diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d9fc8c..a8529f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +- 1.1.0 + - Enabled Flag For Gateway + - Dual Build Support - 1.0.0 - First production release of the Aruba Clearpass AnyCA Gateway REST plugin that implements: - CA Sync @@ -7,3 +10,6 @@ - Support certificate renewal/re-issuance (new public/private keys with the same or different domain names) - Certificate revocation - Request revocation of a previously issued certificate + + + diff --git a/README.md b/README.md index de37877..4ee8938 100644 --- a/README.md +++ b/README.md @@ -54,8 +54,6 @@ The Aruba Clearpass Gateway AnyCA Gateway REST plugin is supported by Keyfacto ## Requirements ---- - ### ClearPass Onboard: Setting Up an API Client #### Step 1: Access ClearPass Admin Console @@ -81,7 +79,9 @@ The Aruba Clearpass Gateway AnyCA Gateway REST plugin is supported by Keyfacto - Select **ClearPass REST API - Client will be used for API calls to ClearPass** from the **Operating Mode** dropdown. - **Operator Profile**: + - Select **Super Administrator** from the **Operator Profile** dropdown. + - This profile will provide the API client with the necessary permissions to interact with ClearPass. - **Grant Type**: @@ -94,7 +94,6 @@ The Aruba Clearpass Gateway AnyCA Gateway REST plugin is supported by Keyfacto - **Note:** The client secret is used in the OAuth2 `client_secret` parameter and will be encrypted once stored, so be sure to copy it securely. #### Step 4: Set Token Lifetimes - - **Access Token Lifetime**: - Enter `8` in the **Access Token Lifetime** field. - Select **hours** from the dropdown. This means the access token will be valid for 8 hours. 
@@ -166,13 +165,16 @@ At the time of writing, there was no API call available to get a list of Certifi 2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [Aruba Clearpass Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/aruba-clearpass-caplugin/releases/latest) from GitHub. -3. Copy the unzipped directory (usually called `net6.0`) to the Extensions directory: +3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory: + ```shell + Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations: Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions + Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions ``` - > The directory containing the Aruba Clearpass Gateway AnyCA Gateway REST plugin DLLs (`net6.0`) can be named anything, as long as it is unique within the `Extensions` directory. + > The directory containing the Aruba Clearpass Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory. 4. Restart the AnyCA Gateway REST service. @@ -184,7 +186,7 @@ At the time of writing, there was no API call available to get a list of Certifi * **Gateway Registration** - TODO Gateway Registration is a required section + Each defined Certificate Authority in the AnyCA Gateway REST can support one issuing certificate authority. Since Aruba ClearPass Onboard has multiple available Certificate Authorities, if you require certificate enrollment from multiple Aruba ClearPass Certificate Authorities, you must define multiple Certificate Authorities in the AnyCA Gateway REST. This will manifest in Command as one Aruba ClearPass CA per defined Certificate Authority. * **CA Connection** 
@@ -194,6 +196,7 @@ At the time of writing, there was no API call available to get a list of Certifi * **BaseUrl** - Base Url for ClearPass API such as https://url:8443 * **ClearPassApiClient** - ClearPass API Client Name * **ClearPassCaId** - ClearPass Ca Id. Example would be 2. In ClearPass Onboard UI, click edit on the Ca and look at the id in the Url. + * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. 2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The Aruba Clearpass Gateway plugin supports the following product IDs: @@ -205,12 +208,6 @@ At the time of writing, there was no API call available to get a list of Certifi 3. Follow the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Keyfactor.htm) to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates. -4. In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the [official documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Configuring%20Template%20Options.htm) to define enrollment fields for each of the following parameters: - - * **NumberOfDaysValid** - OPTIONAL: The number of days of validity to use when requesting certs. If not provided, default is 365. - - - ## License diff --git a/aruba-clearpass-caplugin.sln b/aruba-clearpass-caplugin.sln index 41212d2..b6ddd0b 100644 --- a/aruba-clearpass-caplugin.sln 
+++ b/aruba-clearpass-caplugin.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 16 -VisualStudioVersion = 16.0.31729.503 +VisualStudioVersion = 17.10.35027.167 MinimumVisualStudioVersion = 10.0.40219.1 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "aruba-clearpass-caplugin", "aruba-clearpass-caplugin/aruba-clearpass-caplugin.csproj", "{9D2D6ED9-4626-430C-879D-0FE0FEBED146}" EndProject diff --git a/aruba-clearpass-caplugin/ArubaClearPassCAPlugin.cs b/aruba-clearpass-caplugin/ArubaClearPassCAPlugin.cs index 7271cb0..810d9f3 100644 --- a/aruba-clearpass-caplugin/ArubaClearPassCAPlugin.cs +++ b/aruba-clearpass-caplugin/ArubaClearPassCAPlugin.cs @@ -1,4 +1,4 @@ -using Keyfactor.AnyGateway.Extensions; +using Keyfactor.AnyGateway.Extensions; using Keyfactor.Extensions.CAPlugin.ArubaClearPass.Client; using Keyfactor.Logging; using Keyfactor.PKI.Enums.EJBCA; @@ -128,6 +128,13 @@ public async Task Enroll(string csr, string subject, Dictionar public async Task Ping() { _logger.MethodEntry(LogLevel.Trace); + if (!_config.Enabled) + { + _logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping connectivity test..."); + _logger.MethodExit(LogLevel.Trace); + return; + } + try { _logger.LogInformation($"Attempting to authenticate"); @@ -159,7 +166,21 @@ public async Task Ping() public async Task ValidateCAConnectionInfo(Dictionary connectionInfo) { - _logger.LogInformation("Validation successful"); + try + { + if (!(bool)connectionInfo[ArubaClearPassConstants.Config.Enabled]) + { + _logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); + _logger.MethodExit(LogLevel.Trace); + return; + } + } + catch (Exception ex) + { + _logger.LogError($"Exception: {LogHandler.FlattenException(ex)}"); + } + + _logger.LogInformation("Validating CA Connection Info"); List errors = new List(); 
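Review bot: The `_config.Enabled` guard added at the top of `Ping()` is, within this diff, applied only to `Ping()` and `ValidateCAConnectionInfo`; no hunk touches `Enroll`, revocation or synchronization, so a CA marked Disabled may still issue or revoke certificates if those paths are reached. If Disabled is meant to stop every CA operation, as the warning text "It must be Enabled to perform operations" suggests, each of those methods should begin with the same check and fail explicitly, for example `if (!_config.Enabled) throw new InvalidOperationException("The CA is disabled.");` or whatever failure result those methods already return. Those methods lie outside the visible hunks, so this needs confirming against the full file. The `$` prefix on the warning string can be dropped because the string has no placeholders.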
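Review bot: In `ValidateCAConnectionInfo`, the new `(bool)connectionInfo[ArubaClearPassConstants.Config.Enabled]` cast sits inside a catch-all, so a missing key or a value that arrives as a string or another non-`bool` type throws, is logged as an error, and the method then runs the full validation as if the CA were enabled; a configured `false` can be ignored without the operator being told why. Reading the flag with `TryGetValue` and `bool.TryParse` makes the missing and malformed cases explicit instead of relying on exception flow, and keeps the fallback on the side that still validates. The early return also calls `_logger.MethodExit` although no matching `MethodEntry` is visible in this hunk. The rest of the method body continues outside the hunk.

```csharp
// A missing key keeps the default (enabled); an unreadable value is reported and
// treated as enabled so that the connection checks below still run.
bool enabled = true;
if (connectionInfo.TryGetValue(ArubaClearPassConstants.Config.Enabled, out var rawEnabled)
    && !bool.TryParse(rawEnabled?.ToString(), out enabled))
{
    _logger.LogError("The Enabled setting could not be read as a boolean; treating the CA as enabled.");
    enabled = true;
}

if (!enabled)
{
    _logger.LogWarning("The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation...");
    return;
}

_logger.LogInformation("Validating CA Connection Info");
// … unchanged: errors list and per-field checks …
```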
@@ -181,7 +202,7 @@ public async Task ValidateCAConnectionInfo(Dictionary connection errors.Add("The Base URL needs http:// or https://"); } - _logger.LogTrace("Checking the API Secret."); + _logger.LogTrace("Checking the API Client."); string apiClient = connectionInfo.ContainsKey(ArubaClearPassConstants.Config.ClearPassApiClient) ? (string)connectionInfo[ArubaClearPassConstants.Config.ClearPassApiClient] : string.Empty; if (string.IsNullOrWhiteSpace(apiClient)) { @@ -245,6 +266,13 @@ public Dictionary GetCAConnectorAnnotations() Hidden = false, DefaultValue = "", Type = "String" + }, + [ArubaClearPassConstants.Config.Enabled] = new PropertyConfigInfo() //No Call Available to get a list of the CAs with Ids in API so... + { + Comments = "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available.", + Hidden = false, + DefaultValue = true, + Type = "Boolean" } }; } @@ -280,5 +308,4 @@ Task IAnyCAPlugin.GetSingleRecord(string caRequestID) } } -} - +} \ No newline at end of file diff --git a/aruba-clearpass-caplugin/ArubaClearPassConfig.cs b/aruba-clearpass-caplugin/ArubaClearPassConfig.cs index cea0941..6af740a 100644 --- a/aruba-clearpass-caplugin/ArubaClearPassConfig.cs +++ b/aruba-clearpass-caplugin/ArubaClearPassConfig.cs @@ -11,5 +11,6 @@ public ArubaClearPassConfig() public string BaseUrl { get; set; } public string ClearPassApiClient { get; set; } public string ClearPassCaId { get; set; } + public bool Enabled { get; set; } = true; } -} +} \ No newline at end of file diff --git a/aruba-clearpass-caplugin/Constants.cs b/aruba-clearpass-caplugin/Constants.cs index 84ce753..0d8e457 100644 --- a/aruba-clearpass-caplugin/Constants.cs +++ b/aruba-clearpass-caplugin/Constants.cs 
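Review bot: The trailing comment on the new `Enabled` entry in `GetCAConnectorAnnotations`, `//No Call Available to get a list of the CAs with Ids in API so...`, reads as if it was carried over from another entry and does not describe this flag. Replace it with something like `// Lets the CA be created before connection details are known; Ping and validation are skipped while false`, or drop it. `DefaultValue = true` is a `bool` while the entry just above uses a string default (`""`), so it is worth confirming that the gateway accepts a non-string default for `Type = "Boolean"`. The method body starts outside the hunk.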
@@ -8,6 +8,7 @@ public class Config public const string ClearPassApiClient = "ClearPassApiClient"; public const string ClientSecret = "ClientSecret"; public const string ClearPassCaId = "ClearPassCaId"; + public const string Enabled = "Enabled"; } public class Products @@ -24,4 +25,4 @@ public class ProductParams public const string NumberOfDaysValid = "NumberOfDaysValid"; } } -} +} \ No newline at end of file diff --git a/aruba-clearpass-caplugin/aruba-clearpass-caplugin.csproj b/aruba-clearpass-caplugin/aruba-clearpass-caplugin.csproj index f1979c4..fd0b9cd 100644 --- a/aruba-clearpass-caplugin/aruba-clearpass-caplugin.csproj +++ b/aruba-clearpass-caplugin/aruba-clearpass-caplugin.csproj @@ -1,7 +1,7 @@  - net6.0 + net6.0;net8.0 Keyfactor.Extensions.CAPlugin.ArubaClearPass disable disable diff --git a/integration-manifest.json b/integration-manifest.json index 00d0271..9f6f766 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -1,5 +1,5 @@ { - "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", + "$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json", "integration_type": "anyca-plugin", "name": "Aruba Clearpass AnyCA REST Gateway Plugin", "status": "pilot", @@ -8,7 +8,8 @@ "update_catalog": true, "description": "Aruba Clearpass plugin for the AnyCA REST Gateway framework", "gateway_framework": "24.2.0", - "release_dir": "aruba-clearpass-caplugin/bin/Release/net6.0", + "release_dir": "aruba-clearpass-caplugin/bin/Release", + "release_project": "aruba-clearpass-caplugin/aruba-clearpass-caplugin.csproj", "about": { "carest": { "ca_plugin_config": [ 
@@ -27,6 +28,10 @@ { "name": "ClearPassCaId", "description": "ClearPass Ca Id. Example would be 2. In ClearPass Onboard UI, click edit on the Ca and look at the id in the Url." + }, + { + "name": "Enabled", + "description": "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available." } ], "enrollment_config": [