diff --git a/CHANGELOG.md b/CHANGELOG.md index 19a9d5b..77bf195 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ 1.1.0 -* Migrate to .NET Core +* Migrate to Universal Orchestrator (KF9 / .NET Core) * Perform Renewals using RenewalThumbprint 1.0.3 @@ -8,8 +8,9 @@ * 1 SNI Enabled * 2 Non SNI binding which uses Central Certificate Store * 3 SNI binding which uses Central Certificate Store +* Last release to support Windows Orchestrator (KF8) 1.0.2 -* Remove dependnce on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote powershell +* Remove dependence on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote powershell * add support for the IncludePortInSPN flag * add support to use credentials from Keyfactor for Add/Remove/Inventory jobs. diff --git a/IISWithBindings.sln b/IISWithBindings.sln index 2e98fd4..3e42e26 100644 --- a/IISWithBindings.sln +++ b/IISWithBindings.sln @@ -8,8 +8,10 @@ EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}" ProjectSection(SolutionItems) = preProject CHANGELOG.md = CHANGELOG.md + integration-manifest.json = integration-manifest.json .github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml README.md = README.md + README.md.tpl = README.md.tpl EndProjectSection EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{6302034E-DF8C-4B65-AC36-CED24C068999}" diff --git a/IISWithBindings/Jobs/Inventory.cs b/IISWithBindings/Jobs/Inventory.cs index 28608b3..df77795 100644 --- a/IISWithBindings/Jobs/Inventory.cs +++ b/IISWithBindings/Jobs/Inventory.cs 
@@ -4,6 +4,7 @@ using System.Management.Automation.Runspaces; using System.Net; using System.Security; +using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; using Microsoft.Extensions.Logging; @@ -55,6 +56,7 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: failed." }; @@ -66,6 +68,7 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven return new JobResult { Result = OrchestratorJobStatusJobResult.Warning, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Inventory on server {config.CertificateStoreDetails.ClientMachine} did not find any bindings." }; @@ -113,20 +116,24 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Unable to open remote certificate store: {psEx.Message}" }; } catch (Exception ex) { - _logger.LogTrace(ex.Message); + _logger.LogTrace(LogHandler.FlattenException(ex)); + + string failureMessage = $"Inventory job failed for Site '{config.CertificateStoreDetails.StorePath}' on server '{config.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'"; + _logger.LogWarning(failureMessage); + return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, - FailureMessage = - $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ex.Message}" + JobHistoryId = config.JobHistoryId, + FailureMessage = failureMessage }; - } } diff --git a/IISWithBindings/Jobs/Management.cs b/IISWithBindings/Jobs/Management.cs index e7bdd6c..7be73c0 100644 
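Review bot: JobHistoryId is now set on the Failure and Warning results returned by PerformInventory (hunks at -55 and -66), but the success-path JobResult that ends the method lies outside these hunks, so it is not visible whether it carries the id as well; a success result without it would be the one remaining inconsistency if the orchestrator correlates results by JobHistoryId. The same question applies to the Failure-only additions in PerformRemoval (Management.cs hunks at -99 and -119) and in the Add path (hunks at -207 and -296). Confirm that the successful return in each method also sets `JobHistoryId = config.JobHistoryId`. PerformInventory's body begins before and continues past each of these hunks.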
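Review bot: In the catch block of the hunk at -113, `_logger.LogWarning(failureMessage)` passes an already-interpolated string where Microsoft.Extensions.Logging expects a message template, so any `{` or `}` inside `ex.Message` (PowerShell and WinRM error text can contain them) is parsed as a placeholder and, with no arguments supplied, can surface as a FormatException from the logger instead of the original failure; `_logger.LogTrace(LogHandler.FlattenException(ex))` has the same exposure. The structured form also keeps StorePath and ClientMachine filterable and attaches the exception for providers that render it: `_logger.LogWarning(ex, "Inventory job failed for Site '{StorePath}' on server '{ClientMachine}'", config.CertificateStoreDetails.StorePath, config.CertificateStoreDetails.ClientMachine);` while `failureMessage` is still returned as the FailureMessage. The identical pattern is introduced in Management.cs in the PerformRemoval catch (hunk at -138) and the Add-path catch (hunk at -313).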
--- a/IISWithBindings/Jobs/Management.cs +++ b/IISWithBindings/Jobs/Management.cs @@ -4,6 +4,7 @@ using System.Management.Automation.Runspaces; using System.Net; using System.Security.Cryptography.X509Certificates; +using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; using Microsoft.Extensions.Logging; @@ -99,7 +100,8 @@ private JobResult PerformRemoval(ManagementJobConfiguration config) if (foundBindings.Count == 0) return new JobResult { - Result = OrchestratorJobStatusJobResult.Failure, + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {protocol} binding for Site {siteName} on server {config.CertificateStoreDetails.ClientMachine} not found." }; @@ -119,7 +121,8 @@ private JobResult PerformRemoval(ManagementJobConfiguration config) if (ps.HadErrors) return new JobResult { - Result = OrchestratorJobStatusJobResult.Failure, + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Failed to remove {protocol} binding for Site {siteName} on server {config.CertificateStoreDetails.ClientMachine} not found." }; @@ -138,12 +141,16 @@ private JobResult PerformRemoval(ManagementJobConfiguration config) } catch (Exception ex) { - _logger.LogTrace(ex.Message); + _logger.LogTrace(LogHandler.FlattenException(ex)); + + string failureMessage = $"Remove job failed for Site '{config.CertificateStoreDetails.StorePath}' on server '{config.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'"; + _logger.LogWarning(failureMessage); + return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, - FailureMessage = - $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ex.Message}" + JobHistoryId = config.JobHistoryId, + FailureMessage = failureMessage }; } } 
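Review bot: The `ps.HadErrors` result in the hunk at -119 now carries JobHistoryId but its FailureMessage, `Failed to remove {protocol} binding for Site {siteName} on server ... not found.`, still combines the "removal failed" and "binding not found" outcomes in one sentence, and unlike the Add path it does not include anything from `ps.Streams.Error`, so an operator cannot tell from the job history why the remote PowerShell call failed. Since this line is being touched for JobHistoryId anyway, consider dropping the trailing "not found" and appending the first error record's message as the Add path does. PerformRemoval's body begins before this hunk.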
@@ -207,7 +214,8 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st if (ps.HadErrors) return new JobResult { - Result = OrchestratorJobStatusJobResult.Failure, + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ps.Streams.Error.ReadAll().First().ErrorDetails.Message}" }; @@ -296,7 +304,8 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st if (ps.HadErrors) return new JobResult { - Result = OrchestratorJobStatusJobResult.Failure, + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ps.Streams.Error.ReadAll().First().ErrorDetails.Message}" }; @@ -313,12 +322,16 @@ function InstallPfxToMachineStore([byte[]]$bytes, [string]$password, [string]$st } catch (Exception ex) { - _logger.LogTrace(ex.Message); + _logger.LogTrace(LogHandler.FlattenException(ex)); + + string failureMessage = $"Add job failed for Site '{config.CertificateStoreDetails.StorePath}' on server '{config.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'"; + _logger.LogWarning(failureMessage); + return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, - FailureMessage = - $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {ex.Message}" + JobHistoryId = config.JobHistoryId, + FailureMessage = failureMessage }; } } diff --git a/README.md b/README.md index db8d0f1..816cc4e 100644 --- a/README.md +++ b/README.md 
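Review bot: The `ps.HadErrors` results in the hunks at -207 and -296 now set JobHistoryId, but the FailureMessage on the next line still dereferences `ps.Streams.Error.ReadAll().First().ErrorDetails.Message`; on a PowerShell ErrorRecord, ErrorDetails is only populated when a script sets it explicitly and is otherwise null, so this path would throw NullReferenceException and the new catch block would report "Add job failed ... Object reference not set" instead of the real remote error. Reading the record once and falling back to the exception text avoids that: `var err = ps.Streams.Error.ReadAll().First();` then `var detail = err.ErrorDetails?.Message ?? err.Exception?.Message;` and use `{detail}` in the message. The enclosing Add method begins outside these hunks.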
@@ -1,27 +1,34 @@ -# Windows IIS Orchestrator +# Windows IIS Binding Orchestrator ## Orchestrator -The IIS-With-Bindings AnyAgent allows a user to create, configure, and manage a Keyfactor certificate store defined as an Internet Information Systems (IIS) binding definition. The certificate itself will still be stored in the defined server's personal certificate store, but the management within Keyfactor will be abstracted to appear as if the binding itself houses the certificate. +The IIS Bindings orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator (which did not support binding.) *** -**IIS With Binding AnyAgent Configuration** +**IIS Binding Orchestrator Configuration** **Overview** -The IIS-With-Bindings AnyAgent allows a user to create, configure, and manage a Keyfactor certificate store defined as an Internet Information Systems (IIS) binding definition. The certificate itself will still be stored in the defined server's personal certificate store, but the management within Keyfactor will be abstracted to appear as if the binding itself houses the certificate. +The IIS Binding Orchestrator remotely manages certificates in a Windows Server local machine certificate store. +The "Personal" (My) and "Web Hosting" Stores are supported. +Only certificates that are bound to an IIS web site are managed. +Unbound certificates are ignored. This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this AnyAgent. -**1. Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent** +WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow +the server running the orchestrator to manage the server running IIS. + +**1. 
Create the New Certificate Store Type for the IIS Binding Orchestrator** In Keyfactor Command create a new Certificate Store Type similar to the one below: #### STORE TYPE CONFIGURATION CONFIG ELEMENT | DESCRIPTION ----------------------|------------------ +------------------|------------------ Name |Descriptive name for the Store Type Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISBinding +Custom Capability|Store type name orchestrator will register with. Must be "IISBindings". Needs Server |Must be checked Blueprint Allowed |Unchecked Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. @@ -30,7 +37,7 @@ Supports Custom Alias |Determines if an individual entry within a store can have Uses PowerShell |Unchecked Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. This must be Multiple Choice Store Path Value|A comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting -Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is requried since IIS will need the private key material to establish TLS connections. +Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections. PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). Job Types |Inventory, Add, and Remove are the supported job types. 
@@ -44,25 +51,16 @@ Job Types |Inventory, Add, and Remove are the supported job types. **Custom Fields:** - - - +- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access -- **SPN With Port** – Defaults to false but some customers need for remote Powershell Access -
Parameter NameParameter TypeDefault ValueRequired
spnwithportBooleanfalseNo
+Parameter Name|Parameter Type|Default Value|Required +---|---|---|--- +spnwithport|Boolean|false|No ![](images/screen1-b.gif) **Entry Parameters:** This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
- - - - - - - - - **Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site" - **IP Address** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The IP address for the web site being bound to. Default is "\*" for all IP Addresses. @@ -71,19 +69,27 @@ This section must be configured with binding fields. The parameters will be popu - *Protocol* - Required (Adding an entry, Removing an entry, Reenrolling an entry) - https - http -- **Sni Flag** – Optional. Set the SNI flag assoicated with the binding being created.Default is "0". Acceptable values are: +- **Sni Flag** – Optional. Set the SNI flag associated with the binding being created. Default is "0". Acceptable values are: - 0 - No SNI - 1 - SNI Enabled - 2 - Non SNI Binding - 3 - SNI Binding -
Parameter NameParameter TypeDefault ValueRequired
PortString443Yes
IP AddressString*Yes
Host NameStringNo
Site NameStringDefault Web SiteYes
Sni FlagString0 - No SNINo
ProtocolMultiple ChoicehttpsYes
+ +Parameter Name|Parameter Type|Default Value|Required +---|---|---|--- +Port|String|443|Yes +IP Address|String|*|Yes +Host Name |String||No +Site Name |String|Default Web Site|Yes +Sni Flag |String|0 - No SNI|No +Protocol |Multiple Choice|https|Yes ![](images/screen1-c.gif) -**2. Register the IIS-With-Bindings AnyAgent with Keyfactor** -See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representitive. +**2. Register the IIS Binding Orchestrator with Keyfactor** +See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. -**3. Create an IIS With Binding Certificate Store within Keyfactor Command** +**3. Create an IIS Binding Certificate Store within Keyfactor Command** In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent". diff --git a/README.md.tpl b/README.md.tpl index b5bceab..e90746e 100644 --- a/README.md.tpl +++ b/README.md.tpl 
@@ -5,23 +5,30 @@ *** -**IIS With Binding AnyAgent Configuration** +**IIS Binding Orchestrator Configuration** **Overview** -The IIS-With-Bindings AnyAgent allows a user to create, configure, and manage a Keyfactor certificate store defined as an Internet Information Systems (IIS) binding definition. The certificate itself will still be stored in the defined server's personal certificate store, but the management within Keyfactor will be abstracted to appear as if the binding itself houses the certificate. +The IIS Binding Orchestrator remotely manages certificates in a Windows Server local machine certificate store. +The "Personal" (My) and "Web Hosting" Stores are supported. +Only certificates that are bound to an IIS web site are managed. +Unbound certificates are ignored. This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this AnyAgent. -**1. Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent** +WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow +the server running the orchestrator to manage the server running IIS. + +**1. Create the New Certificate Store Type for the IIS Binding Orchestrator** In Keyfactor Command create a new Certificate Store Type similar to the one below: #### STORE TYPE CONFIGURATION CONFIG ELEMENT | DESCRIPTION ----------------------|------------------ +------------------|------------------ Name |Descriptive name for the Store Type Short Name |The short name that identifies the registered functionality of the orchestrator. Must be IISBinding +Custom Capability|Store type name orchestrator will register with. Must be "IISBindings". Needs Server |Must be checked Blueprint Allowed |Unchecked Requires Store Password |Determines if a store password is required when configuring an individual store. This must be unchecked. 
@@ -30,7 +37,7 @@ Supports Custom Alias |Determines if an individual entry within a store can have Uses PowerShell |Unchecked Store Path Type |Determines what restrictions are applied to the store path field when configuring a new store. This must be Multiple Choice Store Path Value|A comma separated list of options to select from for the Store Path. This, combined with the hostname, will determine the location used for the certificate store management and inventory. Must be My, WebHosting -Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is requried since IIS will need the private key material to establish TLS connections. +Private Keys |This determines if Keyfactor can send the private key associated with a certificate to the store. This is required since IIS will need the private key material to establish TLS connections. PFX Password Style |This determines how the platform generate passwords to protect a PFX enrollment job that is delivered to the store. This can be either Default (system generated) or Custom (user determined). Job Types |Inventory, Add, and Remove are the supported job types. @@ -44,25 +51,16 @@ Job Types |Inventory, Add, and Remove are the supported job types. **Custom Fields:** - - - +- **SPN With Port** – Defaults to false but some customers need for remote PowerShell Access -- **SPN With Port** – Defaults to false but some customers need for remote Powershell Access -
Parameter NameParameter TypeDefault ValueRequired
spnwithportBooleanfalseNo
+Parameter Name|Parameter Type|Default Value|Required +---|---|---|--- +spnwithport|Boolean|false|No ![](images/screen1-b.gif) **Entry Parameters:** This section must be configured with binding fields. The parameters will be populated with the appropriate data when creating a new certificate store.
- - - - - - - - - **Site Name** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The site name for the web site being bound to – i.e. "Default Web Site" - **IP Address** – Required (Adding an entry, Removing an entry, Reenrolling an entry). The IP address for the web site being bound to. Default is "\*" for all IP Addresses. @@ -71,19 +69,27 @@ This section must be configured with binding fields. The parameters will be popu - *Protocol* - Required (Adding an entry, Removing an entry, Reenrolling an entry) - https - http -- **Sni Flag** – Optional. Set the SNI flag assoicated with the binding being created.Default is "0". Acceptable values are: +- **Sni Flag** – Optional. Set the SNI flag associated with the binding being created. Default is "0". Acceptable values are: - 0 - No SNI - 1 - SNI Enabled - 2 - Non SNI Binding - 3 - SNI Binding -
Parameter NameParameter TypeDefault ValueRequired
PortString443Yes
IP AddressString*Yes
Host NameStringNo
Site NameStringDefault Web SiteYes
Sni FlagString0 - No SNINo
ProtocolMultiple ChoicehttpsYes
+ +Parameter Name|Parameter Type|Default Value|Required +---|---|---|--- +Port|String|443|Yes +IP Address|String|*|Yes +Host Name |String||No +Site Name |String|Default Web Site|Yes +Sni Flag |String|0 - No SNI|No +Protocol |Multiple Choice|https|Yes ![](images/screen1-c.gif) -**2. Register the IIS-With-Bindings AnyAgent with Keyfactor** -See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representitive. +**2. Register the IIS Binding Orchestrator with Keyfactor** +See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. -**3. Create an IIS With Binding Certificate Store within Keyfactor Command** +**3. Create an IIS Binding Certificate Store within Keyfactor Command** In Keyfactor Command create a new Certificate Store similar to the one below, selecting IIS With Binding as the Category and the parameters as described in "Create the New Certificate Store Type for the New IIS-With-Bindings AnyAgent". @@ -97,4 +103,4 @@ Container |This is a logical grouping of like stores. This configuration is opti Client Machine |The hostname of the server to be managed. The Change Credentials option must be clicked to provide a username and password. This account will be used to manage the remote server via PowerShell. Store Path |My or WebHosting Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. -Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. +Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. \ No newline at end of file diff --git a/integration-manifest.json b/integration-manifest.json index df220ab..0f1689a 100644 --- a/integration-manifest.json +++ b/integration-manifest.json 
@@ -1,7 +1,7 @@ { - "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", - "integration_type": "orchestrator", - "name": "Windows IIS Orchestrator", - "status": "Development", - "description": "The IIS-With-Bindings AnyAgent allows a user to create, configure, and manage a Keyfactor certificate store defined as an Internet Information Systems (IIS) binding definition. The certificate itself will still be stored in the defined server's personal certificate store, but the management within Keyfactor will be abstracted to appear as if the binding itself houses the certificate." + "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", + "integration_type": "orchestrator", + "name": "Windows IIS Binding Orchestrator", + "status": "Development", + "description": "The IIS Bindings orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator (which did not support binding.)" } \ No newline at end of file