Merge pull request #4 from Keyfactor/release-1.0

Merge 1.0.0 to main

Author: spbsoluble

README.md

@@ -1,93 +1,222 @@
-# cpr-cagateway-template
+<h1 align="center" style="border-bottom: none">
+    Aruba Clearpass   Gateway AnyCA Gateway REST Plugin
+</h1>
+
+<p align="center">
+  <!-- Badges -->
+<img src="https://img.shields.io/badge/integration_status-pilot-3D1973?style=flat-square" alt="Integration Status: pilot" />
+<a href="https://github.com/Keyfactor/aruba-clearpass-caplugin/releases"><img src="https://img.shields.io/github/v/release/Keyfactor/aruba-clearpass-caplugin?style=flat-square" alt="Release" /></a>
+<img src="https://img.shields.io/github/issues/Keyfactor/aruba-clearpass-caplugin?style=flat-square" alt="Issues" />
+<img src="https://img.shields.io/github/downloads/Keyfactor/aruba-clearpass-caplugin/total?style=flat-square&label=downloads&color=28B905" alt="GitHub Downloads (all assets, all releases)" />
+</p>
+
+<p align="center">
+  <!-- TOC -->
+  <a href="#support">
+    <b>Support</b>
+  </a> 
+  ·
+  <a href="#requirements">
+    <b>Requirements</b>
+  </a>
+  ·
+  <a href="#installation">
+    <b>Installation</b>
+  </a>
+  ·
+  <a href="#license">
+    <b>License</b>
+  </a>
+  ·
+  <a href="https://github.com/orgs/Keyfactor/repositories?q=anycagateway">
+    <b>Related Integrations</b>
+  </a>
+</p>
+
+
+The Clearpass AnyCA Gateway REST plugin extends the capabilities of Aruba Clearpass Onboard to Keyfactor Command via the Keyfactor AnyCA Gateway REST. The plugin represents a fully featured AnyCA REST Plugin with the following capabilies :
+* CA Sync:
+    * Download all certificates issued to the customer by the Clearpass CA.
+* Certificate enrollment for the Clearpass products listed in the manifest file:
+    * Support certificate enrollment (new keys/certificate)
+        * Support certificate re-issuance/renewal (new public/private keys with the same or different domain names).
+* Certificate revocation:
+    * Request revocation of a previously issued certificate.
+
+## Compatibility
+
+The Aruba Clearpass   Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.
+
+## Support
+The Aruba Clearpass   Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. 
+
+> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
+
+## Requirements
 
-## Template for new CA Gateway integrations
+---
 
-### Use this repository to create new integrations for new CA Gateway integration types. 
+### ClearPass Onboard: Setting Up an API Client
 
+#### Step 1: Access ClearPass Admin Console
+1. **Login** to the ClearPass Admin console using your administrator credentials.
+2. Navigate to **Administration** > **API Services** > **API Clients**.
 
-1. [Use this repository](#using-the-repository)
-1. [Update the integration-manifest.json](#updating-the-integration-manifest.json)
-1. [Add Keyfactor Bootstrap Workflow (keyfactor-bootstrap-workflow.yml)](#add-bootstrap)
-1. [Create required branches](#create-required-branches)
-1. [Replace template files/folders](#replace-template-files-and-folders)
-1. [Create initial prerelease](#create-initial-prerelease)
----
+#### Step 2: Create a New API Client
+1. Click on the **Add API Client** button to create a new API client.
 
-#### Using the repository
-1. Select the ```Use this template``` button at the top of this page
-1. Update the repository name following [these guidelines](https://keyfactorinc.sharepoint.com/sites/IntegrationWiki/SitePages/GitHub-Processes.aspx#repository-naming-conventions) 
-    1. All repositories must be in lower-case
-	1. General pattern: company-product-type
-	1. e.g. hashicorp-vault-orchestator
-1. Click the ```Create repository``` button
+#### Step 3: Configure the API Client
 
----
+- **Client ID**:
+  - Enter some value such as `Client1` in the **Client ID** field.
+  - This is the value you will use in Keyfactor for the API Client ID when setting up the CA.
 
-#### Updating the integration-manifest.json
+- **Description**:
+  - You can provide a description for this API client, such as "Sample API client for testing purposes," in the **Description** field.
 
-*The following properties must be updated in the integration-manifest.json*
+- **Enabled**:
+  - Ensure the **Enabled** checkbox is selected. This means the API client will be active and able to make API calls.
 
-Clone the repository locally, use vsdev.io, or the GitHub online editor to update the file.
+- **Operating Mode**:
+  - Select **ClearPass REST API - Client will be used for API calls to ClearPass** from the **Operating Mode** dropdown.
 
-* "name": "Friendly name for the integration"
-	* This will be used in the readme file generation and catalog entries
-* "description": "Brief description of the integration."
-	* This will be used in the readme file generation
-	* If the repository description is empty this value will be used for the repository description upon creating a release branch
-* "release_dir": "PATH\\\TO\\\BINARY\\\RELEASE\\\OUTPUT\\\FOLDER"
-	* Path separators can be "\\\\" or "/"
-	* Be sure to specify the release folder name. This can be found by running a Release build and noting the output folder
-	* Example: "AzureAppGatewayOrchestrator\\bin\\Release"
-* "gateway_framework": "" string denoting the required command gateway framework version
----
+- **Operator Profile**:
+  - Select **Super Administrator** from the **Operator Profile** dropdown.
+  - This profile will provide the API client with the necessary permissions to interact with ClearPass.
 
-#### Add Bootstrap 
-Add Keyfactor Bootstrap Workflow (keyfactor-bootstrap-workflow.yml). This can be copied directly from the workflow templates or through the Actions tab
-* Directly:
-    1. Create a file named ```.github\workflows\keyfactor-bootstrap-workflow.yml``` 
-	1. Copy the contents of [keyfactor/.github/workflow-templates/keyfactor-bootstrap-workflow.yml](https://raw.githubusercontent.com/Keyfactor/.github/main/workflow-templates/keyfactor-bootstrap-workflow.yml) into the file created in the previous step
-* Actions tab:
-    1. Navigate to the [Actions tab](./actions) in the new repository
-	1. Click the ```New workflow``` button
-	1. Find the ```Keyfactor Bootstrap Workflow``` and click the ```Configure``` button
-	1. Click the ```Commit changes...``` button on this screen and the next to add the bootstrap workflow to the main branch
-	
-A new build will run the tasks of a *Push* trigger on the main branch
-
-*Ensure there are no errors during the workflow run in the Actions tab.*
+- **Grant Type**:
+  - Select **Client credentials (`grant_type=client_credentials`)** from the **Grant Type** dropdown.
+  - This means the API client will authenticate using its client credentials.
 
----
+- **Client Secret**:
+  - Since this is a non-public client, ensure the **Generate a new client secret** checkbox is selected.
+  - The system will generate a new client secret. For example, `FFFDDDCCCRRR4444DDDDDDDDDDD`.
+  - **Note:** The client secret is used in the OAuth2 `client_secret` parameter and will be encrypted once stored, so be sure to copy it securely.
+
+#### Step 4: Set Token Lifetimes
 
-#### Create required branches 
-1. Create a release branch from main: release-1.0
-1. Create a dev branch from the starting with the devops id in the format ab#\<DevOps-ID>, e.g. ab#53535. 
-    1. For the cleanest pull request merge, create the dev branch from the release branch. 
-	1. Optionally, add a suffix to the branch name indicating initial release. e.g. ab#53535-initial-release
+- **Access Token Lifetime**:
+  - Enter `8` in the **Access Token Lifetime** field.
+  - Select **hours** from the dropdown. This means the access token will be valid for 8 hours.
+
+#### Step 5: Save the API Client
+1. Once all fields are configured, click the **Create API Client** button to save the new API client.
+2. If you need to cancel, click the **Cancel** button.
+
+#### Step 6: Use the API Client
+- Use the **Client ID** (`Client1`) and **Client Secret** (`FFFDDDCCCRRR4444DDDDDDDDDDD`) in your Gateway Configuration Settings.
 
 ---
 
+### Getting the Certificate Authority ID in Aruba ClearPass Onboard
+
+#### Steps to Get the Certificate Authority ID
+
+1. **Log in to ClearPass Policy Manager**:
+   - Open your web browser and navigate to the ClearPass Policy Manager login page.
+   - Enter your credentials and log in.
+
+2. **Navigate to the Certificate Authorities Page**:
+   - Go to **Onboard** > **Certificate Authorities**.
 
-#### Replace template files and folders
-1. Replace the contents of readme_source.md
-1. Create a CHANGELOG.md file in the root of the repository indicating ```1.0: Initial release```
-1. Replace the SampleOrchestratorExtension.sln solution file and SampleOrchestratorExtension folder with your new orchestrator dotnet solution
-1. Push your updates to the dev branch (ab#xxxxx)
+3. **Select the Certificate Authority**:
+   - Find the Certificate Authority you are interested in.
+   - Click the **Edit** button next to the Certificate Authority.
+
+4. **Locate the ID in the URL**:
+   - Once the edit page opens, look at the URL in your browser's address bar.
+   - The ID of the Certificate Authority will be part of the URL. It usually appears as a numeric value after `id=`.
+
+5. **Command Gateway Translation**:
+   - This will be used when setting up the Gateway as the CaId as explained in the Configuration section.
+
+#### Note
+At the time of writing, there was no API call available to get a list of Certificate Authorities in ClearPass Onboard. Therefore, this method of extracting the ID from the URL was the only known way to obtain it.
 
 ---
 
+### Aruba ClearPass Onboard Trust Chain Bundle Download
+
+#### Steps to Download a Trust Chain Bundle
+
+1. **Log in to ClearPass Policy Manager**:
+   - Open your web browser and navigate to the ClearPass Policy Manager login page.
+   - Enter your credentials and log in.
+
+2. **Navigate to the Certificate Authority Trust Chain Page**:
+   - Go to **Onboard** > **Certificate Authorities**.
+   - Click on the appropriate **Certificate Authority**.
+   - Click the **Trust Chain** link.
+
+3. **Download the Trust Chain Bundle**:
+   - Click the **Download Bundle** link on the Certificate Authority Trust Chain page.
+   - The **Export Certificate** form will open.
+   - In the **Format** row, choose the certificate format.
+   - Follow the prompts to download the trust chain bundle.
+
+4. **Save the Bundle**:
+   - Save the downloaded bundle to a secure location on your computer.
+   
+5. **Using The Intermediate Certificate**:
+   - Extract the Intermediate Certificate from the Bundle.  This will be the certificate used when setting up the CA on the Gateway.
+
+## Installation
+
+1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm).
+
+2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [Aruba Clearpass   Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aruba-clearpass-caplugin/releases/latest) from GitHub.
+
+3. Copy the unzipped directory (usually called `net6.0`) to the Extensions directory:
+
+    ```shell
+    Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
+    ```
+
+    > The directory containing the Aruba Clearpass   Gateway AnyCA Gateway REST plugin DLLs (`net6.0`) can be named anything, as long as it is unique within the `Extensions` directory.
+
+4. Restart the AnyCA Gateway REST service.
+
+5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the Aruba Clearpass   Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
+
+## Configuration
+
+1. Follow the [official AnyCA Gateway REST documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) to define a new Certificate Authority, and use the notes below to configure the **Gateway Registration** and **CA Connection** tabs:
+
+    * **Gateway Registration**
+
+        TODO Gateway Registration is a required section
+
+    * **CA Connection**
+
+        Populate using the configuration fields collected in the [requirements](#requirements) section.
+
+        * **ClientSecret** - Client Secret for Generating Bearer Token 
+        * **BaseUrl** - Base Url for ClearPass API such as https://url:8443 
+        * **ClearPassApiClient** - ClearPass API Client Name 
+        * **ClearPassCaId** - ClearPass Ca Id.  Example would be 2. In ClearPass Onboard UI, click edit on the Ca and look at the id in the Url. 
+
+2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The Aruba Clearpass   Gateway plugin supports the following product IDs:
+
+    * **ca**
+    * **code-signing**
+    * **https**
+    * **tls-client**
+    * **trusted**
+
+3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
+
+4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters:
+
+    * **NumberOfDaysValid** - OPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365. 
+
+
 
-#### Create initial prerelease
-1. Create a pull request from the dev branch to the release-1.0 branch
 
 
-----
+## License
 
-When the repository is ready for SE Demo, change the following property:
-* "status": "pilot"
+Apache License 2.0, see [LICENSE](LICENSE).
 
-When the integration has been approved by Support and Delivery teams, change the following property:
-* "status": "production"
+## Related Integrations
 
-If the repository is ready to be published in the public catalog, the following properties must be updated:
-* "update_catalog": true
-* "link_github": true
+See all [Keyfactor Any CA Gateways (REST)](https://github.com/orgs/Keyfactor/repositories?q=anycagateway).

aruba-clearpass-caplugin/ArubaClearPassCAPlugin.cs

@@ -1,22 +1,16 @@
 using Keyfactor.AnyGateway.Extensions;
-using Keyfactor.Common;
-using Keyfactor.Common.Exceptions;
 using Keyfactor.Extensions.CAPlugin.ArubaClearPass.Client;
-using Keyfactor.Extensions.CAPlugin.ArubaClearPass.Models;
 using Keyfactor.Logging;
-using Keyfactor.PKI.Enums;
 using Keyfactor.PKI.Enums.EJBCA;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Logging.Abstractions;
-using Microsoft.VisualBasic;
-
 using Newtonsoft.Json;
-
-using Org.BouncyCastle.Asn1.X509;
+using System;
 using System.Collections.Concurrent;
-using System.Runtime.ConstrainedExecution;
-using System.Runtime.InteropServices;
-using static Keyfactor.PKI.PKIConstants.Microsoft;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+
 
 using ArubaClearPassConstants = Keyfactor.Extensions.CAPlugin.ArubaClearPass.Constants;
 
@@ -280,6 +274,11 @@ public List<string> GetProductIds()
             };
         }
 
+        Task<AnyCAPluginCertificate> IAnyCAPlugin.GetSingleRecord(string caRequestID)
+        {
+            throw new NotImplementedException();
+        }
+
     }
 }
 

aruba-clearpass-caplugin/Client/ClearPassClient.cs

@@ -7,9 +7,13 @@
 using Microsoft.Extensions.Logging;
 using Keyfactor.Logging;
 using Keyfactor.PKI.Enums.EJBCA;
-using Org.BouncyCastle.Tls;
 using Certificate = Keyfactor.Extensions.CAPlugin.ArubaClearPass.Models.Certificate;
 using Keyfactor.Extensions.CAPlugin.Aruba.Models;
+using System.Net.Http;
+using System;
+using System.Threading.Tasks;
+using System.Collections.Generic;
+using System.Threading;
 
 namespace Keyfactor.Extensions.CAPlugin.ArubaClearPass.Client
 {

aruba-clearpass-caplugin/Constants.cs

@@ -1,10 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace Keyfactor.Extensions.CAPlugin.ArubaClearPass
+namespace Keyfactor.Extensions.CAPlugin.ArubaClearPass
 {
 	public class Constants
 	{

aruba-clearpass-caplugin/Models/AuthPrivileges.cs

@@ -1,8 +1,5 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
+using System.Collections.Generic;
+
 
 namespace Keyfactor.Extensions.CAPlugin.Aruba.Models
 {

aruba-clearpass-caplugin/Models/Certificate.cs

@@ -1,8 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using Newtonsoft.Json;
 
 namespace Keyfactor.Extensions.CAPlugin.ArubaClearPass.Models

aruba-clearpass-caplugin/Models/CertificateListResponse.cs

@@ -1,5 +1,4 @@
 using Newtonsoft.Json;
-using System;
 using System.Collections.Generic;
 
 

aruba-clearpass-caplugin/Models/EnrollCertificateRequest.cs

@@ -1,9 +1,4 @@
 using Newtonsoft.Json;
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace Keyfactor.Extensions.CAPlugin.ArubaClearPass.Models
 {