private Key Entry is always False

v1.3
- Fix to match F5 hotfix modification to handle certificates/keys with dissimilar names within F5. Please go to the [Troubleshooting Guide](Troubleshooting.md#certificate-renewal-error) for details.
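Review bot: the entry `Fix bug where Private Key Entry is always False` says what was broken but not what the new behaviour is; since the fix replaces detection with a per-store convention (CA bundle entries reported without a private key, SSL and web server entries with one, per the README change in this PR), state that here so operators understand the reported value is no longer derived from the certificate itself.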
12 changes: 5 additions & 7 deletions F5Client.cs
Expand Up @@ -388,18 +388,16 @@ private void SetItemStatus(CurrentInventoryItem agentInventoryItem)
LogHandlerCommon.MethodExit(logger, CertificateStore, "SetItemStatus");
}

private CurrentInventoryItem GetInventoryItem(string partition, string name)
private CurrentInventoryItem GetInventoryItem(string partition, string name, bool hasPrivateKey)
{
LogHandlerCommon.MethodEntry(logger, CertificateStore, "GetInventoryItem");

// Get the pfx/certificate contents from the filesystem (using a wildcard as the files have slightly randomized name suffixes)
X509Certificate2Collection certificateCollection = GetCertificateEntry($"/config/filestore/files_d/{partition}_d/certificate_d/:{partition}:{name}_*");
List<string> certContents = new List<string>();
bool useChainLevel = certificateCollection.Count > 1;
bool privateKeyEntry = false;
foreach (X509Certificate2 certificate in certificateCollection)
{
if (certificate.HasPrivateKey) { privateKeyEntry = true; }
certContents.Add(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
}

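Review bot: the removed `certificate.HasPrivateKey` check could never succeed here, because the collection is built from the `certificate_d` filestore path and each entry is exported as `X509ContentType.Cert`, which is why `PrivateKeyEntry` was always false (as the CHANGELOG entry says). Passing `hasPrivateKey` in from the caller fixes that, but the new parameter is undocumented; add an XML doc comment stating that the flag is a per-store convention supplied by the caller rather than something detected from the certificate, so a later reader does not reintroduce the detection.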
Expand All @@ -408,7 +406,7 @@ private CurrentInventoryItem GetInventoryItem(string partition, string name)
{
ItemStatus = OrchestratorInventoryItemStatus.Unknown,
Alias = crtName,
PrivateKeyEntry = privateKeyEntry,
PrivateKeyEntry = hasPrivateKey,
UseChainLevel = useChainLevel,
Certificates = certContents.ToArray()
};
Expand Down Expand Up @@ -633,7 +631,7 @@ public List<CurrentInventoryItem> GetSSLProfiles(int pageSize)
{
LogHandlerCommon.MethodEntry(logger, CertificateStore, "GetSSLProfiles");
string partition = CertificateStore.StorePath;
string query = $"/mgmt/tm/sys/file/ssl-cert?$filter=partition+eq+{partition}&$select=name,isBundle&$top={pageSize}&$skip=0";
string query = $"/mgmt/tm/sys/file/ssl-cert?$filter=partition+eq+{partition}&$select=name,keyType,isBundle&$top={pageSize}&$skip=0";
F5PagedSSLProfiles pagedProfiles = REST.Get<F5PagedSSLProfiles>(query);
List<F5SSLProfile> profiles = new List<F5SSLProfile>();
List<CurrentInventoryItem> inventory = new List<CurrentInventoryItem>();
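Review bot: `keyType` is added to the `$select` list, but neither call site changed in this PR reads `profiles[i].keyType`; the inventory flag is passed as a literal instead. Either derive `hasPrivateKey` from `keyType` here (with a null or empty check) or drop it from the query so the response does not carry an unused field. Separately, `partition` is interpolated into the `$filter` unencoded; that predates this change, but it is worth URL-encoding while the query string is being edited.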
Expand Down Expand Up @@ -674,7 +672,7 @@ public List<CurrentInventoryItem> GetSSLProfiles(int pageSize)
LogHandlerCommon.Trace(logger, CertificateStore, $"Skipping '{profiles[i].name}' because it is managed by F5");
continue;
}
inventory.Add(GetInventoryItem(partition, profiles[i].name));
inventory.Add(GetInventoryItem(partition, profiles[i].name, true));
}
catch (Exception ex)
{
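Review bot: a bare `true` in `GetInventoryItem(partition, profiles[i].name, true)` does not tell the reader what it means at the call site; a C# named argument (`hasPrivateKey: true`) or a named constant would make the SSL-store convention explicit.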
Expand Down Expand Up @@ -763,7 +761,7 @@ public List<CurrentInventoryItem> GetCABundleInventory()
string crtName = crtPathParts[1];

LogHandlerCommon.Trace(logger, CertificateStore, $"Adding inventory item for partition '{partition}' and name '{crtName}'");
inventory.Add(GetInventoryItem(partition, crtName));
inventory.Add(GetInventoryItem(partition, crtName, false));
}
catch (Exception ex)
{
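Review bot: same readability point for `GetInventoryItem(partition, crtName, false)`; a short comment noting that CA bundle entries are reported without private keys by convention (as documented in README.md in this PR) would tie the literal to the documented behaviour.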
1 change: 1 addition & 0 deletions F5DataModels.cs
Expand Up @@ -62,6 +62,7 @@ internal class F5SSLProfile
{
public string name { get; set; }
public bool isBundle { get; set; }
public string keyType { get; set; }
}

internal class F5Key
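Review bot: `keyType` is modelled as a `string` and nothing else in this PR consumes it; if it is meant to drive `PrivateKeyEntry`, the consumer will need to handle a null or empty value for entries with no associated key, and if it is not, the property and the matching `$select` addition could be dropped to keep the model minimal.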
20 changes: 11 additions & 9 deletions README.md
Expand Up @@ -4,13 +4,13 @@ The F5 Orchestrator allows for the remote management of F5 Stores. Discovery, In

#### Integration status: Production - Ready for use in production environments.

## About the Keyfactor Universal Orchestrator Capability
## About the Keyfactor Universal Orchestrator Extension

This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” &mdash; collections of certificates and roots of trust that are found within and used by various applications.
This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” &mdash; collections of certificates and roots of trust that are found within and used by various applications.

The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.

The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.



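Review bot: the rewritten sentence on the added side lost the comma before `see below` (`For configuration details of this specific Extension see below in this readme.`); restore it as `...specific Extension, see below...`. Otherwise the Capability-to-Extension rename reads consistently across the three paragraphs.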
Expand Down Expand Up @@ -100,15 +100,17 @@ The F5 Orchestrator supports three different types of certificates stores with t

- CA Bundles
- Discovery
- Inventory
- Management (Add)
- Inventory*
- Management (Add and Remove)
- Web Server Device Certificates
- Inventory
- Inventory*
- Management (Add, but replacement/renewal of existing certificate only)
- SSL Certificates
- Discovery
- Inventory
- Management (Add)
- Inventory*
- Management (Add and Remove)

*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.



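Review bot: two documentation points. First, Management for CA Bundles and SSL Certificates changes from `(Add)` to `(Add and Remove)`, but the v1.4 CHANGELOG entry in this PR does not mention Remove support, so either the changelog or this list is out of date. Second, the new note says F5 does not provide an API to determine whether a private key exists, while F5Client.cs in the same PR adds `keyType` to the `$select` query; if that field cannot answer the question, say so here, and if it can, the convention-based wording should be revisited.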
12 changes: 7 additions & 5 deletions readme_source.md
Expand Up @@ -4,15 +4,17 @@ The F5 Orchestrator supports three different types of certificates stores with t

- CA Bundles
- Discovery
- Inventory
- Management (Add)
- Inventory*
- Management (Add and Remove)
- Web Server Device Certificates
- Inventory
- Inventory*
- Management (Add, but replacement/renewal of existing certificate only)
- SSL Certificates
- Discovery
- Inventory
- Management (Add)
- Inventory*
- Management (Add and Remove)

*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.



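Review bot: this block duplicates the README.md hunk above word for word; if README.md is generated from readme_source.md, say so in the PR description so reviewers know only one copy needs review, otherwise the two files will drift apart.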