A10 vThunder AnyAgent allows an organization to inventory and deploy certificates in any domain that the appliance services. The AnyAgent deploys the appropriate files (.cer, .pem) within the defined directories and also performs an Inventory on the items.
This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
a10vThunder is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
The minimum version of the Universal Orchestrator Framework needed to run this version of the extension is
The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based on what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
Operation | Win | Linux |
---|---|---|
Supports Management Add | ✓ | ✓ |
Supports Management Remove | ✓ | ✓ |
Supports Create Store | | |
Supports Discovery | | |
Supports Reenrollment | | |
Supports Inventory | ✓ | ✓ |
A10 Networks vThunder Orchestrator
Overview
This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this AnyAgent. It supports adding certificates with or without private keys.
A10 vThunder Configuration
- Read up on A10 Networks ADC and how it works.
- A user account is needed with the appropriate permissions on vThunder to manage certificates.
1. Create the New Certificate Store Type for the A10 vThunder Orchestrator
In Keyfactor Command create a new Certificate Store Type similar to the one below:
SETTING TAB | CONFIG ELEMENT | DESCRIPTION |
---|---|---|
Basic | Name | Descriptive name for the Store Type. A10 vThunder can be used. |
Basic | Short Name | The short name that identifies the registered functionality of the orchestrator. Must be vThunderU |
Basic | Custom Capability | Unchecked |
Basic | Job Types | Inventory, Add, and Remove are the supported job types. |
Basic | Needs Server | Must be checked |
Basic | Blueprint Allowed | checked |
Basic | Requires Store Password | Determines if a store password is required when configuring an individual store. This must be unchecked. |
Basic | Supports Entry Password | Determines if an individual entry within a store can have a password. This must be unchecked. |
Advanced | Store Path Type | Determines how the user will enter the store path when setting up the cert store. Freeform |
Advanced | Supports Custom Alias | Determines if an individual entry within a store can have a custom Alias. This must be Required |
Advanced | Private Key Handling | Determines how the orchestrator deals with private keys. Optional |
Advanced | PFX Password Style | Determines password style for the PFX Password. Default |
Custom Fields | protocol | Name: protocol, Display Name: Protocol, Type: Multiple Choice (http,https), Default Value: https, Required: True |
Custom Fields | allowInvalidCert | Name: allowInvalidCert, Display Name: Allow Invalid Cert, Type: Bool, Default Value: false, Required: True |
Entry Parameters | N/A | There are no Entry Parameters |
(Screenshots of the Basic Settings, Advanced Settings, Custom Fields and Entry Params tabs accompany this table.)
2. Register the A10 vThunder Orchestrator with Keyfactor
1. Stop the Keyfactor Universal Orchestrator Service for the orchestrator you plan to install this extension to run on.
2. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "extensions" folder. Underneath that, create a new folder named "vThunderU". You may choose to use a different name, but then you must edit the manifest.json file downloaded from GitHub (Step 3) as described in Step 5 below.
3. Download the latest version of the A10 orchestrator extension from GitHub.
4. Copy the contents of the downloaded installation zip file to the folder created in Step 2.
5. (Optional) If you named the folder created in Step 2 something other than the suggested name (vThunderU), you will need to edit the manifest.json file. Change "CertStores.{folder name}.Capability" so that {folder name} matches the folder you created in Step 2.
6. Start the Keyfactor Universal Orchestrator Service.
Please reference the "Keyfactor Orchestrators Installation and Configuration Guide" obtainable from your Keyfactor contact/representative for more information regarding this step.
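As an added illustration (not taken from the original README or the extension's own download), this is the shape of a Universal Orchestrator manifest.json after the extension folder from Step 2 has been renamed from vThunderU to a hypothetical A10Prod: the middle segment of every "CertStores.<folder>.<Capability>" key is changed to the new folder name, while the assemblypath and TypeFullName values are left exactly as they came in the download (shown here as obvious placeholders, not the project's real values). It assumes the standard Universal Orchestrator manifest layout, in which the Add and Remove job types share the single Management capability.

```json
{
  "extensions": {
    "Keyfactor.Orchestrators.Extensions.IOrchestratorJobExtension": {
      "CertStores.A10Prod.Inventory": {
        "assemblypath": "ASSEMBLY_FROM_DOWNLOAD.dll",
        "TypeFullName": "TYPE_NAME_FROM_DOWNLOAD.Inventory"
      },
      "CertStores.A10Prod.Management": {
        "assemblypath": "ASSEMBLY_FROM_DOWNLOAD.dll",
        "TypeFullName": "TYPE_NAME_FROM_DOWNLOAD.Management"
      }
    }
  }
}
```

The folder name in the keys must match the Short Name (vThunderU, or whatever you chose) registered on the Certificate Store Type in Step 1; a mismatch leaves the orchestrator without a registered capability for the store type, so the jobs never run.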
3. Create an A10 vThunder Certificate Store within Keyfactor Command
In Keyfactor Command create a new Certificate Store similar to the one below:
CONFIG ELEMENT | DESCRIPTION |
---|---|
Category | The type of certificate store to be configured. Select category based on the display name configured above "VThunder Universal". |
Container | This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. |
Client Machine | The URL of the vThunder API. This should be the host and port of the vThunder API, for example vThunder.test.com:1113. |
Store Path | This must be "cert". The value is not used, but hard-code it as "cert". |
Allow Invalid Cert | Only used for testing; must be false in production. |
Protocol | http is only used for testing; must be https in production. |
Orchestrator | This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. |
Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. |
Use SSL | This should be checked. |
User | This is the user name for the vThunder API to access the certificate management functionality. |
Password | This is the password for the vThunder API to access the certificate management functionality. |
- Adding New Certificate New Alias
- Replace Cert With Same Alias
- Add Cert No Private Key
- Replace Cert No Private Key
- Remove Cert No Private Key
- Remove Cert and Private Key
- Certificate Inventory
Case Number | Case Name | Case Description | Overwrite Flag | Alias Name | Expected Results | Passed |
---|---|---|---|---|---|---|
1 | Fresh Add With Alias | Will create new certificate and private key on the vThunder appliance | true | KeyAndCertBTest | The new KeyAndCertBTest certificate and private key will be created in the ADC/SSL Certificates area on vThunder. | True |
1a | Replace Alias with no overwrite flag | Should warn user that a cert cannot be replaced with the same name without overwrite flag | false | KeyAndCertBTest | Error Saying Overwrite Flag Needs To Be Used | True |
1b | Replace Alias with overwrite flag | Will create new certificate and private key on the vThunder appliance | true | KeyAndCertBTest | Cert will be replaced because overwrite flag was used | True |
2 | Add Cert Without Private Key | This will create a cert with no private key on vThunder | false | NewCertNoPk | Only Cert will be added to vThunder with no private key | True |
2a | Replace Cert Without Private Key | This will Replace a cert with no private key on vThunder | true | NewCertNoPk | Only Cert will be replaced on vThunder with no private key | True |
2b | Replace Cert Without Private Key no overwrite flag | Should warn user that a cert cannot be replaced with the same name without overwrite flag | false | NewCertNoPk | Error Saying Overwrite Flag Needs To Be Used | True |
3 | Remove Certificate and Private Key | Certificate and Private Key Will Be Removed from A10 | N/A | KeyAndCertBTest | Cert and Key will be removed from vThunder and Keyfactor Store | True |
3a | Remove Certificate without Private Key | Certificate Will Be Removed from A10 | N/A | KeyAndCertBTest | Cert will be removed from vThunder and Keyfactor Store | True |
4 | Inventory Certificates with Private Key | Inventory of Certificates with private keys will be pulled from vThunder up to 125 tested | N/A | N/A | 125 Certs will be inventoried, more should be supported but there is no paging in the API so limits apply | True |
4a | Inventory Certificates without Private Key | Inventory of Certificates without private keys will be pulled from vThunder up to 125 tested | N/A | N/A | 125 Certs will be inventoried, more should be supported but there is no paging in the API so limits apply | True |