Signum Universal Orchestrator Extension

Support · Installation · License · Related Integrations

Overview

The Signum Orchestrator Extension supports inventorying certificate stored in a Signum instance. Adding, renewing existing and removing certificates is not supported.

Compatibility

This integration is compatible with Keyfactor Universal Orchestrator version 10.4.1 and later.

Support

The Signum Universal Orchestrator extension If you have a support issue, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.

To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.

Requirements & Prerequisites

Before installing the Signum Universal Orchestrator extension, we recommend that you install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.

Create the Signum Certificate Store Type

To use the Signum Universal Orchestrator extension, you must create the Signum Certificate Store Type. This only needs to happen once per Keyfactor Command instance.

• Create Signum using kfutil:

  # Signum
  kfutil store-types create Signum

• Create Signum manually in the Command UI:

  Create Signum manually in the Command UI

  Create a store type called Signum with the attributes in the tables below:

  Basic Tab

  Attribute	Value	Description
  Name	Signum	Display name for the store type (may be customized)
  Short Name	Signum	Short display name for the store type
  Capability	Signum	Store type name orchestrator will register with. Check the box to allow entry of value
  Supports Add	🔲 Unchecked	Indicates that the Store Type supports Management Add
  Supports Remove	🔲 Unchecked	Indicates that the Store Type supports Management Remove
  Supports Discovery	🔲 Unchecked	Indicates that the Store Type supports Discovery
  Supports Reenrollment	🔲 Unchecked	Indicates that the Store Type supports Reenrollment
  Supports Create	🔲 Unchecked	Indicates that the Store Type supports store creation
  Needs Server	✅ Checked	Determines if a target server name is required when creating store
  Blueprint Allowed	🔲 Unchecked	Determines if store type may be included in an Orchestrator blueprint
  Uses PowerShell	🔲 Unchecked	Determines if underlying implementation is PowerShell
  Requires Store Password	🔲 Unchecked	Enables users to optionally specify a store password when defining a Certificate Store.
  Supports Entry Password	🔲 Unchecked	Determines if an individual entry within a store can have a password.

  The Basic tab should look like this:

  

  Advanced Tab

  Attribute	Value	Description
  Supports Custom Alias	Required	Determines if an individual entry within a store can have a custom Alias.
  Private Key Handling	Required	This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid.
  PFX Password Style	Default	'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.)

  The Advanced tab should look like this:

  

  Custom Fields Tab

  Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:

  Name	Display Name	Description	Type	Default Value/Options	Required
  ServerUsername	Server Username	The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment.	Secret		✅ Checked
  ServerPassword	Server Password	The password (or PAM key pointing to the password) for the user ID you entered for Server User Name.	Secret		✅ Checked

  The Custom Fields tab should look like this:

  

Installation

1. Download the latest Signum Universal Orchestrator extension from GitHub.

   Navigate to the Signum Universal Orchestrator extension GitHub version page. Refer to the compatibility matrix below to determine whether the net6.0 or net8.0 asset should be downloaded. Then, click the corresponding asset to download the zip archive.

   Universal Orchestrator Version	Latest .NET version installed on the Universal Orchestrator server	rollForward condition in Orchestrator.runtimeconfig.json	signum-orchestrator .NET version to download
   Older than 11.0.0			net6.0
   Between 11.0.0 and 11.5.1 (inclusive)	net6.0		net6.0
   Between 11.0.0 and 11.5.1 (inclusive)	net8.0	Disable	net6.0
   Between 11.0.0 and 11.5.1 (inclusive)	net8.0	LatestMajor	net8.0
   11.6 and newer	net8.0		net8.0

   Unzip the archive containing extension assemblies to a known location.

   Note If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for net6.0.

2. Locate the Universal Orchestrator extensions directory.

   • Default on Windows - C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions
   • Default on Linux - /opt/keyfactor/orchestrator/extensions

3. Create a new directory for the Signum Universal Orchestrator extension inside the extensions directory.

   Create a new directory called signum-orchestrator.

   The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.

4. Copy the contents of the downloaded and unzipped assemblies from step 2 to the signum-orchestrator directory.

5. Restart the Universal Orchestrator service.

   Refer to Starting/Restarting the Universal Orchestrator service.

6. (optional) PAM Integration

   The Signum Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.

   To configure a PAM provider, reference the Keyfactor Integration Catalog to select an extension, and follow the associated instructions to install it on the Universal Orchestrator (remote).

The above installation steps can be supplimented by the official Command documentation.

Defining Certificate Stores

• Manually with the Command UI

  Create Certificate Stores manually in the UI

  1. Navigate to the Certificate Stores page in Keyfactor Command.

     Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.

  2. Add a Certificate Store.

     Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.

     Attribute	Description
     Category	Select "Signum" or the customized certificate store name from the previous step.
     Container	Optional container to associate certificate store with.
     Client Machine	The URL that will be used as the base URL for Signum endpoint calls. Should be something like https://{base url for your signum install}/rtadminservice.svc/basic. The API service port can be configured so yours may use something other than default https/443. The '/basic' at the end is required, as this integration makes use of Basic Authentication only when consuming the Signum SOAP API library.
     Store Path	Not used and hardcoded to NA for 'not applicable'
     Orchestrator	Select an approved orchestrator capable of managing Signum certificates. Specifically, one with the Signum capability.
     ServerUsername	The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment.
     ServerPassword	The password (or PAM key pointing to the password) for the user ID you entered for Server User Name.

     Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator

     If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.

     Attribute	Description
     ServerUsername	The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment.
     ServerPassword	The password (or PAM key pointing to the password) for the user ID you entered for Server User Name.

     Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.

     Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.

• Using kfutil

  Create Certificate Stores with kfutil

  1. Generate a CSV template for the Signum certificate store

     kfutil stores import generate-template --store-type-name Signum --outpath Signum.csv

  2. Populate the generated CSV file

     Open the CSV file, and reference the table below to populate parameters for each Attribute.

     Attribute	Description
     Category	Select "Signum" or the customized certificate store name from the previous step.
     Container	Optional container to associate certificate store with.
     Client Machine	The URL that will be used as the base URL for Signum endpoint calls. Should be something like https://{base url for your signum install}/rtadminservice.svc/basic. The API service port can be configured so yours may use something other than default https/443. The '/basic' at the end is required, as this integration makes use of Basic Authentication only when consuming the Signum SOAP API library.
     Store Path	Not used and hardcoded to NA for 'not applicable'
     Orchestrator	Select an approved orchestrator capable of managing Signum certificates. Specifically, one with the Signum capability.
     ServerUsername	The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment.
     ServerPassword	The password (or PAM key pointing to the password) for the user ID you entered for Server User Name.

     Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator

     If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.

     Attribute	Description
     ServerUsername	The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment.
     ServerPassword	The password (or PAM key pointing to the password) for the user ID you entered for Server User Name.

     Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.

  3. Import the CSV file to create the certificate stores

     kfutil stores import csv --store-type-name Signum --file Signum.csv

The content in this section can be supplimented by the official Command documentation.

License

Apache License 2.0, see LICENSE.

Related Integrations

See all Keyfactor Universal Orchestrator extensions.