diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
index c9b180cc..cfa4fa2e 100644
--- a/.github/workflows/keyfactor-starter-workflow.yml
+++ b/.github/workflows/keyfactor-starter-workflow.yml
@@ -11,17 +11,17 @@ on:
jobs:
call-starter-workflow:
- uses: keyfactor/actions/.github/workflows/starter.yml@v4
+ uses: keyfactor/actions/.github/workflows/starter.yml@v5
with:
- command_token_url: ${{ vars.COMMAND_TOKEN_URL }} # Only required for doctool generated screenshots
- command_hostname: ${{ vars.COMMAND_HOSTNAME }} # Only required for doctool generated screenshots
- command_base_api_path: ${{ vars.COMMAND_API_PATH }} # Only required for doctool generated screenshots
+ command_token_url: ${{ vars.COMMAND_TOKEN_URL }}
+ command_hostname: ${{ vars.COMMAND_HOSTNAME }}
+ command_base_api_path: ${{ vars.COMMAND_API_PATH }}
secrets:
- token: ${{ secrets.V2BUILDTOKEN}} # REQUIRED
- gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} # Only required for golang builds
- gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} # Only required for golang builds
- scan_token: ${{ secrets.SAST_TOKEN }} # REQUIRED
- entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} # Only required for doctool generated screenshots
- entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} # Only required for doctool generated screenshots
- command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} # Only required for doctool generated screenshots
- command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} # Only required for doctool generated screenshots
\ No newline at end of file
+ token: ${{ secrets.V2BUILDTOKEN}}
+ gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
+ gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+ scan_token: ${{ secrets.SAST_TOKEN }}
+ entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }}
+ entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }}
+ command_client_id: ${{ secrets.COMMAND_CLIENT_ID }}
+ command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }}
\ No newline at end of file
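Review bot: The reusable workflow is still referenced by the mutable tag `@v5` while this job forwards `KF_GPG_PRIVATE_KEY`, `DOCTOOL_ENTRA_PASSWD` and `COMMAND_CLIENT_SECRET` to it, so whoever can move that tag controls what receives those secrets; pin to a full commit SHA, e.g. `uses: keyfactor/actions/.github/workflows/starter.yml@<full-sha> # v5`, and let Dependabot bump it. Both repositories appear to sit under the same org, so the exposure is a mis-moved or compromised tag rather than a third party, but a SHA pin costs nothing here. The deleted trailing comments were the only in-file record of which inputs are required and which are only needed for golang builds or doctool screenshots; keep that as a comment above `with:` and `secrets:` unless the v5 workflow documents it. The `on:` trigger block begins above the hunk.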
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41759cdb..a3d89ae0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+v4.1.0
+- Add custom field to select legacy encryption for certificate stores
+- Improve error message when attempting a management or ODKG job and Ignore Private Key on Inventory is selected.
+- For RFKDB, retry gskcapicmd commands without "bash" on Linux if gskcapicmd CLI utility is a binary file.
+- Added Post Job Application Restart Entry Parameter for RFPkcs12, RFDER, RFORA and RFKDB. Intitialized each with a default "None" option.
+- Modified RFORA implementation to no longer require Oracle CLI utility orapki.
+
v4.0.0
- Added ability to run post job commands for Management-Add and ODKG jobs.
- Added "+" as an allowed character for store paths and file names
diff --git a/Certificate Store Type CURL Scripts/DER.curl b/Certificate Store Type CURL Scripts/DER.curl
deleted file mode 100644
index 301a8c51..00000000
--- a/Certificate Store Type CURL Scripts/DER.curl
+++ /dev/null
@@ -1,56 +0,0 @@
-###CURL script to create DER certificate store type
-
-###Replacement Variables - Manually replace these before running###
-# {URL} - Base URL for your Keyfactor deployment
-# {UserName} - User name with access to run Keyfactor APIs
-# {UserPassword} - Password for the UserName above
-
-curl -X POST {URL}/keyfactorapi/certificatestoretypes -H "Content-Type: application/json" -H "x-keyfactor-requested-with: APIClient" -u {UserName}:{UserPassword} -d '{
- "Name": "RFDER",
- "ShortName": "RFDER",
- "Capability": "RFDER",
- "ServerRequired": true,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Forbidden",
- "PowerShell": false,
- "PrivateKeyAllowed": "Optional",
- "SupportedOperations": {
- "Add": true,
- "Create": true,
- "Discovery": true,
- "Enrollment": false,
- "Remove": true
- },
- "PasswordOptions": {
- "Style": "Default",
- "EntrySupported": false,
- "StoreRequired": true
- },
- "Properties": [
- {
- "Name": "LinuxFilePermissionsOnStoreCreation",
- "DisplayName": "Linux File Permissions on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "LinuxFileOwnerOnStoreCreation",
- "DisplayName": "Linux File Owner on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "SeparatePrivateKeyFilePath",
- "DisplayName": "Separate Private Key File Location",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- }
- ],
- "EntryParameters": []
-}'
diff --git a/Certificate Store Type CURL Scripts/JKS.curl b/Certificate Store Type CURL Scripts/JKS.curl
deleted file mode 100644
index d16995e4..00000000
--- a/Certificate Store Type CURL Scripts/JKS.curl
+++ /dev/null
@@ -1,48 +0,0 @@
-###CURL script to create JKS certificate store type
-
-###Replacement Variables - Manually replace these before running###
-# {URL} - Base URL for your Keyfactor deployment
-# {UserName} - User name with access to run Keyfactor APIs
-# {UserPassword} - Password for the UserName above
-
-curl -X POST {URL}/keyfactorapi/certificatestoretypes -H "Content-Type: application/json" -H "x-keyfactor-requested-with: APIClient" -u {UserName}:{UserPassword} -d '{
- "Name": "RFJKS",
- "ShortName": "RFJKS",
- "Capability": "RFJKS",
- "ServerRequired": true,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Required",
- "PowerShell": false,
- "PrivateKeyAllowed": "Optional",
- "SupportedOperations": {
- "Add": true,
- "Create": true,
- "Discovery": true,
- "Enrollment": false,
- "Remove": true
- },
- "PasswordOptions": {
- "Style": "Default",
- "EntrySupported": false,
- "StoreRequired": true
- },
- "Properties": [
- {
- "Name": "LinuxFilePermissionsOnStoreCreation",
- "DisplayName": "Linux File Permissions on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "LinuxFileOwnerOnStoreCreation",
- "DisplayName": "Linux File Owner on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- }
- ],
- "EntryParameters": []
-}'
diff --git a/Certificate Store Type CURL Scripts/KDB.curl b/Certificate Store Type CURL Scripts/KDB.curl
deleted file mode 100644
index 31122d1a..00000000
--- a/Certificate Store Type CURL Scripts/KDB.curl
+++ /dev/null
@@ -1,48 +0,0 @@
-###CURL script to create KDB certificate store type
-
-###Replacement Variables - Manually replace these before running###
-# {URL} - Base URL for your Keyfactor deployment
-# {UserName} - User name with access to run Keyfactor APIs
-# {UserPassword} - Password for the UserName above
-
-curl -X POST {URL}/keyfactorapi/certificatestoretypes -H "Content-Type: application/json" -H "x-keyfactor-requested-with: APIClient" -u {UserName}:{UserPassword} -d '{
- "Name": "RFKDB",
- "ShortName": "RFKDB",
- "Capability": "RFKDB",
- "ServerRequired": true,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Required",
- "PowerShell": false,
- "PrivateKeyAllowed": "Optional",
- "SupportedOperations": {
- "Add": true,
- "Create": true,
- "Discovery": true,
- "Enrollment": false,
- "Remove": true
- },
- "PasswordOptions": {
- "Style": "Default",
- "EntrySupported": false,
- "StoreRequired": true
- },
- "Properties": [
- {
- "Name": "LinuxFilePermissionsOnStoreCreation",
- "DisplayName": "Linux File Permissions on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "LinuxFileOwnerOnStoreCreation",
- "DisplayName": "Linux File Owner on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- }
- ],
- "EntryParameters": []
-}'
diff --git a/Certificate Store Type CURL Scripts/PEM.curl b/Certificate Store Type CURL Scripts/PEM.curl
deleted file mode 100644
index 4a20f072..00000000
--- a/Certificate Store Type CURL Scripts/PEM.curl
+++ /dev/null
@@ -1,80 +0,0 @@
-###CURL script to create PEM certificate store type
-
-###Replacement Variables - Manually replace these before running###
-# {URL} - Base URL for your Keyfactor deployment
-# {UserName} - User name with access to run Keyfactor APIs
-# {UserPassword} - Password for the UserName above
-
-curl -X POST {URL}/keyfactorapi/certificatestoretypes -H "Content-Type: application/json" -H "x-keyfactor-requested-with: APIClient" -u {UserName}:{UserPassword} -d '{
- "Name": "RFPEM",
- "ShortName": "RFPEM",
- "Capability": "RFPEM",
- "ServerRequired": true,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Forbidden",
- "PowerShell": false,
- "PrivateKeyAllowed": "Optional",
- "SupportedOperations": {
- "Add": true,
- "Create": true,
- "Discovery": true,
- "Enrollment": false,
- "Remove": true
- },
- "PasswordOptions": {
- "Style": "Default",
- "EntrySupported": false,
- "StoreRequired": true
- },
- "Properties": [
- {
- "Name": "LinuxFilePermissionsOnStoreCreation",
- "DisplayName": "Linux File Permissions on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "LinuxFileOwnerOnStoreCreation",
- "DisplayName": "Linux File Owner on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "IsTrustStore",
- "DisplayName": "Trust Store",
- "Required": false,
- "DependsOn": "",
- "Type": "Bool",
- "DefaultValue": false
- },
- {
- "Name": "IncludesChain",
- "DisplayName": "Store Includes Chain",
- "Required": false,
- "DependsOn": "",
- "Type": "Bool",
- "DefaultValue": false
- },
- {
- "Name": "SeparatePrivateKeyFilePath",
- "DisplayName": "Separate Private Key File Location",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "IsRSAPrivateKey",
- "DisplayName": "Is RSA Private Key",
- "Required": false,
- "DependsOn": "",
- "Type": "Bool",
- "DefaultValue": false
- }
- ],
- "EntryParameters": []
-}'
diff --git a/Certificate Store Type CURL Scripts/PKCS12.curl b/Certificate Store Type CURL Scripts/PKCS12.curl
deleted file mode 100644
index f3567045..00000000
--- a/Certificate Store Type CURL Scripts/PKCS12.curl
+++ /dev/null
@@ -1,48 +0,0 @@
-###CURL script to create PKCS12 certificate store type
-
-###Replacement Variables - Manually replace these before running###
-# {URL} - Base URL for your Keyfactor deployment
-# {UserName} - User name with access to run Keyfactor APIs
-# {UserPassword} - Password for the UserName above
-
-curl -X POST {URL}/keyfactorapi/certificatestoretypes -H "Content-Type: application/json" -H "x-keyfactor-requested-with: APIClient" -u {UserName}:{UserPassword} -d '{
- "Name": "RFPkcs12",
- "ShortName": "RFPkcs12",
- "Capability": "RFPkcs12",
- "ServerRequired": true,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Required",
- "PowerShell": false,
- "PrivateKeyAllowed": "Optional",
- "SupportedOperations": {
- "Add": true,
- "Create": true,
- "Discovery": true,
- "Enrollment": false,
- "Remove": true
- },
- "PasswordOptions": {
- "Style": "Default",
- "EntrySupported": false,
- "StoreRequired": true
- },
- "Properties": [
- {
- "Name": "LinuxFilePermissionsOnStoreCreation",
- "DisplayName": "Linux File Permissions on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- },
- {
- "Name": "LinuxFileOwnerOnStoreCreation",
- "DisplayName": "Linux File Owner on Store Creation",
- "Required": false,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": ""
- }
- ],
- "EntryParameters": []
-}'
diff --git a/README.md b/README.md
index f4639270..9a2af7da 100644
--- a/README.md
+++ b/README.md
@@ -64,25 +64,19 @@ destination store file will be recreated. When this occurs, current AES encrypti
certificates and certificate store files.
The Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
-
- [RFJKS](#RFJKS)
-
- [RFPEM](#RFPEM)
-
- [RFPkcs12](#RFPkcs12)
-
- [RFDER](#RFDER)
-
- [RFKDB](#RFKDB)
-
- [RFORA](#RFORA)
-
## Compatibility
This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.
## Support
+
The Remote File Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
> If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab.
@@ -91,7 +85,6 @@ The Remote File Universal Orchestrator extension is supported by Keyfactor. If y
Before installing the Remote File Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
-
Certificate stores hosted on Linux servers:
@@ -171,7 +164,6 @@ creating certificate stores for the `RemoteFile` Orchestrator Extension.
C
Please consult with your system administrator for more information on configuring `SSH/SCP/SFTP` or `WinRM` in your environment.
-
## Certificate Store Types
To use the Remote File Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.
@@ -182,7 +174,6 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store
Click to expand details
-
The `RFJKS` store type can be used to manage java keystores of types `JKS` or `PKCS12`. If creating a new java keystore
and adding a certificate all via Keyfactor Command, the created java keystore will be of type `PKCS12`, as java keystores
of type `JKS` have been deprecated as of `JDK 9`.
@@ -192,24 +183,22 @@ of type `JKS` have been deprecated as of `JDK 9`.
2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate is identified with a custom alias.
3. A mix of trust and key entries.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | ✅ Checked |
-| Create | ✅ Checked |
+| Create | ✅ Checked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand RFJKS kfutil details
##### Using online definition from GitHub:
@@ -228,10 +217,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the RFJKS store type manually in
the Keyfactor Command Portal
+
Click to expand manual RFJKS details
Create a store type called `RFJKS` with the attributes in the tables below:
@@ -242,11 +231,11 @@ the Keyfactor Command Portal
| Name | RFJKS | Display name for the store type (may be customized) |
| Short Name | RFJKS | Short display name for the store type |
| Capability | RFJKS | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | ✅ Checked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -255,18 +244,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -285,11 +274,11 @@ the Keyfactor Command Portal
| SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |
| PostJobApplicationRestart | Post Job Application Restart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. | MultipleChoice | Apache Tomcat Restart,Jetty Restart | 🔲 Unchecked |
+ | RequiresLegacyEncryption | Requires Legacy Encryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. | Bool | False | 🔲 Unchecked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*
@@ -299,8 +288,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*
@@ -309,72 +296,67 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Linux File Permissions on Store Creation
The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Linux File Owner on Store Creation
The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Sudo Impersonating User
The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Remove Root Certificate from Chain
Remove root certificate from chain when adding/renewing a certificate in a store.
- 
- 
-
+ 
+ 
###### Include Port in SPN for WinRM
Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
- 
- 
-
+ 
+ 
###### SSH Port
Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Use Shell Commands
Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)
- 
- 
-
+ 
+ 
###### Post Job Application Restart
Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired.
- 
- 
+ 
+ 
+ ###### Requires Legacy Encryption
+ Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances.
+ 
+ 
@@ -384,7 +366,6 @@ the Keyfactor Command Portal
Click to expand details
-
The `RFPEM` store type can be used to manage `PEM` encoded files.
#### Supported use cases
@@ -399,24 +380,22 @@ The `RFPEM` store type can be used to manage `PEM` encoded files.
- Private keys will be stored in encrypted or unencrypted `PKCS#8` format (`BEGIN [ENCRYPTED] PRIVATE KEY`) based on the Store Password set on the Keyfactor Command Certificate Store unless managing a `PEM` store that currently contains a private key in `PKCS#1` format (`BEGIN RSA PRIVATE KEY` or `BEGIN EC PRIVATE KEY`).
- Store password *MUST* be set to `No Password` if managing a store with a `PKCS#1` private key, as encrypted `PKCS#1` keys are not supported with this integration.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | ✅ Checked |
-| Create | ✅ Checked |
+| Create | ✅ Checked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand RFPEM kfutil details
##### Using online definition from GitHub:
@@ -435,10 +414,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the RFPEM store type manually in
the Keyfactor Command Portal
+
Click to expand manual RFPEM details
Create a store type called `RFPEM` with the attributes in the tables below:
@@ -449,11 +428,11 @@ the Keyfactor Command Portal
| Name | RFPEM | Display name for the store type (may be customized) |
| Short Name | RFPEM | Short display name for the store type |
| Capability | RFPEM | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | ✅ Checked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -462,18 +441,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -496,11 +475,11 @@ the Keyfactor Command Portal
| SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |
| PostJobApplicationRestart | Post Job Application Restart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. | MultipleChoice | Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart | 🔲 Unchecked |
+ | RequiresLegacyEncryption | Requires Legacy Encryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. | Bool | False | 🔲 Unchecked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*
@@ -510,8 +489,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*
@@ -520,104 +497,95 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Linux File Permissions on Store Creation
The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Linux File Owner on Store Creation
The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Sudo Impersonating User
The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting..
- 
- 
-
+ 
+ 
###### Trust Store
The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key.
- 
- 
-
+ 
+ 
###### Store Includes Chain
The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it.
- 
- 
-
+ 
+ 
###### Separate Private Key File Location
The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'.
- 
- 
-
+ 
+ 
###### Ignore Private Key On Inventory
The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it.
- 
- 
-
+ 
+ 
###### Remove Root Certificate from Chain
Remove root certificate from chain when adding/renewing a certificate in a store.
- 
- 
-
+ 
+ 
###### Include Port in SPN for WinRM
Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
- 
- 
-
+ 
+ 
###### SSH Port
Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Use Shell Commands
Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)
- 
- 
-
+ 
+ 
###### Post Job Application Restart
Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired.
- 
- 
+ 
+ 
+ ###### Requires Legacy Encryption
+ Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances.
+ 
+ 
@@ -627,7 +595,6 @@ the Keyfactor Command Portal
Click to expand details
-
The `RFPkcs12` store type can be used to manage any `PKCS#12` compliant file format INCLUDING java keystores of type `PKCS12`.
#### Supported use cases
@@ -640,24 +607,22 @@ The `RFPkcs12` store type can be used to manage any `PKCS#12` compliant file for
1. Multiple key and/or trust entries with a mix of existing and non-existing friendly names/aliases.
2. Multiple key and/or trust entries with blank friendly names/aliases
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | ✅ Checked |
-| Create | ✅ Checked |
+| Create | ✅ Checked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand RFPkcs12 kfutil details
##### Using online definition from GitHub:
@@ -676,10 +641,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the RFPkcs12 store type manually in
the Keyfactor Command Portal
+
Click to expand manual RFPkcs12 details
Create a store type called `RFPkcs12` with the attributes in the tables below:
@@ -690,11 +655,11 @@ the Keyfactor Command Portal
| Name | RFPkcs12 | Display name for the store type (may be customized) |
| Short Name | RFPkcs12 | Short display name for the store type |
| Capability | RFPkcs12 | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | ✅ Checked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -703,18 +668,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -732,11 +697,12 @@ the Keyfactor Command Portal
| IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |
| SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |
+ | PostJobApplicationRestart | Post Job Application Restart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12. | MultipleChoice | None | 🔲 Unchecked |
+ | RequiresLegacyEncryption | Requires Legacy Encryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. | Bool | False | 🔲 Unchecked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*
@@ -746,8 +712,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*
@@ -756,65 +720,68 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Linux File Permissions on Store Creation
The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Linux File Owner on Store Creation
The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Sudo Impersonating User
The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Remove Root Certificate from Chain
Remove root certificate from chain when adding/renewing a certificate in a store.
- 
- 
-
+ 
+ 
###### Include Port in SPN for WinRM
Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
- 
- 
-
+ 
+ 
###### SSH Port
Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Use Shell Commands
Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)
- 
- 
+ 
+ 
+
+ ###### Post Job Application Restart
+ Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12.
+ 
+ 
+ ###### Requires Legacy Encryption
+ Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances.
+
+ 
+ 
+
@@ -823,31 +790,28 @@ the Keyfactor Command Portal
Click to expand details
-
The `RFDER` store type can be used to manage DER encoded files.
#### Supported use cases
1. Single certificate stores with private key in an external file.
2. Single certificate stores with no private key.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | ✅ Checked |
-| Create | ✅ Checked |
+| Create | ✅ Checked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand RFDER kfutil details
##### Using online definition from GitHub:
@@ -866,10 +830,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the RFDER store type manually in
the Keyfactor Command Portal
+
Click to expand manual RFDER details
Create a store type called `RFDER` with the attributes in the tables below:
@@ -880,11 +844,11 @@ the Keyfactor Command Portal
| Name | RFDER | Display name for the store type (may be customized) |
| Short Name | RFDER | Short display name for the store type |
| Capability | RFDER | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | ✅ Checked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -893,18 +857,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -923,11 +887,12 @@ the Keyfactor Command Portal
| IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |
| SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |
+ | PostJobApplicationRestart | Post Job Application Restart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER. | MultipleChoice | None | 🔲 Unchecked |
+ | RequiresLegacyEncryption | Requires Legacy Encryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. | Bool | False | 🔲 Unchecked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*
@@ -937,8 +902,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*
@@ -947,73 +910,75 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Linux File Permissions on Store Creation
The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Linux File Owner on Store Creation
The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Sudo Impersonating User
The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.
- 
- 
-
+ 
+ 
###### Separate Private Key File Location
The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'.
- 
- 
-
+ 
+ 
###### Remove Root Certificate from Chain
Remove root certificate from chain when adding/renewing a certificate in a store.
- 
- 
-
+ 
+ 
###### Include Port in SPN for WinRM
Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
- 
- 
-
+ 
+ 
###### SSH Port
Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Use Shell Commands
Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)
- 
- 
+ 
+ 
+ ###### Post Job Application Restart
+ Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER.
+
+ 
+ 
+ ###### Requires Legacy Encryption
+ Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances.
+
+ 
+ 
+
@@ -1022,7 +987,6 @@ the Keyfactor Command Portal
Click to expand details
-
The `RFKDB` store type can be used to manage IBM Key Database Files (`KDB`) files. The IBM utility, `GSKCAPICMD`, is used
to read and write certificates from and to the target store and is therefore required to be installed on the server where
each `KDB` certificate store being managed resides, and its location MUST be in the system `$Path`.
@@ -1032,24 +996,22 @@ each `KDB` certificate store being managed resides, and its location MUST be in
2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate is identified with a custom alias.
3. A mix of trust and key entries.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | 🔲 Unchecked |
-| Create | ✅ Checked |
+| Create | ✅ Checked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand RFKDB kfutil details
##### Using online definition from GitHub:
@@ -1068,10 +1030,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the RFKDB store type manually in
the Keyfactor Command Portal
+
Click to expand manual RFKDB details
Create a store type called `RFKDB` with the attributes in the tables below:
@@ -1082,11 +1044,11 @@ the Keyfactor Command Portal
| Name | RFKDB | Display name for the store type (may be customized) |
| Short Name | RFKDB | Short display name for the store type |
| Capability | RFKDB | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | ✅ Checked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -1095,18 +1057,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -1124,11 +1086,12 @@ the Keyfactor Command Portal
| IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |
| SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |
+ | PostJobApplicationRestart | Post Job Application Restart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB. | MultipleChoice | None | 🔲 Unchecked |
+ | RequiresLegacyEncryption | Requires Legacy Encryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. | Bool | False | 🔲 Unchecked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*
@@ -1138,8 +1101,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*
@@ -1148,64 +1109,67 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Linux File Permissions on Store Creation
The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Linux File Owner on Store Creation
The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Sudo Impersonating User
The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.
- 
- 
-
+ 
+ 
###### Remove Root Certificate from Chain
Remove root certificate from chain when adding/renewing a certificate in a store.
- 
- 
-
+ 
+ 
###### Include Port in SPN for WinRM
Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
- 
- 
-
+ 
+ 
###### SSH Port
Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Use Shell Commands
Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)
- 
- 
+ 
+ 
+
+
+ ###### Post Job Application Restart
+ Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB.
+
+ 
+ 
+ ###### Requires Legacy Encryption
+ Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances.
+ 
+ 
@@ -1215,35 +1179,29 @@ the Keyfactor Command Portal
Click to expand details
-
-The `RFORA` store type can be used to manage `PKCS12` Oracle Wallets.
-
-> NOTE: This should work for `PKCS12` Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows.
-> NOTE: When entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the `eWallet.p12` file name that by convention is the name of the `PKCS12` wallet file that gets created.
+The `RFORA` store type can be used to manage `PKCS12` Oracle wallets. Although implemented as a separate store type, Oracle wallets are accessed and managed identically to RFPkcs12 store types. The file is expected to compatible with the Pkcs#12 standard.
#### Supported use cases
1. One-to-many trust entries - A trust entry is defined as a single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias.
2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate is identified with a custom alias.
3. A mix of trust and key entries.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | 🔲 Unchecked |
-| Create | ✅ Checked |
+| Create | ✅ Checked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand RFORA kfutil details
##### Using online definition from GitHub:
@@ -1262,10 +1220,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the RFORA store type manually in
the Keyfactor Command Portal
+
Click to expand manual RFORA details
Create a store type called `RFORA` with the attributes in the tables below:
@@ -1276,11 +1234,11 @@ the Keyfactor Command Portal
| Name | RFORA | Display name for the store type (may be customized) |
| Short Name | RFORA | Short display name for the store type |
| Capability | RFORA | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | ✅ Checked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -1289,18 +1247,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -1314,16 +1272,16 @@ the Keyfactor Command Portal
| LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | String | | 🔲 Unchecked |
- | WorkFolder | Location to use for creation/removal of work files | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. | String | | ✅ Checked |
| RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |
| IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |
| SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | String | | 🔲 Unchecked |
| UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |
+ | PostJobApplicationRestart | Post Job Application Restart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA. | MultipleChoice | None | 🔲 Unchecked |
+ | RequiresLegacyEncryption | Requires Legacy Encryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. | Bool | False | 🔲 Unchecked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*
@@ -1333,8 +1291,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*
@@ -1343,72 +1299,67 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Linux File Permissions on Store Creation
The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Linux File Owner on Store Creation
The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Sudo Impersonating User
The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.
- 
- 
-
-
-
- ###### Location to use for creation/removal of work files
- The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'.
-
- 
- 
-
+ 
+ 
###### Remove Root Certificate from Chain
Remove root certificate from chain when adding/renewing a certificate in a store.
- 
- 
-
+ 
+ 
###### Include Port in SPN for WinRM
Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.
- 
- 
-
+ 
+ 
###### SSH Port
Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting.
- 
- 
-
+ 
+ 
###### Use Shell Commands
Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)
- 
- 
+ 
+ 
+
+ ###### Post Job Application Restart
+ Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA.
+
+ 
+ 
+ ###### Requires Legacy Encryption
+ Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances.
+
+ 
+ 
@@ -1419,12 +1370,12 @@ the Keyfactor Command Portal
1. **Download the latest Remote File Universal Orchestrator extension from GitHub.**
- Navigate to the [Remote File Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/remote-file-orchestrator/releases/latest). Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive.
+ Navigate to the [Remote File Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/remote-file-orchestrator/releases/latest). Refer to the compatibility matrix below to determine which asset should be downloaded. Then, click the corresponding asset to download the zip archive.
| Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `remote-file-orchestrator` .NET version to download |
| --------- | ----------- | ----------- | ----------- |
| Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` |
- | `11.6` _and_ newer | `net8.0` | | `net8.0` |
+ | `11.6` _and_ newer | `net8.0` | | `net8.0` |
Unzip the archive containing extension assemblies to a known location.
@@ -1446,17 +1397,14 @@ the Keyfactor Command Portal
Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).
-
6. **(optional) PAM Integration**
The Remote File Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.
To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).
-
> The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).
-
## Post Installation
The Remote File Orchestrator Extension uses a JSON configuration file. It is located at `{Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile\config.json`. None of the values are required, and a description of each follows below:
@@ -1520,14 +1468,12 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is loc
| `UseShellCommands` | `Y` | `Y/N` | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting). |
| `PostJobCommands` | | See JSON above | JSON values representing post processing commands for Management-Add and ODKG job. For a detailed explanation of this optional setting, please refer to [Post Job Command Execution](#post-job-command-execution). |
-
## Defining Certificate Stores
The Remote File Universal Orchestrator extension implements 6 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
RFJKS (RFJKS)
-
### Store Creation
#### Manually with the Command UI
@@ -1542,8 +1488,8 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "RFJKS" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The IP address or DNS of the server hosting the certificate store. For more information, see [Client Machine ](#client-machine-instructions) |
@@ -1560,11 +1506,10 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store
| SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
| PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. |
+ | RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
-
-
#### Using kfutil CLI
Click to expand details
@@ -1596,6 +1541,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store
| Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| Properties.UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
| Properties.PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. |
+ | Properties.RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
3. **Import the CSV file to create the certificate stores**
@@ -1605,7 +1551,6 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -1615,22 +1560,19 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
| --------- | ----------- |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
| ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
- | StorePassword | Password used to secure the Certificate Store |
+ | StorePassword | Password to use when reading/writing to store |
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
RFPEM (RFPEM)
-
### Store Creation
#### Manually with the Command UI
@@ -1645,8 +1587,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "RFPEM" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |
@@ -1667,11 +1609,10 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
| PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. |
+ | RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
-
-
#### Using kfutil CLI
Click to expand details
@@ -1707,6 +1648,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| Properties.UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
| Properties.PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. |
+ | Properties.RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
3. **Import the CSV file to create the certificate stores**
@@ -1716,7 +1658,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -1726,22 +1667,19 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
| --------- | ----------- |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
| ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
- | StorePassword | Password used to secure the Certificate Store. For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' |
+ | StorePassword | Password to use when reading/writing to store |
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
RFPkcs12 (RFPkcs12)
-
### Store Creation
#### Manually with the Command UI
@@ -1756,8 +1694,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "RFPkcs12" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |
@@ -1773,11 +1711,11 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12. |
+ | RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
-
-
#### Using kfutil CLI
Click to expand details
@@ -1808,6 +1746,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| Properties.UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | Properties.PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12. |
+ | Properties.RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
3. **Import the CSV file to create the certificate stores**
@@ -1817,7 +1757,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -1827,22 +1766,19 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
| --------- | ----------- |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
| ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
- | StorePassword | Password used to secure the Certificate Store |
+ | StorePassword | Password to use when reading/writing to store |
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
RFDER (RFDER)
-
### Store Creation
#### Manually with the Command UI
@@ -1857,8 +1793,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "RFDER" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |
@@ -1875,11 +1811,11 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER. |
+ | RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
-
-
#### Using kfutil CLI
Click to expand details
@@ -1911,6 +1847,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| Properties.UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | Properties.PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER. |
+ | Properties.RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
3. **Import the CSV file to create the certificate stores**
@@ -1920,7 +1858,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -1930,22 +1867,19 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
| --------- | ----------- |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
| ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
- | StorePassword | Password used to secure the Certificate Store |
+ | StorePassword | Password to use when reading/writing to store |
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
RFKDB (RFKDB)
-
### Store Creation
#### Manually with the Command UI
@@ -1960,8 +1894,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "RFKDB" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |
@@ -1977,11 +1911,11 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB. |
+ | RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
-
-
#### Using kfutil CLI
Click to expand details
@@ -2012,6 +1946,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| Properties.UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | Properties.PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB. |
+ | Properties.RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
3. **Import the CSV file to create the certificate stores**
@@ -2021,7 +1957,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -2031,22 +1966,19 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
| --------- | ----------- |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
| ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
- | StorePassword | Password used to secure the Certificate Store |
+ | StorePassword | Password to use when reading/writing to store |
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
RFORA (RFORA)
-
### Store Creation
#### Manually with the Command UI
@@ -2061,12 +1993,12 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "RFORA" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |
- | Store Path | The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\path\to\eWallet.p12'. |
+ | Store Path | The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name that is generally used by convention. Example: '/path/to/eWallet.p12' or 'c:\path\to\eWallet.p12'. |
| Store Password | Password used to secure the Certificate Store |
| Orchestrator | Select an approved orchestrator capable of managing `RFORA` certificates. Specifically, one with the `RFORA` capability. |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
@@ -2074,16 +2006,15 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
| LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
| SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |
- | WorkFolder | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. |
| RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |
| IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA. |
+ | RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
-
-
#### Using kfutil CLI
Click to expand details
@@ -2102,7 +2033,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| Category | Select "RFORA" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |
- | Store Path | The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\path\to\eWallet.p12'. |
+ | Store Path | The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name that is generally used by convention. Example: '/path/to/eWallet.p12' or 'c:\path\to\eWallet.p12'. |
| Store Password | Password used to secure the Certificate Store |
| Orchestrator | Select an approved orchestrator capable of managing `RFORA` certificates. Specifically, one with the `RFORA` capability. |
| Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
@@ -2110,11 +2041,12 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
| Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |
| Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |
| Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |
- | Properties.WorkFolder | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. |
| Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |
| Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
| Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. |
| Properties.UseShellCommands | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |
+ | Properties.PostJobApplicationRestart | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA. |
+ | Properties.RequiresLegacyEncryption | Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances. |
3. **Import the CSV file to create the certificate stores**
@@ -2124,7 +2056,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -2134,20 +2065,19 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
| --------- | ----------- |
| ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |
| ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |
- | StorePassword | Password used to secure the Certificate Store |
+ | StorePassword | Password to use when reading/writing to store |
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
## Discovering Certificate Stores with the Discovery Job
+
When scheduling discovery jobs in Keyfactor Command, there are a few fields that are important to highlight here:
| Field | Description |
@@ -2161,13 +2091,6 @@ Please refer to the Keyfactor Command Reference Guide for complete information o
scheduling discovery jobs in Keyfactor Command.
-
-
-
-
-
-
-
## Client Machine Instructions
When creating a Certificate Store or scheduling a Discovery Job, you will be asked to provide a `Client Machine`.
@@ -2290,11 +2213,10 @@ Steps to create a new supported file-based certificate store type:
types. Discovery is a common implementation for all supported store types.
8. Modify the integration-manifest.json file to add the new store type under the store_types element.
-
## License
Apache License 2.0, see [LICENSE](LICENSE).
## Related Integrations
-See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).
\ No newline at end of file
+See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).
diff --git a/RemoteFile/ImplementedStoreTypes/KDB/KDBCertificateStoreSerializer.cs b/RemoteFile/ImplementedStoreTypes/KDB/KDBCertificateStoreSerializer.cs
index a7f1dcf4..d378a21f 100644
--- a/RemoteFile/ImplementedStoreTypes/KDB/KDBCertificateStoreSerializer.cs
+++ b/RemoteFile/ImplementedStoreTypes/KDB/KDBCertificateStoreSerializer.cs
@@ -33,6 +33,8 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
logger.MethodEntry(LogLevel.Debug);
string bashCommand = storePath.Substring(0, 1) == "/" ? "bash " : string.Empty;
+ if (storePath.Substring(0, 1) == "|")
+ storePath = "/" + storePath.Substring(1);
Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
Pkcs12Store store = storeBuilder.Build();
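Review bot: The leading `|` that the two new lines rewrite into `/` is an undocumented in-band sentinel; a reader of this method cannot tell that it is set by the catch block later in the same method to mean "retry without the `bash ` prefix", and the ordering (bashCommand computed first, then the rewrite) only makes sense once that is known. Add a comment above the new `if`, e.g. `// A leading '|' is an internal retry marker set in the catch block below: treat the path as absolute but skip the "bash " prefix that failed with "cannot execute binary file".` The same sentinel handling is repeated in SerializeRemoteCertificateStore in the @@ -70,7 +78,10 @@ hunk; extracting both into one private helper that returns the normalized path and the bash prefix would keep the two in step and give the comment a single home. DeserializeRemoteCertificateStore begins before this hunk.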
@@ -51,9 +53,15 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
byte[] storeBytes = remoteHandler.DownloadCertificateFile($"{storePath}{tempCertFile}");
store.Load(new MemoryStream(storeBytes), string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
}
- catch (Exception)
+ catch (Exception ex)
{
- throw;
+ if (ex.Message.Contains("cannot execute binary file", StringComparison.InvariantCultureIgnoreCase) && storePath.Substring(0, 1) == "/")
+ {
+ storePath = "|" + storePath.Substring(1);
+ store = DeserializeRemoteCertificateStore(storeContentBytes, storePath, storePassword, remoteHandler, isInventory);
+ }
+ else
+ throw;
}
finally
{
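Review bot: The retry in the new catch block has no termination guard: the recursive call converts the `|` marker back to `/` on entry, so if the retried invocation fails with a message that again contains "cannot execute binary file", its own catch matches and recurses until the stack overflows. Matching on exception text is also brittle (it depends on the remote shell's wording and locale); a private overload with an explicit `bool isRetry` parameter, called by the interface method with `false`, would both bound the retry and replace the sentinel. Separately, `storePath = "|" + storePath.Substring(1)` mutates the variable the `finally` block (body outside this hunk) presumably uses for `RemoveCertificateFile`, so on the retry path the outer call's temporary .kdb/.p12 files, which hold the store contents, are likely left on the remote server with the removal error swallowed; use a local instead, `string retryPath = "|" + storePath.Substring(1);`, and pass `retryPath` to the recursive call. The same pattern appears in SerializeRemoteCertificateStore in the @@ -88,20 +99,27 @@ hunk, where the finally's `RemoveCertificateFile(storePath, ...)` calls are visible. The enclosing method begins before this hunk.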
@@ -70,7 +78,10 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer
logger.MethodEntry(LogLevel.Debug);
List storeInfo = new List();
+
string bashCommand = storePath.Substring(0, 1) == "/" ? "bash " : string.Empty;
+ if (storePath.Substring(0, 1) == "|")
+ storePath = "/" + storePath.Substring(1);
string tempStoreFile = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".kdb";
string tempCertFile = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".p12";
@@ -88,20 +99,27 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer
byte[] storeContents = remoteHandler.DownloadCertificateFile($"{storePath}{tempStoreFile}");
storeInfo.Add(new SerializedStoreInfo() { Contents = storeContents, FilePath = storePath+storeFileName });
- return storeInfo;
}
- catch (Exception)
+ catch (Exception ex)
{
- throw;
+ if (ex.Message.Contains("cannot execute binary file", StringComparison.InvariantCultureIgnoreCase) && storePath.Substring(0, 1) == "/")
+ {
+ storePath = "|" + storePath.Substring(1);
+ storeInfo = SerializeRemoteCertificateStore(certificateStore, storePath, storeFileName, storePassword, remoteHandler);
+ }
+ else
+ throw;
}
finally
{
try { remoteHandler.RemoveCertificateFile(storePath, tempStoreFile); } catch (Exception) { };
try { remoteHandler.RemoveCertificateFile(storePath, tempCertFile); } catch (Exception) { };
}
+
+ return storeInfo;
}
- public string GetPrivateKeyPath()
+ public string GetPrivateKeyPath()
{
return null;
}
diff --git a/RemoteFile/ImplementedStoreTypes/OraWlt/OraWltCertificateStoreSerializer.cs b/RemoteFile/ImplementedStoreTypes/OraWlt/OraWltCertificateStoreSerializer.cs
index 4339eb95..24112428 100644
--- a/RemoteFile/ImplementedStoreTypes/OraWlt/OraWltCertificateStoreSerializer.cs
+++ b/RemoteFile/ImplementedStoreTypes/OraWlt/OraWltCertificateStoreSerializer.cs
@@ -19,6 +19,7 @@
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Newtonsoft.Json;
+using Keyfactor.Extensions.Orchestrator.RemoteFile.PKCS12;
namespace Keyfactor.Extensions.Orchestrator.RemoteFile.OraWlt
{
@@ -26,113 +27,107 @@ class OraWltCertificateStoreSerializer : ICertificateStoreSerializer
{
private ILogger logger;
- public string WorkFolder { get; set; }
-
public OraWltCertificateStoreSerializer(string storeProperties)
{
logger = LogHandler.GetClassLogger(this.GetType());
- LoadCustomProperties(storeProperties);
}
public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, string storePath, string storePassword, IRemoteHandler remoteHandler, bool isInventory)
{
logger.MethodEntry(LogLevel.Debug);
- string tempStoreFile = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".p12";
- string tempStoreFileJKS = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".jks";
+ PKCS12CertificateStoreSerializer serializer = new PKCS12CertificateStoreSerializer(string.Empty);
- string orapkiCommand = $"orapki wallet pkcs12_to_jks -wallet \"{WorkFolder}{tempStoreFile}\" -pwd \"{storePassword}\" -jksKeyStoreLoc \"{WorkFolder}{tempStoreFileJKS}\" -jksKeyStorepwd \"{storePassword}\"";
+ //string tempStoreFile = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".p12";
+ //string tempStoreFileJKS = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".jks";
- JksStore jksStore = new JksStore();
- Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
- Pkcs12Store store = storeBuilder.Build();
+ //string orapkiCommand = $"orapki wallet pkcs12_to_jks -wallet \"{WorkFolder}{tempStoreFile}\" -pwd \"{storePassword}\" -jksKeyStoreLoc \"{WorkFolder}{tempStoreFileJKS}\" -jksKeyStorepwd \"{storePassword}\"";
- try
- {
- remoteHandler.UploadCertificateFile(WorkFolder, tempStoreFile, storeContentBytes);
+ //JksStore jksStore = new JksStore();
+ //Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
+ //Pkcs12Store store = storeBuilder.Build();
- remoteHandler.RunCommand(orapkiCommand, null, ApplicationSettings.UseSudo, null);
+ //try
+ //{
+ // remoteHandler.UploadCertificateFile(WorkFolder, tempStoreFile, storeContentBytes);
- byte[] storeBytes = remoteHandler.DownloadCertificateFile($"{WorkFolder}{tempStoreFileJKS}");
- jksStore.Load(new MemoryStream(storeBytes), string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+ // remoteHandler.RunCommand(orapkiCommand, null, ApplicationSettings.UseSudo, null);
- JKSCertificateStoreSerializer serializer = new JKSCertificateStoreSerializer(String.Empty);
- store = serializer.DeserializeRemoteCertificateStore(storeBytes, $"{WorkFolder}{tempStoreFileJKS}", storePassword, remoteHandler, isInventory);
- }
- catch (Exception)
- {
- throw;
- }
- finally
- {
- try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFile); } catch (Exception) { };
- try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFile+".lck"); } catch (Exception) { };
- try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFileJKS); } catch (Exception) { };
- }
+ // byte[] storeBytes = remoteHandler.DownloadCertificateFile($"{WorkFolder}{tempStoreFileJKS}");
+ // jksStore.Load(new MemoryStream(storeBytes), string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+
+ // JKSCertificateStoreSerializer serializer = new JKSCertificateStoreSerializer(String.Empty);
+ // store = serializer.DeserializeRemoteCertificateStore(storeBytes, $"{WorkFolder}{tempStoreFileJKS}", storePassword, remoteHandler, isInventory);
+ //}
+ //catch (Exception)
+ //{
+ // throw;
+ //}
+ //finally
+ //{
+ // try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFile); } catch (Exception) { };
+ // try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFile+".lck"); } catch (Exception) { };
+ // try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFileJKS); } catch (Exception) { };
+ //}
logger.MethodExit(LogLevel.Debug);
- return store;
+
+ return serializer.DeserializeRemoteCertificateStore(storeContentBytes, storePath, storePassword, remoteHandler, isInventory);
+ //return store;
}
public List SerializeRemoteCertificateStore(Pkcs12Store certificateStore, string storePath, string storeFileName, string storePassword, IRemoteHandler remoteHandler)
{
logger.MethodEntry(LogLevel.Debug);
- List storeInfo = new List();
-
- string tempStoreFileJKS = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".jks";
-
- string orapkiCommand1 = $"orapki wallet create -wallet \"{WorkFolder}\" -pwd \"{storePassword}\"";
- string orapkiCommand2 = $"orapki wallet jks_to_pkcs12 -wallet \"{WorkFolder}\" -pwd \"{storePassword}\" -keystore \"{WorkFolder}{tempStoreFileJKS}\" -jkspwd \"{storePassword}\"";
-
- JksStore jksStore = new JksStore();
-
- JKSCertificateStoreSerializer serializer = new JKSCertificateStoreSerializer(string.Empty);
- List jksStoreInfo = serializer.SerializeRemoteCertificateStore(certificateStore, WorkFolder, storeFileName, storePassword, remoteHandler);
+ PKCS12CertificateStoreSerializer serializer = new PKCS12CertificateStoreSerializer(string.Empty);
try
{
- remoteHandler.UploadCertificateFile($"{WorkFolder}", $"{tempStoreFileJKS}", jksStoreInfo[0].Contents);
- remoteHandler.RunCommand(orapkiCommand1, null, ApplicationSettings.UseSudo, [storePassword]);
- remoteHandler.RunCommand(orapkiCommand2, null, ApplicationSettings.UseSudo, [storePassword]);
-
- byte[] storeContents = remoteHandler.DownloadCertificateFile($"{WorkFolder}ewallet.p12");
-
- storeInfo.Add(new SerializedStoreInfo() { Contents = storeContents, FilePath = storePath+storeFileName });
- return storeInfo;
- }
- catch (Exception)
- {
- throw;
+ return serializer.SerializeRemoteCertificateStore(certificateStore, storePath, storeFileName, storePassword, remoteHandler);
}
finally
{
- try { remoteHandler.RemoveCertificateFile(WorkFolder, "ewallet.p12"); } catch (Exception) { };
- try { remoteHandler.RemoveCertificateFile(WorkFolder, "ewallet.p12.lck"); } catch (Exception) { };
- try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFileJKS); } catch (Exception) { };
+ logger.MethodExit(LogLevel.Debug);
}
- }
- public string GetPrivateKeyPath()
- {
- return null;
- }
- private void LoadCustomProperties(string storeProperties)
- {
- logger.MethodEntry(LogLevel.Debug);
+ //List storeInfo = new List();
- dynamic properties = JsonConvert.DeserializeObject(storeProperties);
- WorkFolder = properties.WorkFolder == null || string.IsNullOrEmpty(properties.WorkFolder.Value) ? String.Empty : properties.WorkFolder.Value;
+ //string tempStoreFileJKS = Guid.NewGuid().ToString().Replace("-", string.Empty) + ".jks";
- string pathDelimiter = @"\";
- if (WorkFolder.Substring(0, 1) == @"/")
- pathDelimiter = @"/";
+ //string orapkiCommand1 = $"orapki wallet create -wallet \"{WorkFolder}\" -pwd \"{storePassword}\"";
+ //string orapkiCommand2 = $"orapki wallet jks_to_pkcs12 -wallet \"{WorkFolder}\" -pwd \"{storePassword}\" -keystore \"{WorkFolder}{tempStoreFileJKS}\" -jkspwd \"{storePassword}\"";
- if (WorkFolder.Substring(WorkFolder.Length - 1, 1) != pathDelimiter)
- WorkFolder += pathDelimiter;
+ //JksStore jksStore = new JksStore();
- logger.MethodExit(LogLevel.Debug);
+ //JKSCertificateStoreSerializer serializer = new JKSCertificateStoreSerializer(string.Empty);
+ //List jksStoreInfo = serializer.SerializeRemoteCertificateStore(certificateStore, WorkFolder, storeFileName, storePassword, remoteHandler);
+
+ //try
+ //{
+ // remoteHandler.UploadCertificateFile($"{WorkFolder}", $"{tempStoreFileJKS}", jksStoreInfo[0].Contents);
+ // remoteHandler.RunCommand(orapkiCommand1, null, ApplicationSettings.UseSudo, [storePassword]);
+ // remoteHandler.RunCommand(orapkiCommand2, null, ApplicationSettings.UseSudo, [storePassword]);
+
+ // byte[] storeContents = remoteHandler.DownloadCertificateFile($"{WorkFolder}ewallet.p12");
+
+ // storeInfo.Add(new SerializedStoreInfo() { Contents = storeContents, FilePath = storePath+storeFileName });
+ // return storeInfo;
+ //}
+ //finally
+ //{
+ // try { remoteHandler.RemoveCertificateFile(WorkFolder, "ewallet.p12"); } catch (Exception) { }
+ // ;
+ // try { remoteHandler.RemoveCertificateFile(WorkFolder, "ewallet.p12.lck"); } catch (Exception) { }
+ // ;
+ // try { remoteHandler.RemoveCertificateFile(WorkFolder, tempStoreFileJKS); } catch (Exception) { }
+ // ;
+ //}
}
+ public string GetPrivateKeyPath()
+ {
+ return null;
+ }
}
}
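Review bot: Roughly seventy lines of the old orapki/JKS implementation are kept as `//` comments in both methods instead of being deleted; the history is in version control, and the commented block still shows the wallet password being interpolated into a shell command line (`-pwd \"{storePassword}\"`), a pattern that should not survive as copy-paste material. Remove the commented-out code and the `//return store;` line. In the new DeserializeRemoteCertificateStore, `logger.MethodExit(LogLevel.Debug)` is emitted before the delegated `serializer.DeserializeRemoteCertificateStore(...)` call runs; move it after the call or use the try/finally shape SerializeRemoteCertificateStore now has. The `storeProperties` constructor parameter no longer has a consumer now that LoadCustomProperties is gone, and `using Newtonsoft.Json;` appears to have lost its only user (`JsonConvert` in the removed method); both are worth cleaning up if nothing else in the file references them.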
diff --git a/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs b/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs
index 936e4583..5fe43aec 100644
--- a/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs
+++ b/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs
@@ -69,6 +69,9 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
string storeContents = Encoding.ASCII.GetString(storeContentBytes);
X509CertificateEntry[] certificates = GetCertificates(storeContents);
+ if (!isInventory && IgnorePrivateKeyOnInventory)
+ throw new RemoteFileException("RFPEM stores with Ignore Private Key On Inventory set to True do not support Management or ODKG jobs. Only Inventory may be run.");
+
if (IsTrustStore || (isInventory && IgnorePrivateKeyOnInventory))
{
foreach (X509CertificateEntry certificate in certificates)
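Review bot: The new guard runs after `GetCertificates(storeContents)` has already parsed the whole store, so a Management or ODKG job against an IgnorePrivateKeyOnInventory store does the parsing work and only then is rejected; move the two new lines above the `GetCertificates` call, or earlier in the method (which begins outside this hunk), so the job fails before touching the store contents. With the guard in place, `IgnorePrivateKeyOnInventory` can only be true here when `isInventory` is also true, so the condition on the next line simplifies to `if (IsTrustStore || IgnorePrivateKeyOnInventory)`. A one-line comment above the guard, `// Private keys are never loaded for these stores, so nothing could be written back.`, would explain why the job types are refused.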
diff --git a/RemoteFile/ManagementBase.cs b/RemoteFile/ManagementBase.cs
index b527c183..f9c2f7b4 100644
--- a/RemoteFile/ManagementBase.cs
+++ b/RemoteFile/ManagementBase.cs
@@ -54,7 +54,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
}
certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
certificateStore.AddCertificate(config.JobCertificate.Alias ?? GetThumbprint(config.JobCertificate, logger), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, RemoveRootCertificate);
- certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+ certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(RequiresLegacyEncryption), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
try
{
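Review bot: Passing `RequiresLegacyEncryption` into `GetCertificateStore` silently selects the weaker PKCS#12 protection (3DES key encryption and 40-bit RC2 certificate encryption, as the README changes in this commit describe), and nothing in this hunk records that the store was written that way. Emit a log entry before the save so an operator can audit which stores use it, e.g. `if (RequiresLegacyEncryption) logger.LogWarning($"Writing {config.CertificateStoreDetails.StorePath} with legacy PKCS#12 encryption (RequiresLegacyEncryption=true).");`. The identical call appears in the @@ -83,7 +83,7 @@ hunk below and in ReenrollmentBase.cs; a small helper that wraps `GetCertificateStore(RequiresLegacyEncryption)` together with the warning would avoid repeating it three times. `RequiresLegacyEncryption` is presumably a property of the base class populated from the store properties; its definition is outside this diff, and the enclosing ProcessJob begins before this hunk.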
@@ -83,7 +83,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
{
certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
certificateStore.DeleteCertificateByAlias(config.JobCertificate.Alias);
- certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+ certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(RequiresLegacyEncryption), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
}
logger.LogDebug($"END Delete Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
break;
diff --git a/RemoteFile/ReenrollmentBase.cs b/RemoteFile/ReenrollmentBase.cs
index 96d14010..f9c744f5 100644
--- a/RemoteFile/ReenrollmentBase.cs
+++ b/RemoteFile/ReenrollmentBase.cs
@@ -101,8 +101,8 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm
}
// save certificate
- certificateStore.AddCertificate(config.Alias ?? cert.Thumbprint, Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), config.Overwrite, null, RemoveRootCertificate);
- certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+ certificateStore.AddCertificate(config.Alias ?? cert.Thumbprint, Convert.ToBase64String(cert.Export(X509ContentType.Pfx, "password")), config.Overwrite, "password", RemoveRootCertificate);
+ certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(RequiresLegacyEncryption), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
try
{
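Review bot: The PFX is now exported and handed to AddCertificate with the fixed literal `"password"`, written twice on the added AddCertificate line, replacing the previous null. Because the blob only exists in memory between `cert.Export` and `AddCertificate`, the exposure is limited, but a bare literal is easy to confuse with the store password and the hunk does not say why a non-null password became necessary; pull it into a named constant with that reason, e.g. `private const string TransientPfxPassword = "password"; // protects only the in-memory PFX passed to AddCertificate; see <reason>`. A per-job value such as `string transientPfxPassword = Guid.NewGuid().ToString("N");` used in both places would remove the shared constant altogether. ProcessJob begins and ends outside this hunk.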
diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs
index 030d50eb..79e445d7 100644
--- a/RemoteFile/RemoteCertificateStore.cs
+++ b/RemoteFile/RemoteCertificateStore.cs
@@ -27,6 +27,7 @@
using Keyfactor.PKI.PrivateKeys;
using Keyfactor.PKI.CryptographicObjects.Formatters;
using Org.BouncyCastle.X509;
+using Org.BouncyCastle.Asn1.Pkcs;
namespace Keyfactor.Extensions.Orchestrator.RemoteFile
{
@@ -124,11 +125,38 @@ internal void LoadCertificateStore(ICertificateStoreSerializer certificateStoreS
logger.MethodExit(LogLevel.Debug);
}
- internal Pkcs12Store GetCertificateStore()
+ internal Pkcs12Store GetCertificateStore(bool requiresLegacyEncryption)
{
logger.MethodEntry(LogLevel.Debug);
logger.MethodExit(LogLevel.Debug);
+ if (requiresLegacyEncryption)
+ {
+ Pkcs12StoreBuilder builder = new Pkcs12StoreBuilder();
+ builder.SetKeyAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc);
+ builder.SetCertAlgorithm(PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc);
+
+ Pkcs12Store tempStore = builder.Build();
+
+ foreach (string alias in CertificateStore.Aliases)
+ {
+ if (CertificateStore.IsKeyEntry(alias))
+ {
+ var keyEntry = CertificateStore.GetKey(alias);
+ var certChain = CertificateStore.GetCertificateChain(alias);
+
+ tempStore.SetKeyEntry(alias, keyEntry, certChain);
+ }
+ else if (CertificateStore.IsCertificateEntry(alias))
+ {
+ var certEntry = CertificateStore.GetCertificate(alias);
+ tempStore.SetCertificateEntry(alias, certEntry);
+ }
+ }
+
+ CertificateStore = tempStore;
+ }
+
return CertificateStore;
}
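Review bot: `logger.MethodExit(LogLevel.Debug)` on the line before the new `if (requiresLegacyEncryption)` block now fires before the method does its real work; move it to just before `return CertificateStore;`. The legacy branch rebuilds the store with `PbeWithShaAnd3KeyTripleDesCbc` and `PbewithShaAnd40BitRC2Cbc` and then overwrites `CertificateStore`, so a method named Get has a side effect and repeats the copy on every call while the flag is set; a summary comment should say so, e.g. `// Re-wraps every entry in a store built with the legacy PKCS#12 PBE algorithms (3DES for keys, 40-bit RC2 for certificates) so the saved file can be read by consumers that only support them; replaces CertificateStore in place.` Emitting `logger.LogWarning("Writing certificate store with legacy (3DES/40-bit RC2) PKCS#12 encryption because RequiresLegacyEncryption is set.");` inside the branch makes the weaker encoding visible in operator logs. Aliases that are neither key nor certificate entries are silently dropped by the copy loop; if that is intended, the comment should note it.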
diff --git a/RemoteFile/RemoteFile.csproj b/RemoteFile/RemoteFile.csproj
index 2b13f6e2..19ce51c3 100644
--- a/RemoteFile/RemoteFile.csproj
+++ b/RemoteFile/RemoteFile.csproj
@@ -2,7 +2,7 @@
true
- net8.0
+ net8.0;net10.0truedisable
@@ -12,7 +12,7 @@
-
+
diff --git a/RemoteFile/RemoteFileJobTypeBase.cs b/RemoteFile/RemoteFileJobTypeBase.cs
index a9f35b3a..771e2155 100644
--- a/RemoteFile/RemoteFileJobTypeBase.cs
+++ b/RemoteFile/RemoteFileJobTypeBase.cs
@@ -17,6 +17,8 @@ namespace Keyfactor.Extensions.Orchestrator.RemoteFile
{
public abstract class RemoteFileJobTypeBase
{
+ private const string POST_JOB_APPLICATION_RESTART_NO_VALUE = "None";
+
public IPAMSecretResolver _resolver;
internal abstract ICertificateStoreSerializer GetCertificateStoreSerializer(string storeProperties);
@@ -30,6 +32,7 @@ public abstract class RemoteFileJobTypeBase
internal bool CreateCSROnDevice { get; set; }
internal bool UseShellCommands { get; set; }
internal string PostJobApplicationRestart { get; set; }
+ internal bool RequiresLegacyEncryption { get; set; }
internal string KeyType { get; set; }
internal int KeySize { get; set; }
internal string SubjectText { get; set; }
@@ -74,10 +77,14 @@ internal void SetJobProperties(JobConfiguration config, CertificateStore certifi
ApplicationSettings.UseShellCommands :
properties.UseShellCommands;
- PostJobApplicationRestart = properties.PostJobApplicationRestart == null || string.IsNullOrEmpty(properties.PostJobApplicationRestart.Value) ?
+ PostJobApplicationRestart = properties.PostJobApplicationRestart == null || string.IsNullOrEmpty(properties.PostJobApplicationRestart.Value) || properties.PostJobApplicationRestart.Value == POST_JOB_APPLICATION_RESTART_NO_VALUE ?
null :
properties.PostJobApplicationRestart;
+ RequiresLegacyEncryption = properties.RequiresLegacyEncryption == null || string.IsNullOrEmpty(properties.RequiresLegacyEncryption.Value) ?
+ false :
+ properties.RequiresLegacyEncryption;
+
if (config.JobProperties != null)
{
KeyType = !config.JobProperties.ContainsKey("keyType") || config.JobProperties["keyType"] == null || string.IsNullOrEmpty(config.JobProperties["keyType"].ToString()) ? string.Empty : config.JobProperties["keyType"].ToString();
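Review bot: The new `properties.PostJobApplicationRestart.Value == POST_JOB_APPLICATION_RESTART_NO_VALUE` comparison is case-sensitive, so a value of `none` or `NONE` entered in the store-type field is still treated as a restart command; `string.Equals(properties.PostJobApplicationRestart.Value, POST_JOB_APPLICATION_RESTART_NO_VALUE, StringComparison.OrdinalIgnoreCase)` avoids that. The `RequiresLegacyEncryption` assignment mirrors the existing UseShellCommands pattern above it, but how `properties.RequiresLegacyEncryption` (an object exposing `.Value`) converts to `bool` is not visible in this hunk; if `Value` is a string, `bool.TryParse(properties.RequiresLegacyEncryption.Value, out bool requiresLegacy)` would make the conversion explicit and let a malformed value fall back to false instead of failing at assignment. SetJobProperties begins and ends outside this hunk.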
diff --git a/RemoteFile/RemoteHandlers/SSHHandler.cs b/RemoteFile/RemoteHandlers/SSHHandler.cs
index 180dfdac..1921b2c3 100644
--- a/RemoteFile/RemoteHandlers/SSHHandler.cs
+++ b/RemoteFile/RemoteHandlers/SSHHandler.cs
@@ -276,7 +276,7 @@ public override byte[] DownloadCertificateFile(string path)
catch (Exception ex)
{
scpError = true;
- _logger.LogError($"Upload Exception: {RemoteFileException.FlattenExceptionMessages(ex, "Exception during SCP download...")}");
+ _logger.LogError($"Download Exception: {RemoteFileException.FlattenExceptionMessages(ex, "Exception during SCP download...")}");
_logger.LogDebug($"SCP download failed. Attempting with SFTP protocol...");
}
finally
diff --git a/docsource/images/RFDER-advanced-store-type-dialog.svg b/docsource/images/RFDER-advanced-store-type-dialog.svg
new file mode 100644
index 00000000..c0df7539
--- /dev/null
+++ b/docsource/images/RFDER-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-basic-store-type-dialog.png b/docsource/images/RFDER-basic-store-type-dialog.png
index f0a4ed37..8c8636a5 100644
Binary files a/docsource/images/RFDER-basic-store-type-dialog.png and b/docsource/images/RFDER-basic-store-type-dialog.png differ
diff --git a/docsource/images/RFDER-basic-store-type-dialog.svg b/docsource/images/RFDER-basic-store-type-dialog.svg
new file mode 100644
index 00000000..77b25e4b
--- /dev/null
+++ b/docsource/images/RFDER-basic-store-type-dialog.svg
@@ -0,0 +1,87 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-IncludePortInSPN-dialog.svg b/docsource/images/RFDER-custom-field-IncludePortInSPN-dialog.svg
new file mode 100644
index 00000000..a275315d
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-IncludePortInSPN-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-IncludePortInSPN-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-IncludePortInSPN-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-IncludePortInSPN-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg b/docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..5bdc8340
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg b/docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..7e71f575
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-PostJobApplicationRestart-dialog.svg b/docsource/images/RFDER-custom-field-PostJobApplicationRestart-dialog.svg
new file mode 100644
index 00000000..69bf31e3
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-PostJobApplicationRestart-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-PostJobApplicationRestart-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-RemoveRootCertificate-dialog.svg b/docsource/images/RFDER-custom-field-RemoveRootCertificate-dialog.svg
new file mode 100644
index 00000000..8b6f671e
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-RemoveRootCertificate-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-RemoveRootCertificate-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-RemoveRootCertificate-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-RemoveRootCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-dialog.png b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-dialog.png
new file mode 100644
index 00000000..fab02be8
Binary files /dev/null and b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-dialog.png differ
diff --git a/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-dialog.svg b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-dialog.svg
new file mode 100644
index 00000000..0b45e4d4
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-validation-options-dialog.png b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-validation-options-dialog.png
new file mode 100644
index 00000000..fc2630ff
Binary files /dev/null and b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-validation-options-dialog.png differ
diff --git a/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-SSHPort-dialog.svg b/docsource/images/RFDER-custom-field-SSHPort-dialog.svg
new file mode 100644
index 00000000..c13b1da0
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-SSHPort-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-SSHPort-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-SSHPort-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-SSHPort-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-dialog.svg b/docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-dialog.svg
new file mode 100644
index 00000000..a718c54e
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-SudoImpersonatingUser-dialog.svg b/docsource/images/RFDER-custom-field-SudoImpersonatingUser-dialog.svg
new file mode 100644
index 00000000..09b3a369
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-SudoImpersonatingUser-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-SudoImpersonatingUser-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-UseShellCommands-dialog.svg b/docsource/images/RFDER-custom-field-UseShellCommands-dialog.svg
new file mode 100644
index 00000000..4d775ce4
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-UseShellCommands-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-field-UseShellCommands-validation-options-dialog.svg b/docsource/images/RFDER-custom-field-UseShellCommands-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFDER-custom-field-UseShellCommands-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFDER-custom-fields-store-type-dialog.png b/docsource/images/RFDER-custom-fields-store-type-dialog.png
index d95b10d6..ae166fd1 100644
Binary files a/docsource/images/RFDER-custom-fields-store-type-dialog.png and b/docsource/images/RFDER-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/RFDER-custom-fields-store-type-dialog.svg b/docsource/images/RFDER-custom-fields-store-type-dialog.svg
new file mode 100644
index 00000000..53acb957
--- /dev/null
+++ b/docsource/images/RFDER-custom-fields-store-type-dialog.svg
@@ -0,0 +1,147 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-advanced-store-type-dialog.svg b/docsource/images/RFJKS-advanced-store-type-dialog.svg
new file mode 100644
index 00000000..4bd468bc
--- /dev/null
+++ b/docsource/images/RFJKS-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-basic-store-type-dialog.png b/docsource/images/RFJKS-basic-store-type-dialog.png
index bb13f7b7..da3ec217 100644
Binary files a/docsource/images/RFJKS-basic-store-type-dialog.png and b/docsource/images/RFJKS-basic-store-type-dialog.png differ
diff --git a/docsource/images/RFJKS-basic-store-type-dialog.svg b/docsource/images/RFJKS-basic-store-type-dialog.svg
new file mode 100644
index 00000000..c8d7b533
--- /dev/null
+++ b/docsource/images/RFJKS-basic-store-type-dialog.svg
@@ -0,0 +1,87 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-IncludePortInSPN-dialog.svg b/docsource/images/RFJKS-custom-field-IncludePortInSPN-dialog.svg
new file mode 100644
index 00000000..a275315d
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-IncludePortInSPN-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-IncludePortInSPN-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-IncludePortInSPN-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-IncludePortInSPN-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg b/docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..5bdc8340
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg b/docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..7e71f575
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-PostJobApplicationRestart-dialog.svg b/docsource/images/RFJKS-custom-field-PostJobApplicationRestart-dialog.svg
new file mode 100644
index 00000000..61253652
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-PostJobApplicationRestart-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-PostJobApplicationRestart-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-RemoveRootCertificate-dialog.svg b/docsource/images/RFJKS-custom-field-RemoveRootCertificate-dialog.svg
new file mode 100644
index 00000000..8b6f671e
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-RemoveRootCertificate-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-RemoveRootCertificate-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-RemoveRootCertificate-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-RemoveRootCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-dialog.png b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-dialog.png
new file mode 100644
index 00000000..b968cc32
Binary files /dev/null and b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-dialog.png differ
diff --git a/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-dialog.svg b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-dialog.svg
new file mode 100644
index 00000000..0b45e4d4
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-validation-options-dialog.png b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-validation-options-dialog.png
new file mode 100644
index 00000000..535fe385
Binary files /dev/null and b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-validation-options-dialog.png differ
diff --git a/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-SSHPort-dialog.svg b/docsource/images/RFJKS-custom-field-SSHPort-dialog.svg
new file mode 100644
index 00000000..c13b1da0
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-SSHPort-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-SSHPort-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-SSHPort-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-SSHPort-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-SudoImpersonatingUser-dialog.svg b/docsource/images/RFJKS-custom-field-SudoImpersonatingUser-dialog.svg
new file mode 100644
index 00000000..09b3a369
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-SudoImpersonatingUser-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-SudoImpersonatingUser-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-UseShellCommands-dialog.svg b/docsource/images/RFJKS-custom-field-UseShellCommands-dialog.svg
new file mode 100644
index 00000000..4d775ce4
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-UseShellCommands-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-field-UseShellCommands-validation-options-dialog.svg b/docsource/images/RFJKS-custom-field-UseShellCommands-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFJKS-custom-field-UseShellCommands-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFJKS-custom-fields-store-type-dialog.png b/docsource/images/RFJKS-custom-fields-store-type-dialog.png
index 985f7815..4bc63cfb 100644
Binary files a/docsource/images/RFJKS-custom-fields-store-type-dialog.png and b/docsource/images/RFJKS-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/RFJKS-custom-fields-store-type-dialog.svg b/docsource/images/RFJKS-custom-fields-store-type-dialog.svg
new file mode 100644
index 00000000..92b717c2
--- /dev/null
+++ b/docsource/images/RFJKS-custom-fields-store-type-dialog.svg
@@ -0,0 +1,139 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-advanced-store-type-dialog.svg b/docsource/images/RFKDB-advanced-store-type-dialog.svg
new file mode 100644
index 00000000..4bd468bc
--- /dev/null
+++ b/docsource/images/RFKDB-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-basic-store-type-dialog.png b/docsource/images/RFKDB-basic-store-type-dialog.png
index dc28e0a0..99631b47 100644
Binary files a/docsource/images/RFKDB-basic-store-type-dialog.png and b/docsource/images/RFKDB-basic-store-type-dialog.png differ
diff --git a/docsource/images/RFKDB-basic-store-type-dialog.svg b/docsource/images/RFKDB-basic-store-type-dialog.svg
new file mode 100644
index 00000000..5e4a9e95
--- /dev/null
+++ b/docsource/images/RFKDB-basic-store-type-dialog.svg
@@ -0,0 +1,86 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-IncludePortInSPN-dialog.svg b/docsource/images/RFKDB-custom-field-IncludePortInSPN-dialog.svg
new file mode 100644
index 00000000..a275315d
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-IncludePortInSPN-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-IncludePortInSPN-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-IncludePortInSPN-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-IncludePortInSPN-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg b/docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..5bdc8340
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg b/docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..7e71f575
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-PostJobApplicationRestart-dialog.svg b/docsource/images/RFKDB-custom-field-PostJobApplicationRestart-dialog.svg
new file mode 100644
index 00000000..69bf31e3
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-PostJobApplicationRestart-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-PostJobApplicationRestart-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-RemoveRootCertificate-dialog.svg b/docsource/images/RFKDB-custom-field-RemoveRootCertificate-dialog.svg
new file mode 100644
index 00000000..8b6f671e
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-RemoveRootCertificate-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-RemoveRootCertificate-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-RemoveRootCertificate-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-RemoveRootCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-dialog.png b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-dialog.png
new file mode 100644
index 00000000..c1b4ca0c
Binary files /dev/null and b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-dialog.png differ
diff --git a/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-dialog.svg b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-dialog.svg
new file mode 100644
index 00000000..0b45e4d4
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-validation-options-dialog.png b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-validation-options-dialog.png
new file mode 100644
index 00000000..e7e9edf3
Binary files /dev/null and b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-validation-options-dialog.png differ
diff --git a/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-SSHPort-dialog.svg b/docsource/images/RFKDB-custom-field-SSHPort-dialog.svg
new file mode 100644
index 00000000..c13b1da0
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-SSHPort-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-SSHPort-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-SSHPort-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-SSHPort-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-SudoImpersonatingUser-dialog.svg b/docsource/images/RFKDB-custom-field-SudoImpersonatingUser-dialog.svg
new file mode 100644
index 00000000..09b3a369
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-SudoImpersonatingUser-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-SudoImpersonatingUser-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-UseShellCommands-dialog.svg b/docsource/images/RFKDB-custom-field-UseShellCommands-dialog.svg
new file mode 100644
index 00000000..4d775ce4
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-UseShellCommands-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-field-UseShellCommands-validation-options-dialog.svg b/docsource/images/RFKDB-custom-field-UseShellCommands-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFKDB-custom-field-UseShellCommands-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFKDB-custom-fields-store-type-dialog.png b/docsource/images/RFKDB-custom-fields-store-type-dialog.png
index cf02335f..e6e5edc2 100644
Binary files a/docsource/images/RFKDB-custom-fields-store-type-dialog.png and b/docsource/images/RFKDB-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/RFKDB-custom-fields-store-type-dialog.svg b/docsource/images/RFKDB-custom-fields-store-type-dialog.svg
new file mode 100644
index 00000000..a0a79366
--- /dev/null
+++ b/docsource/images/RFKDB-custom-fields-store-type-dialog.svg
@@ -0,0 +1,139 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-advanced-store-type-dialog.svg b/docsource/images/RFORA-advanced-store-type-dialog.svg
new file mode 100644
index 00000000..4bd468bc
--- /dev/null
+++ b/docsource/images/RFORA-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-basic-store-type-dialog.svg b/docsource/images/RFORA-basic-store-type-dialog.svg
new file mode 100644
index 00000000..0a857ed9
--- /dev/null
+++ b/docsource/images/RFORA-basic-store-type-dialog.svg
@@ -0,0 +1,86 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-IncludePortInSPN-dialog.svg b/docsource/images/RFORA-custom-field-IncludePortInSPN-dialog.svg
new file mode 100644
index 00000000..a275315d
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-IncludePortInSPN-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-IncludePortInSPN-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-IncludePortInSPN-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-IncludePortInSPN-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg b/docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..5bdc8340
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg b/docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..7e71f575
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-PostJobApplicationRestart-dialog.svg b/docsource/images/RFORA-custom-field-PostJobApplicationRestart-dialog.svg
new file mode 100644
index 00000000..69bf31e3
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-PostJobApplicationRestart-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-PostJobApplicationRestart-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-RemoveRootCertificate-dialog.svg b/docsource/images/RFORA-custom-field-RemoveRootCertificate-dialog.svg
new file mode 100644
index 00000000..8b6f671e
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-RemoveRootCertificate-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-RemoveRootCertificate-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-RemoveRootCertificate-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-RemoveRootCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-dialog.png b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-dialog.png
new file mode 100644
index 00000000..fab02be8
Binary files /dev/null and b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-dialog.png differ
diff --git a/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-dialog.svg b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-dialog.svg
new file mode 100644
index 00000000..0b45e4d4
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-validation-options-dialog.png b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-validation-options-dialog.png
new file mode 100644
index 00000000..fc2630ff
Binary files /dev/null and b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-validation-options-dialog.png differ
diff --git a/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-SSHPort-dialog.svg b/docsource/images/RFORA-custom-field-SSHPort-dialog.svg
new file mode 100644
index 00000000..c13b1da0
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-SSHPort-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-SSHPort-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-SSHPort-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-SSHPort-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-SudoImpersonatingUser-dialog.svg b/docsource/images/RFORA-custom-field-SudoImpersonatingUser-dialog.svg
new file mode 100644
index 00000000..09b3a369
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-SudoImpersonatingUser-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-SudoImpersonatingUser-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-UseShellCommands-dialog.svg b/docsource/images/RFORA-custom-field-UseShellCommands-dialog.svg
new file mode 100644
index 00000000..4d775ce4
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-UseShellCommands-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-UseShellCommands-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-UseShellCommands-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-UseShellCommands-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-WorkFolder-dialog.svg b/docsource/images/RFORA-custom-field-WorkFolder-dialog.svg
new file mode 100644
index 00000000..a2da5ad0
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-WorkFolder-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-field-WorkFolder-validation-options-dialog.svg b/docsource/images/RFORA-custom-field-WorkFolder-validation-options-dialog.svg
new file mode 100644
index 00000000..7993c230
--- /dev/null
+++ b/docsource/images/RFORA-custom-field-WorkFolder-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFORA-custom-fields-store-type-dialog.png b/docsource/images/RFORA-custom-fields-store-type-dialog.png
index 1bf005ea..407ba19a 100644
Binary files a/docsource/images/RFORA-custom-fields-store-type-dialog.png and b/docsource/images/RFORA-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/RFORA-custom-fields-store-type-dialog.svg b/docsource/images/RFORA-custom-fields-store-type-dialog.svg
new file mode 100644
index 00000000..a0a79366
--- /dev/null
+++ b/docsource/images/RFORA-custom-fields-store-type-dialog.svg
@@ -0,0 +1,139 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-advanced-store-type-dialog.svg b/docsource/images/RFPEM-advanced-store-type-dialog.svg
new file mode 100644
index 00000000..c0df7539
--- /dev/null
+++ b/docsource/images/RFPEM-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-basic-store-type-dialog.svg b/docsource/images/RFPEM-basic-store-type-dialog.svg
new file mode 100644
index 00000000..ef3e5a02
--- /dev/null
+++ b/docsource/images/RFPEM-basic-store-type-dialog.svg
@@ -0,0 +1,87 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-dialog.svg b/docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-dialog.svg
new file mode 100644
index 00000000..89100eac
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IncludePortInSPN-dialog.svg b/docsource/images/RFPEM-custom-field-IncludePortInSPN-dialog.svg
new file mode 100644
index 00000000..a275315d
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IncludePortInSPN-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IncludePortInSPN-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-IncludePortInSPN-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IncludePortInSPN-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IncludesChain-dialog.svg b/docsource/images/RFPEM-custom-field-IncludesChain-dialog.svg
new file mode 100644
index 00000000..19148cd9
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IncludesChain-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IncludesChain-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-IncludesChain-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IncludesChain-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IsTrustStore-dialog.svg b/docsource/images/RFPEM-custom-field-IsTrustStore-dialog.svg
new file mode 100644
index 00000000..5d429e46
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IsTrustStore-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-IsTrustStore-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-IsTrustStore-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-IsTrustStore-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg b/docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..5bdc8340
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg b/docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..7e71f575
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-PostJobApplicationRestart-dialog.svg b/docsource/images/RFPEM-custom-field-PostJobApplicationRestart-dialog.svg
new file mode 100644
index 00000000..1d316fd3
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-PostJobApplicationRestart-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-PostJobApplicationRestart-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-RemoveRootCertificate-dialog.svg b/docsource/images/RFPEM-custom-field-RemoveRootCertificate-dialog.svg
new file mode 100644
index 00000000..8b6f671e
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-RemoveRootCertificate-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-RemoveRootCertificate-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-RemoveRootCertificate-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-RemoveRootCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-dialog.png b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-dialog.png
new file mode 100644
index 00000000..39d89781
Binary files /dev/null and b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-dialog.png differ
diff --git a/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-dialog.svg b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-dialog.svg
new file mode 100644
index 00000000..0b45e4d4
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-validation-options-dialog.png b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-validation-options-dialog.png
new file mode 100644
index 00000000..e73a5df5
Binary files /dev/null and b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-validation-options-dialog.png differ
diff --git a/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-SSHPort-dialog.svg b/docsource/images/RFPEM-custom-field-SSHPort-dialog.svg
new file mode 100644
index 00000000..c13b1da0
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-SSHPort-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-SSHPort-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-SSHPort-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-SSHPort-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-dialog.svg b/docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-dialog.svg
new file mode 100644
index 00000000..a718c54e
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-SudoImpersonatingUser-dialog.svg b/docsource/images/RFPEM-custom-field-SudoImpersonatingUser-dialog.svg
new file mode 100644
index 00000000..09b3a369
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-SudoImpersonatingUser-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-SudoImpersonatingUser-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-UseShellCommands-dialog.svg b/docsource/images/RFPEM-custom-field-UseShellCommands-dialog.svg
new file mode 100644
index 00000000..4d775ce4
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-UseShellCommands-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-field-UseShellCommands-validation-options-dialog.svg b/docsource/images/RFPEM-custom-field-UseShellCommands-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPEM-custom-field-UseShellCommands-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPEM-custom-fields-store-type-dialog.png b/docsource/images/RFPEM-custom-fields-store-type-dialog.png
index a40181c7..9ffae5d1 100644
Binary files a/docsource/images/RFPEM-custom-fields-store-type-dialog.png and b/docsource/images/RFPEM-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/RFPEM-custom-fields-store-type-dialog.svg b/docsource/images/RFPEM-custom-fields-store-type-dialog.svg
new file mode 100644
index 00000000..52279299
--- /dev/null
+++ b/docsource/images/RFPEM-custom-fields-store-type-dialog.svg
@@ -0,0 +1,174 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-advanced-store-type-dialog.svg b/docsource/images/RFPkcs12-advanced-store-type-dialog.svg
new file mode 100644
index 00000000..4bd468bc
--- /dev/null
+++ b/docsource/images/RFPkcs12-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-basic-store-type-dialog.svg b/docsource/images/RFPkcs12-basic-store-type-dialog.svg
new file mode 100644
index 00000000..c2f1c712
--- /dev/null
+++ b/docsource/images/RFPkcs12-basic-store-type-dialog.svg
@@ -0,0 +1,87 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-IncludePortInSPN-dialog.svg b/docsource/images/RFPkcs12-custom-field-IncludePortInSPN-dialog.svg
new file mode 100644
index 00000000..a275315d
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-IncludePortInSPN-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-IncludePortInSPN-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-IncludePortInSPN-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-IncludePortInSPN-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg b/docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..5bdc8340
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg b/docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
new file mode 100644
index 00000000..7e71f575
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-PostJobApplicationRestart-dialog.svg b/docsource/images/RFPkcs12-custom-field-PostJobApplicationRestart-dialog.svg
new file mode 100644
index 00000000..69bf31e3
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-PostJobApplicationRestart-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-PostJobApplicationRestart-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-PostJobApplicationRestart-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-dialog.svg b/docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-dialog.svg
new file mode 100644
index 00000000..8b6f671e
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-dialog.png b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-dialog.png
new file mode 100644
index 00000000..c1b4ca0c
Binary files /dev/null and b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-dialog.png differ
diff --git a/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-dialog.svg b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-dialog.svg
new file mode 100644
index 00000000..0b45e4d4
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-validation-options-dialog.png b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-validation-options-dialog.png
new file mode 100644
index 00000000..e7e9edf3
Binary files /dev/null and b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-validation-options-dialog.png differ
diff --git a/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-RequiresLegacyEncryption-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-SSHPort-dialog.svg b/docsource/images/RFPkcs12-custom-field-SSHPort-dialog.svg
new file mode 100644
index 00000000..c13b1da0
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-SSHPort-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-SSHPort-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-SSHPort-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-SSHPort-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-dialog.svg b/docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-dialog.svg
new file mode 100644
index 00000000..09b3a369
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-UseShellCommands-dialog.svg b/docsource/images/RFPkcs12-custom-field-UseShellCommands-dialog.svg
new file mode 100644
index 00000000..4d775ce4
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-UseShellCommands-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-field-UseShellCommands-validation-options-dialog.svg b/docsource/images/RFPkcs12-custom-field-UseShellCommands-validation-options-dialog.svg
new file mode 100644
index 00000000..22f8bbd6
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-field-UseShellCommands-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/RFPkcs12-custom-fields-store-type-dialog.png b/docsource/images/RFPkcs12-custom-fields-store-type-dialog.png
index cf02335f..e6e5edc2 100644
Binary files a/docsource/images/RFPkcs12-custom-fields-store-type-dialog.png and b/docsource/images/RFPkcs12-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/RFPkcs12-custom-fields-store-type-dialog.svg b/docsource/images/RFPkcs12-custom-fields-store-type-dialog.svg
new file mode 100644
index 00000000..a0a79366
--- /dev/null
+++ b/docsource/images/RFPkcs12-custom-fields-store-type-dialog.svg
@@ -0,0 +1,139 @@
+
+
\ No newline at end of file
diff --git a/docsource/rfora.md b/docsource/rfora.md
index 35dc4265..dd3d7360 100644
--- a/docsource/rfora.md
+++ b/docsource/rfora.md
@@ -1,9 +1,6 @@
## Overview
-The `RFORA` store type can be used to manage `PKCS12` Oracle Wallets.
-
-> NOTE: This should work for `PKCS12` Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows.
-> NOTE: When entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the `eWallet.p12` file name that by convention is the name of the `PKCS12` wallet file that gets created.
+The `RFORA` store type can be used to manage `PKCS12` Oracle wallets. Although implemented as a separate store type, Oracle wallets are accessed and managed identically to RFPkcs12 store types. The file is expected to compatible with the Pkcs#12 standard.
### Supported use cases
1. One-to-many trust entries - A trust entry is defined as a single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias.
diff --git a/integration-manifest.json b/integration-manifest.json
index ec8f8d51..5633c6c2 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -132,6 +132,15 @@
"Type": "MultipleChoice",
"DefaultValue": "Apache Tomcat Restart,Jetty Restart",
"Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
}
],
"EntryParameters": [],
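Review bot: The Description for the new RequiresLegacyEncryption property (L3452) names the BouncyCastle algorithm identifiers but never tells the operator what enabling it means for the written store: the PKCS#12 file will be protected with 3-key 3DES and 40-bit RC2 rather than the library's current defaults, and 40-bit RC2 is a weak cipher that should only be accepted when a consuming application cannot open the store otherwise. I would add a sentence such as `Enabling this writes the store with legacy, weaker ciphers (3DES / 40-bit RC2); enable it only when the application that reads the store cannot open PKCS#12 files produced with the default algorithms.` so the trade-off is visible in the Command UI where the flag is set. "Should be left not implemented" reads oddly for a Bool property; `Should be left unset or set to False for most instances.` says the same thing more plainly. The identical text is repeated in the hunks at L3456-3471, L3472-3496 and L3497 onward (the last hunk continues past this excerpt), so the same change applies to each copy.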
@@ -291,6 +300,15 @@
"Type": "MultipleChoice",
"DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart",
"Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
}
],
"EntryParameters": [],
@@ -405,6 +423,24 @@
"Type": "Bool",
"DefaultValue": "True",
"Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
}
],
"EntryParameters": [],
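Review bot: The new PostJobApplicationRestart entry sets `"DefaultValue": "None"` while its Description says no options are delivered for RFPkcs12; in the earlier entries of this manifest (hunks at new-side lines 132 and 300) DefaultValue holds the comma-separated option list, so "None" may render as a selectable option literally named "None" rather than as an empty list. If an empty option list is intended, `"DefaultValue": ""` matches how the other empty defaults in this file are written; if "None" is meant to be a real choice, the Description should say so instead of "Leave unselected". The same entry is repeated in the hunks at new-side lines 564, 696 and 828 (RFDER, RFKDB, RFORA). How Command parses a MultipleChoice DefaultValue is not visible here, so confirm against the rendered store-type definition before changing it.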
@@ -528,6 +564,24 @@
"Type": "Bool",
"DefaultValue": "True",
"Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
}
],
"EntryParameters": [],
@@ -642,6 +696,24 @@
"Type": "Bool",
"DefaultValue": "True",
"Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
}
],
"EntryParameters": [],
@@ -721,15 +793,6 @@
"DefaultValue": "",
"Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
},
- {
- "Name": "WorkFolder",
- "DisplayName": "Location to use for creation/removal of work files",
- "Required": true,
- "DependsOn": "",
- "Type": "String",
- "DefaultValue": "",
- "Description": "The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'."
- },
{
"Name": "RemoveRootCertificate",
"DisplayName": "Remove Root Certificate from Chain",
@@ -765,11 +828,29 @@
"Type": "Bool",
"DefaultValue": "True",
"Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
}
],
"EntryParameters": [],
"ClientMachineDescription": "The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access.",
- "StorePathDescription": "The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\\path\\to\\eWallet.p12'."
+ "StorePathDescription": "The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name that is generally used by convention. Example: '/path/to/eWallet.p12' or 'c:\\path\\to\\eWallet.p12'."
}
]
}
diff --git a/scripts/store_types/bash/curl_create_store_types.sh b/scripts/store_types/bash/curl_create_store_types.sh
new file mode 100755
index 00000000..6662fada
--- /dev/null
+++ b/scripts/store_types/bash/curl_create_store_types.sh
@@ -0,0 +1,872 @@
+#!/bin/bash
+# Store Type creation script using curl
+# Generated by Doctool
+
+set -e
+
+# Configuration - set these variables before running
+KEYFACTOR_HOSTNAME="${KEYFACTOR_HOSTNAME}"
+KEYFACTOR_API_PATH="${KEYFACTOR_API_PATH:-KeyfactorAPI}"
+KEYFACTOR_AUTH_TOKEN="${KEYFACTOR_AUTH_TOKEN}"
+
+echo "Creating store type: RFJKS"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "RFJKS",
+ "ShortName": "RFJKS",
+ "Capability": "RFJKS",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "Apache Tomcat Restart,Jetty Restart",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}'
+
+echo "Creating store type: RFPEM"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "RFPEM",
+ "ShortName": "RFPEM",
+ "Capability": "RFPEM",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Forbidden",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store. For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value'",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.."
+ },
+ {
+ "Name": "IsTrustStore",
+ "DisplayName": "Trust Store",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "false",
+ "Description": "The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key."
+ },
+ {
+ "Name": "IncludesChain",
+ "DisplayName": "Store Includes Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "false",
+ "Description": "The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it."
+ },
+ {
+ "Name": "SeparatePrivateKeyFilePath",
+ "DisplayName": "Separate Private Key File Location",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'."
+ },
+ {
+ "Name": "IgnorePrivateKeyOnInventory",
+ "DisplayName": "Ignore Private Key On Inventory",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "false",
+ "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}'
+
+echo "Creating store type: RFPkcs12"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "RFPkcs12",
+ "ShortName": "RFPkcs12",
+ "Capability": "RFPkcs12",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}'
+
+echo "Creating store type: RFDER"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "RFDER",
+ "ShortName": "RFDER",
+ "Capability": "RFDER",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Forbidden",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "SeparatePrivateKeyFilePath",
+ "DisplayName": "Separate Private Key File Location",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}'
+
+echo "Creating store type: RFKDB"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "RFKDB",
+ "ShortName": "RFKDB",
+ "Capability": "RFKDB",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}'
+
+echo "Creating store type: RFORA"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "RFORA",
+ "ShortName": "RFORA",
+ "Capability": "RFORA",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}'
+
diff --git a/scripts/store_types/bash/kfutil_create_store_types.sh b/scripts/store_types/bash/kfutil_create_store_types.sh
new file mode 100755
index 00000000..6836df31
--- /dev/null
+++ b/scripts/store_types/bash/kfutil_create_store_types.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Store Type creation script using kfutil
+# Generated by Doctool
+
+set -e
+
+echo "Creating store type: RFJKS"
+kfutil store-types create RFJKS
+
+echo "Creating store type: RFPEM"
+kfutil store-types create RFPEM
+
+echo "Creating store type: RFPkcs12"
+kfutil store-types create RFPkcs12
+
+echo "Creating store type: RFDER"
+kfutil store-types create RFDER
+
+echo "Creating store type: RFKDB"
+kfutil store-types create RFKDB
+
+echo "Creating store type: RFORA"
+kfutil store-types create RFORA
+
diff --git a/scripts/store_types/powershell/kfutil_create_store_types.ps1 b/scripts/store_types/powershell/kfutil_create_store_types.ps1
new file mode 100644
index 00000000..2678e444
--- /dev/null
+++ b/scripts/store_types/powershell/kfutil_create_store_types.ps1
@@ -0,0 +1,21 @@
+# Store Type creation script using kfutil
+# Generated by Doctool
+
+Write-Host "Creating store type: RFJKS"
+kfutil store-types create RFJKS
+
+Write-Host "Creating store type: RFPEM"
+kfutil store-types create RFPEM
+
+Write-Host "Creating store type: RFPkcs12"
+kfutil store-types create RFPkcs12
+
+Write-Host "Creating store type: RFDER"
+kfutil store-types create RFDER
+
+Write-Host "Creating store type: RFKDB"
+kfutil store-types create RFKDB
+
+Write-Host "Creating store type: RFORA"
+kfutil store-types create RFORA
+
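Review bot: Unlike the bash sibling in scripts/store_types/bash/kfutil_create_store_types.sh, which runs under `set -e`, this script has no failure handling: if one `kfutil store-types create` call exits non-zero, PowerShell moves on to the next store type and the script still ends with success, so a partially created set of store types goes unnoticed. A native command's exit code is not governed by `$ErrorActionPreference` unless the newer `$PSNativeCommandUseErrorActionPreference` is enabled, so the guard has to be explicit, e.g. after each call `if ($LASTEXITCODE -ne 0) { throw "kfutil store-types create failed" }`. Because the file header says it is generated by Doctool, the guard should be added to the generator's template rather than hand-edited here.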
diff --git a/scripts/store_types/powershell/restmethod_create_store_types.ps1 b/scripts/store_types/powershell/restmethod_create_store_types.ps1
new file mode 100644
index 00000000..bf6c13e9
--- /dev/null
+++ b/scripts/store_types/powershell/restmethod_create_store_types.ps1
@@ -0,0 +1,875 @@
+# Store Type creation script using Invoke-RestMethod
+# Generated by Doctool
+
+# Configuration - set these variables before running
+$KeyfactorHostname = $env:KEYFACTOR_HOSTNAME
+$KeyfactorApiPath = if ($env:KEYFACTOR_API_PATH) { $env:KEYFACTOR_API_PATH } else { "KeyfactorAPI" }
+$KeyfactorAuthToken = $env:KEYFACTOR_AUTH_TOKEN
+
+$Headers = @{
+ "Authorization" = "Bearer $KeyfactorAuthToken"
+ "Content-Type" = "application/json"
+ "x-keyfactor-requested-with" = "APIClient"
+}
+
+Write-Host "Creating store type: RFJKS"
+$Body = @'
+{
+ "Name": "RFJKS",
+ "ShortName": "RFJKS",
+ "Capability": "RFJKS",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "Apache Tomcat Restart,Jetty Restart",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+
+Write-Host "Creating store type: RFPEM"
+$Body = @'
+{
+ "Name": "RFPEM",
+ "ShortName": "RFPEM",
+ "Capability": "RFPEM",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Forbidden",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store. For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value'",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.."
+ },
+ {
+ "Name": "IsTrustStore",
+ "DisplayName": "Trust Store",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "false",
+ "Description": "The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key."
+ },
+ {
+ "Name": "IncludesChain",
+ "DisplayName": "Store Includes Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "false",
+ "Description": "The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it."
+ },
+ {
+ "Name": "SeparatePrivateKeyFilePath",
+ "DisplayName": "Separate Private Key File Location",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'."
+ },
+ {
+ "Name": "IgnorePrivateKeyOnInventory",
+ "DisplayName": "Ignore Private Key On Inventory",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "false",
+ "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+
+Write-Host "Creating store type: RFPkcs12"
+$Body = @'
+{
+ "Name": "RFPkcs12",
+ "ShortName": "RFPkcs12",
+ "Capability": "RFPkcs12",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFPkcs12."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+
+Write-Host "Creating store type: RFDER"
+$Body = @'
+{
+ "Name": "RFDER",
+ "ShortName": "RFDER",
+ "Capability": "RFDER",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Forbidden",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "SeparatePrivateKeyFilePath",
+ "DisplayName": "Separate Private Key File Location",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFDER."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+
+Write-Host "Creating store type: RFKDB"
+$Body = @'
+{
+ "Name": "RFKDB",
+ "ShortName": "RFKDB",
+ "Capability": "RFKDB",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFKDB."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+
+Write-Host "Creating store type: RFORA"
+$Body = @'
+{
+ "Name": "RFORA",
+ "ShortName": "RFORA",
+ "Capability": "RFORA",
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Password used to secure the Certificate Store",
+ "IsPAMEligible": true
+ }
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*"
+ },
+ {
+ "Name": "LinuxFilePermissionsOnStoreCreation",
+ "DisplayName": "Linux File Permissions on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "LinuxFileOwnerOnStoreCreation",
+ "DisplayName": "Linux File Owner on Store Creation",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SudoImpersonatingUser",
+ "DisplayName": "Sudo Impersonating User",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "UseShellCommands",
+ "DisplayName": "Use Shell Commands",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "True",
+ "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+ },
+ {
+ "Name": "PostJobApplicationRestart",
+ "DisplayName": "Post Job Application Restart",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": "None",
+ "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. No options are initially delivered for RFORA."
+ },
+ {
+ "Name": "RequiresLegacyEncryption",
+ "DisplayName": "Requires Legacy Encryption",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Optional setting. If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs. Should be left not implemented or set to False for most instances."
+ }
+ ],
+ "EntryParameters": []
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+