From 0c4926b29c84f3b3a5f289d5ca722f083cbfd4ba Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 22 Oct 2025 15:43:20 +0000 Subject: [PATCH 1/4] Update store_types.json for all:latest --- cmd/store_types.json | 154 ++++++++++++++++++++++++++++++++++++++++--- store_types.json | 154 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 292 insertions(+), 16 deletions(-) diff --git a/cmd/store_types.json b/cmd/store_types.json index 6fac9af3..418e37d0 100644 --- a/cmd/store_types.json +++ b/cmd/store_types.json @@ -17,6 +17,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "PreserveExistingTags", + "DisplayName": "Preserve Existing Tags", + "Description": "If true, this will perform a union of any tags provided with enrollment with the tags on the existing cert with the same alias and apply the result to the new certificate.", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], @@ -957,7 +970,7 @@ "PowerShell": false, "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden", - "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the the \"host\" value from the API credentials file.", + "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the \"host\" value from the API credentials file.", "StorePathDescription": "The Akamai network the certificate will be managed from. Value can be either \"Production\" or \"Staging\"." }, { 
@@ -1064,6 +1077,77 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Axis IP Camera", + "ShortName": "AxisIPCamera", + "Capability": "AxisIPCamera", + "ServerRequired": true, + "BlueprintAllowed": false, + "PowerShell": false, + "CustomAliasAllowed": "Required", + "PrivateKeyAllowed": "Forbidden", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. This should always be \"True\"" + } + ], + "EntryParameters": [ + { + "Name": "CertUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "HTTPS,IEEE802.X,MQTT,Trust,Other", + "Description": "The Certificate Usage to assign to the cert after enrollment. Can be left 'Other' to be assigned later." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. 
`0b7c3d2f9e8a`", + "StorePathType": "", + "StorePathValue": "", + "JobProperties": [] + }, { "Name": "Azure App Registration (Application)", "ShortName": "AzureApp", @@ -2896,8 +2980,8 @@ "ShortName": "HPiLO", "Capability": "HPiLO", "LocalStore": false, - "StorePathDescription": "This should contain the path pointing to the HPiLO instance address, IP or domain name.", - "ClientMachineDescription": "Should contain a copy of the store path for compatibility reasons but is currently unused.", + "StorePathDescription": "This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API.", + "ClientMachineDescription": "Currently unused.", "SupportedOperations": { "Add": true, "Create": false, @@ -2955,11 +3039,11 @@ "StoreRequired": false, "Style": "Default" }, - "PrivateKeyAllowed": "Optional", + "PrivateKeyAllowed": "Required", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Required" }, { "Name": "IIS Bound Certificate", @@ -3133,7 +3217,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", 
@@ -4055,6 +4139,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4169,6 +4262,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4283,6 +4385,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -4406,6 +4517,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4556,6 +4676,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4670,6 +4799,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -5015,7 +5153,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", @@ -5150,7 +5288,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", diff --git a/store_types.json b/store_types.json index 6fac9af3..418e37d0 100644 --- a/store_types.json +++ b/store_types.json @@ -17,6 +17,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "PreserveExistingTags", + "DisplayName": "Preserve Existing Tags", + "Description": "If true, this will perform a union of any tags provided with enrollment with the tags on the existing cert with the same alias and apply the result to the new certificate.", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], 
@@ -957,7 +970,7 @@ "PowerShell": false, "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden", - "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the the \"host\" value from the API credentials file.", + "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the \"host\" value from the API credentials file.", "StorePathDescription": "The Akamai network the certificate will be managed from. Value can be either \"Production\" or \"Staging\"." }, { 
@@ -1064,6 +1077,77 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Axis IP Camera", + "ShortName": "AxisIPCamera", + "Capability": "AxisIPCamera", + "ServerRequired": true, + "BlueprintAllowed": false, + "PowerShell": false, + "CustomAliasAllowed": "Required", + "PrivateKeyAllowed": "Forbidden", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. This should always be \"True\"" + } + ], + "EntryParameters": [ + { + "Name": "CertUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "HTTPS,IEEE802.X,MQTT,Trust,Other", + "Description": "The Certificate Usage to assign to the cert after enrollment. Can be left 'Other' to be assigned later." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. 
`0b7c3d2f9e8a`", + "StorePathType": "", + "StorePathValue": "", + "JobProperties": [] + }, { "Name": "Azure App Registration (Application)", "ShortName": "AzureApp", @@ -2896,8 +2980,8 @@ "ShortName": "HPiLO", "Capability": "HPiLO", "LocalStore": false, - "StorePathDescription": "This should contain the path pointing to the HPiLO instance address, IP or domain name.", - "ClientMachineDescription": "Should contain a copy of the store path for compatibility reasons but is currently unused.", + "StorePathDescription": "This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API.", + "ClientMachineDescription": "Currently unused.", "SupportedOperations": { "Add": true, "Create": false, @@ -2955,11 +3039,11 @@ "StoreRequired": false, "Style": "Default" }, - "PrivateKeyAllowed": "Optional", + "PrivateKeyAllowed": "Required", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Required" }, { "Name": "IIS Bound Certificate", @@ -3133,7 +3217,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", 
@@ -4055,6 +4139,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4169,6 +4262,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4283,6 +4385,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -4406,6 +4517,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4556,6 +4676,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4670,6 +4799,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -5015,7 +5153,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", @@ -5150,7 +5288,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", From 918116d5a375b9c12894dbf59603eba72f2a82bf Mon Sep 17 00:00:00 2001 
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:18:52 -0700 Subject: [PATCH 2/4] fix(ci): check branch existence instead of open PRs for checkout strategy The update-stores workflow was failing with a non-fast-forward push error when a branch already existed remotely but had no open PR. The check-branch step only queried open PRs to determine whether to create or commit to a branch, so an orphaned remote branch would always trigger the 'create' path, causing the push to be rejected. Fix by checking actual branch existence via git.getRef, using that to select the checkout strategy (commit vs create), and separately tracking HAS_OPEN_PR to control PR creation. Also adds a schedule trigger (daily at midnight UTC) with default inputs of all/latest. --- .github/workflows/update-stores.yml | 48 ++++++++++++++++------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/.github/workflows/update-stores.yml b/.github/workflows/update-stores.yml index 1330fe9e..c4543374 100644 --- a/.github/workflows/update-stores.yml +++ b/.github/workflows/update-stores.yml @@ -1,6 +1,8 @@ name: Create Cert Store Update Pull Request on: + schedule: + - cron: '0 0 * * *' repository_dispatch: types: targetRepo-event workflow_dispatch: @@ -16,6 +18,12 @@ jobs: create_pull_request: runs-on: ubuntu-latest steps: + - name: Set TARGET_REPO_BRANCH from schedule + if: github.event_name == 'schedule' + run: | + echo "TARGET_REPO_BRANCH=latest" | tee -a $GITHUB_ENV + echo "KFUTIL_ARG=all" | tee -a $GITHUB_ENV + - name: Set TARGET_REPO_BRANCH from workflow_dispatch input if: github.event_name == 'workflow_dispatch' id: set-local-env-vars 
@@ -42,33 +50,31 @@ jobs: uses: actions/github-script@v7 with: script: | - // Look for open pull requests const owner = context.repo.owner; const repo = context.repo.repo; - const pulls = await github.rest.pulls.list({ - owner, - repo, - state: "open" - }); - // Filter out ones matching our branch naming convention - const filteredData = pulls.data.filter(item => item.head.ref === '${{ env.BRANCH_NAME }}'); - const isBranch = (filteredData.length > 0) - if (isBranch) { - const { - head: { ref: incomingBranch }, base: { ref: baseBranch } - } = pulls.data[0] - core.setOutput('PR_BRANCH', 'commit'); // Just commit since the branch exists - console.log(`incomingBranch: ${incomingBranch}`) - console.log(`baseBranch: ${baseBranch}`) - } else { - core.setOutput('PR_BRANCH', 'create') // No branch, create one + const branchName = '${{ env.BRANCH_NAME }}'; + + // Check if the branch itself exists + let branchExists = false; + try { + await github.rest.git.getRef({ owner, repo, ref: `heads/${branchName}` }); + branchExists = true; + } catch (e) { + branchExists = false; } - console.log(`Branch exists? ${filteredData.length > 0}`) - console.log(`Branch name: ${{env.BRANCH_NAME}}`) + + // Check for an open PR targeting this branch + const pulls = await github.rest.pulls.list({ owner, repo, state: "open" }); + const hasOpenPR = pulls.data.some(item => item.head.ref === branchName); + + console.log(`Branch exists: ${branchExists}, Open PR: ${hasOpenPR}, Branch name: ${branchName}`); + core.setOutput('PR_BRANCH', branchExists ? 'commit' : 'create'); + core.setOutput('HAS_OPEN_PR', String(hasOpenPR)); - name: set env.PR_BRANCH value for jobs run: | echo "PR_BRANCH=${{steps.check-branch.outputs.PR_BRANCH}}" | tee -a $GITHUB_ENV + echo "HAS_OPEN_PR=${{steps.check-branch.outputs.HAS_OPEN_PR}}" | tee -a $GITHUB_ENV # If the branch with an open PR already exists, first check out that branch from kfutil - name: Check out existing repo merge branch 
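Review bot: The `catch (e)` around `git.getRef` treats every failure as "branch does not exist", so an auth error, rate limit or transient API error silently selects the `create` path and reproduces exactly the non-fast-forward push this commit is fixing; only a 404 should be swallowed (`if (e.status !== 404) throw e;`). The open-PR check still scans a single unpaginated page of `pulls.list` (30 results by default), so an open PR beyond the first page reports `HAS_OPEN_PR=false` and a duplicate PR gets opened; passing `head: owner:branch` to the API (or using `github.paginate`) makes the answer independent of page size. `const branchName = '${{ env.BRANCH_NAME }}';` also splices a workflow value into the JavaScript source; BRANCH_NAME is assigned outside this hunk, and if it derives from the workflow_dispatch input or the repository_dispatch payload a value containing a quote becomes script injection, whereas reading `process.env.BRANCH_NAME` (env variables are already exported to the step's process) is not interpolated into code. The rewritten script is below; the logging and `core.setOutput` lines are unchanged.
```yaml
        script: |
          const owner = context.repo.owner;
          const repo = context.repo.repo;
          // Read from the process environment instead of splicing a workflow
          // expression into the script source.
          const branchName = process.env.BRANCH_NAME;

          let branchExists = false;
          try {
            await github.rest.git.getRef({ owner, repo, ref: `heads/${branchName}` });
            branchExists = true;
          } catch (e) {
            // Only 404 means "no such ref"; auth, rate-limit or network errors
            // must fail the step instead of selecting the 'create' path.
            if (e.status !== 404) throw e;
          }

          // Filter server-side by head ref so the result does not depend on
          // the first page of pulls.list.
          const pulls = await github.rest.pulls.list({
            owner, repo, state: "open", head: `${owner}:${branchName}`,
          });
          const hasOpenPR = pulls.data.length > 0;
          // … unchanged: console.log and core.setOutput calls …
```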
@@ -192,7 +198,7 @@ jobs: cwd: './merge-folder/' - name: Create new PR for the newly created branch - if: env.UPDATE_FILE == 'T' && env.PR_BRANCH == 'create' + if: env.UPDATE_FILE == 'T' && env.HAS_OPEN_PR == 'false' uses: actions/github-script@v7 with: script: | From 21aa6151c9fb1f0c1725ac59e332e24b0aa12fd7 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 30 Apr 2026 16:21:25 +0000 Subject: [PATCH 3/4] Update store_types.json for all:latest --- cmd/store_types.json | 1379 ++++++++++++++++++++++++++++++++---------- store_types.json | 1379 ++++++++++++++++++++++++++++++++---------- 2 files changed, 2150 insertions(+), 608 deletions(-) diff --git a/cmd/store_types.json b/cmd/store_types.json index 418e37d0..96550457 100644 --- a/cmd/store_types.json +++ b/cmd/store_types.json @@ -30,6 +30,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "NonExportable", + "DisplayName": "Non Exportable Private Key", + "Description": "If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], @@ -956,6 +969,20 @@ }, "DefaultValue": "SET-DEFAULT", "Description": "Required field for Akamai Tech contact." + }, + { + "Name": "deployment-network", + "DisplayName": "Deployment Network", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "Standard TLS,Enhanced TLS", + "DefaultValue": "Standard TLS", + "Description": "Required field for Deployment Network." } ], "PasswordOptions": { 
@@ -976,42 +1003,31 @@ { "Name": "Alteon Load Balancer", "ShortName": "AlteonLB", - "Capability": "AlteonLB", - "ClientMachineDescription": "The Alteon Load Balancer Server and port", - "StorePathDescription": "This value isn't used for this integration (other than to uniquely identify the cert store in certificate searches).", + "LocalStore": false, + "BlueprintAllowed": false, + "PowerShell": false, + "ServerRequired": true, + "ClientMachineDescription": "The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com).", + "StorePathType": "", + "StorePathValue": "", + "StorePathDescription": "", "SupportedOperations": { "Add": true, "Remove": true, "Enrollment": false, "Discovery": false, - "Inventory": true + "Create": false }, - "Properties": [ - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "Description": "Alteon user ID with sufficient permissions to manage certs in the Alteon Load Balancer.", - "Required": true - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "Description": "Password associated with Alteon user ID entered above.", - "Required": true - } - ], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, + "CustomAliasAllowed": "Optional", "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "JobProperties": [], + "Properties": [], + "EntryParameters": [] }, { "Name": "Azure Application Gateway Certificate Binding", 
@@ -1077,6 +1093,98 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Aruba", + "ShortName": "Aruba", + "Capability": "Aruba", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "EntryParameters": [ + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of : entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Forbidden", + "ClientMachineDescription": "The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com)", + "StorePathDescription": "A semicolon-delimited string that in the format `;` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information.", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "Properties": [ + { + "Name": "FileServerType", + "DisplayName": "File Server Type", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "Amazon S3", + "Required": true, + "Description": "The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS." 
+ }, + { + "Name": "FileServerHost", + "DisplayName": "File Server Host", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerUsername", + "DisplayName": "File Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerPassword", + "DisplayName": "File Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "DigestAlgorithm", + "DisplayName": "Digest Algorithm", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "SHA-256,SHA-1,SHA-224,SHA-384,SHA-512", + "Required": true, + "Description": "The hash digest algorithm used for the certificate signing request (CSR)." + } + ] + }, { "Name": "Axis IP Camera", "ShortName": "AxisIPCamera", 
@@ -1473,102 +1581,169 @@
 "CustomAliasAllowed": "Required"
 },
 {
- "Name": "Bosch IP Camera",
- "ShortName": "BIPCamera",
- "Capability": "BIPCamera",
- "PrivateKeyAllowed": "Optional",
- "ServerRequired": true,
- "PowerShell": false,
- "BlueprintAllowed": true,
- "CustomAliasAllowed": "Required",
+ "Name": "BMC Orchestrator Solution",
+ "ShortName": "BMC",
+ "Capability": "BMC",
+ "LocalStore": false,
+ "StorePathDescription": "Path points to a BMC Keyring.",
+ "ClientMachineDescription": "Runs on a Windows or Linux based machine.",
 "SupportedOperations": {
- "Add": false,
- "Create": false,
- "Discovery": false,
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
 "Enrollment": true,
- "Remove": false
- },
- "PasswordOptions": {
- "EntrySupported": false,
- "StoreRequired": false,
- "Style": "Default"
+ "Remove": true
 },
 "Properties": [
 {
 "Name": "ServerUsername",
 "DisplayName": "Server Username",
 "Type": "Secret",
- "DependsOn": "",
- "DefaultValue": "",
- "Required": false,
- "Description": "Enter the username of the configured \"service\" user on the camera"
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
 },
 {
 "Name": "ServerPassword",
 "DisplayName": "Server Password",
 "Type": "Secret",
- "DependsOn": "",
- "DefaultValue": "",
- "Required": false,
- "Description": "Enter the password of the configured \"service\" user on the camera"
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
 },
 {
 "Name": "ServerUseSsl",
 "DisplayName": "Use SSL",
 "Type": "Bool",
- "DependsOn": "",
+ "DependsOn": null,
 "DefaultValue": "true",
- "Required": true,
- "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera."
+ "Required": true
 }
 ],
 "EntryParameters": [
 {
- "Name": "CertificateUsage",
- "DisplayName": "Certificate Usage",
- "Type": "MultipleChoice",
+ "Name": "CertLabel",
+ "DisplayName": "CertLabel",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": true,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Cert label as it appears in the BMC API (without the suffix)."
+ },
+ {
+ "Name": "CertOwner",
+ "DisplayName": "CertOwner",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": true,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Cert owner as it appears in the BMC API."
+ },
+ {
+ "Name": "CertUse",
+ "DisplayName": "CertUse",
+ "Type": "String",
 "RequiredWhen": {
 "HasPrivateKey": false,
 "OnAdd": false,
 "OnRemove": false,
 "OnReenrollment": false
 },
- "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client",
- "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later."
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Cert use as returned by the BMC API."
 },
 {
- "Name": "Name",
- "DisplayName": "Name (Alias)",
- "Type": "String",
+ "Name": "ImplementCert",
+ "DisplayName": "ImplementCert",
+ "Type": "Bool",
 "RequiredWhen": {
 "HasPrivateKey": false,
- "OnAdd": false,
+ "OnAdd": true,
 "OnRemove": false,
 "OnReenrollment": true
 },
- "Description": "The certificate Alias, entered again."
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Is used to pass an implement cert command to BMC."
 },
 {
- "Name": "Overwrite",
- "DisplayName": "Overwrite",
+ "Name": "IsCertDefault",
+ "DisplayName": "IsCertDefault",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "Indicates whether a given cert is set as default in a keyring."
+ },
+ {
+ "StoreTypeId": 104,
+ "Name": "RemoveFromAllKeyrings",
+ "DisplayName": "RemoveFromAllKeyrings",
 "Type": "Bool",
 "RequiredWhen": {
 "HasPrivateKey": false,
 "OnAdd": false,
+ "OnRemove": true,
+ "OnReenrollment": false
+ },
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Options": "",
+ "Description": "A bool to indicate whether a given cert is to be removed from all keyrings."
+ },
+ {
+ "StoreTypeId": 104,
+ "Name": "RollbackCert",
+ "DisplayName": "RollbackCert",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
 "OnRemove": false,
 "OnReenrollment": false
 },
+ "DependsOn": "",
 "DefaultValue": "false",
- "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate."
+ "Options": "",
+ "Description": "A bool to indicate whether a given cert is to be rolled back."
 }
 ],
- "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.",
- "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`"
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Forbidden"
 },
 {
- "Name": "CiscoAsa",
- "ShortName": "CiscoAsa",
- "Capability": "CiscoAsa",
+ "Name": "Barracuda WAF",
+ "ShortName": "BarracudaWaf",
+ "Capability": "BarracudaWaf",
 "LocalStore": false,
 "SupportedOperations": {
 "Add": true,
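Review bot: Two of the new BMC entry parameters, `RemoveFromAllKeyrings` and `RollbackCert`, carry a `"StoreTypeId": 104` key that no other entry parameter in this file has; that looks like an instance-specific identifier exported from one Command environment rather than part of a portable template, and on import elsewhere it is at best ignored and at worst binds the parameter to whatever type happens to hold id 104. Drop the two `"StoreTypeId": 104,` lines. The BMC `ServerUsername` and `ServerPassword` properties also come without a Description and use `"DependsOn": null` / `"DefaultValue": null` where the entry parameters in the same object use `""`; a one-liner such as `"Description": "Username used to authenticate to the BMC API."` would match the other store types.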
@@ -1579,19 +1754,178 @@
 },
 "Properties": [
 {
- "Name": "CommitToDisk",
- "DisplayName": "Commit To Disk",
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
 "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "false",
- "Required": true,
- "IsPAMEligible": false,
- "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates."
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS)."
 },
 {
- "Name": "ServerUsername",
- "DisplayName": "Server Username",
- "Type": "Secret",
+ "Name": "ApiVersion",
+ "DisplayName": "API Version",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "v3.2",
+ "Required": false,
+ "Description": "The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version."
+ },
+ {
+ "Name": "InventorySelfSignedCerts",
+ "DisplayName": "Inventory Self-Signed Certificates",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true."
+ },
+ {
+ "Name": "InventoryTrustedCerts",
+ "DisplayName": "Inventory Trusted Certificates",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": false,
+ "Description": "When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false."
+ }
+ ],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "/",
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "ClientMachineDescription": "The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP).",
+ "StorePathDescription": "Not used for this integration. Set to '/' or leave at the default value."
+ },
+ {
+ "Name": "Bosch IP Camera",
+ "ShortName": "BoschIPCamera",
+ "Capability": "BoschIPCamera",
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
+ "SupportedOperations": {
+ "Add": false,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": true,
+ "Remove": false
+ },
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Enter the username of the configured \"service\" user on the camera"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Enter the password of the configured \"service\" user on the camera"
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera."
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CertificateUsage",
+ "DisplayName": "Certificate Usage",
+ "Type": "MultipleChoice",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client",
+ "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later."
+ },
+ {
+ "Name": "Name",
+ "DisplayName": "Name (Alias)",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "Description": "The certificate Alias, entered again."
+ },
+ {
+ "Name": "Overwrite",
+ "DisplayName": "Overwrite",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": "false",
+ "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate."
+ }
+ ],
+ "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.",
+ "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`"
+ },
+ {
+ "Name": "CiscoAsa",
+ "ShortName": "CiscoAsa",
+ "Capability": "CiscoAsa",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "CommitToDisk",
+ "DisplayName": "Commit To Disk",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates."
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
 "DependsOn": "",
 "DefaultValue": "",
 "Required": false,
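Review bot: `ServerUseSsl` on the new Barracuda WAF type is `Required: false` and its Description presents HTTP on port 8000 as an equal alternative to HTTPS, although the same connection carries the management credentials and, with `PrivateKeyAllowed: "Optional"`, the private keys being deployed; the Description should say that turning SSL off sends that material in clear text and is only suitable for isolated test setups, e.g. `"Description": "... Default is true (HTTPS). Setting this to false transmits API credentials and certificate material unencrypted; use only in isolated test environments."`. Separately, the re-added Bosch IP Camera object now has `"ShortName": "BoschIPCamera"` / `"Capability": "BoschIPCamera"` where the removed object in the previous hunk had `BIPCamera`; if existing stores or orchestrator builds reference the old short name, this is a breaking rename and deserves a changelog entry or a migration note in the Description.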
@@ -1663,9 +1997,13 @@
 "Remove": true
 },
 "PasswordOptions": {
+ "Style": "Default",
 "EntrySupported": false,
- "StoreRequired": false,
- "Style": "Default"
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.",
+ "IsPAMEligible": true
+ }
 },
 "Properties": [
 {
@@ -1696,6 +2034,15 @@
 "DefaultValue": "false",
 "Required": false,
 "Description": "Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate."
+ },
+ {
+ "Name": "timeout",
+ "DisplayName": "Login Timeout in seconds",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "3600",
+ "Required": false,
+ "Description": "Determines timeout in seconds for all Citrix ADC API calls."
 }
 ],
 "EntryParameters": [
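Review bot: The new Citrix `StorePassword` Description tells users to select 'No Value' to have an unencrypted private key uploaded, but does not spell out the consequence; a short clause such as `Leaving this unset stores the private key on the ADC without the additional encryption this password provides.` would make the trade-off explicit at the point where the choice is made. `IsPAMEligible: true` is the right setting for this value, so this is a documentation point only.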
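Review bot: The new Citrix `timeout` property is typed `String` with `DefaultValue: "3600"`, and nothing says what happens on a non-numeric, zero or negative value; its DisplayName `Login Timeout in seconds` also disagrees with the Description, which says it applies to all ADC API calls. Align the two and state the accepted form, e.g. `"Description": "Timeout in seconds applied to all Citrix ADC API calls (positive integer; default 3600)."`. If the schema offers no numeric type, keeping `String` is fine, but the parsing behaviour then belongs in the Description.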
@@ -1904,53 +2251,7 @@
 "Description": "Login password for the F5 Big IQ device."
 }
 ],
- "EntryParameters": [
- {
- "Name": "Alias",
- "DisplayName": "Alias (Reenrollment only)",
- "Type": "String",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": true
- },
- "DependsOn": "",
- "DefaultValue": "",
- "Options": "",
- "Description": "The name F5 Big IQ uses to identify the certificate"
- },
- {
- "Name": "Overwrite",
- "DisplayName": "Overwrite (Reenrollment only)",
- "Type": "Bool",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": true
- },
- "DependsOn": "",
- "DefaultValue": "False",
- "Options": "",
- "Description": "Allow overwriting an existing certificate when reenrolling?"
- },
- {
- "Name": "SANs",
- "DisplayName": "SANs (Reenrollment only)",
- "Type": "String",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": false
- },
- "DependsOn": "",
- "DefaultValue": "",
- "Options": "",
- "Description": "External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field."
- }
- ]
+ "EntryParameters": []
 },
 {
 "Name": "F5 CA Profiles REST",
@@ -2408,7 +2709,7 @@
 }
 },
 "ClientMachineDescription": "The IP address or DNS of the Fortigate server",
- "StorePathDescription": "This is not used in this integration, but is a required field in the UI. Just enter any value here"
+ "StorePathDescription": "Value must contain the VDOM this certificate store will be managing. `root` must be entered to manage the default 'root' VDOM."
 },
 {
 "Name": "GCP Load Balancer",
@@ -2447,6 +2748,70 @@
 "StorePathDescription": "Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59).",
 "EntryParameters": []
 },
+ {
+ "Name": "GCPScrtMgr",
+ "ShortName": "GCPScrtMgr",
+ "Capability": "GCPScrtMgr",
+ "ServerRequired": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "Style": "Default",
+ "StorePassword": {
+ "Description": "Password used to encrypt the private key of ALL certificate secrets. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "PasswordSecretSuffix",
+ "DisplayName": "Password Secret Location Suffix",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "If storing a certificate with an encrypted private key, this is the suffix to add to the certificate (secret) alias name where the encrypted private key password will be stored. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information"
+ },
+ {
+ "Name": "IncludeChain",
+ "DisplayName": "Include Chain",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "True",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "Determines whether to include the certificate chain when adding a certificate as a secret."
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "tags",
+ "DisplayName": "Tags",
+ "Type": "String",
+ "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ }
+ }
+ ],
+ "ClientMachineDescription": "Not used",
+ "StorePathDescription": "The Project ID of the Google Secret Manager being managed."
+ },
 {
 "Name": "Google Cloud Provider Apigee",
 "ShortName": "GcpApigee",
@@ -2620,7 +2985,7 @@
 "StorePathDescription": "This is the path to the secret containing the store.",
 "LocalStore": false,
 "StorePathType": "",
- "StorePathValue": "",
+ "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'",
 "PrivateKeyAllowed": "Optional",
 "JobProperties": [],
 "ServerRequired": true,
@@ -2672,9 +3037,18 @@
 "DependsOn": "",
 "DefaultValue": "",
 "Required": false
- }
- ],
- "EntryParameters": [],
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
+ }
+ ],
+ "EntryParameters": [],
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -2693,7 +3067,7 @@
 "StorePathDescription": "This is the path to the secret containing the store.",
 "LocalStore": false,
 "StorePathType": "",
- "StorePathValue": "",
+ "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'",
 "PrivateKeyAllowed": "Optional",
 "JobProperties": [],
 "ServerRequired": true,
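Review bot: The new GCPScrtMgr type keeps the private-key encryption password as a second secret in the same Secret Manager project, named from the certificate alias plus `PasswordSecretSuffix`; a principal that can read the certificate secret will typically be able to read the password secret under the same IAM binding, so the encryption adds little unless access to the two is separated. The `StorePassword` and `PasswordSecretSuffix` Descriptions should say that the password secret must sit under a narrower IAM policy than the certificate secrets for the scheme to be meaningful. Both Descriptions also use a markdown anchor, `[Certificate Encryption Details](#certificate-encryption-details)`, which is unlikely to resolve wherever the Description is rendered outside the README; a plain reference to the README section would be safer.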
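Review bot: `StorePathValue` changes from `""` to the literal string `"example: '/mycerts/certstore.jks?b64cert'"` here, and likewise in the hunks at `@@ -2693` and `@@ -2846`; `StorePathValue` appears to be the pre-filled default for the store path rather than help text, so every new store of these types would start with a path that includes the word `example:` and does not exist. If an example is wanted, place it in `StorePathDescription` (`"This is the path to the secret containing the store, e.g. /mycerts/certstore.jks?b64cert"`) and restore `"StorePathValue": ""`.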
@@ -2745,6 +3119,15 @@
 "DependsOn": "",
 "DefaultValue": "",
 "Required": false
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
 }
 ],
 "EntryParameters": [],
@@ -2846,7 +3229,7 @@
 "StorePathDescription": "This is the path to the secret containing the store.",
 "LocalStore": false,
 "StorePathType": "",
- "StorePathValue": "",
+ "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'",
 "PrivateKeyAllowed": "Optional",
 "JobProperties": [],
 "ServerRequired": true,
@@ -2898,6 +3281,15 @@
 "DependsOn": "",
 "DefaultValue": "",
 "Required": false
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
 }
 ],
 "EntryParameters": [],
@@ -2962,6 +3354,15 @@
 "DependsOn": "",
 "DefaultValue": "",
 "Required": true
+ },
+ {
+ "Name": "PassphrasePath",
+ "DisplayName": "Passphrase Path",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret."
 }
 ],
 "EntryParameters": [],
@@ -3092,7 +3493,7 @@
 "DependsOn": "",
 "DefaultValue": "",
 "Required": false,
- "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'."
+ "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)"
 },
 {
 "Name": "ServerPassword",
@@ -3101,7 +3502,7 @@
 "DependsOn": "",
 "DefaultValue": "",
 "Required": false,
- "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key."
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)"
 },
 {
 "Name": "ServerUseSsl",
@@ -3218,21 +3619,6 @@
 "DefaultValue": "",
 "Options": "",
 "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'"
- },
- {
- "Name": "SAN",
- "DisplayName": "SAN",
- "Type": "String",
- "RequiredWhen": {
- "HasPrivateKey": false,
- "OnAdd": false,
- "OnRemove": false,
- "OnReenrollment": true
- },
- "DependsOn": "",
- "DefaultValue": "",
- "Options": "",
- "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA."
 }
 ],
 "PasswordOptions": {
@@ -3283,6 +3669,7 @@
 "Name": "K8SCert",
 "ShortName": "K8SCert",
 "Capability": "K8SCert",
+ "ClientMachineDescription": "The Kubernetes cluster name or identifier.",
 "LocalStore": false,
 "SupportedOperations": {
 "Add": false,
@@ -3293,31 +3680,34 @@
 },
 "Properties": [
 {
- "Name": "KubeNamespace",
- "DisplayName": "KubeNamespace",
- "Type": "String",
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Description": "This should be no value or `kubeconfig`",
+ "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": "default",
+ "DefaultValue": null,
 "Required": false
 },
 {
- "Name": "KubeSecretName",
- "DisplayName": "KubeSecretName",
- "Type": "String",
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json",
+ "Type": "Secret",
 "DependsOn": "",
 "DefaultValue": null,
- "Required": false
+ "Required": true
 },
 {
- "Name": "KubeSecretType",
- "DisplayName": "KubeSecretType",
+ "Name": "KubeSecretName",
+ "DisplayName": "KubeSecretName",
+ "Description": "The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.",
 "Type": "String",
 "DependsOn": "",
- "DefaultValue": "cert",
- "Required": true
+ "DefaultValue": "",
+ "Required": false
 }
 ],
- "EntryParameters": null,
+ "EntryParameters": [],
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -3336,6 +3726,7 @@
 "Name": "K8SCluster",
 "ShortName": "K8SCluster",
 "Capability": "K8SCluster",
+ "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.",
 "LocalStore": false,
 "SupportedOperations": {
 "Add": true,
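Review bot: `ServerPassword` on K8SCert (and the identical property added in the K8SCluster, K8SJKS, K8SNS and K8SPKCS12 hunks that follow) now holds a complete `kubeconfig`, and its Description only links to an example service-account JSON; it should state that the credential grants whatever the bound service account can do and name the minimum RBAC the store type needs — for K8SCert presumably read access to certificate signing requests, to be confirmed against the orchestrator code. `ServerUsername` is described as `no value or `kubeconfig`` without saying which value selects which behaviour; a sentence such as `Set to kubeconfig to take the cluster credential from ServerPassword; leave empty to use the orchestrator host's default kubeconfig.` would remove the guesswork, if that is what the orchestrator actually does. Holding the kubeconfig in a `Type: Secret` property is the right choice.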
@@ -3345,22 +3736,44 @@
 "Remove": true
 },
 "Properties": [
+ {
+ "Name": "IncludeCertChain",
+ "DisplayName": "Include Certificate Chain",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
+ },
 {
 "Name": "SeparateChain",
- "DisplayName": "Separate Certificate Chain",
+ "DisplayName": "Separate Chain",
 "Type": "Bool",
+ "DependsOn": null,
 "DefaultValue": "false",
+ "Required": false,
+ "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets."
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Description": "This should be no value or `kubeconfig`",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": null,
 "Required": false
 },
 {
- "Name": "IncludeCertChain",
- "DisplayName": "Include Certificate Chain",
- "Type": "Bool",
- "DefaultValue": "true",
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": null,
 "Required": false
 }
 ],
- "EntryParameters": null,
+ "EntryParameters": [],
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -3379,6 +3792,7 @@
 "Name": "K8SJKS",
 "ShortName": "K8SJKS",
 "Capability": "K8SJKS",
+ "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.",
 "LocalStore": false,
 "SupportedOperations": {
 "Add": true,
@@ -3391,6 +3805,7 @@
 {
 "Name": "KubeNamespace",
 "DisplayName": "KubeNamespace",
+ "Description": "The K8S namespace to use to manage the K8S secret object.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "default",
@@ -3399,6 +3814,7 @@
 {
 "Name": "KubeSecretName",
 "DisplayName": "KubeSecretName",
+ "Description": "The name of the K8S secret object.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": null,
@@ -3407,22 +3823,25 @@
 {
 "Name": "KubeSecretType",
 "DisplayName": "KubeSecretType",
+ "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "jks",
- "Required": true
+ "Required": false
 },
 {
 "Name": "CertificateDataFieldName",
 "DisplayName": "CertificateDataFieldName",
+ "Description": "The field name to use when looking for certificate data in the K8S secret.",
 "Type": "String",
 "DependsOn": "",
- "DefaultValue": ".jks",
- "Required": true
+ "DefaultValue": null,
+ "Required": false
 },
 {
 "Name": "PasswordFieldName",
 "DisplayName": "PasswordFieldName",
+ "Description": "The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "password",
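Review bot: `CertificateDataFieldName` on K8SJKS changes `DefaultValue` from `".jks"` to `null` and `Required` from `true` to `false`, but the new Description (`The field name to use when looking for certificate data in the K8S secret.`) does not say what the orchestrator does when the value is empty, and stores upgraded in place from the old template will take exactly that path. Document the fallback — for instance whether all fields ending in `.jks` are read, which the old default hints at — once it is confirmed against the implementation. The deprecated `KubeSecretType` Description says the value `must be jks` while `Required` becomes `false`; state whether a blank value is accepted or rejected.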
@@ -3430,25 +3849,54 @@
 },
 {
 "Name": "PasswordIsK8SSecret",
- "DisplayName": "Password Is K8S Secret",
+ "DisplayName": "PasswordIsK8SSecret",
+ "Description": "Indicates whether the password to the JKS keystore is stored in a separate K8S secret.",
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
 "Required": false
 },
+ {
+ "Name": "IncludeCertChain",
+ "DisplayName": "Include Certificate Chain",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
+ },
 {
 "Name": "StorePasswordPath",
 "DisplayName": "StorePasswordPath",
+ "Description": "The path to the K8S secret object to use as the password to the JKS keystore. Example: `/`",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": null,
 "Required": false
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Description": "This should be no value or `kubeconfig`",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": null,
+ "Required": false
 }
 ],
- "EntryParameters": null,
+ "EntryParameters": [],
 "PasswordOptions": {
 "EntrySupported": false,
- "StoreRequired": false,
+ "StoreRequired": true,
 "Style": "Default"
 },
 "StorePathType": "",
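Review bot: K8SJKS now has three possible sources for the keystore password — the store password (`StoreRequired` flips to `true` here), the `PasswordFieldName` field on the same secret, and the secret at `StorePasswordPath` when `PasswordIsK8SSecret` is `true` — and none of the Descriptions says which one wins when more than one is set; add the precedence to the `StorePasswordPath` Description. That Description's example `Example: `/`` has also lost its placeholder tokens to markup stripping (presumably `<namespace>/<secret-name>`); the same appears in the K8SPKCS12 hunk at `@@ -3567`. Making the store password required may cause existing K8SJKS stores saved without one to fail validation on their next edit, so the change is worth a changelog line.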
@@ -3464,6 +3912,7 @@
 "Name": "K8SNS",
 "ShortName": "K8SNS",
 "Capability": "K8SNS",
+ "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.",
 "LocalStore": false,
 "SupportedOperations": {
 "Add": true,
@@ -3476,27 +3925,50 @@
 {
 "Name": "KubeNamespace",
 "DisplayName": "Kube Namespace",
+ "Description": "The K8S namespace to use to manage the K8S secret object.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "default",
 "Required": false
 },
+ {
+ "Name": "IncludeCertChain",
+ "DisplayName": "Include Certificate Chain",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
+ },
 {
 "Name": "SeparateChain",
- "DisplayName": "Separate Certificate Chain",
+ "DisplayName": "Separate Chain",
 "Type": "Bool",
+ "DependsOn": null,
 "DefaultValue": "false",
+ "Required": false,
+ "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets."
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Description": "This should be no value or `kubeconfig`",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": null,
 "Required": false
 },
 {
- "Name": "IncludeCertChain",
- "DisplayName": "Include Certificate Chain",
- "Type": "Bool",
- "DefaultValue": "true",
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": null,
 "Required": false
 }
 ],
- "EntryParameters": null,
+ "EntryParameters": [],
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -3515,6 +3987,7 @@
 "Name": "K8SPKCS12",
 "ShortName": "K8SPKCS12",
 "Capability": "K8SPKCS12",
+ "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.",
 "LocalStore": false,
 "SupportedOperations": {
 "Add": true,
@@ -3525,12 +3998,13 @@
 },
 "Properties": [
 {
- "Name": "KubeSecretType",
- "DisplayName": "Kube Secret Type",
- "Type": "String",
- "DependsOn": "",
- "DefaultValue": "pkcs12",
- "Required": true
+ "Name": "IncludeCertChain",
+ "DisplayName": "Include Certificate Chain",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting."
 },
 {
 "Name": "CertificateDataFieldName",
@@ -3543,6 +4017,7 @@
 {
 "Name": "PasswordFieldName",
 "DisplayName": "Password Field Name",
+ "Description": "The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "password",
@@ -3551,6 +4026,7 @@
 {
 "Name": "PasswordIsK8SSecret",
 "DisplayName": "Password Is K8S Secret",
+ "Description": "Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object.",
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
@@ -3559,6 +4035,7 @@
 {
 "Name": "KubeNamespace",
 "DisplayName": "Kube Namespace",
+ "Description": "The K8S namespace to use to manage the K8S secret object.",
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "default",
@@ -3567,24 +4044,53 @@ { "Name": "KubeSecretName", "DisplayName": "Kube Secret Name", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "KubeSecretType", + "DisplayName": "Kube Secret Type", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.", + "Type": "String", + "DependsOn": "", + "DefaultValue": "pkcs12", + "Required": false + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", @@ -3600,6 +4106,7 @@ "Name": "K8SSecret", "ShortName": "K8SSecret", "Capability": "K8SSecret", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
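Review bot: The `StorePasswordPath` description added here ends with the text "Example: `/`", which gives the reader only a slash; the example evidently lost its placeholder segments (most likely angle-bracketed tokens stripped during generation), so it should spell out what sits on either side, e.g. `Example: <PLACEHOLDER: left segment>/<PLACEHOLDER: right segment>` with the real segment names filled in. The same loss appears in the Aruba `StorePathDescription` ("in the format `;`") in the `@@ -1077,6 +1093,98 @@` hunk of store_types.json. Separately, `PasswordOptions.StoreRequired` flips to `true` in this hunk while `PasswordIsK8SSecret` and `StorePasswordPath` still describe sourcing the PKCS12 password from a separate K8S secret; if that path remains supported, a mandatory store password looks contradictory and is worth confirming. The K8SPKCS12 object starts outside the hunk.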
@@ -3612,6 +4119,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3620,6 +4128,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3628,27 +4137,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3667,6 +4199,7 @@ "Name": "K8STLSSecr", "ShortName": "K8STLSSecr", "Capability": "K8STLSSecr", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3679,6 +4212,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3687,6 +4221,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3695,27 +4230,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "tls_secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3730,6 +4288,65 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden" }, + { + "Name": "Kemp", + "ShortName": "Kemp", + "Capability": "Kemp", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Not used." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Kemp Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration)." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "IsPAMEligible": false, + "Description": "Should be true, http is not supported." + } + ], + "EntryParameters": [], + "ClientMachineDescription": "Kemp Load Balancer Client Machine and port example TestKemp:8443.", + "StorePathDescription": "Not used just put a /", + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "MyOrchestratorStoreType", "ShortName": "MOST", 
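Review bot: The Kemp `ServerPassword` description says "(or valid PAM key if the username is stored in a KF Command configured PAM integration)", but this is the password field and `ServerUsername` directly above it is documented as "Not used.", so the parenthetical should refer to the password: `"Description": "Kemp API Password (or a valid PAM key if the password is stored in a Keyfactor Command configured PAM integration)."`. Because `ServerUsername` is declared unused, `"IsPAMEligible": true` on it invites operators to configure a PAM lookup that nothing reads; `false` seems the intended value unless the flag must match across the pair. `ServerUseSsl` says "http is not supported" yet remains a user-settable Bool; stating what happens when it is set to false (if the extension rejects the job, say so) would make the contract explicit.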
@@ -4035,7 +4652,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4122,15 +4739,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4167,7 +4775,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4245,15 +4853,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
@@ -4271,6 +4870,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache Tomcat Restart,Jetty Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4368,15 +4976,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4500,15 +5099,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
@@ -4545,7 +5135,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4659,15 +5249,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4685,6 +5266,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4704,7 +5294,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { 
@@ -4782,15 +5372,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4819,8 +5400,8 @@ "ShortName": "SOS", "Capability": "SOS", "LocalStore": false, - "StorePathDescription": "Path points to a local .json file. Orchestrator and its account should have read/write access.", - "ClientMachineDescription": "Runs on a Windows based machine.", + "StorePathDescription": "The name of the store as defined in the SOS system (i.e. SampleKeyStore2).", + "ClientMachineDescription": "The base URL of the SOS API (i.e. http://localhost:8080)", "SupportedOperations": { "Add": true, "Create": true, @@ -4871,7 +5452,7 @@ "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, - "OnReenrollment": false + "OnReenrollment": true }, "Description": "SAN string." }, @@ -4918,14 +5499,14 @@ ], "PasswordOptions": { "EntrySupported": true, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "PrivateKeyAllowed": "Optional", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": true, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Forbidden" }, { "Name": "Signum", 
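Review bot: The new SOS `ClientMachineDescription` example is `http://localhost:8080`, a cleartext endpoint, and the same hunk makes a store password mandatory (`"StoreRequired": true`), so the one example operators are likely to copy shows credentials going over plain HTTP. An `https://` example, or a clause saying TLS is expected outside local testing, would avoid that; whether the SOS API serves TLS is not visible in the hunk, so treat this as a wording request. Minor: both new descriptions use "i.e." to introduce an example, where "e.g." is meant.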
@@ -4974,6 +5555,127 @@ "Style": "Default" } }, + { + "Name": "A10 Thunder Management Certificates", + "ShortName": "ThunderMgmt", + "Capability": "ThunderMgmt", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "OrchToScpServerIp", + "DisplayName": "Orch To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates." + }, + { + "Name": "ScpPort", + "DisplayName": "Port Used For Scp", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations." + }, + { + "Name": "ScpUserName", + "DisplayName": "UserName Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval." + }, + { + "Name": "ScpPassword", + "DisplayName": "Password Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval." 
+ }, + { + "Name": "A10ToScpServerIp", + "DisplayName": "A10 Device To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths." + }, + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.", + "StorePathDescription": "Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. 
The specified path must exist and the SCP user must have write permissions to this directory.", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "A10 Thunder Ssl Certificates", + "ShortName": "ThunderSsl", + "Capability": "ThunderSsl", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.", + "StorePathDescription": "A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "VMware-NSX", "ShortName": "VMware-NSX", 
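Review bot: Both new A10 store types declare `allowInvalidCert` with `"DefaultValue": "true"` and `"Required": true`, so a freshly created store skips TLS certificate validation on the AXAPI management connection that, per the `ClientMachineDescription`, carries the Server Username/Password and drives certificate installation. A safer default is `"DefaultValue": "false"`, with the description telling the operator to enable it only for appliances that still present a self-signed management certificate. The `ScpUserName`/`ScpPassword` descriptions say "Supports PAM integration" but the entries carry no `IsPAMEligible` key, unlike the Kemp entry earlier in this diff; confirm whether that flag is needed for PAM to be offered, and add it if so.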
@@ -5035,6 +5737,105 @@ "ClientMachineDescription": "This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/ ", "StorePathDescription": "A selection from the different certificate types supported: Application, Controller, or CA." }, + { + "Name": "ADFS Rotation Manager", + "ShortName": "WinAdfs", + "Capability": "WinAdfs", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http,ssh", + "Required": true, + "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22." 
+ }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + } + ], + "EntryParameters": [ + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. 
For more information, refer to the section 'Using Crypto Service Providers'" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "My", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.", + "StorePathDescription": "Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default." + }, { "Name": "WinCerMgmt", "ShortName": "WinCerMgmt", @@ -5118,7 +5919,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5127,7 +5928,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
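Review bot: The ADFS `ClientMachineDescription` contains "Secondary ADFS Nodes will be automatically be updated", a doubled verb; `Secondary ADFS Nodes will automatically be updated` reads correctly. The property name `spnwithport` is all lower-case while its siblings (`WinRM Protocol`, `ServerUsername`, `ServerUseSsl`) follow the casing used elsewhere in the file; if the Windows extension keys on the exact string this cannot change, otherwise it is worth aligning. The `WinRM Port` description notes that ssh uses port 22, but the field's default stays `5986` regardless of the chosen protocol; a short clause saying the operator must change the port when selecting ssh would prevent a predictable misconfiguration.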
@@ -5154,21 +5955,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { @@ -5232,7 +6018,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5241,7 +6027,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
@@ -5289,21 +6075,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs." } ], "PasswordOptions": { @@ -5501,7 +6272,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The vCenter username used to manage the vCenter connection" }, { @@ -5511,7 +6282,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The secret vCenter password used to manage the vCenter connection" } ] diff --git a/store_types.json b/store_types.json index 418e37d0..96550457 100644 --- a/store_types.json +++ b/store_types.json @@ -30,6 +30,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "NonExportable", + "DisplayName": "Non Exportable Private Key", + "Description": "If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], 
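Review bot: The two vCenter hunks (`@@ -5501,7 +6272,7 @@` and `@@ -5511,7 +6282,7 @@`) flip a key spelled `IsPamEligable`, whereas the Kemp entry added in this same diff uses `IsPAMEligible`; if the consumer only recognises the latter spelling, these two changes are inert and the vCenter credentials stay non-PAM-eligible. Rename the key in both places to `"IsPAMEligible": true` unless `IsPamEligable` is a deliberately supported legacy spelling. The vCenter property objects these lines belong to start outside the hunks.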
@@ -956,6 +969,20 @@ }, "DefaultValue": "SET-DEFAULT", "Description": "Required field for Akamai Tech contact." + }, + { + "Name": "deployment-network", + "DisplayName": "Deployment Network", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "Standard TLS,Enhanced TLS", + "DefaultValue": "Standard TLS", + "Description": "Required field for Deployment Network." } ], "PasswordOptions": { 
@@ -976,42 +1003,31 @@ { "Name": "Alteon Load Balancer", "ShortName": "AlteonLB", - "Capability": "AlteonLB", - "ClientMachineDescription": "The Alteon Load Balancer Server and port", - "StorePathDescription": "This value isn't used for this integration (other than to uniquely identify the cert store in certificate searches).", + "LocalStore": false, + "BlueprintAllowed": false, + "PowerShell": false, + "ServerRequired": true, + "ClientMachineDescription": "The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com).", + "StorePathType": "", + "StorePathValue": "", + "StorePathDescription": "", "SupportedOperations": { "Add": true, "Remove": true, "Enrollment": false, "Discovery": false, - "Inventory": true + "Create": false }, - "Properties": [ - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "Description": "Alteon user ID with sufficient permissions to manage certs in the Alteon Load Balancer.", - "Required": true - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "Description": "Password associated with Alteon user ID entered above.", - "Required": true - } - ], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, + "CustomAliasAllowed": "Optional", "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "JobProperties": [], + "Properties": [], + "EntryParameters": [] }, { "Name": "Azure Application Gateway Certificate Binding", 
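Review bot: The rewritten Alteon entry drops `"Capability": "AlteonLB"` without a replacement, while every other store type visible in this diff (Kemp, Aruba, the A10 and ADFS entries) carries a `Capability`; if that field is what maps a store type to its extension, this entry can no longer be dispatched. Restore `"Capability": "AlteonLB",` after `ShortName`. The new `ClientMachineDescription` says "hostname or IP address" but its example is a full URL with scheme (`https://alteonlb.test.com`); pick one form so operators know whether to include the scheme. `StorePathDescription` is now an empty string, so the UI will offer no guidance for a field that is still present; a one-line hint (even "not used") is better than blank.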
@@ -1077,6 +1093,98 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Aruba", + "ShortName": "Aruba", + "Capability": "Aruba", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "EntryParameters": [ + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of : entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Forbidden", + "ClientMachineDescription": "The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com)", + "StorePathDescription": "A semicolon-delimited string that in the format `;` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information.", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "Properties": [ + { + "Name": "FileServerType", + "DisplayName": "File Server Type", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "Amazon S3", + "Required": true, + "Description": "The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS." 
+ }, + { + "Name": "FileServerHost", + "DisplayName": "File Server Host", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerUsername", + "DisplayName": "File Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerPassword", + "DisplayName": "File Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "DigestAlgorithm", + "DisplayName": "Digest Algorithm", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "SHA-256,SHA-1,SHA-224,SHA-384,SHA-512", + "Required": true, + "Description": "The hash digest algorithm used for the certificate signing request (CSR)." + } + ] + }, { "Name": "Axis IP Camera", "ShortName": "AxisIPCamera", 
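Review bot: The Aruba `DigestAlgorithm` property's `"DefaultValue": "SHA-256,SHA-1,SHA-224,SHA-384,SHA-512"` appears to be the MultipleChoice option list (the other MultipleChoice property here, `FileServerType`, likewise carries its single choice in DefaultValue), which means SHA-1 is offered as the CSR signing digest; SHA-1-signed requests are rejected by most CAs and gain nothing over SHA-256, so either drop `SHA-1` from the list or state in the Description that it exists only for legacy CAs. Two descriptions in the same entry also look like they lost placeholder tokens: the SAN parameter's `"Format as a list of : entries"` and the StorePathDescription's `"in the format `;`"` read as if angle-bracket placeholders were stripped by an HTML renderer. Check them against the orchestrator README and spell the formats out in words so they survive rendering in the Command UI.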
@@ -1473,102 +1581,169 @@ "CustomAliasAllowed": "Required" }, { - "Name": "Bosch IP Camera", - "ShortName": "BIPCamera", - "Capability": "BIPCamera", - "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": true, - "CustomAliasAllowed": "Required", + "Name": "BMC Orchestrator Solution", + "ShortName": "BMC", + "Capability": "BMC", + "LocalStore": false, + "StorePathDescription": "Path points to a BMC Keyring.", + "ClientMachineDescription": "Runs on a Windows or Linux based machine.", "SupportedOperations": { - "Add": false, - "Create": false, - "Discovery": false, + "Add": true, + "Create": true, + "Discovery": true, "Enrollment": true, - "Remove": false - }, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" + "Remove": true }, "Properties": [ { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": "", - "DefaultValue": "", - "Required": false, - "Description": "Enter the username of the configured \"service\" user on the camera" + "DependsOn": null, + "DefaultValue": null, + "Required": false }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": "", - "DefaultValue": "", - "Required": false, - "Description": "Enter the password of the configured \"service\" user on the camera" + "DependsOn": null, + "DefaultValue": null, + "Required": false }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": "", + "DependsOn": null, "DefaultValue": "true", - "Required": true, - "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." 
+ "Required": true } ], "EntryParameters": [ { - "Name": "CertificateUsage", - "DisplayName": "Certificate Usage", - "Type": "MultipleChoice", + "Name": "CertLabel", + "DisplayName": "CertLabel", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert label as it appears in the BMC API (without the suffix)." + }, + { + "Name": "CertOwner", + "DisplayName": "CertOwner", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert owner as it appears in the BMC API." + }, + { + "Name": "CertUse", + "DisplayName": "CertUse", + "Type": "String", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, "OnReenrollment": false }, - "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", - "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert use as returned by the BMC API." }, { - "Name": "Name", - "DisplayName": "Name (Alias)", - "Type": "String", + "Name": "ImplementCert", + "DisplayName": "ImplementCert", + "Type": "Bool", "RequiredWhen": { "HasPrivateKey": false, - "OnAdd": false, + "OnAdd": true, "OnRemove": false, "OnReenrollment": true }, - "Description": "The certificate Alias, entered again." + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Is used to pass an implement cert command to BMC." 
}, { - "Name": "Overwrite", - "DisplayName": "Overwrite", + "Name": "IsCertDefault", + "DisplayName": "IsCertDefault", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Indicates whether a given cert is set as default in a keyring." + }, + { + "StoreTypeId": 104, + "Name": "RemoveFromAllKeyrings", + "DisplayName": "RemoveFromAllKeyrings", "Type": "Bool", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, + "OnRemove": true, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "false", + "Options": "", + "Description": "A bool to indicate whether a given cert is to be removed from all keyrings." + }, + { + "StoreTypeId": 104, + "Name": "RollbackCert", + "DisplayName": "RollbackCert", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, "OnRemove": false, "OnReenrollment": false }, + "DependsOn": "", "DefaultValue": "false", - "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." + "Options": "", + "Description": "A bool to indicate whether a given cert is to be rolled back." } ], - "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", - "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden" }, { - "Name": "CiscoAsa", - "ShortName": "CiscoAsa", - "Capability": "CiscoAsa", + "Name": "Barracuda WAF", + "ShortName": "BarracudaWaf", + "Capability": "BarracudaWaf", "LocalStore": false, "SupportedOperations": { "Add": true, 
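Review bot: Two of the new BMC entry parameters, `RemoveFromAllKeyrings` and `RollbackCert`, carry `"StoreTypeId": 104,` while no other parameter or property in this file has a StoreTypeId; this looks like an artifact of exporting from one Command instance, where 104 is that instance's id, and it is meaningless or wrong on any other instance that imports the file. Dropping the two `"StoreTypeId": 104,` lines makes them match their four sibling parameters. Separately, the BMC `ServerUsername` and `ServerPassword` properties are the only Secret properties in this diff with no `Description`, and they use `"DependsOn": null` / `"DefaultValue": null` while the entry parameters of the same store type use `""`; a one-line description of which BMC account the credential is for would help. The hunk starts on an earlier line, with the BMC entry replacing the Bosch IP Camera entry that is re-added further down.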
@@ -1579,19 +1754,178 @@ }, "Properties": [ { - "Name": "CommitToDisk", - "DisplayName": "Commit To Disk", + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", "Type": "Bool", "DependsOn": "", - "DefaultValue": "false", - "Required": true, - "IsPAMEligible": false, - "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." + "DefaultValue": "true", + "Required": false, + "Description": "Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS)." }, { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", + "Name": "ApiVersion", + "DisplayName": "API Version", + "Type": "String", + "DependsOn": "", + "DefaultValue": "v3.2", + "Required": false, + "Description": "The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version." + }, + { + "Name": "InventorySelfSignedCerts", + "DisplayName": "Inventory Self-Signed Certificates", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": false, + "Description": "When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true." + }, + { + "Name": "InventoryTrustedCerts", + "DisplayName": "Inventory Trusted Certificates", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false." 
+ } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "/", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP).", + "StorePathDescription": "Not used for this integration. Set to '/' or leave at the default value." + }, + { + "Name": "Bosch IP Camera", + "ShortName": "BoschIPCamera", + "Capability": "BoschIPCamera", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." 
+ } + ], + "EntryParameters": [ + { + "Name": "CertificateUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", + "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." + }, + { + "Name": "Name", + "DisplayName": "Name (Alias)", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Description": "The certificate Alias, entered again." + }, + { + "Name": "Overwrite", + "DisplayName": "Overwrite", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "false", + "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" + }, + { + "Name": "CiscoAsa", + "ShortName": "CiscoAsa", + "Capability": "CiscoAsa", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "CommitToDisk", + "DisplayName": "Commit To Disk", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", "DependsOn": "", "DefaultValue": "", "Required": false, 
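Review bot: The re-added Bosch IP Camera entry changes `"ShortName": "BIPCamera"` / `"Capability": "BIPCamera"` (the values removed in the earlier hunk) to `BoschIPCamera`, so any existing store or extension build registered under the capability `BIPCamera` would no longer match this definition; if the rename is intentional it deserves a line in the commit message as a breaking rename, otherwise keep `"Capability": "BIPCamera"`. On the Barracuda WAF entry, `ServerUseSsl` can be set to false to use HTTP on port 8000, and its Description should say plainly what that costs, e.g. append `"Leave true unless the appliance cannot serve HTTPS; over HTTP the management credentials and certificate material are sent unencrypted."`. The Barracuda entry begins on an earlier line of this hunk and the CiscoAsa entry continues past it.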
@@ -1663,9 +1997,13 @@ "Remove": true }, "PasswordOptions": { + "Style": "Default", "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" + "StoreRequired": true, + "StorePassword": { + "Description": "Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.", + "IsPAMEligible": true + } }, "Properties": [ { @@ -1696,6 +2034,15 @@ "DefaultValue": "false", "Required": false, "Description": "Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate." + }, + { + "Name": "timeout", + "DisplayName": "Login Timeout in seconds", + "Type": "String", + "DependsOn": "", + "DefaultValue": "3600", + "Required": false, + "Description": "Determines timeout in seconds for all Citrix ADC API calls." } ], "EntryParameters": [ 
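Review bot: The new Citrix ADC StorePassword description says `"Select 'No Value' if you desire an unencrypted private key to be uploaded"`, yet the same hunk flips `"StoreRequired"` from false to `true`; if StoreRequired makes the UI insist on a store password, the 'No Value' path the description offers is no longer reachable and one of the two should change. I cannot confirm from this file how Command treats 'No Value' against a required store password, so please verify the combination in the UI before merging. The PasswordOptions object is fully inside the hunk; the enclosing store type begins earlier.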
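Review bot: The new `timeout` property's DisplayName, `"Login Timeout in seconds"`, and its Description, `"Determines timeout in seconds for all Citrix ADC API calls."`, disagree about whether the value bounds only the login or every API call; pick one and make both say it. The lowercase `timeout` also appears to be the only non-PascalCase property name among the properties added in this diff (compare `ApiVersion`, `ServerUseSsl`, `PassphrasePath`), and because the Type is `String` nothing in the definition validates the value, so the Description should state what the extension does with a non-numeric or empty entry. The Properties array this hunk extends begins outside the hunk.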
@@ -1904,53 +2251,7 @@ "Description": "Login password for the F5 Big IQ device." } ], - "EntryParameters": [ - { - "Name": "Alias", - "DisplayName": "Alias (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "The name F5 Big IQ uses to identify the certificate" - }, - { - "Name": "Overwrite", - "DisplayName": "Overwrite (Reenrollment only)", - "Type": "Bool", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "False", - "Options": "", - "Description": "Allow overwriting an existing certificate when reenrolling?" - }, - { - "Name": "SANs", - "DisplayName": "SANs (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field." - } - ] + "EntryParameters": [] }, { "Name": "F5 CA Profiles REST", @@ -2408,7 +2709,7 @@ } }, "ClientMachineDescription": "The IP address or DNS of the Fortigate server", - "StorePathDescription": "This is not used in this integration, but is a required field in the UI. Just enter any value here" + "StorePathDescription": "Value must contain the VDOM this certificate store will be managing. `root` must be entered to manage the default 'root' VDOM." }, { "Name": "GCP Load Balancer", 
@@ -2447,6 +2748,70 @@ "StorePathDescription": "Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59).", "EntryParameters": [] }, + { + "Name": "GCPScrtMgr", + "ShortName": "GCPScrtMgr", + "Capability": "GCPScrtMgr", + "ServerRequired": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Optional", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default", + "StorePassword": { + "Description": "Password used to encrypt the private key of ALL certificate secrets. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information", + "IsPAMEligible": true + } + }, + "Properties": [ + { + "Name": "PasswordSecretSuffix", + "DisplayName": "Password Secret Location Suffix", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "If storing a certificate with an encrypted private key, this is the suffix to add to the certificate (secret) alias name where the encrypted private key password will be stored. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information" + }, + { + "Name": "IncludeChain", + "DisplayName": "Include Chain", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "True", + "Required": false, + "IsPAMEligible": false, + "Description": "Determines whether to include the certificate chain when adding a certificate as a secret." 
+ } + ], + "EntryParameters": [ + { + "Name": "tags", + "DisplayName": "Tags", + "Type": "String", + "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + } + ], + "ClientMachineDescription": "Not used", + "StorePathDescription": "The Project ID of the Google Secret Manager being managed." + }, { "Name": "Google Cloud Provider Apigee", "ShortName": "GcpApigee", @@ -2620,7 +2985,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -2672,9 +3037,18 @@ "DependsOn": "", "DefaultValue": "", "Required": false - } - ], - "EntryParameters": [], + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -2693,7 +3067,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, 
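Review bot: The GCPScrtMgr design keeps the password that encrypts each certificate's private key as another secret in the same project, named by `PasswordSecretSuffix`, so a principal that can read secrets in that project reads both the encrypted key and its password, and the encryption adds little unless the password secrets get separate IAM restrictions; the `PasswordSecretSuffix` Description should say so, e.g. append `"Restrict read access to the password secrets separately from the certificate secrets; anyone who can read both can recover the private key."`. The two descriptions in this entry that link to `(#certificate-encryption-details)` point at a README anchor that will not resolve from the Command UI where Description text is shown — naming the README section instead of linking would be more useful there. Both points assume Description strings are rendered to operators in the UI, which this file alone does not show.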
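Review bot: `"StorePathValue": "example: '/mycerts/certstore.jks?b64cert'"` puts explanatory text into a field that every other store type in this file uses as a literal value (`""` or `"/"`), and the `"StorePathDescription"` line a few lines above it is where an example belongs; if Command treats StorePathValue as a fixed or default store path, operators will get the literal string `example: '...'` as their path. The same pattern is in the `.p12` hunk later on this line and the `.pfx` hunk on the next line. Move the example text into StorePathDescription and keep `"StorePathValue": "",` in all three.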
@@ -2745,6 +3119,15 @@ "DependsOn": "", "DefaultValue": "", "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], @@ -2846,7 +3229,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -2898,6 +3281,15 @@ "DependsOn": "", "DefaultValue": "", "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], @@ -2962,6 +3354,15 @@ "DependsOn": "", "DefaultValue": "", "Required": true + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], 
@@ -3092,7 +3493,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -3101,7 +3502,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", @@ -3218,21 +3619,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { 
@@ -3283,6 +3669,7 @@ "Name": "K8SCert", "ShortName": "K8SCert", "Capability": "K8SCert", + "ClientMachineDescription": "The Kubernetes cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": false, @@ -3293,31 +3680,34 @@ }, "Properties": [ { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", "DependsOn": "", - "DefaultValue": "default", + "DefaultValue": null, "Required": false }, { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", "DependsOn": "", "DefaultValue": null, - "Required": false + "Required": true }, { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", + "Name": "KubeSecretName", + "DisplayName": "KubeSecretName", + "Description": "The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.", "Type": "String", "DependsOn": "", - "DefaultValue": "cert", - "Required": true + "DefaultValue": "", + "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3336,6 +3726,7 @@ "Name": "K8SCluster", "ShortName": "K8SCluster", "Capability": "K8SCluster", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
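Review bot: In the K8SCert Properties rewrite, `KubeSecretName`'s new Description reads `"The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster."`, which describes a CertificateSigningRequest name rather than a Secret name; either the property name or the Description is misleading, and if the extension still reads the property by this name the Description should at least say that a CSR name is expected here. `ServerPassword` is also `"Required": true` in K8SCert while the identical ServerPassword property added to K8SCluster, K8SJKS, K8SNS and K8SPKCS12 in this diff is `"Required": false`; the difference looks accidental and is worth aligning one way. The middle hunk on this line replaces the property list in the middle of the K8SCert entry, whose start and end lie outside it.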
@@ -3345,22 +3736,44 @@ "Remove": true }, "Properties": [ + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3379,6 +3792,7 @@ "Name": "K8SJKS", "ShortName": "K8SJKS", "Capability": "K8SJKS", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
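Review bot: The four properties this hunk leaves in K8SCluster mix `"DependsOn": null` (IncludeCertChain, SeparateChain) with `"DependsOn": ""` (ServerUsername, ServerPassword) inside one array, and the same mix recurs in the K8SNS and K8SJKS hunks further down; the rest of the file uses `""`, so `"DependsOn": "",` on the two chain properties avoids making the importer accept both spellings. The IncludeCertChain Description is the same long sentence repeated verbatim in four store types in this diff, which is tolerable for a generated file but turns any later wording fix into a four-place change. The K8SCluster entry begins before this hunk.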
@@ -3391,6 +3805,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", @@ -3399,6 +3814,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3407,22 +3823,25 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.", "Type": "String", "DependsOn": "", "DefaultValue": "jks", - "Required": true + "Required": false }, { "Name": "CertificateDataFieldName", "DisplayName": "CertificateDataFieldName", + "Description": "The field name to use when looking for certificate data in the K8S secret.", "Type": "String", "DependsOn": "", - "DefaultValue": ".jks", - "Required": true + "DefaultValue": null, + "Required": false }, { "Name": "PasswordFieldName", "DisplayName": "PasswordFieldName", + "Description": "The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.", "Type": "String", "DependsOn": "", "DefaultValue": "password", 
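Review bot: `CertificateDataFieldName` loses its `".jks"` default and becomes optional in the third hunk on this line, but its new Description, `"The field name to use when looking for certificate data in the K8S secret."`, does not say which field is used when the property is left empty; a reader of the old definition knew it was `.jks`, a reader of the new one cannot tell. If the extension has a built-in fallback, append it to the Description (e.g. `"Leave empty to use the extension's default field name."`), otherwise restore the default. The Properties array continues on the next line.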
@@ -3430,25 +3849,54 @@ }, { "Name": "PasswordIsK8SSecret", - "DisplayName": "Password Is K8S Secret", + "DisplayName": "PasswordIsK8SSecret", + "Description": "Indicates whether the password to the JKS keystore is stored in a separate K8S secret.", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", "Required": false }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the JKS keystore. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", 
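Review bot: The new `StorePasswordPath` Description ends with `"Example: `/`"`, which is no example at all — the tokens between the backticks look like angle-bracket placeholders that an HTML renderer stripped, and the same empty example appears in the K8SPKCS12 hunk further down. Spell the path form out in words so it survives rendering. This hunk also flips `"StoreRequired"` from false to `true` for K8SJKS (K8SPKCS12 gets the same change later); stores defined without a store password will presumably fail validation after import, so the change deserves a mention in the commit message.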
@@ -3464,6 +3912,7 @@ "Name": "K8SNS", "ShortName": "K8SNS", "Capability": "K8SNS", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
@@ -3476,27 +3925,50 @@ { "Name": "KubeNamespace", "DisplayName": "Kube Namespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", "Required": false }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, 
@@ -3515,6 +3987,7 @@ "Name": "K8SPKCS12", "ShortName": "K8SPKCS12", "Capability": "K8SPKCS12", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3525,12 +3998,13 @@ }, "Properties": [ { - "Name": "KubeSecretType", - "DisplayName": "Kube Secret Type", - "Type": "String", - "DependsOn": "", - "DefaultValue": "pkcs12", - "Required": true + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "CertificateDataFieldName", @@ -3543,6 +4017,7 @@ { "Name": "PasswordFieldName", "DisplayName": "Password Field Name", + "Description": "The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.", "Type": "String", "DependsOn": "", "DefaultValue": "password", @@ -3551,6 +4026,7 @@ { "Name": "PasswordIsK8SSecret", "DisplayName": "Password Is K8S Secret", + "Description": "Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object.", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", @@ -3559,6 +4035,7 @@ { "Name": "KubeNamespace", "DisplayName": "Kube Namespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", 
@@ -3567,24 +4044,53 @@ { "Name": "KubeSecretName", "DisplayName": "Kube Secret Name", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "KubeSecretType", + "DisplayName": "Kube Secret Type", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.", + "Type": "String", + "DependsOn": "", + "DefaultValue": "pkcs12", + "Required": false + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", @@ -3600,6 +4106,7 @@ "Name": "K8SSecret", "ShortName": "K8SSecret", "Capability": "K8SSecret", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
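Review bot: The new `StorePasswordPath` description ends with "Example: `/`", which reads as if angle-bracketed placeholders around the separator were stripped by markdown or HTML processing, leaving an example that tells the operator nothing. If the expected form is namespace and secret name, spell it out without angle brackets, for instance (constructed example) `"Description": "The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: my-namespace/my-password-secret"`. The `PasswordFieldName` description in the previous hunk refers to this property, so a usable example here matters for both.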
@@ -3612,6 +4119,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3620,6 +4128,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3628,27 +4137,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3667,6 +4199,7 @@ "Name": "K8STLSSecr", "ShortName": "K8STLSSecr", "Capability": "K8STLSSecr", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3679,6 +4212,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3687,6 +4221,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3695,27 +4230,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "tls_secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3730,6 +4288,65 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden" }, + { + "Name": "Kemp", + "ShortName": "Kemp", + "Capability": "Kemp", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Not used." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Kemp Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration)." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "IsPAMEligible": false, + "Description": "Should be true, http is not supported." + } + ], + "EntryParameters": [], + "ClientMachineDescription": "Kemp Load Balancer Client Machine and port example TestKemp:8443.", + "StorePathDescription": "Not used just put a /", + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "MyOrchestratorStoreType", "ShortName": "MOST", 
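Review bot: The Kemp `ServerPassword` description says the PAM alternative applies "if the username is stored in a KF Command configured PAM integration", but the field it documents is the password, and the sibling `ServerUsername` is described as "Not used." while still flagged `"IsPAMEligible": true`. Either the parenthetical should refer to the password, `"Description": "Kemp API password (or a valid PAM key if the password is stored in a Keyfactor Command configured PAM integration)."`, or the username entry should drop the PAM flag so operators are not led to store a secret in a field the extension ignores. Both credentials are `"Required": false`; if the API password is the only credential the extension sends, that presumably ought to be `true`, though the page does not show how the extension handles a missing value.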
@@ -4035,7 +4652,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4122,15 +4739,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4167,7 +4775,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4245,15 +4853,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
@@ -4271,6 +4870,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache Tomcat Restart,Jetty Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4368,15 +4976,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4500,15 +5099,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
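Review bot: The new `PostJobApplicationRestart` property tells the operator to "Leave unselected if no command is desired", but its `DefaultValue` of `"Apache Tomcat Restart,Jetty Restart"` offers no empty option; the `FileTransferProtocol` property removed in the hunks above used a leading comma, `",SCP,SFTP,Both"`, to provide exactly that blank choice. If the UI preselects the first option, every store created with defaults would run a Tomcat restart after each Add or ODKG job, so `"DefaultValue": ",Apache Tomcat Restart,Jetty Restart",` looks like the intended form, and likewise for the later hunk whose list starts with "Apache HTTPD Restart". That later list also spells `NGNIX`; if the extension matches on that literal string, the option value and the extension code need to change together.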
@@ -4545,7 +5135,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4659,15 +5249,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4685,6 +5266,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4704,7 +5294,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { 
@@ -4782,15 +5372,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4819,8 +5400,8 @@ "ShortName": "SOS", "Capability": "SOS", "LocalStore": false, - "StorePathDescription": "Path points to a local .json file. Orchestrator and its account should have read/write access.", - "ClientMachineDescription": "Runs on a Windows based machine.", + "StorePathDescription": "The name of the store as defined in the SOS system (i.e. SampleKeyStore2).", + "ClientMachineDescription": "The base URL of the SOS API (i.e. http://localhost:8080)", "SupportedOperations": { "Add": true, "Create": true, @@ -4871,7 +5452,7 @@ "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, - "OnReenrollment": false + "OnReenrollment": true }, "Description": "SAN string." }, @@ -4918,14 +5499,14 @@ ], "PasswordOptions": { "EntrySupported": true, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "PrivateKeyAllowed": "Optional", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": true, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Forbidden" }, { "Name": "Signum", 
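Review bot: The SOS `ClientMachineDescription` now gives `http://localhost:8080` as the example base URL, and the same change makes the store password required, so the example models credentials going to the API over plain HTTP. Something like (constructed example) `"ClientMachineDescription": "The base URL of the SOS API (e.g. https://sos.example.internal:8443)"` would do, with "e.g." rather than "i.e." since both new descriptions give examples rather than definitions. The page does not show whether the SOS integration supports TLS; if it does not, saying so in the description is better than an example that looks like a deliberate choice.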
@@ -4974,6 +5555,127 @@ "Style": "Default" } }, + { + "Name": "A10 Thunder Management Certificates", + "ShortName": "ThunderMgmt", + "Capability": "ThunderMgmt", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "OrchToScpServerIp", + "DisplayName": "Orch To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates." + }, + { + "Name": "ScpPort", + "DisplayName": "Port Used For Scp", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations." + }, + { + "Name": "ScpUserName", + "DisplayName": "UserName Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval." + }, + { + "Name": "ScpPassword", + "DisplayName": "Password Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval." 
+ }, + { + "Name": "A10ToScpServerIp", + "DisplayName": "A10 Device To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths." + }, + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.", + "StorePathDescription": "Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. 
The specified path must exist and the SCP user must have write permissions to this directory.", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "A10 Thunder Ssl Certificates", + "ShortName": "ThunderSsl", + "Capability": "ThunderSsl", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.", + "StorePathDescription": "A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "VMware-NSX", "ShortName": "VMware-NSX", 
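Review bot: Both new A10 store types default `allowInvalidCert` to `"true"` and mark it `Required`, so unless an operator changes it every store accepts any certificate from the vThunder management API, and the Server Username and Server Password credentials are sent to whatever answers at the Client Machine address. A fail-closed default, `"DefaultValue": "false",`, with the description changed to "Set to true only for devices that present a self-signed certificate" would make the trust decision explicit. Separately, the `ScpUserName` and `ScpPassword` descriptions say they support PAM integration, but unlike the Kemp entry earlier in this diff neither carries an `IsPAMEligible` key; if the consumer uses that key to decide PAM eligibility, the description is not currently backed by the definition.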
@@ -5035,6 +5737,105 @@ "ClientMachineDescription": "This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/ ", "StorePathDescription": "A selection from the different certificate types supported: Application, Controller, or CA." }, + { + "Name": "ADFS Rotation Manager", + "ShortName": "WinAdfs", + "Capability": "WinAdfs", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http,ssh", + "Required": true, + "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22." 
+ }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + } + ], + "EntryParameters": [ + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. 
For more information, refer to the section 'Using Crypto Service Providers'" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "My", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.", + "StorePathDescription": "Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default." + }, { "Name": "WinCerMgmt", "ShortName": "WinCerMgmt", @@ -5118,7 +5919,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5127,7 +5928,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
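Review bot: The ADFS `ClientMachineDescription` reads "Secondary ADFS Nodes will be automatically be updated", a doubled "be" worth fixing while the entry is new: `Secondary ADFS nodes will automatically be updated with the same certificate added on the PRIMARY ADFS server.` The same description says the orchestrator must run as an agent on the primary ADFS server, yet `WinRM Protocol` and `WinRM Port` are `"Required": true`; if the agent is expected to connect to itself over WinRM that is fine, but a sentence saying so would keep operators from pointing those fields at a remote host.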
@@ -5154,21 +5955,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { @@ -5232,7 +6018,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5241,7 +6027,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
@@ -5289,21 +6075,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs." } ], "PasswordOptions": { @@ -5501,7 +6272,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The vCenter username used to manage the vCenter connection" }, { @@ -5511,7 +6282,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The secret vCenter password used to manage the vCenter connection" } ] From e6baf1fdbabcd83df1b7ab37e6ccc3cab5fb665f Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:26:21 -0700 Subject: [PATCH 4/4] chore(ci): bump all actions to latest versions - actions/checkout v4 -> v6 - actions/github-script v7 -> v9 - actions/upload-artifact v4 -> v7 - Keyfactor/add-and-commit v9.1.3 -> v9.1.4 Addresses Node.js 20 deprecation warnings from the previous run. --- .github/workflows/update-stores.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/update-stores.yml b/.github/workflows/update-stores.yml index c4543374..5925cc1f 100644 --- a/.github/workflows/update-stores.yml +++ b/.github/workflows/update-stores.yml 
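Review bot: The vCenter entries flip `IsPamEligable` to `true`, but that key is spelled differently from the `IsPAMEligible` key the new Kemp entry in this same diff uses; if the consumer reads `IsPAMEligible`, this change has no effect and the username and password stay ineligible for PAM. Assuming `IsPAMEligible` is the canonical spelling, the two lines should be `"IsPAMEligible": true,`. The enclosing property array starts before this hunk.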
@@ -47,7 +47,7 @@ jobs: - name: Check Open PRs for Existing Branch id: check-branch - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: script: | const owner = context.repo.owner; @@ -79,7 +79,7 @@ jobs: # If the branch with an open PR already exists, first check out that branch from kfutil - name: Check out existing repo merge branch if: env.PR_BRANCH == 'commit' - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: 'keyfactor/kfutil' sparse-checkout: | @@ -92,7 +92,7 @@ jobs: # If the branch does not exist, first check out the main branch from kfutil. - name: Check out main if: env.PR_BRANCH == 'create' - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: 'keyfactor/kfutil' sparse-checkout: | @@ -109,7 +109,7 @@ jobs: # Checkout and run the python tool - name: Check out python merge tool repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: 'keyfactor/integration-tools' path: './tools/' @@ -124,7 +124,7 @@ jobs: - name: Save Store Types JSON Artifact if: success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: store-types path: | @@ -133,14 +133,14 @@ jobs: - name: Save Invalid Store Types JSON Artifact if: success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: invalid-repos path: ./tools/store-type-merge/invalid_repos.json - name: Save logs directory if: success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: logs path: ./tools/store-type-merge/log @@ -170,7 +170,7 @@ jobs: # Both steps will contain a check for the UPDATE_FILE variable before running - name: Add and Commit to newly created branch if: ${{ env.UPDATE_FILE == 'T' && env.PR_BRANCH == 'create' }} - uses: Keyfactor/add-and-commit@v9.1.3 + uses: Keyfactor/add-and-commit@v9.1.4 env: GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }} with: 
@@ -185,7 +185,7 @@ jobs: - name: Add and Commit to existing branch if: ${{ env.UPDATE_FILE == 'T' && env.PR_BRANCH == 'commit' }} - uses: Keyfactor/add-and-commit@v9.1.3 + uses: Keyfactor/add-and-commit@v9.1.4 env: GITHUB_TOKEN: ${{ secrets.SDK_SYNC_PAT }} with: @@ -213,7 +213,7 @@ jobs: const response = await github.rest.pulls.create({ owner, repo, - title: 'New Pull Request - ${{env.KFUTIL_ARG}}:${{env.TARGET_REPO_BRANCH}}', + title: 'Store Types Update - ${{env.KFUTIL_ARG}}:${{env.TARGET_REPO_BRANCH}}', head: newBranch, base: baseBranch, body: 'The cert store update from ${{env.KFUTIL_ARG}}:${{env.TARGET_REPO_BRANCH}} needs to be verified and merged if correct.',
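Review bot: The rewritten `title:` line in the `@@ -213` hunk still splices `${{env.KFUTIL_ARG}}` and `${{env.TARGET_REPO_BRANCH}}` directly into the JavaScript source of the `script:` block; these expressions are expanded by the runner before Node parses the script, so a value containing a single quote or `${` alters the code rather than the string. Whether those env values can be influenced from outside (a dispatch input, a branch name) is not visible in this hunk, so the actual exposure is unclear, but the safe form costs nothing: read them from the step environment, ``title: `Store Types Update - ${process.env.KFUTIL_ARG}:${process.env.TARGET_REPO_BRANCH}`,`` and the same for the unchanged `body:` line, which carries the identical interpolation. Workflow- or job-level `env` entries are exposed to the step as process environment variables, so no extra mapping should be needed if they are defined there; confirm where `KFUTIL_ARG` and `TARGET_REPO_BRANCH` are set. The `github.rest.pulls.create` call's enclosing `script:` begins before this hunk.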
