diff --git a/store_types.json b/store_types.json index caeb3df5..6fac9af3 100644 --- a/store_types.json +++ b/store_types.json @@ -1,12 +1,27 @@ [ { - "Name": "Azure Keyvault", "BlueprintAllowed": false, "Capability": "AKV", + "ClientMachineDescription": "The GUID of the tenant ID of the Azure Keyvault instance; for example, '12345678-1234-1234-1234-123456789abc'.", "CustomAliasAllowed": "Optional", - "EntryParameters": null, + "EntryParameters": [ + { + "Name": "CertificateTags", + "DisplayName": "Certificate Tags", + "Description": "If desired, tags can be applied to the KeyVault entries. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'", + "Type": "string", + "DefaultValue": "", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + } + ], "JobProperties": [], "LocalStore": false, + "Name": "Azure Keyvault", "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -18,14 +33,15 @@ { "Name": "TenantId", "DisplayName": "Tenant Id", + "Description": "The ID of the primary Azure Tenant where the KeyVaults are hosted", "Type": "String", "DependsOn": "", - "DefaultValue": null, "Required": false }, { "Name": "SkuType", "DisplayName": "SKU Type", + "Description": "The SKU type for newly created KeyVaults (only needed if needing to create new KeyVaults in your Azure subscription via Command)", "Type": "MultipleChoice", "DependsOn": "", "DefaultValue": "standard,premium", @@ -34,6 +50,7 @@ { "Name": "VaultRegion", "DisplayName": "Vault Region", + "Description": "The Azure Region to put newly created KeyVaults (only needed if needing to create new KeyVaults in your Azure subscription via Command)", "Type": "MultipleChoice", "DependsOn": "", "DefaultValue": "eastus,eastus2,westus2,westus3,westus", 
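Review bot: The CertificateTags example `'{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'` is not valid JSON (single-quoted keys and values), so an operator who copies it verbatim will get a parse failure if the orchestrator hands the value to a JSON parser, and the description does not say whether a malformed value fails the job or is silently ignored. Suggest `Provide them as a JSON object of string key/value pairs, e.g. {"tag-name": "tag-content", "other-tag-name": "other-tag-content"}` plus a sentence on the failure behaviour once confirmed against the orchestrator. The new ClientMachineDescription also makes the Client Machine field the tenant GUID while the `TenantId` property in the same hunk describes "the primary Azure Tenant"; document which value is used when both are set, since they pick the identity provider the orchestrator authenticates against.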
@@ -42,22 +59,24 @@ { "Name": "AzureCloud", "DisplayName": "Azure Cloud", + "Description": "The Azure Cloud where the KeyVaults are located (only necessary if not using the standard Azure Public cloud)", "Type": "MultipleChoice", "DependsOn": "", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Required": false }, { "Name": "PrivateEndpoint", "DisplayName": "Private KeyVault Endpoint", + "Description": "The private endpoint of your vault instance (if a private endpoint is configured in Azure)", "Type": "String", "DependsOn": "", - "DefaultValue": null, "Required": false } ], "ServerRequired": true, "ShortName": "AKV", + "StorePathDescription": "A string formatted as '{subscription id}:{resource group name}:{vault name}'; for example, '12345678-1234-1234-1234-123456789abc:myResourceGroup:myVault'.", "StorePathType": "", "StorePathValue": "", "SupportedOperations": { 
@@ -81,29 +100,55 @@ "Remove": true }, "Properties": [ + { + "Name": "UseEC2AssumeRole", + "DisplayName": "Assume new Account / Role in EC2", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to assume a new Account ID and Role when using EC2 credentials" + }, { "Name": "UseOAuth", "DisplayName": "Use OAuth 2.0 Provider", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "false", - "Required": true + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS ACM" }, { "Name": "UseIAM", "DisplayName": "Use IAM User Auth", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "false", - "Required": true + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS ACM" + }, + { + "Name": "EC2AssumeRole", + "DisplayName": "AWS Role to Assume (EC2)", + "Type": "String", + "DependsOn": "UseEC2AssumeRole", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "The AWS Role to assume using the EC2 instance credentials" }, { "Name": "OAuthScope", "DisplayName": "OAuth Scope", "Type": "String", "DependsOn": "UseOAuth", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta" }, { "Name": "OAuthGrantType", @@ -111,7 +156,9 @@ "Type": "String", "DependsOn": "UseOAuth", "DefaultValue": "client_credentials", - "Required": false + "Required": false, + "IsPAMEligible": false, + "Description": "In OAuth 2.0, the term \ufffdgrant type\ufffd refers to the way an application gets an access token. In Okta this is `client_credentials`" }, { "Name": "OAuthUrl", 
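Review bot: UseEC2AssumeRole, UseOAuth and UseIAM are all `Required: true` booleans with `DependsOn: ""`, so nothing in the definition prevents a store from enabling more than one credential path and the descriptions do not say which one wins. Since these switches decide which AWS credentials are used, suggest appending to each of the three descriptions `Only one of UseEC2AssumeRole, UseOAuth and UseIAM should be true` and, if the orchestrator has a defined precedence, stating it (confirm against the orchestrator before writing it). In the second hunk on this line the OAuthGrantType description carries two U+FFFD replacement characters around `grant type` (mis-encoded curly quotes) that will be stored and displayed as-is; the v3 copy of the same sentence later in this diff uses `'grant type'`, which is the wording to use here.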
@@ -119,47 +166,59 @@ "Type": "String", "DependsOn": "UseOAuth", "DefaultValue": "https://***/oauth2/default/v1/token", - "Required": false + "Required": false, + "IsPAMEligible": false, + "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls" }, { "Name": "IAMAssumeRole", "DisplayName": "AWS Role to Assume (IAM)", "Type": "String", "DependsOn": "UseIAM", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "The AWS Role to assume as the IAM User." }, { "Name": "OAuthAssumeRole", "DisplayName": "AWS Role to Assume (OAuth)", "Type": "String", "DependsOn": "UseOAuth", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "The AWS Role to assume after getting an OAuth token." + }, + { + "Name": "ExternalId", + "DisplayName": "sts:ExternalId", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls" }, { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Key for an IAM User or Client ID for OAuth. Depends on Auth method in use." }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": null, - "DefaultValue": "true", - "Required": true + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Secret for an IAM User or Client Secret for OAuth. Depends on Auth method in use." } ], "EntryParameters": [ 
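Review bot: The OAuthUrl description `An optional parameter sts:ExternalId to pass with Assume Role calls` is copied from the ExternalId property and does not describe the token endpoint that the default `https://***/oauth2/default/v1/token` points at; suggest `The OAuth 2.0 token endpoint of the provider, e.g. https://<okta-domain>/oauth2/default/v1/token`. For ExternalId itself a practitioner wants the why, because `sts:ExternalId` is the confused-deputy control on the target role's trust policy; suggest `Optional sts:ExternalId sent on AssumeRole; must be set when the target role's trust policy carries a sts:ExternalId condition, otherwise the AssumeRole call is denied`. The hunk also deletes the ServerUseSsl property from this store type; if existing AWS ACM stores still carry that property, say in the commit message whether they keep working or need re-saving.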
@@ -172,7 +231,20 @@ "OnAdd": true, "OnRemove": false, "OnReenrollment": false - } + }, + "Description": "When adding, this is the Region that the Certificate will be added to" + }, + { + "Name": "ACM Tags", + "DisplayName": "ACM Tags", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN`" } ], "PasswordOptions": { 
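Review bot: The ACM Tags format `Name1=Value1,Name2=Value2,...,NameN=ValueN` gives no escaping rule, so a tag value that itself contains `,` or `=` cannot be expressed and the description does not say whether such input is rejected or split at the wrong place. Suggest adding `Tag names and values must not contain ',' or '='` if that is the limitation, or the escape syntax if one exists. The enclosing store-type object starts before this hunk.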
@@ -184,7 +256,198 @@ "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": true, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Optional", + "ClientMachineDescription": "This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account.", + "StorePathDescription": "The AWS Region, or a comma-separated list of multiple regions, the store will operate in." + }, + { + "Name": "AWS Certificate Manager v3", + "ShortName": "AWS-ACM-v3", + "Capability": "AWS-ACM-v3", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "UseDefaultSdkAuth", + "DisplayName": "Use Default SDK Auth", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use Default SDK credentials" + }, + { + "Name": "DefaultSdkAssumeRole", + "DisplayName": "Assume new Role using Default SDK Auth", + "Type": "Bool", + "DependsOn": "UseDefaultSdkAuth", + "DefaultValue": "false", + "Required": false, + "IsPAMEligible": false, + "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials" + }, + { + "Name": "UseOAuth", + "DisplayName": "Use OAuth 2.0 Provider", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS" + }, + { + "Name": "OAuthScope", + "DisplayName": "OAuth Scope", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta" + }, + { + "Name": 
"OAuthGrantType", + "DisplayName": "OAuth Grant Type", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "client_credentials", + "Required": false, + "IsPAMEligible": false, + "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`" + }, + { + "Name": "OAuthUrl", + "DisplayName": "OAuth Url", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "https://***/oauth2/default/v1/token", + "Required": false, + "IsPAMEligible": false, + "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls" + }, + { + "Name": "OAuthClientId", + "DisplayName": "OAuth Client ID", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Client ID for OAuth." + }, + { + "Name": "OAuthClientSecret", + "DisplayName": "OAuth Client Secret", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Client Secret for OAuth." + }, + { + "Name": "UseIAM", + "DisplayName": "Use IAM User Auth", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS" + }, + { + "Name": "IAMUserAccessKey", + "DisplayName": "IAM User Access Key", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Key for an IAM User" + }, + { + "Name": "IAMUserAccessSecret", + "DisplayName": "IAM User Access Secret", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Secret for an IAM User." 
+ }, + { + "Name": "ExternalId", + "DisplayName": "sts:ExternalId", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls" + } + ], + "EntryParameters": [ + { + "Name": "ACM Tags", + "DisplayName": "ACM Tags", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN`" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": false, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Optional", + "ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.", + "StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined." 
+ }, + { + "Name": "Airlock Application Firewall Certificate", + "ShortName": "AirlockWAF", + "Capability": "AirlockWAF", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": true, + "Enrollment": false, + "Remove": false + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Required", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Allowed" }, { "Name": "Akamai Certificate Provisioning Service", @@ -200,36 +463,38 @@ }, "Properties": [ { - "StoreTypeId;omitempty": 0, "Name": "access_token", "DisplayName": "Access Token", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": true + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": false, + "Description": "The Akamai access_token for authentication." }, { - "StoreTypeId;omitempty": 0, "Name": "client_token", "DisplayName": "Client Token", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": true + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": false, + "Description": "The Akamai client_token for authentication." }, { - "StoreTypeId;omitempty": 0, "Name": "client_secret", "DisplayName": "Client Secret", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": true + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": false, + "Description": "The Akamai client_secret for authentication." } ], "EntryParameters": [ { - "StoreTypeId;omitempty": 0, "Name": "EnrollmentId", "DisplayName": "Enrollment ID", "Type": "String", 
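Review bot: In the new AWS-ACM-v3 block the OAuthUrl description again repeats the ExternalId text (`An optional parameter sts:ExternalId to pass with Assume Role calls`) instead of describing the token endpoint; suggest `The OAuth 2.0 token endpoint of the provider, e.g. https://<okta-domain>/oauth2/default/v1/token`. OAuthClientId/OAuthClientSecret and IAMUserAccessKey/IAMUserAccessSecret are declared with `DependsOn: ""` even though the matching switches `UseOAuth` and `UseIAM` exist in the same block, so a store collects credentials for authentication modes it does not use; suggest `"DependsOn": "UseOAuth"` on the two OAuth secrets and `"DependsOn": "UseIAM"` on the two IAM secrets, following the `EC2AssumeRole`/`UseEC2AssumeRole` pattern already in this diff. This hunk starts on an earlier line of the diff.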
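Review bot: The Akamai access_token, client_token and client_secret properties are typed `Secret` but set `"IsPAMEligible": false`, unlike the ServerUsername/ServerPassword secrets in the other store types in this diff that are marked `true`; that forces the EdgeGrid credentials to be stored in Command rather than resolved from a PAM provider. If the orchestrator can resolve these values through PAM, set `"IsPAMEligible": true` on all three; if it cannot, the descriptions should say so, e.g. `The Akamai access_token for authentication (PAM lookup not supported for this store type).`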
@@ -238,10 +503,10 @@ "OnAdd": false, "OnRemove": false, "OnReenrollment": false - } + }, + "Description": "Enrollment ID of a certificate enrollment in Akamai. This should only be supplied for ODKG when replacing an existing certificate." }, { - "StoreTypeId;omitempty": 0, "Name": "ContractId", "DisplayName": "Contract ID", "Type": "String", @@ -251,10 +516,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "The Contract ID of your account in Akamai." }, { - "StoreTypeId;omitempty": 0, "Name": "Sans", "DisplayName": "SANs", "Type": "String", @@ -263,10 +528,10 @@ "OnAdd": false, "OnRemove": false, "OnReenrollment": true - } + }, + "Description": "SANs for the new certificate. If multiple are supplied, they should be split with an ampersand character '&'" }, { - "StoreTypeId;omitempty": 0, "Name": "admin-addressLineOne", "DisplayName": "Admin - Address Line 1", "Type": "String", @@ -276,10 +541,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-addressLineTwo", "DisplayName": "Admin - Address Line 2", "Type": "String", @@ -288,10 +553,10 @@ "OnAdd": false, "OnRemove": false, "OnReenrollment": false - } + }, + "Description": "Optional field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-city", "DisplayName": "Admin - City", "Type": "String", @@ -301,10 +566,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-country", "DisplayName": "Admin - Country", "Type": "String", 
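Review bot: `"DefaultValue": "SET-DEFAULT"` on ContractId, and on every required admin-*, org-* and tech-* contact field through the rest of this diff, means a store whose operator never edits the field submits the literal string `SET-DEFAULT` as a contract ID, email address or phone number to Akamai CPS on re-enrollment, and nothing in the definition rejects the sentinel. Either leave the default empty so `"OnReenrollment": true` forces a real value, or state the placeholder in the Description, e.g. `Required field for Administrator contact; the default SET-DEFAULT is a placeholder and must be replaced.` Note that the ContractId Description in this hunk says nothing about the placeholder at all.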
@@ -314,10 +579,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-email", "DisplayName": "Admin - Email", "Type": "String", @@ -327,10 +592,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-firstName", "DisplayName": "Admin - First Name", "Type": "String", @@ -340,10 +605,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-lastName", "DisplayName": "Admin - Last Name", "Type": "String", @@ -353,10 +618,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-organizationName", "DisplayName": "Admin - Organization Name", "Type": "String", @@ -366,10 +631,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-phone", "DisplayName": "Admin - Phone", "Type": "String", @@ -379,10 +644,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-postalCode", "DisplayName": "Admin - Postal Code", "Type": "String", 
@@ -392,10 +657,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-region", "DisplayName": "Admin - Region", "Type": "String", @@ -405,10 +670,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "admin-title", "DisplayName": "Admin - Title", "Type": "String", @@ -418,10 +683,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Administrator contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-addressLineOne", "DisplayName": "Org - Address Line 1", "Type": "String", @@ -431,10 +696,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-addressLineTwo", "DisplayName": "Org - Address Line 2", "Type": "String", @@ -443,10 +708,10 @@ "OnAdd": false, "OnRemove": false, "OnReenrollment": false - } + }, + "Description": "Optional field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-city", "DisplayName": "Org - City", "Type": "String", @@ -456,10 +721,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-country", "DisplayName": "Org - Country", "Type": "String", 
@@ -469,10 +734,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-organizationName", "DisplayName": "Org - Organization Name", "Type": "String", @@ -482,10 +747,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-phone", "DisplayName": "Org - Phone", "Type": "String", @@ -495,10 +760,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-postalCode", "DisplayName": "Org - Postal Code", "Type": "String", @@ -508,10 +773,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "org-region", "DisplayName": "Org - Region", "Type": "String", @@ -521,10 +786,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Organization contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-addressLineOne", "DisplayName": "Tech - Address Line 1", "Type": "String", @@ -534,10 +799,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-addressLineTwo", "DisplayName": "Tech - Address Line 2", "Type": "String", 
@@ -546,10 +811,10 @@ "OnAdd": false, "OnRemove": false, "OnReenrollment": false - } + }, + "Description": "Optional field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-city", "DisplayName": "Tech - City", "Type": "String", @@ -559,10 +824,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-country", "DisplayName": "Tech - Country", "Type": "String", @@ -572,10 +837,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-email", "DisplayName": "Tech - Email", "Type": "String", @@ -585,10 +850,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact. Must be an akamai.com email address." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-firstName", "DisplayName": "Tech - First Name", "Type": "String", @@ -598,10 +863,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-lastName", "DisplayName": "Tech - Last Name", "Type": "String", @@ -611,10 +876,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-organizationName", "DisplayName": "Tech - Organization Name", "Type": "String", 
@@ -624,10 +889,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "Akamai", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-phone", "DisplayName": "Tech - Phone", "Type": "String", @@ -637,10 +902,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-postalCode", "DisplayName": "Tech - Postal Code", "Type": "String", @@ -650,10 +915,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-region", "DisplayName": "Tech - Region", "Type": "String", @@ -663,10 +928,10 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." }, { - "StoreTypeId;omitempty": 0, "Name": "tech-title", "DisplayName": "Tech - Title", "Type": "String", @@ -676,7 +941,8 @@ "OnRemove": false, "OnReenrollment": true }, - "DefaultValue": null + "DefaultValue": "SET-DEFAULT", + "Description": "Required field for Akamai Tech contact." } ], "PasswordOptions": { 
@@ -690,7 +956,49 @@ "ServerRequired": false, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the the \"host\" value from the API credentials file.", + "StorePathDescription": "The Akamai network the certificate will be managed from. Value can be either \"Production\" or \"Staging\"." + }, + { + "Name": "Alteon Load Balancer", + "ShortName": "AlteonLB", + "Capability": "AlteonLB", + "ClientMachineDescription": "The Alteon Load Balancer Server and port", + "StorePathDescription": "This value isn't used for this integration (other than to uniquely identify the cert store in certificate searches).", + "SupportedOperations": { + "Add": true, + "Remove": true, + "Enrollment": false, + "Discovery": false, + "Inventory": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Alteon user ID with sufficient permissions to manage certs in the Alteon Load Balancer.", + "Required": true + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "Password associated with Alteon user ID entered above.", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Optional" }, { "Name": "Azure Application Gateway Certificate Binding", 
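Review bot: The new Alteon ServerUsername/ServerPassword properties are `Required: true` secrets with no `IsPAMEligible` key, so unlike the equivalent properties elsewhere in this file they cannot be resolved from a PAM provider; suggest adding `"IsPAMEligible": true` to both. The block also has no `ServerUseSsl` property although `ServerRequired` is true and the ClientMachineDescription is "Server and port", so the definition does not say whether the credentials travel over HTTPS; state it in the ClientMachineDescription, e.g. `The Alteon Load Balancer host and port; the orchestrator connects over HTTPS` (confirm against the orchestrator). `SupportedOperations` here uses an `Inventory` key and omits `Create`, unlike every other entry in the file, which is worth aligning. Minor: `the the "host" value` in the Akamai ClientMachineDescription at the top of the hunk.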
@@ -1084,38 +1392,50 @@ "Name": "Bosch IP Camera", "ShortName": "BIPCamera", "Capability": "BIPCamera", - "LocalStore": false, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", "SupportedOperations": { - "Add": true, + "Add": false, "Create": false, "Discovery": false, "Enrollment": true, - "Remove": true + "Remove": false + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" }, "Properties": [ { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the username of the configured \"service\" user on the camera" }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the password of the configured \"service\" user on the camera" }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "true", - "Required": true + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." } ], "EntryParameters": [ @@ -1129,7 +1449,8 @@ "OnRemove": false, "OnReenrollment": false }, - "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client" + "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", + "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." }, { "Name": "Name", @@ -1140,7 +1461,8 @@ "OnAdd": false, "OnRemove": false, "OnReenrollment": true - } + }, + "Description": "The certificate Alias, entered again." }, { "Name": "Overwrite", 
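Review bot: `Add` and `Remove` flip from true to false for the Bosch IP Camera type while `Enrollment` stays true, which withdraws management capabilities from any existing store of this type, and the commit carries no explanation; if intended, say so in the commit message. The ServerUseSsl description should state the consequence of choosing False, since the same hunk documents that the "service" user's credentials are sent to the camera: `Select True (default) to use HTTPS; if False the service user's credentials are sent to the camera over plain HTTP.`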
@@ -1152,19 +1474,12 @@ "OnRemove": false, "OnReenrollment": false }, - "DefaultValue": "false" + "DefaultValue": "false", + "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." } ], - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": true, - "CustomAliasAllowed": "Required" + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" }, { "Name": "CiscoAsa", 
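Review bot: The ClientMachineDescription example `192.167.231.174:44444` is a routable public address (192.167.0.0/16 is not a private range), so operators who copy the sample will point the orchestrator at someone else's host; use an RFC 5737 documentation address such as `192.0.2.10:44444`. Suggest `The IP address or hostname of the camera, with the port if it is not the default, e.g. "192.0.2.10:44444".`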
@@ -1183,33 +1498,41 @@ "Name": "CommitToDisk", "DisplayName": "Commit To Disk", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "false", - "Required": false + "Required": true, + "IsPAMEligible": false, + "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." }, { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts." }, { "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts." }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "true", - "Required": true + "Required": true, + "IsPAMEligible": false, + "Description": "Determines whether the server uses SSL or not (This field is automatically created)." } ], "EntryParameters": [ @@ -1217,6 +1540,7 @@ "Name": "interfaces", "DisplayName": "Interfaces Comma Separated", "Type": "String", + "Description": "Comma separated list of Interfaces to bind to. One can be the primary certificate and the other can be the load balancing certificate. For inside here is a sample of binding to both primary and load balancing inside,inside vpnlb-ip.", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, 
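Review bot: `Determines whether the server uses SSL or not` on ServerUseSsl does not tell the operator what False costs them, and the hunk shows the ASA username and password are submitted to the device; suggest `If False the orchestrator talks to the ASA over plain HTTP and the Server Username/Password are sent in the clear; leave True.` CommitToDisk changes from optional to `"Required": true`, which may make existing Cisco ASA stores that lack the property fail validation — worth confirming and noting in the commit message. The interfaces description in the second hunk on this line (`For inside here is a sample of binding to both primary and load balancing inside,inside vpnlb-ip`) is hard to parse; suggest `e.g. inside,inside vpnlb-ip binds both the primary and the load-balancing certificate on the inside interface` if that is the meaning.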
@@ -1234,13 +1558,19 @@ "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": true, - "CustomAliasAllowed": "Required" + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "Hostname or IP of the Cisco Asa Device without the http:// or https:// prefix same sample would be 10.5.0.4.", + "StorePathDescription": "Cisco Asa Certificate Types to manage for Now all that is supported is /Identity." }, { "Name": "CitrixAdc", "ShortName": "CitrixAdc", "Capability": "CitrixAdc", - "LocalStore": false, + "ServerRequired": true, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Required", "SupportedOperations": { "Add": true, "Create": false, 
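Review bot: Both new Cisco ASA descriptions are garbled: `same sample would be 10.5.0.4` and `Certificate Types to manage for Now all that is supported is /Identity`. Suggest `Hostname or IP of the Cisco ASA device without an http:// or https:// prefix, e.g. 10.5.0.4.` and `The Cisco ASA certificate type to manage; currently only /Identity is supported.`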
@@ -1248,38 +1578,40 @@ "Enrollment": false, "Remove": true }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, "Properties": [ { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device." }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": null, - "DefaultValue": "true", - "Required": true + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device." }, { "Name": "linkToIssuer", "DisplayName": "Link To Issuer", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "false", - "Required": false + "Required": false, + "Description": "Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate." } ], "EntryParameters": [ @@ -1287,6 +1619,7 @@ "Name": "virtualServerName", "DisplayName": "Virtual Server Name", "Type": "String", + "Description": "When adding a certificate, this can be a single VServer name or a comma separated list of VServers to bind to Note: must match the number of Virtual SNI Cert values.", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, 
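Review bot: ServerUseSsl is removed from the CitrixAdc store type, so the definition no longer declares whether the NITRO API is reached over HTTPS, while the IBM DataPower type added in the next (cut-off) hunk keeps the property; if the orchestrator now always uses HTTPS, say so in the ClientMachineDescription, e.g. `The DNS name or IP address of the Citrix ADC appliance; the orchestrator connects over HTTPS.` linkToIssuer is the only property in the block without an `IsPAMEligible` key, which the two secrets above it carry. In the second hunk on this line, `VServers to bind to Note: must match` needs a period before `Note`.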
@@ -1298,32 +1631,125 @@
 "Name": "sniCert",
 "DisplayName": "SNI Cert",
 "Type": "String",
+ "Description": "When adding a certificate, this can be a single boolean value (true/false) or a comma separated list of boolean values to determine whether the binding should use server name indication. Note: must match the number of Virtual Server Name values.",
 "RequiredWhen": {
 "HasPrivateKey": false,
- "OnAdd": true,
+ "OnAdd": false,
 "OnRemove": false,
 "OnReenrollment": false
- },
- "DefaultValue": "FALSE"
+ }
+ }
+ ],
+ "ClientMachineDescription": "The DNS or IP Address of the Citrix ADC Appliance.",
+ "StorePathDescription": "The path where certificate files are located on the Citrix ADC appliance. This value will likely be /nsconfig/ssl/"
+ },
+ {
+ "Name": "IBM Data Power",
+ "ShortName": "DataPower",
+ "Capability": "DataPower",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": false
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "Api UserName for DataPower. (or valid PAM key if the username is stored in a KF Command configured PAM integration)."
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password for DataPower API access. Used for inventory.(or valid PAM key if the password is stored in a KF Command configured PAM integration)."
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Should be true, http is not supported."
+ },
+ {
+ "Name": "InventoryBlackList",
+ "DisplayName": "Inventory Black List",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "Comma seperated list of alias values you do not want to inventory from DataPower."
+ },
+ {
+ "Name": "Protocol",
+ "DisplayName": "Protocol Name",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "https",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "Comma seperated list of alias values you do not want to inventory from DataPower."
+ },
+ {
+ "Name": "PublicCertStoreName",
+ "DisplayName": "Public Cert Store Name",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "pubcert",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "This probably will remain pubcert unless someone changed the default name in DataPower."
+ },
+ {
+ "Name": "InventoryPageSize",
+ "DisplayName": "Inventory Page Size",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "100",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "This determines the page size during the inventory calls. (100 should be fine)."
 }
 ],
+ "EntryParameters": [],
+ "ClientMachineDescription": "The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. 
For SSH Access, Port 22 will be used.",
+ "StorePathDescription": "The Store Path field should always be / unless we later determine there are alternate locations needed.",
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
 "Style": "Default"
 },
- "PrivateKeyAllowed": "Required",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
 "ServerRequired": true,
 "PowerShell": false,
 "BlueprintAllowed": false,
- "CustomAliasAllowed": "Required",
- "InventoryEndpoint": "/AnyInventory/Update"
+ "CustomAliasAllowed": "Required"
 },
 {
 "Name": "F5 Big IQ",
 "ShortName": "F5-BigIQ",
 "Capability": "F5-BigIQ",
- "LocalStore": false,
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
 "SupportedOperations": {
 "Add": true,
 "Create": false,
@@ -1331,6 +1757,11 @@
 "Enrollment": true,
 "Remove": true
 },
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
 "Properties": [
 {
 "Name": "DeployCertificateOnRenewal",
@@ -1338,7 +1769,8 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
- "Required": false
+ "Required": false,
+ "Description": "This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device."
 },
 {
 "Name": "IgnoreSSLWarning",
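Review bot: The `Protocol` property's `Description` in the IBM Data Power block is a copy of the `InventoryBlackList` text (`Comma seperated list of alias values you do not want to inventory from DataPower.`) and does not describe the field; something like `"Description": "URL scheme used for DataPower REST API calls; leave as https (see Use SSL)."` would fit the `https` default and the `ServerUseSsl` note that http is not supported. `seperated` in the InventoryBlackList description should be `separated`, and `Used for inventory.(or valid` in the ServerPassword description is missing a space. Having both `ServerUseSsl` and `Protocol` select the scheme is redundant; if one overrides the other, the descriptions should say which.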
@@ -1346,7 +1778,8 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
- "Required": false
+ "Required": false,
+ "Description": "If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store."
 },
 {
 "Name": "UseTokenAuth",
@@ -1354,7 +1787,8 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
- "Required": false
+ "Required": false,
+ "Description": "If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls."
 },
 {
 "Name": "LoginProviderName",
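Review bot: The `IgnoreSSLWarning` description says when to set the flag but not what it disables: with it True the orchestrator accepts whatever certificate the Big IQ portal presents, so the admin credentials and the token obtained with them are exposed to anyone able to interpose on that connection. Suggest appending `Setting this to True turns off validation of the portal's TLS certificate; prefer adding the self-signed certificate to the orchestrator host's trust store and leaving this False.` The same gap applies to the IgnoreSSLWarning descriptions added for F5-CA-REST, F5-SL-REST and F5-WS-REST later in this diff. The IgnoreSSLWarning object starts in the previous hunk.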
@@ -1362,7 +1796,28 @@
 "Type": "String",
 "DependsOn": "UseTokenAuth",
 "DefaultValue": "",
- "Required": false
+ "Required": false,
+ "Description": "If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of \"TMOS\" will be used."
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login credential for the F5 Big IQ device. MUST be an Admin account."
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login password for the F5 Big IQ device."
 }
 ],
 "EntryParameters": [
@@ -1378,7 +1833,8 @@
 },
 "DependsOn": "",
 "DefaultValue": "",
- "Options": ""
+ "Options": "",
+ "Description": "The name F5 Big IQ uses to identify the certificate"
 },
 {
 "Name": "Overwrite",
@@ -1392,7 +1848,8 @@
 },
 "DependsOn": "",
 "DefaultValue": "False",
- "Options": ""
+ "Options": "",
+ "Description": "Allow overwriting an existing certificate when reenrolling?"
 },
 {
 "Name": "SANs",
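Review bot: The new `ServerUsername` description states `MUST be an Admin account` without saying which operations need it, so an operator cannot scope a least-privilege credential for inventory-only stores; if a lesser Big IQ role suffices for inventory, document it, otherwise say why Admin is required (the deployment to linked Big IP devices described earlier is the likely reason). Both credential properties are `IsPAMEligible: true` but, unlike the Citrix and DataPower descriptions in this diff, do not mention that a PAM key can be supplied; `Login credential for the F5 Big IQ device (or a PAM key resolving to it). MUST be an Admin account.` keeps the wording consistent. The Big IQ `Properties` array starts before this hunk.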
@@ -1406,24 +1863,18 @@
 },
 "DependsOn": "",
 "DefaultValue": "",
- "Options": ""
+ "Options": "",
+ "Description": "External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field."
 }
- ],
- "PasswordOptions": {
- "EntrySupported": false,
- "StoreRequired": false,
- "Style": "Default"
- },
- "PrivateKeyAllowed": "Required",
- "ServerRequired": true,
- "PowerShell": false,
- "BlueprintAllowed": true,
- "CustomAliasAllowed": "Required"
+ ]
 },
 {
 "Name": "F5 CA Profiles REST",
 "ShortName": "F5-CA-REST",
 "Capability": "F5-CA-REST",
+ "ServerRequired": true,
+ "ClientMachineDescription": "The server name or IP Address for the F5 device.",
+ "StorePathDescription": "Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is \"Common/BundleName\", it must be entered as \"Common/BundleName\" and not \"common/bundlename\",",
 "SupportedOperations": {
 "Add": true,
 "Create": false,
@@ -1431,6 +1882,16 @@
 "Enrollment": false,
 "Remove": true
 },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": false
+ },
+ "PrivateKeyAllowed": "Forbidden",
+ "JobProperties": [],
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
 "Properties": [
 {
 "Name": "PrimaryNode",
@@ -1438,7 +1899,8 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "",
- "Required": true
+ "Required": true,
+ "Description": "Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive."
 },
 {
 "Name": "PrimaryNodeCheckRetryWaitSecs",
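Review bot: The new F5-CA-REST `StorePathDescription` ends with a stray comma inside the string (`and not \"common/bundlename\",`), which is shown verbatim in the UI; end it with a period instead. The example is also slightly off, since `Common/BundleName` is partition plus bundle rather than the partition name; `so if the partition is \"Common\" and the bundle is \"BundleName\", enter \"Common/BundleName\" and not \"common/bundlename\".` is clearer. The same trailing comma appears in the F5-SL-REST and F5-WS-REST StorePathDescription strings later in this diff.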
@@ -1446,7 +1908,8 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "120",
- "Required": true
+ "Required": true,
+ "Description": "Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive."
 },
 {
 "Name": "PrimaryNodeCheckRetryMax",
@@ -1454,31 +1917,55 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "3",
- "Required": true
+ "Required": true,
+ "Description": "Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing."
 },
 {
- "Name": "F5Version",
- "DisplayName": "Version of F5",
- "Type": "MultipleChoice",
+ "Name": "PrimaryNodeOnlineRequired",
+ "DisplayName": "Primary Node Online Required",
+ "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "v12,v13,v14,v15",
- "Required": true
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed."
+ },
+ {
+ "Name": "IgnoreSSLWarning",
+ "DisplayName": "Ignore SSL Warning",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "False",
+ "Required": true,
+ "Description": "Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs."
+ },
+ {
+ "Name": "UseTokenAuth",
+ "DisplayName": "Use Token Authentication",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "Description": "Select this if you wish to use F5's token authentiation instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. 
Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests."
 },
 {
 "Name": "ServerUsername",
 "DisplayName": "Server Username",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login credential for the F5 device. MUST be an Admin account."
 },
 {
 "Name": "ServerPassword",
 "DisplayName": "Server Password",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login password for the F5 device."
 },
 {
 "Name": "ServerUseSsl",
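Review bot: `PrimaryNodeOnlineRequired` is added as a `Bool` with `Required: true` but `DefaultValue: ""`, while its own description says False is assumed; in the same hunk `IgnoreSSLWarning` defaults to `"False"` and `UseTokenAuth` to `"false"`. Setting `"DefaultValue": "False"` and using one spelling for all three booleans avoids a required field with an empty default and an inconsistent literal for the same type. `authentiation` in the UseTokenAuth description is a typo for `authentication` (the F5-SL-REST copy later in this diff spells it correctly). The same empty default recurs in the F5-SL-REST and F5-WS-REST sections, and the typo in F5-WS-REST.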
@@ -1486,50 +1973,23 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "true",
- "Required": true
- },
- {
- "Name": "PrimaryNodeOnlineRequired",
- "DisplayName": "Primary Node Online Required",
- "Type": "Bool",
- "DependsOn": "",
- "DefaultValue": "",
- "Required": true
- },
- {
- "Name": "IgnoreSSLWarning",
- "DisplayName": "Ignore SSL Warning",
- "Type": "Bool",
- "DependsOn": "",
- "DefaultValue": "False",
- "Required": true
- },
- {
- "Name": "UseTokenAuth",
- "DisplayName": "Use Token Authentication",
- "Type": "Bool",
- "DependsOn": "",
- "DefaultValue": "false",
- "Required": true
+ "Required": true,
+ "Description": "True if using https to access the F5 device. False if using http."
 }
 ],
- "EntryParameters": [],
- "PasswordOptions": {
- "EntrySupported": false,
- "StoreRequired": false,
- "Style": "Default"
- },
- "PrivateKeyAllowed": "Forbidden",
- "JobProperties": [],
- "ServerRequired": true,
- "PowerShell": false,
- "BlueprintAllowed": true,
- "CustomAliasAllowed": "Required"
+ "EntryParameters": []
 },
 {
 "Name": "F5 SSL Profiles REST",
 "ShortName": "F5-SL-REST",
 "Capability": "F5-SL-REST",
+ "ServerRequired": true,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "ClientMachineDescription": "The server name or IP Address for the F5 device.",
+ "StorePathDescription": "Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is \"Common\", it must be entered as \"Common\" and not \"common\",",
 "SupportedOperations": {
 "Add": true,
 "Create": false,
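Review bot: The new `ServerUseSsl` description (`True if using https to access the F5 device. False if using http.`) presents plain HTTP as an equal choice without noting that with False the admin username and password from the properties above, and any token obtained with them, are sent unencrypted. Suggest `True (default) to access the F5 device over https. Set False only for http-only lab devices; credentials are then sent in clear text.` The same description is added for F5-SL-REST and F5-WS-REST later in this diff. The ServerUseSsl object starts in the previous hunk.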
@@ -1537,6 +1997,15 @@
 "Enrollment": false,
 "Remove": true
 },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Check \"No Password\" if you wish the private key of any added certificate to be set to Key Security Type \"Normal\". Enter a value (either a password or pointer to an installed PAM provider key for the password) to be used to encrypt the private key of any added certificate for Key Security Type of \"Password\".",
+ "IsPAMEligible": true
+ }
+ },
 "Properties": [
 {
 "Name": "PrimaryNode",
@@ -1544,7 +2013,8 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "",
- "Required": true
+ "Required": true,
+ "Description": "Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive."
 },
 {
 "Name": "PrimaryNodeCheckRetryWaitSecs",
@@ -1552,7 +2022,8 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "120",
- "Required": true
+ "Required": true,
+ "Description": "Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive."
 },
 {
 "Name": "PrimaryNodeCheckRetryMax",
@@ -1560,82 +2031,104 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "3",
- "Required": true
+ "Required": true,
+ "Description": "Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing."
 },
 {
- "Name": "F5Version",
- "DisplayName": "Version of F5",
- "Type": "MultipleChoice",
+ "Name": "PrimaryNodeOnlineRequired",
+ "DisplayName": "Primary Node Online Required",
+ "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "v12,v13,v14,v15",
- "Required": true
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed."
 },
 {
- "Name": "ServerUsername",
- "DisplayName": "Server Username",
- "Type": "Secret",
+ "Name": "RemoveChain",
+ "DisplayName": "Remove Chain on Add",
+ "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "False",
+ "Required": false,
+ "Description": "Optional setting. Set this to true if you would like to remove the certificate chain before adding or replacing a certificate on your F5 device."
 },
 {
- "Name": "ServerPassword",
- "DisplayName": "Server Password",
- "Type": "Secret",
+ "Name": "IgnoreSSLWarning",
+ "DisplayName": "Ignore SSL Warning",
+ "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "False",
+ "Required": true,
+ "Description": "Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. 
If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs."
 },
 {
- "Name": "ServerUseSsl",
- "DisplayName": "Use SSL",
+ "Name": "UseTokenAuth",
+ "DisplayName": "Use Token Authentication",
 "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "true",
- "Required": true
+ "DefaultValue": "false",
+ "Required": true,
+ "Description": "Select this if you wish to use F5's token authentication instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests."
 },
 {
- "Name": "PrimaryNodeOnlineRequired",
- "DisplayName": "Primary Node Online Required",
- "Type": "Bool",
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
 "DependsOn": "",
 "DefaultValue": "",
- "Required": true
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login credential for the F5 device. MUST be an Admin account."
 },
 {
- "Name": "IgnoreSSLWarning",
- "DisplayName": "Ignore SSL Warning",
- "Type": "Bool",
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": "False",
- "Required": true
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login password for the F5 device."
 },
 {
- "Name": "UseTokenAuth",
- "DisplayName": "Use Token Authentication",
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
 "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "false",
- "Required": true
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "True if using https to access the F5 device. False if using http."
}
 ],
- "EntryParameters": [],
- "PasswordOptions": {
- "EntrySupported": false,
- "StoreRequired": true,
- "Style": "Default"
- },
- "PrivateKeyAllowed": "Optional",
- "JobProperties": [],
- "ServerRequired": true,
- "PowerShell": false,
- "BlueprintAllowed": true,
- "CustomAliasAllowed": "Required"
+ "EntryParameters": [
+ {
+ "Name": "SSLProfiles",
+ "DisplayName": "SSL Profiles",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Options": "",
+ "Description": "One to many comma delimited F5 SSL Profiles to bind the certificate to (new certificates ONLY)"
+ }
+ ]
 },
 {
 "Name": "F5 WS Profiles REST",
 "ShortName": "F5-WS-REST",
 "Capability": "F5-WS-REST",
+ "ServerRequired": true,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Forbidden",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Required",
+ "ClientMachineDescription": "The server name or IP Address for the F5 device.",
+ "StorePathDescription": "Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is \"Common\", it must be entered as \"Common\" and not \"common\",",
 "SupportedOperations": {
 "Add": true,
 "Create": false,
@@ -1643,6 +2136,11 @@
 "Enrollment": false,
 "Remove": false
 },
+ "PasswordOptions": {
+ "Style": "Default",
+ "EntrySupported": false,
+ "StoreRequired": false
+ },
 "Properties": [
 {
 "Name": "PrimaryNode",
@@ -1650,7 +2148,8 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "",
- "Required": true
+ "Required": true,
+ "Description": "Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive."
 },
 {
 "Name": "PrimaryNodeCheckRetryWaitSecs",
@@ -1658,7 +2157,8 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "120",
- "Required": true
+ "Required": true,
+ "Description": "Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive."
 },
 {
 "Name": "PrimaryNodeCheckRetryMax",
@@ -1666,31 +2166,55 @@
 "Type": "String",
 "DependsOn": "PrimaryNodeOnlineRequired",
 "DefaultValue": "3",
- "Required": true
+ "Required": true,
+ "Description": "Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing."
 },
 {
- "Name": "F5Version",
- "DisplayName": "Version of F5",
- "Type": "MultipleChoice",
+ "Name": "PrimaryNodeOnlineRequired",
+ "DisplayName": "Primary Node Online Required",
+ "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "v12,v13,v14,v15",
- "Required": true
+ "DefaultValue": "",
+ "Required": true,
+ "Description": "Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed."
+ },
+ {
+ "Name": "IgnoreSSLWarning",
+ "DisplayName": "Ignore SSL Warning",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "False",
+ "Required": true,
+ "Description": "Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs."
+ },
+ {
+ "Name": "UseTokenAuth",
+ "DisplayName": "Use Token Authentication",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "Description": "Select this if you wish to use F5's token authentiation instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. 
Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests."
 },
 {
 "Name": "ServerUsername",
 "DisplayName": "Server Username",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login credential for the F5 device. MUST be an Admin account."
 },
 {
 "Name": "ServerPassword",
 "DisplayName": "Server Password",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "IsPAMEligible": true,
+ "Required": false,
+ "Description": "Login password for the F5 device."
 },
 {
 "Name": "ServerUseSsl",
@@ -1698,45 +2222,79 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "true",
- "Required": true
+ "Required": true,
+ "Description": "True if using https to access the F5 device. False if using http."
+ }
+ ],
+ "EntryParameters": []
+ },
+ {
+ "Name": "FortiWeb",
+ "ShortName": "FortiWeb",
+ "Capability": "FortiWeb",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": false
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A username for CLI/SSH and REST API access. Used for inventory. (or valid PAM key if the username is stored in a KF Command configured PAM integration)."
 },
 {
- "Name": "PrimaryNodeOnlineRequired",
- "DisplayName": "Primary Node Online Required",
- "Type": "Bool",
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
 "DependsOn": "",
 "DefaultValue": "",
- "Required": true
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "A password for CLI/SSH and REST API access. Used for inventory.(or valid PAM key if the password is stored in a KF Command configured PAM integration)."
 },
 {
- "Name": "IgnoreSSLWarning",
- "DisplayName": "Ignore SSL Warning",
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
 "Type": "Bool",
 "DependsOn": "",
- "DefaultValue": "False",
- "Required": true
+ "DefaultValue": "true",
+ "Required": true,
+ "Description": "Should be true, http is not supported."
},
 {
- "Name": "UseTokenAuth",
- "DisplayName": "Use Token Authentication",
- "Type": "Bool",
+ "Name": "ADom",
+ "DisplayName": "Administrative Domain",
+ "Type": "String",
 "DependsOn": "",
- "DefaultValue": "false",
- "Required": true
+ "DefaultValue": "root",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "Specifies the administrative or virtual domain within the FortiWeb system that the API user is targeting."
 }
 ],
 "EntryParameters": [],
+ "ClientMachineDescription": "The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used.",
+ "StorePathDescription": "The Store Path field should always be / unless we later determine there are alternate locations needed.",
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
 "Style": "Default"
 },
- "PrivateKeyAllowed": "Required",
+ "PrivateKeyAllowed": "Optional",
 "JobProperties": [],
 "ServerRequired": true,
 "PowerShell": false,
- "BlueprintAllowed": true,
- "CustomAliasAllowed": "Forbidden"
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
 },
 {
 "Name": "Fortigate",
@@ -1750,17 +2308,23 @@
 "SupportedOperations": {
 "Add": true,
 "Create": false,
- "Discovery": true,
+ "Discovery": false,
 "Enrollment": false,
 "Remove": true
 },
+ "Properties": [],
+ "EntryParameters": [],
 "PasswordOptions": {
 "Style": "Default",
 "EntrySupported": false,
- "StoreRequired": true
+ "StoreRequired": true,
+ "StorePassword": {
+ "Description": "Enter the Fortigate API Token here",
+ "IsPAMEligible": true
+ }
 },
- "Properties": [],
- "EntryParameters": []
+ "ClientMachineDescription": "The IP address or DNS of the Fortigate server",
+ "StorePathDescription": "This is not used in this integration, but is a required field in the UI. Just enter any value here"
 },
 {
 "Name": "GCP Load Balancer",
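Review bot: The FortiWeb `ClientMachineDescription` is the DataPower text verbatim, including `For SSH Access, Port 22 will be used.`; the username description does mention CLI/SSH, so if SSH is really used the sentence should say for which operations, and if it is not it should be dropped so operators do not open port 22 needlessly. `Should be true, http is not supported.` on a required `ServerUseSsl` Bool makes False an invalid value; either say `Must be true` or leave the property out of the type. `inventory.(or valid` in the ServerPassword description is missing a space, as in the DataPower copy earlier in this diff.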
@@ -1788,13 +2352,64 @@
 "Name": "jsonKey",
 "DisplayName": "Service Account Key",
 "Required": true,
+ "IsPAMEligible": false,
 "DependsOn": "",
 "Type": "Secret",
- "DefaultValue": ""
+ "DefaultValue": "",
+ "Description": "If authenticating by passing credentials from Keyfactor Command, this is the JSON-based service account key created from within Google Cloud. If authenticating via Application Default Credentials (ADC), select No Value"
 }
 ],
+ "ClientMachineDescription": "Not used, but required when creating a store. Just enter any value.",
+ "StorePathDescription": "Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59).",
 "EntryParameters": []
 },
+ {
+ "Name": "Google Cloud Provider Apigee",
+ "ShortName": "GcpApigee",
+ "Capability": "GcpApigee",
+ "ServerRequired": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Optional",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": true,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "Properties": [
+ {
+ "Name": "isTrustStore",
+ "DisplayName": "Is Trust Store?",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "Should be checked if the Apigee keystore being managed is a truststore."
+ },
+ {
+ "Name": "jsonKey",
+ "DisplayName": "Google Json Key File",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "The JSON key tied to the Apigee service account. You can copy and paste the entire Json key in the textbox when creating a certificate store in the Keyfactor Command UI."
+ }
+ ],
+ "EntryParameters": [],
+ "ClientMachineDescription": "The Base URL for the GCP Apigee REST Api. Should be *apigee.googleapis.com*",
+ "StorePathDescription": "The Apigee keystore being managed. Must be provided in the following format: organizations/{org}/environments/{env}/keystores/{keystore}, where {org}, {env}, and {keystore} will be replaced with your environment-specific values."
+ },
 {
 "Name": "GCP Certificate Manager",
 "ShortName": "GcpCertMgr",
@@ -1825,17 +2440,23 @@
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "global",
- "Required": true
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "The GCP region used for this Certificate Manager instance. **global** is the default but could be another region based on the project."
 },
 {
 "Name": "ServiceAccountKey",
 "DisplayName": "Service Account Key File Path",
 "Type": "String",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "The file name of the Google Cloud Service Account Key File installed in the same folder as the orchestrator extension. Empty if the orchestrator server resides in GCP and you are not using a service account key."
 }
 ],
+ "ClientMachineDescription": "GCP Project ID for your account.",
+ "StorePathDescription": "This is not used and should be defaulted to n/a per the certificate store type set up.",
 "EntryParameters": []
 },
 {
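Review bot: Both `jsonKey` properties added in this hunk (GCP Load Balancer and Apigee) are `Type: Secret` holding a long-lived service-account private key yet carry `IsPAMEligible: false`, while every other new Secret credential in this diff is PAM-eligible; this is exactly the credential operators most want kept out of Command's own store. If the extension cannot resolve a PAM reference for this field, the description should say so; otherwise `"IsPAMEligible": true` looks like the intended value. The Load Balancer description's `select No Value` for ADC should also state that the key is ignored when ADC is used, which is presumably what it means. The GCP Load Balancer object starts before this hunk.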
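Review bot: The `ServiceAccountKey` description points to a key file `installed in the same folder as the orchestrator extension` but says nothing about protecting it, and a JSON service-account key on disk is a bearer credential for the project. Appending `Restrict the file's permissions to the account the orchestrator service runs as.` gives operators the one caveat that matters here. The field is documented as empty when the orchestrator runs in GCP without a key, which matches `Required: false`; with `DefaultValue: ""` an unset and an intentionally empty value are indistinguishable, which is fine only if the extension treats both as ADC, so the description could say so. The GCP Certificate Manager object starts before this hunk.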
@@ -1911,7 +2532,17 @@
 "Name": "Hashicorp Vault Key-Value JKS",
 "ShortName": "HCVKVJKS",
 "Capability": "HCVKVJKS",
+ "ClientMachineDescription": "This can be any value to help uniquely identify the store. It is not used by this integration.",
+ "StorePathDescription": "This is the path to the secret containing the store.",
 "LocalStore": false,
+ "StorePathType": "",
+ "StorePathValue": "",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
 "SupportedOperations": {
 "Add": true,
 "Create": true,
@@ -1921,16 +2552,29 @@
 },
 "Properties": [
 {
- "Name": "SubfolderInventory",
- "DisplayName": "Sub-folder Inventory",
- "Type": "Bool",
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": "false",
- "Required": false
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance"
 },
 {
 "Name": "IncludeCertChain",
 "DisplayName": "Include Certificate Chain",
+ "Description": "Should the certificate chain be included when performing an enrollment?",
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
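Review bot: `ServerUsername` in HCVKVJKS is declared `Type: Secret` with `IsPAMEligible: true`, but its new `Description` says it holds `The base URI (and port) to the instance of Hashicorp Vault`; a server URL is not a secret and would not be fetched from a PAM provider, so either the description was pasted onto the wrong field or the property should be `"Type": "String"` with `"IsPAMEligible": false`. If the field really carries the Vault address, `"Description": "Vault server URL including port, ex: https://localhost:8200. This is not a credential."` on a non-secret type makes the intent clear. The same pair is added for HCVKVP12 in the hunk that starts at the end of this diff. The HCVKVJKS object starts in the previous hunk.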
@@ -1939,42 +2583,31 @@ { "Name": "MountPoint", "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", "Type": "String", "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, + "DefaultValue": "", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, - "Style": "Default" - }, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } + }, + { + "Name": "Hashicorp Vault Key-Value PKCS12", + "ShortName": "HCVKVP12", + "Capability": "HCVKVP12", + "ClientMachineDescription": "This can be any value to help uniquely identify the store. It is not used by this integration.", + "StorePathDescription": "This is the path to the secret containing the store.", + "LocalStore": false, "StorePathType": "", "StorePathValue": "", "PrivateKeyAllowed": "Optional", @@ -1982,13 +2615,7 @@ "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" - }, - { - "Name": "Hashicorp Vault Key-Value PKCS12", - "ShortName": "HCVKVP12", - "Capability": "HCVKVP12", - "LocalStore": false, + "CustomAliasAllowed": "Required", "SupportedOperations": { "Add": true, "Create": true, 
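Review bot: The new `MountPoint` Description ends "If using Vault Namespaces, include the namespace; ie. /" — the example has lost its placeholders (most likely angle-bracketed names stripped as markup), so it now reads as if the mount point should be a bare slash. Use placeholders that survive rendering, e.g. `"Description": "The base mount point of the secrets engine. If using Vault Namespaces, prefix it with the namespace, i.e. {namespace}/{mount-point}"`. The same truncated example appears in `@@ -1998,74 +2625,68 @@`, `@@ -2093,54 +2736,39 @@` and `@@ -2168,98 +2809,154 @@`, where the HCVPKI MountPoint ends "If using enterprise namespaces: /" and needs the same repair.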
@@ -1998,74 +2625,68 @@ }, "Properties": [ { - "Name": "SubfolderInventory", - "DisplayName": "Sub-folder Inventory", - "Type": "Bool", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", "DependsOn": "", - "DefaultValue": "false", - "Required": false + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" }, { - "Name": "MountPoint", - "DisplayName": "Mount Point", - "Type": "String", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" }, { "Name": "IncludeCertChain", "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", "Required": false }, { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. 
/", + "Type": "String", "DependsOn": "", - "DefaultValue": null, + "DefaultValue": "", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } }, { "Name": "Hashicorp Vault Key-Value PEM", "ShortName": "HCVKVPEM", "Capability": "HCVKVPEM", "LocalStore": false, + "ClientMachineDescription": "This can be any value to help uniquely identify the store. It is not used by this integration.", + "StorePathDescription": "This is the path after mount point where the certificates will be stored.", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", "SupportedOperations": { "Add": true, "Create": true, 
@@ -2074,9 +2695,30 @@ "Remove": true }, "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, { "Name": "SubfolderInventory", "DisplayName": "Subfolder Inventory", + "Description": "Should certificates found in sub-paths be included when performing an inventory?", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", @@ -2085,6 +2727,7 @@ { "Name": "IncludeCertChain", "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", 
@@ -2093,54 +2736,39 @@ { "Name": "MountPoint", "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", "Type": "String", "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, + "DefaultValue": "", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, - "Style": "Default" - }, - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } }, { "Name": "Hashicorp Vault Key-Value PFX", "ShortName": "HCVKVPFX", "Capability": "HCVKVPFX", + "ClientMachineDescription": "This can be any value to help uniquely identify the store. It is not used by this integration.", + "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", "SupportedOperations": { "Add": true, "Create": true, 
@@ -2150,16 +2778,29 @@ }, "Properties": [ { - "Name": "SubfolderInventory", - "DisplayName": "Sub-folder Inventory", - "Type": "Bool", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", "DependsOn": "", - "DefaultValue": "false", - "Required": false + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" }, { "Name": "IncludeCertChain", "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", 
@@ -2168,98 +2809,154 @@ { "Name": "MountPoint", "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", "Type": "String", "DependsOn": "", - "DefaultValue": null, + "DefaultValue": "", "Required": false - }, + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } + }, + { + "Name": "Hashicorp Vault PKI", + "ShortName": "HCVPKI", + "Capability": "HCVPKI", + "LocalStore": false, + "ClientMachineDescription": "This can be any value to help uniquely identify the store. It is not used by this integration.", + "StorePathDescription": "For HCVPKI, this will be '/'", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "PrivateKeyAllowed": "Forbidden", + "CustomAliasAllowed": "Forbidden", + "StorePathType": "Fixed", + "StorePathValue": "/", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" }, { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", + "Name": 
"MountPoint", + "DisplayName": "Mount Point", + "Description": "This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: /", + "Type": "String", "DependsOn": "", - "DefaultValue": "true", + "DefaultValue": "", "Required": true } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } }, { - "Name": "Hashicorp Vault PKI", - "ShortName": "HCVPKI", - "Capability": "HCVPKI", + "Name": "HP iLO Cert Store", + "ShortName": "HPiLO", + "Capability": "HPiLO", "LocalStore": false, + "StorePathDescription": "This should contain the path pointing to the HPiLO instance address, IP or domain name.", + "ClientMachineDescription": "Should contain a copy of the store path for compatibility reasons but is currently unused.", "SupportedOperations": { - "Add": false, + "Add": true, "Create": false, "Discovery": false, - "Enrollment": false, - "Remove": false + "Enrollment": true, + "Remove": true }, "Properties": [ { - "Name": "MountPoint", - "DisplayName": "Mount Point", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": true + "Name": "InventoryAll", + "DisplayName": "InventoryAll", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "false", + "Required": true, + "Description": "If true, allows for inventory of additional factory-installed certificates and their chains: `Platform Cert`,`SystemIAK`,`SystemIDevID`, `iLOIDevID/BMCIDevIDPCA`" }, { - "Name": "VaultToken", - "DisplayName": "VaultToken", - "Type": "String", - "DependsOn": "", - 
"DefaultValue": null, - "Required": true + "Name": "IgnoreValidation", + "DisplayName": "IgnoreValidation", + "Type": "Bool", + "DefaultValue": "false", + "DependsOn": null, + "Required": true, + "Description": "WARNING: Only enable if testing. Used to disable certificate validation checks at the API endpoint. Should be set to false in any production scenario." }, { - "Name": "VaultServerUrl", - "DisplayName": "Vault Server URL", + "Name": "HTTPSCertWaitTime", + "DisplayName": "HTTPS Cert Wait Time", "Type": "String", + "DefaultValue": "60", + "DependsOn": null, + "Required": true, + "Description": "The HPiLO API requires the user to wait while the HTTPS Cert CSR is generated. HP suggests a time of 60 seconds, as is the default setting, but it can be adjusted." + } + ], + "EntryParameters": [ + { + "Name": "IncludeIP", + "DisplayName": "IncludeIP", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": "false", + "Description": "Enables the addition of the device IP as a SAN to the CSR during reenrollment. Used particularly during HTTPSCert reenrollment, where it can be set as desired, and should be set to false during all other operations." } ], - "EntryParameters": null, "PasswordOptions": { - "EntrySupported": false, + "EntrySupported": true, "StoreRequired": false, "Style": "Default" }, "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": false, + "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, "CustomAliasAllowed": "Optional" 
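Review bot: The three new HP iLO properties (`InventoryAll`, `IgnoreValidation`, `HTTPSCertWaitTime`) use `"DependsOn": null` while this same commit normalises `null` to `""` for the Palo Alto properties in `@@ -3018,36 +3866,66 @@` and every other property in these hunks uses `"DependsOn": ""`; keep one representation, `"DependsOn": "",`. The `IgnoreValidation` Description warns that it disables "certificate validation checks at the API endpoint" but not which certificate is meant — presumably the iLO's own TLS server certificate (confirm) — and stating that makes clear why leaving it `false` is what makes the HTTPS connection to the device trustworthy rather than a generic caution. The HP iLO object also lacks the `"JobProperties": []`, `"StorePathType"` and `"StorePathValue"` keys that the HCVPKI object added earlier in the same hunk carries; if the consumer tolerates their absence that is fine, but explicit empty values keep the entries uniform.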
@@ -2283,39 +2980,44 @@ "Type": "Bool", "DependsOn": "", "DefaultValue": "false", - "Required": false + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, { - "Name": "WinRm Protocol", - "DisplayName": "WinRm Protocol", + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", "Type": "MultipleChoice", "DependsOn": "", - "DefaultValue": "https,http", - "Required": true + "DefaultValue": "https,http,ssh", + "Required": true, + "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment." }, { - "Name": "WinRm Port", - "DisplayName": "WinRm Port", + "Name": "WinRM Port", + "DisplayName": "WinRM Port", "Type": "String", "DependsOn": "", "DefaultValue": "5986", - "Required": true + "Required": true, + "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22." }, { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." 
}, { "Name": "ServerUseSsl", @@ -2323,7 +3025,8 @@ "Type": "Bool", "DependsOn": "", "DefaultValue": "true", - "Required": true + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" } ], "EntryParameters": [ @@ -2339,7 +3042,8 @@ }, "DependsOn": "", "DefaultValue": "443", - "Options": "" + "Options": "", + "Description": "String value specifying the IP port to bind the certificate to for the IIS site. Example: '443' for HTTPS." }, { "Name": "IPAddress", @@ -2353,7 +3057,8 @@ }, "DependsOn": "", "DefaultValue": "*", - "Options": "" + "Options": "", + "Description": "String value specifying the IP address to bind the certificate to for the IIS site. Example: '*' for all IP addresses or '192.168.1.1' for a specific IP address." }, { "Name": "HostName", @@ -2367,7 +3072,8 @@ }, "DependsOn": "", "DefaultValue": "", - "Options": "" + "Options": "", + "Description": "String value specifying the host name (host header) to bind the certificate to for the IIS site. Leave blank for all host names or enter a specific hostname such as 'www.example.com'." }, { "Name": "SiteName", @@ -2381,12 +3087,13 @@ }, "DependsOn": "", "DefaultValue": "Default Web Site", - "Options": "" + "Options": "", + "Description": "String value specifying the name of the IIS web site to bind the certificate to. Example: 'Default Web Site' or any custom site name such as 'MyWebsite'." }, { "Name": "SniFlag", - "DisplayName": "SNI Support", - "Type": "MultipleChoice", + "DisplayName": "SSL Flags", + "Type": "String", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, 
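Review bot: `@@ -2283,39 +2980,44 @@` renames the property keys `WinRm Protocol` → `WinRM Protocol` and `WinRm Port` → `WinRM Port`; if `Name` is what a stored certificate-store definition is matched on (I cannot see the consumer), existing IIS stores created with the old spelling may stop resolving these properties unless something migrates them, so either keep the old `Name` and change only `DisplayName`, or call the rename out as a breaking change. The `ServerPassword` Description says that for SSH "the password must include the full SSH Private key" without stating the expected format; if PEM is what is parsed, `"... the password field must contain the full SSH private key in PEM format, including the BEGIN/END lines."` removes the guesswork. `WinRM Port` keeps the default `"5986"` while its Description says SSH defaults to 22; say whether the 5986 default is ignored for `ssh` or must be changed by the operator.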
@@ -2394,8 +3101,9 @@ "OnReenrollment": false }, "DependsOn": "", - "DefaultValue": "0 - No SNI", - "Options": "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding" + "DefaultValue": "0", + "Options": "", + "Description": "A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.)" }, { "Name": "Protocol", @@ -2409,7 +3117,8 @@ }, "DependsOn": "", "DefaultValue": "https", - "Options": "https,http" + "Options": "https,http", + "Description": "Multiple choice value specifying the protocol to bind to. Example: 'https' for secure communication." }, { "Name": "ProviderName", @@ -2423,7 +3132,8 @@ }, "DependsOn": "", "DefaultValue": "", - "Options": "" + "Options": "", + "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." }, { "Name": "SAN", @@ -2437,7 +3147,8 @@ }, "DependsOn": "", "DefaultValue": "", - "Options": "" + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { 
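Review bot: The new `SniFlag` Description ends with an unbalanced `)` after "appropriate bit setting" and opens with "A 128-Bit Flag", which does not describe the value: the field now takes a small integer bitmask (the commit's own default is `"0"`, and the removed options showed `1` as "SNI Enabled"), so `"Description": "Integer bitmask for the IIS binding sslFlags. The default 0 means no SNI; 1 enables SNI. See the IIS documentation for the remaining bits."` would be accurate, assuming the value is passed through as sslFlags. Changing the type from `MultipleChoice` with labelled options to a free `String` also removes the input constraint, so a sentence on how a non-numeric value is handled would help. The `SAN` Description in `@@ -2437,7 +3147,8 @@` says "a list of = entries" — the placeholders around `=` were lost; write them so they survive rendering, e.g. `{type}={value} entries separated by ampersands`.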
@@ -2450,7 +3161,9 @@ "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Hostname of the Windows Server containing the IIS certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).", + "StorePathDescription": "Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store." }, { "Name": "Imperva", @@ -2471,10 +3184,16 @@ "PasswordOptions": { "Style": "Default", "EntrySupported": false, - "StoreRequired": true + "StoreRequired": true, + "StorePassword": { + "Description": "Your Imperva API id and API key concatenated with a comma (,}. For example: 12345,12345678-1234-1234-1234-123456789ABC. Please refer to the [Imperva documentation](https://docs.imperva.com/bundle/cloud-application-security/page/settings/api-keys.htm#:~:text=In%20the%20Cloud%20Security%20Console%20top%20menu%20bar%2C%20click%20Account,to%20create%20a%20new%20key.) as to how to create an API id and key.", + "IsPAMEligible": true + } }, "Properties": [], - "EntryParameters": [] + "EntryParameters": [], + "ClientMachineDescription": "The URL that will be used as the base URL for Imperva endpoint calls. Should be https://my.imperva.com", + "StorePathDescription": "Your Imperva account id. Please refer to the [Imperva documentation](https://docs.imperva.com/howto/bd68301b) as to how to find your Imperva account id." }, { "Name": "K8SCert", 
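Review bot: In `@@ -2471,10 +3184,16 @@` the `StorePassword` Description reads "concatenated with a comma (,}." — the closing brace should be a parenthesis, `(,)`. The Description also embeds a documentation URL with a `#:~:text=` text fragment; those fragments are browser-specific and brittle, so linking to the page without the fragment is more durable. Since the value holds the Imperva API id and API key together, stating that the whole string is the credential (which is why `IsPAMEligible` is `true`) would help operators who expect only a key there.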
@@ -3001,6 +3720,135 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Optional" }, + { + "Name": "OktaApp", + "ShortName": "OktaApp", + "LocalStore": false, + "StorePathDescription": "This should contain the Okta App ID (please see overview for description).", + "ClientMachineDescription": "This should contain your Okta URL (e.g. https://trial-1111.okta.com).", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": true, + "Enrollment": true, + "Remove": false + }, + "Properties": [ + { + "Name": "DefaultValidityYears", + "DisplayName": "DefaultValidityYears", + "Type": "String", + "DependsOn": null, + "DefaultValue": "1", + "Required": true, + "Description": "Number of years the certificate will be valid for by default. Required by Okta." + } + ], + "EntryParameters": [ + { + "Name": "SANList", + "DisplayName": "SANList", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN." + }, + { + "Name": "ActivateCredential", + "DisplayName": "ActivateCredential", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "false", + "Options": "", + "Description": "This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG." 
+ } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Forbidden", + "ServerRequired": true, + "CustomAliasAllowed": "Forbidden" + }, + { + "Name": "OktaIdP", + "ShortName": "OktaIdP", + "StorePathDescription": "This should contain the Okta IdP ID (please see overview for description).", + "ClientMachineDescription": "This should contain your Okta URL (e.g. https://trial-1111.okta.com).", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": true, + "Enrollment": true, + "Remove": false + }, + "Properties": [ + { + "Name": "DefaultValidityYears", + "DisplayName": "DefaultValidityYears", + "Type": "String", + "DependsOn": null, + "DefaultValue": "1", + "Required": true, + "Description": "Number of years the certificate will be valid for by default. Required by Okta." + } + ], + "EntryParameters": [ + { + "Name": "SANList", + "DisplayName": "SANList", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN." + }, + { + "Name": "ActivateCredential", + "DisplayName": "ActivateCredential", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "true", + "Options": "", + "Description": "This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Forbidden", + "ServerRequired": true, + "CustomAliasAllowed": "Forbidden" + }, { "Name": "PaloAlto", "ShortName": "PaloAlto", 
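Review bot: The new `OktaApp` and `OktaIdP` store types are the only objects in these hunks without a `"Capability"` key, and `OktaIdP` additionally omits `"LocalStore": false`, which `OktaApp` has; unless the consumer derives Capability from ShortName (I cannot see it), add `"Capability": "OktaApp"` / `"Capability": "OktaIdP"` and the `LocalStore` key so both match the sibling entries. `ActivateCredential` defaults to `"false"` for OktaApp but `"true"` for OktaIdP while the two Descriptions are identical — if intentional, say why in the IdP Description; if not, align the defaults. Both objects also lack the `JobProperties`, `StorePathType`, `StorePathValue`, `PowerShell` and `BlueprintAllowed` keys present on the other entries. The PaloAlto object that follows starts in this hunk and continues outside it.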
@@ -3018,36 +3866,66 @@ "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Palo Alto or Panorama Api User. (or valid PAM key if the username is stored in a KF Command configured PAM integration)." }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Palo Alto or Panorama Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration)." }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "true", - "Required": true + "Required": true, + "IsPAMEligible": false, + "Description": "Should be true, http is not supported." + }, + { + "Name": "DeviceGroup", + "DisplayName": "Device Group", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "A semicolon delimited list of Device Groups that Panorama will push changes to (i.e. 'Group 1', 'Group 1;Group 2', or 'Group 1; Group 2', etc.)." + }, + { + "Name": "InventoryTrustedCerts", + "DisplayName": "Inventory Trusted Certs", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "If false, will not inventory default trusted certs, saves time." 
}, { - "Name": "DeviceGroup", - "DisplayName": "Device Group", + "Name": "TemplateStack", + "DisplayName": "Template Stack", "Type": "String", - "DependsOn": null, - "DefaultValue": null, - "Required": false + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "Template stack used for device push of certificates via Template." } ], "EntryParameters": [], + "ClientMachineDescription": "Either the Panorama or Palo Alto Firewall URI or IP address.", + "StorePathDescription": "The Store Path field should be reviewed in the store path explanation section. It varies depending on configuration.", "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3113,7 +3991,7 @@ "DependsOn": "", "Type": "String", "DefaultValue": "", - "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'." + "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting." }, { "Name": "LinuxFileOwnerOnStoreCreation", 
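Review bot: In `@@ -3018,36 +3866,66 @@` the `ServerPassword` Description was copied from `ServerUsername` and still says "or valid PAM key if the username is stored in a KF Command configured PAM integration"; it should read `"... (or valid PAM key if the password is stored in a KF Command configured PAM integration)."`. `InventoryTrustedCerts` is `"Required": true` with default `"false"` and its Description only states the `false` side ("will not inventory default trusted certs, saves time"); adding the `true` side, e.g. "if true, the device's default trusted CA certificates are included in inventory", makes the trade-off explicit. The PaloAlto object begins before this hunk.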
@@ -3122,7 +4000,7 @@ "DependsOn": "", "Type": "String", "DefaultValue": "", - "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'." + "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting." }, { "Name": "SudoImpersonatingUser", @@ -3131,7 +4009,7 @@ "DependsOn": "", "Type": "String", "DefaultValue": "", - "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'." + "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting." }, { "Name": "SeparatePrivateKeyFilePath", 
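Review bot: The `SudoImpersonatingUser` Description in `@@ -3131,7 +4009,7 @@` ends "Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting." whereas the same property in `@@ -3218,7 +4132,43 @@` says "Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."; the two copies should match, and the latter follows the pattern the other Linux* descriptions use. Because these descriptions are duplicated per store type, drift like this is easy to miss; a quick `jq` check that properties with equal `Name` carry equal `Description` values would catch it before merge.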
@@ -3141,6 +4019,42 @@ "Type": "String", "DefaultValue": "", "Description": "The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'." + }, + { + "Name": "RemoveRootCertificate", + "DisplayName": "Remove Root Certificate from Chain", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "False", + "Description": "Remove root certificate from chain when adding/renewing a certificate in a store." + }, + { + "Name": "IncludePortInSPN", + "DisplayName": "Include Port in SPN for WinRM", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "False", + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "FileTransferProtocol", + "DisplayName": "File Transfer Protocol to Use", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": ",SCP,SFTP,Both", + "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." + }, + { + "Name": "SSHPort", + "DisplayName": "SSH Port", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "", + "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." } ], "EntryParameters": [], 
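Review bot: The new `RemoveRootCertificate` and `IncludePortInSPN` properties use `"DefaultValue": "False"` while every other `Bool` property in these hunks uses lowercase `"false"` (e.g. `IncludeCertChain`, `SubfolderInventory`); unless the consumer compares case-insensitively, use `"DefaultValue": "false"` for both here and in the duplicate block in `@@ -3218,7 +4132,43 @@`. `FileTransferProtocol` has `"DefaultValue": ",SCP,SFTP,Both"` with a leading empty choice — presumably the blank option means "inherit the config.json setting", which the Description hints at but does not say; append `Leave blank to use the FileTransferProtocol value from config.json.` if that is the behaviour. `SSHPort` is typed `String` but documented as an integer, which is consistent with `WinRM Port` elsewhere, so no change there.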
@@ -3200,7 +4114,7 @@ "DependsOn": "", "Type": "String", "DefaultValue": "", - "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'." + "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting." }, { "Name": "LinuxFileOwnerOnStoreCreation", @@ -3209,7 +4123,7 @@ "DependsOn": "", "Type": "String", "DefaultValue": "", - "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'." + "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting." }, { "Name": "SudoImpersonatingUser", 
@@ -3218,7 +4132,43 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'."
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "FileTransferProtocol",
+ "DisplayName": "File Transfer Protocol to Use",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": ",SCP,SFTP,Both",
+ "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
 }
 ],
 "EntryParameters": [],
@@ -3278,7 +4228,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'."
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "LinuxFileOwnerOnStoreCreation",
@@ -3287,7 +4237,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'."
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "SudoImpersonatingUser",
@@ -3296,7 +4246,43 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'."
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "FileTransferProtocol",
+ "DisplayName": "File Transfer Protocol to Use",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": ",SCP,SFTP,Both",
+ "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
 }
 ],
 "EntryParameters": [],
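Review bot: The new SudoImpersonatingUser Description ends with `Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.` while the same sentence in hunks @@ -3218 and @@ -3575 reads `Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting.`, the word order every other "Overrides ..." sentence in this diff uses. The markdown link suggests these strings are rendered into user-facing documentation, so the wording should be identical across the store types; the hunks at @@ -3374 and @@ -3461 carry the same variant. The enclosing Properties array starts outside the hunk.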
@@ -3356,7 +4342,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'."
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "LinuxFileOwnerOnStoreCreation",
@@ -3365,7 +4351,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'."
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "SudoImpersonatingUser",
@@ -3374,7 +4360,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'."
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting."
 },
 {
 "Name": "WorkFolder",
@@ -3384,6 +4370,42 @@
 "Type": "String",
 "DefaultValue": "",
 "Description": "The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "FileTransferProtocol",
+ "DisplayName": "File Transfer Protocol to Use",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": ",SCP,SFTP,Both",
+ "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
 }
 ],
 "EntryParameters": [],
@@ -3443,7 +4465,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'."
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "LinuxFileOwnerOnStoreCreation",
@@ -3452,7 +4474,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'."
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "SudoImpersonatingUser",
@@ -3461,7 +4483,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'."
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.."
 },
 {
 "Name": "IsTrustStore",
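Review bot: The new SudoImpersonatingUser Description in the third hunk on this line ends with a doubled full stop, `...DefaultSudoImpersonatedUser setting..`; the string should end `setting."`. Only this copy of the sentence has the typo; every other store type in this diff ends it with a single period, and since the text is shown to operators it will surface verbatim. The enclosing Properties array starts outside the hunk.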
@@ -3497,7 +4519,43 @@
 "DependsOn": "",
 "Type": "Bool",
 "DefaultValue": "false",
- "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it."
+ "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "FileTransferProtocol",
+ "DisplayName": "File Transfer Protocol to Use",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": ",SCP,SFTP,Both",
+ "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
 }
 ],
 "EntryParameters": [],
@@ -3557,7 +4615,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'."
+ "Description": "The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "LinuxFileOwnerOnStoreCreation",
@@ -3566,7 +4624,7 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'."
+ "Description": "The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting."
 },
 {
 "Name": "SudoImpersonatingUser",
@@ -3575,7 +4633,43 @@
 "DependsOn": "",
 "Type": "String",
 "DefaultValue": "",
- "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'."
+ "Description": "The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "RemoveRootCertificate",
+ "DisplayName": "Remove Root Certificate from Chain",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Remove root certificate from chain when adding/renewing a certificate in a store."
+ },
+ {
+ "Name": "IncludePortInSPN",
+ "DisplayName": "Include Port in SPN for WinRM",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "Bool",
+ "DefaultValue": "False",
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "FileTransferProtocol",
+ "DisplayName": "File Transfer Protocol to Use",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "MultipleChoice",
+ "DefaultValue": ",SCP,SFTP,Both",
+ "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting."
+ },
+ {
+ "Name": "SSHPort",
+ "DisplayName": "SSH Port",
+ "Required": false,
+ "DependsOn": "",
+ "Type": "String",
+ "DefaultValue": "",
+ "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting."
 }
 ],
 "EntryParameters": [],
@@ -3583,37 +4677,127 @@
 "StorePathDescription": "The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.p12) for Windows orchestrated servers. Example: '/folder/path/storename.p12' or 'c:\\folder\\path\\storename.p12'."
 },
 {
- "Name": "SampleStoreType",
- "ShortName": "SAMPLETYPE",
- "Capability": "SAMPLETYPE",
+ "Name": "Sample Orchestrator Solution",
+ "ShortName": "SOS",
+ "Capability": "SOS",
+ "LocalStore": false,
+ "StorePathDescription": "Path points to a local .json file. Orchestrator and its account should have read/write access.",
+ "ClientMachineDescription": "Runs on a Windows based machine.",
 "SupportedOperations": {
- "Add": false,
- "Create": false,
- "Discovery": false,
- "Enrollment": false,
- "Remove": false
+ "Add": true,
+ "Create": true,
+ "Discovery": true,
+ "Enrollment": true,
+ "Remove": true
 },
- "Properties": [],
- "EntryParameters": [],
+ "Properties": [
+ {
+ "Name": "StoreNameString",
+ "DisplayName": "Store Name",
+ "Type": "String",
+ "Required": false,
+ "Description": "The Store name for the particular SOS store."
+ },
+ {
+ "Name": "ForTestingOnlyBool",
+ "DisplayName": "For Testing Only",
+ "Type": "Bool",
+ "DefaultValue": "true",
+ "Required": false,
+ "Description": "Test bool variable."
+ },
+ {
+ "Name": "CollectionNameMultipleChoice",
+ "DisplayName": "Collection Name",
+ "Type": "MultipleChoice",
+ "DefaultValue": "internal",
+ "Options": "internal,public,single use,ssl",
+ "Required": true,
+ "Description": "A test collection."
+ },
+ {
+ "Name": "PrivateDetailsSecret",
+ "DisplayName": "Private Details",
+ "Type": "Secret",
+ "Required": false,
+ "DefaultValue": "test",
+ "Description": "A test secret."
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CommaSeparatedSansString",
+ "DisplayName": "SANs",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "Description": "SAN string."
+ },
+ {
+ "Name": "CertColorMultipleChoice",
+ "DisplayName": "Certificate Color",
+ "Type": "MultipleChoice",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": "red",
+ "Options": "red,green,blue,orange",
+ "Description": "A test variable with multiple choice."
+ },
+ {
+ "Name": "ForTestingOnlyBool",
+ "DisplayName": "For Testing Only",
+ "Type": "Bool",
+ "RequiredWhen": {
+ "HasPrivateKey": true,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": "true",
+ "Description": "Another test boolean."
+ },
+ {
+ "Name": "PrivateCertDetailsSecret",
+ "DisplayName": "Private Cert Details",
+ "Type": "Secret",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": "test",
+ "Description": "A per cert secret."
+ }
+ ],
 "PasswordOptions": {
- "EntrySupported": false,
+ "EntrySupported": true,
 "StoreRequired": false,
 "Style": "Default"
 },
- "StorePathType": "",
- "StorePathValue": "",
- "PrivateKeyAllowed": "Forbidden",
- "JobProperties": [],
- "ServerRequired": false,
+ "PrivateKeyAllowed": "Optional",
+ "ServerRequired": true,
 "PowerShell": false,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Forbidden"
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Optional"
 },
 {
 "Name": "Signum",
 "ShortName": "Signum",
 "Capability": "Signum",
- "LocalStore": false,
+ "ServerRequired": true,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required",
+ "PowerShell": false,
+ "PrivateKeyAllowed": "Required",
 "SupportedOperations": {
 "Add": false,
 "Create": false,
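Review bot: Both Secret-typed properties of the renamed sample store type carry a literal default, `"DefaultValue": "test"` on PrivateDetailsSecret and PrivateCertDetailsSecret, which seeds a secret field from a committed catalog file and has no counterpart elsewhere in this diff, where every Secret property defaults to `""`; set `"DefaultValue": ""` and let the value be supplied at store-configuration time. The sample type is now also enabled for every operation with `"BlueprintAllowed": true` and `"ServerRequired": true`, so it will be offered to operators as a real store type in the shipped catalog; if it is meant only for testing, the Description strings (`"Test bool variable."`, `"A test secret."`) should say so explicitly, or the entry should not ship. Note too that its MultipleChoice properties carry a separate `"Options"` key with a single-value DefaultValue, whereas the rest of the file encodes the choices as the comma list in DefaultValue (`"https,http,ssh"`), so a consumer that reads only DefaultValue would see one option here. The Sample object begins in the previous line of this hunk; its tail and the start of the Signum object are in this one.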
@@ -3621,21 +4805,36 @@
 "Enrollment": false,
 "Remove": false
 },
- "Properties": [],
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment."
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The password (or PAM key pointing to the password) for the user ID you entered for Server User Name."
+ }
+ ],
 "EntryParameters": [],
+ "ClientMachineDescription": "The URL that will be used as the base URL for Signum endpoint calls. Should be something like https://{base url for your signum install}/rtadminservice.svc/basic. The API service port can be configured so yours may use something other than default https/443. The '/basic' at the end is required, as this integration makes use of Basic Authentication only when consuming the Signum SOAP API library.",
+ "StorePathDescription": "Not used and hardcoded to NA for 'not applicable'",
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
 "Style": "Default"
- },
- "StorePathType": "",
- "StorePathValue": "na",
- "PrivateKeyAllowed": "Required",
- "JobProperties": [],
- "ServerRequired": true,
- "PowerShell": false,
- "BlueprintAllowed": false,
- "CustomAliasAllowed": "Required"
+ }
 },
 {
 "Name": "VMware-NSX",
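Review bot: The new `"StorePathDescription": "Not used and hardcoded to NA for 'not applicable'"` contradicts the same hunk, which removes the `"StorePathValue": "na"` line (and `"StorePathType": ""`) that fixed the value, so after this change nothing in the definition pins the Store Path and it becomes free text; either keep `"StorePathType": "", "StorePathValue": "na"` or reword the description to say the field is ignored. The ClientMachineDescription states the integration uses Basic Authentication only, which sends the ServerUsername and ServerPassword values in the header of every request, so it should say the URL must use `https://` rather than merely naming https/443 as the typical port, and that a plain `http://` URL would expose the credentials in transit. The enclosing Signum object starts outside the hunk.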
@@ -3655,24 +4854,20 @@
 "DisplayName": "Server Username",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": true
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The username of the user to log on as in VMware NSX ALB."
 },
 {
 "Name": "ServerPassword",
 "DisplayName": "Server Password",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": true
- },
- {
- "Name": "ServerUseSsl",
- "DisplayName": "Use SSL",
- "Type": "Bool",
- "DependsOn": "",
- "DefaultValue": "true",
- "Required": true
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The password of the user to log on as in VMware NSX ALB."
 },
 {
 "Name": "ApiVersion",
@@ -3680,10 +4875,12 @@
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "20.1.1",
- "Required": true
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "The API Version of Avi / NSX to target. A default is set for the version this was originally developed and tested against."
 }
 ],
- "EntryParameters": null,
+ "EntryParameters": [],
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -3696,7 +4893,9 @@
 "ServerRequired": true,
 "PowerShell": false,
 "BlueprintAllowed": false,
- "CustomAliasAllowed": "Required"
+ "CustomAliasAllowed": "Required",
+ "ClientMachineDescription": "This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/ ",
+ "StorePathDescription": "A selection from the different certificate types supported: Application, Controller, or CA."
 },
 {
 "Name": "WinCerMgmt",
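Review bot: The ServerUseSsl property is dropped from VMware-NSX in the first hunk on this line while WinCerMgmt (hunk @@ -3793) and WinSql (hunk @@ -3852) keep it and describe it as `(This field is automatically created)`; if the platform really injects it, the two explicit copies are redundant, and if it does not, existing NSX store records that carry the property will presumably no longer match this type, so the commit should say which case applies. In the third hunk the new ClientMachineDescription string ends with a trailing space after `https://my.nsx.url/ `, which will be carried into the rendered documentation; trim it. The enclosing Properties array starts outside the first hunk.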
@@ -3753,15 +4952,17 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "false",
- "Required": false
+ "Required": false,
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
 },
 {
 "Name": "WinRM Protocol",
 "DisplayName": "WinRM Protocol",
 "Type": "MultipleChoice",
 "DependsOn": "",
- "DefaultValue": "https,http",
- "Required": true
+ "DefaultValue": "https,http,ssh",
+ "Required": true,
+ "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment."
 },
 {
 "Name": "WinRM Port",
@@ -3769,23 +4970,26 @@
 "Type": "String",
 "DependsOn": "",
 "DefaultValue": "5986",
- "Required": true
+ "Required": true,
+ "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22."
 },
 {
 "Name": "ServerUsername",
 "DisplayName": "Server Username",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'."
 },
 {
 "Name": "ServerPassword",
 "DisplayName": "Server Password",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": null,
- "Required": false
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key."
 },
 {
 "Name": "ServerUseSsl",
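Review bot: The new WinRM Port Description in the second hunk says `By default, when using ssh in a Linux environment, the default port number is 22`, yet the property's `"DefaultValue"` stays `"5986"`, so an operator cannot tell whether choosing ssh switches the port automatically or they must enter 22 themselves; reword to either `Enter 22 (or your sshd port) when the protocol is ssh.` or `Ignored when the protocol is ssh; port 22 is used.`, whichever the orchestrator implements. The ServerPassword Description's instruction that the value `must include the full SSH Private key` should also state the expected form (for example PEM text including the BEGIN/END lines) since a Secret field gives the operator no other hint, and a wrong guess fails only at connection time. The enclosing Properties array starts outside both hunks.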
@@ -3793,7 +4997,8 @@
 "Type": "Bool",
 "DependsOn": "",
 "DefaultValue": "true",
- "Required": true
+ "Required": true,
+ "Description": "Determine whether the server uses SSL or not (This field is automatically created)"
 }
 ],
 "EntryParameters": [
@@ -3809,7 +5014,8 @@
 },
 "DependsOn": "",
 "DefaultValue": "",
- "Options": ""
+ "Options": "",
+ "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server."
 },
 {
 "Name": "SAN",
@@ -3823,7 +5029,8 @@
 },
 "DependsOn": "",
 "DefaultValue": "",
- "Options": ""
+ "Options": "",
+ "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA."
 }
 ],
 "PasswordOptions": {
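Review bot: The new SAN Description in the third hunk on this line reads `Format as a list of = entries separated by ampersands`, which looks like a `<type>=<value>` placeholder lost to angle-bracket stripping; write it as `Format as a list of type=value entries separated by ampersands` so the rendered text names both operands. The same truncated sentence appears in the WinSql SAN parameter in hunk @@ -3938. The enclosing EntryParameters entry starts outside the hunk.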
@@ -3836,7 +5043,9 @@
 "ServerRequired": true,
 "PowerShell": false,
 "BlueprintAllowed": false,
- "CustomAliasAllowed": "Forbidden"
+ "CustomAliasAllowed": "Forbidden",
+ "ClientMachineDescription": "Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).",
+ "StorePathDescription": "Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store."
 },
 {
 "Name": "WinSql",
@@ -3852,52 +5061,67 @@
 },
 "Properties": [
 {
- "Name": "WinRm Protocol",
- "DisplayName": "WinRm Protocol",
+ "Name": "spnwithport",
+ "DisplayName": "SPN With Port",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": false,
+ "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
+ },
+ {
+ "Name": "WinRM Protocol",
+ "DisplayName": "WinRM Protocol",
 "Type": "MultipleChoice",
- "DependsOn": null,
- "DefaultValue": "https,http",
- "Required": true
+ "DependsOn": "",
+ "DefaultValue": "https,http,ssh",
+ "Required": true,
+ "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment."
 },
 {
- "Name": "WinRm Port",
- "DisplayName": "WinRm Port",
+ "Name": "WinRM Port",
+ "DisplayName": "WinRM Port",
 "Type": "String",
- "DependsOn": null,
+ "DependsOn": "",
 "DefaultValue": "5986",
- "Required": true
+ "Required": true,
+ "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22."
 },
 {
 "Name": "ServerUsername",
 "DisplayName": "Server Username",
 "Type": "Secret",
- "DependsOn": null,
- "DefaultValue": null,
- "Required": false
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'."
 },
 {
 "Name": "ServerPassword",
 "DisplayName": "Server Password",
 "Type": "Secret",
- "DependsOn": null,
- "DefaultValue": null,
- "Required": false
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key."
 },
 {
 "Name": "ServerUseSsl",
 "DisplayName": "Use SSL",
 "Type": "Bool",
- "DependsOn": null,
+ "DependsOn": "",
 "DefaultValue": "true",
- "Required": true
+ "Required": true,
+ "Description": "Determine whether the server uses SSL or not (This field is automatically created)"
 },
 {
 "Name": "RestartService",
 "DisplayName": "Restart SQL Service After Cert Installed",
 "Type": "Bool",
- "DependsOn": null,
+ "DependsOn": "",
 "DefaultValue": "false",
- "Required": true
+ "Required": true,
+ "Description": "Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation."
 }
 ],
 "EntryParameters": [
@@ -3910,7 +5134,8 @@
 "OnAdd": false,
 "OnRemove": false,
 "OnReenrollment": false
- }
+ },
+ "Description": "String value specifying the SQL Server instance name to bind the certificate to. Example: 'MSSQLServer' for the default instance or 'Instance1' for a named instance."
 },
 {
 "Name": "ProviderName",
@@ -3924,7 +5149,8 @@
 },
 "DependsOn": "",
 "DefaultValue": "",
- "Options": ""
+ "Options": "",
+ "Description": "Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'."
 },
 {
 "Name": "SAN",
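Review bot: Renaming the property `"Name"` values from `WinRm Protocol`/`WinRm Port` to `WinRM Protocol`/`WinRM Port` in the hunk that begins on the previous line changes the key under which existing WinSql certificate store records hold these settings, so stores created against the old definition will presumably no longer resolve them unless a migration renames the stored keys; if only the visible casing matters, change `DisplayName` and keep `Name` stable. The new `"Name": "spnwithport"` is also the only all-lowercase property name in this diff, while the equivalent option in the remote-file types (hunk @@ -3141) is `IncludePortInSPN`, so either reuse that name or document why the WinSql type differs. The enclosing WinSql object starts outside the hunk.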
@@ -3938,7 +5164,8 @@
 },
 "DependsOn": "",
 "DefaultValue": "",
- "Options": ""
+ "Options": "",
+ "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs."
 }
 ],
 "PasswordOptions": {
@@ -3951,6 +5178,204 @@
 "ServerRequired": true,
 "PowerShell": false,
 "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Forbidden",
+ "ClientMachineDescription": "Hostname of the Windows Server containing the SQL Server Certificate Store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).",
+ "StorePathDescription": "Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server."
+ },
+ {
+ "Name": "F5 WAF CA",
+ "ShortName": "f5WafCa",
+ "Capability": "f5WafCa",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "Not used. Set to No Value."
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The API Token configured in the F5 Distributed Cloud instance's Account Settings. Please review the Requirements & Prerequisites section in this README for more information on creating this API token."
+ }
+ ],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Forbidden",
+ "JobProperties": [],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
+ "ClientMachineDescription": "The URL for the F5 Distributed Cloud instance (typically ending in '.console.ves.volterra.io').",
+ "StorePathDescription": "The Multi-Cloud App Connect namespace containing the certificates you wish to manage."
+ },
+ {
+ "Name": "F5 WAF TLS",
+ "ShortName": "f5WafTls",
+ "Capability": "f5WafTls",
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "Not used. Set to No Value."
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "The API Token configured in the F5 Distributed Cloud instance's Account Settings. Please review the Requirements & Prerequisites section in this README for more information on creating this API token."
+ }
+ ],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Required",
+ "JobProperties": [],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Required",
+ "ClientMachineDescription": "The URL for the F5 Distributed Cloud instance (typically ending in '.console.ves.volterra.io').",
+ "StorePathDescription": "The Multi-Cloud App Connect namespace containing the certificates you wish to manage."
+ },
+ {
+ "Name": "iDRAC",
+ "ShortName": "iDRAC",
+ "Capability": "iDRAC",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": false
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The user ID (or, if using a PAM provider, the key pointing to the user ID) to log into the iDRAC instance being managed."
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPAMEligible": true,
+ "Description": "The password (or, if using a PAM provider, the key pointing to the password) for the user ID above."
+ }
+ ],
+ "ClientMachineDescription": "The IP address of the iDRAC instance being managed.",
+ "StorePathDescription": "Enter the full path where the Racadm executable is installed on the orchestrator server. See [Requirements & Prerequisites](#requirements--prerequisites) above for more details.",
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Required",
+ "JobProperties": [],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
 "CustomAliasAllowed": "Forbidden"
+ },
+ {
+ "Name": "VMware vCenter",
+ "ShortName": "vCenter",
+ "Capability": "vCenter",
+ "LocalStore": false,
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "StorePathType": "",
+ "StorePathValue": "",
+ "CustomAliasAllowed": "Optional",
+ "ClientMachineDescription": "The domain name of the vSphere client managing vCenter (url to vCenter host without the 'https://'.",
+ "StorePathDescription": "A unique identifier for this store. 
The actual value is unused by the orchestrator extension",
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "EntryParameters": [],
+ "JobProperties": [],
+ "PrivateKeyAllowed": "Optional",
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPamEligable": false,
+ "Description": "The vCenter username used to manage the vCenter connection"
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": true,
+ "IsPamEligable": false,
+ "Description": "The secret vCenter password used to manage the vCenter connection"
+ }
+ ]
 }
 ]
\ No newline at end of file
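Review bot: Both VMware vCenter properties spell the PAM flag `"IsPamEligable": false`, while the F5 WAF and iDRAC entries added in the same hunk use `"IsPAMEligible"`; a consumer that reads `IsPAMEligible` will never see the vCenter key and will fall back to its own default, so the key should be `"IsPAMEligible": false,` (and since these are a login username and password like iDRAC's, the author may want them PAM-eligible rather than stored only in Command). The F5 WAF CA and F5 WAF TLS `ServerPassword` entries carry the identical API-token description but differ on `IsPAMEligible` (`true` for CA, `false` for TLS), which looks unintended and would prevent the TLS store's token from being sourced from a PAM provider. If the line break inside the vCenter `StorePathDescription` (after "A unique identifier for this store. ") is really in the file and not a rendering artifact, it is a raw newline inside a JSON string, which strict RFC 8259 parsers reject; escape it as `\n` or join the two sentences. The vCenter `ClientMachineDescription` also leaves its opening parenthesis unclosed.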