diff --git a/CHANGELOG.md b/CHANGELOG.md
index d79d9be..dfe5274 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+v2.3
+- Add new config.json setting DefaultLinuxPermissionsOnStoreCreation, and certificate store type custom parameter linuxFilePermissionsOnStoreCreation
+- Add ability to use client machine credentials for WinRM Windows servers rather than always using the Keyfactor service account
+
+
+
 v2.2
 - Limit the valid characters that can be used for store paths to protect against command injection.
diff --git a/Images/Image12.png b/Images/Image12.png
index a085988..d44f6a9 100644
Binary files a/Images/Image12.png and b/Images/Image12.png differ
diff --git a/Images/custom-field-5.png b/Images/custom-field-5.png
new file mode 100644
index 0000000..8e2d9b6
Binary files /dev/null and b/Images/custom-field-5.png differ
diff --git a/Images/setup-3.png b/Images/setup-3.png
index 9c7c1a7..17d5288 100644
Binary files a/Images/setup-3.png and b/Images/setup-3.png differ
diff --git a/PEMStoreSSH/ApplicationSettings.cs b/PEMStoreSSH/ApplicationSettings.cs
index 0d85c6b..2d1d0b8 100644
--- a/PEMStoreSSH/ApplicationSettings.cs
+++ b/PEMStoreSSH/ApplicationSettings.cs
@@ -19,6 +19,9 @@ class ApplicationSettings
 public static string SeparateUploadFilePath { get; set; }
 public static bool UseNegotiateAuth { get; set; }
 public static bool UseSCP { get; set; }
+ public static string DefaultLinuxPermissionsOnStoreCreation { get; set; }
+
+ private const string DEFAULT_LINUX_PERMISSION_SETTING = "600";
 public static void Initialize(string currLocation)
 {
@@ -40,6 +43,7 @@ public static void Initialize(string currLocation)
 SeparateUploadFilePath = AddTrailingSlash(jsonContents.SeparateUploadFilePath.Value);
 UseNegotiateAuth = jsonContents.UseNegotiateAuth.Value.Equals("Y", System.StringComparison.OrdinalIgnoreCase);
 UseSCP = jsonContents.UseSCP == null || !jsonContents.UseSCP.Value.Equals("Y", System.StringComparison.OrdinalIgnoreCase) ? false : true;
+ DefaultLinuxPermissionsOnStoreCreation = jsonContents.DefaultLinuxPermissionsOnStoreCreation == null ? DEFAULT_LINUX_PERMISSION_SETTING : jsonContents.DefaultLinuxPermissionsOnStoreCreation.Value;
 }
 private static string AddTrailingSlash(string path)
diff --git a/PEMStoreSSH/Management.cs b/PEMStoreSSH/Management.cs
index 0725e2d..a3f212d 100644
--- a/PEMStoreSSH/Management.cs
+++ b/PEMStoreSSH/Management.cs
@@ -39,7 +39,11 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
 {
 throw new PEMException("Certificate store is set has having a separate private key but no private key path is specified in the store definition.");
 }
-
+
+ string linuxFilePermissions = properties.linuxFilePermissionsOnStoreCreation == null || string.IsNullOrEmpty(properties.linuxFilePermissionsOnStoreCreation.Value) ?
+ ApplicationSettings.DefaultLinuxPermissionsOnStoreCreation :
+ properties.linuxFilePermissionsOnStoreCreation.Value;
+
 PEMStore pemStore = new PEMStore
 (
 certStore.ClientMachine,
@@ -67,9 +71,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
 if (ApplicationSettings.CreateStoreOnAddIfMissing && !storeExists)
 {
- pemStore.CreateEmptyStoreFile(certStore.StorePath);
+ pemStore.CreateEmptyStoreFile(certStore.StorePath, linuxFilePermissions);
 if (hasSeparatePrivateKey && privateKeyPath != null)
- pemStore.CreateEmptyStoreFile(privateKeyPath);
+ pemStore.CreateEmptyStoreFile(privateKeyPath, linuxFilePermissions);
 }
 if (!ApplicationSettings.CreateStoreOnAddIfMissing && !storeExists)
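Review bot: The fallback on the new `DefaultLinuxPermissionsOnStoreCreation` line only triggers when the key is absent from config.json, so a file that carries the key with an empty value is accepted here and the failure surfaces much later, inside SSHHandler.CreateEmptyStoreFile during a Management job. Management.cs treats an empty custom parameter as "use the default", and the same rule here would keep the two consistent: `DefaultLinuxPermissionsOnStoreCreation = jsonContents.DefaultLinuxPermissionsOnStoreCreation == null || string.IsNullOrWhiteSpace((string)jsonContents.DefaultLinuxPermissionsOnStoreCreation.Value) ? DEFAULT_LINUX_PERMISSION_SETTING : jsonContents.DefaultLinuxPermissionsOnStoreCreation.Value;` (whether the cast is needed depends on how jsonContents is typed, which is not visible here). Because the validator added in SSHHandler is `public static`, Initialize could also run it (or an equivalent three-octal-digit check) on the resolved value so a malformed default fails at orchestrator start instead of on the first store creation. Initialize begins outside this hunk.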
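Review bot: `linuxFilePermissions` is resolved here but is only validated inside SSHHandler.CreateEmptyStoreFile, and on the remove path (PEMStore.RemoveCertificate, the `@@ -159` hunk in PEMStore.cs) that call comes after `SSH.RemoveCertificateFile(PrivateKeyPath)` has already deleted the private key file, so a malformed value throws with the key file gone and nothing recreated. Validating once at this point, before any remote command is issued, closes that window: `SSHHandler.AreLinuxPermissionsValid(linuxFilePermissions);` directly after the assignment, limited to Linux stores since WinRMHandler ignores the value (the server-type check is not visible in this hunk). The two CreateEmptyStoreFile call sites in the `@@ -67` and `@@ -105` hunks have the same late-validation shape, though they do not follow a deletion. ProcessJob begins and ends outside this hunk.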
@@ -95,7 +99,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
 throw new PEMException($"Certificate store {certStore.StorePath} does not exist.");
 }
- pemStore.RemoveCertificate(jobCert.Alias);
+ pemStore.RemoveCertificate(jobCert.Alias, linuxFilePermissions);
 break;
@@ -105,10 +109,10 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
 throw new PEMException($"Certificate store {certStore.StorePath} already exists and cannot be created.");
 }
- pemStore.CreateEmptyStoreFile(certStore.StorePath);
+ pemStore.CreateEmptyStoreFile(certStore.StorePath, linuxFilePermissions);
 if (hasSeparatePrivateKey && privateKeyPath != null)
 {
- pemStore.CreateEmptyStoreFile(privateKeyPath);
+ pemStore.CreateEmptyStoreFile(privateKeyPath, linuxFilePermissions);
 }
 break;
diff --git a/PEMStoreSSH/PEMStore.cs b/PEMStoreSSH/PEMStore.cs
index 2918fc0..922ccea 100644
--- a/PEMStoreSSH/PEMStore.cs
+++ b/PEMStoreSSH/PEMStore.cs
@@ -137,7 +137,7 @@ internal X509Certificate2Collection GetCertificates(string storePassword, out bo
 }
 }
- internal void RemoveCertificate(string alias)
+ internal void RemoveCertificate(string alias, string linuxFilePermissions)
 {
 try
 {
@@ -159,7 +159,7 @@ internal void RemoveCertificate(string alias)
 {
 mutex.WaitOne();
 SSH.RemoveCertificateFile(PrivateKeyPath);
- SSH.CreateEmptyStoreFile(PrivateKeyPath);
+ SSH.CreateEmptyStoreFile(PrivateKeyPath, linuxFilePermissions);
 }
 catch (Exception ex)
 {
@@ -196,9 +196,9 @@ internal bool IsValidStore(string path)
 return CertificateHandler.IsValidStore(path, ServerType, SSH);
 }
- internal void CreateEmptyStoreFile(string path)
+ internal void CreateEmptyStoreFile(string path, string linuxFilePermissions)
 {
- SSH.CreateEmptyStoreFile(path);
+ SSH.CreateEmptyStoreFile(path, linuxFilePermissions);
 }
 internal bool IsStorePathValid(string path)
diff --git a/PEMStoreSSH/RemoteHandlers/BaseRemoteHandler.cs b/PEMStoreSSH/RemoteHandlers/BaseRemoteHandler.cs
index 4d5d02d..602f61b 100644
--- a/PEMStoreSSH/RemoteHandlers/BaseRemoteHandler.cs
+++ b/PEMStoreSSH/RemoteHandlers/BaseRemoteHandler.cs
@@ -33,7 +33,7 @@ public BaseRemoteHandler()
 public abstract void RemoveCertificateFile(string path);
- public abstract void CreateEmptyStoreFile(string path);
+ public abstract void CreateEmptyStoreFile(string path, string linuxFilePermissions);
 }
 }
diff --git a/PEMStoreSSH/RemoteHandlers/IRemoteHandler.cs b/PEMStoreSSH/RemoteHandlers/IRemoteHandler.cs
index 7d8fb4f..81d4b97 100644
--- a/PEMStoreSSH/RemoteHandlers/IRemoteHandler.cs
+++ b/PEMStoreSSH/RemoteHandlers/IRemoteHandler.cs
@@ -23,6 +23,6 @@ interface IRemoteHandler
 void RemoveCertificateFile(string path);
- void CreateEmptyStoreFile(string path);
+ void CreateEmptyStoreFile(string path, string linuxFilePermissions);
 }
 }
diff --git a/PEMStoreSSH/RemoteHandlers/SSHHandler.cs b/PEMStoreSSH/RemoteHandlers/SSHHandler.cs
index 7cdc2ed..0700a86 100644
--- a/PEMStoreSSH/RemoteHandlers/SSHHandler.cs
+++ b/PEMStoreSSH/RemoteHandlers/SSHHandler.cs
@@ -10,12 +10,15 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Text.RegularExpressions;
 using System.Text;
 namespace Keyfactor.Extensions.Orchestrator.PEMStoreSSH.RemoteHandlers
 {
 class SSHHandler : BaseRemoteHandler
 {
+ private const string LINUX_PERMISSION_REGEXP = "^[0-7]{3}$";
+
 private ConnectionInfo Connection { get; set; }
 internal SSHHandler(string server, string serverLogin, string serverPassword)
@@ -79,7 +82,7 @@ public override string RunCommand(string commandText, object[] arguments, bool w
 _logger.LogDebug($"RunCommand: {displayCommand}");
 command.Execute();
 _logger.LogDebug($"SSH Results: {displayCommand}::: {command.Result}::: {command.Error}");
- return command.Result;
+ return commandText.StartsWith("ls ", StringComparison.OrdinalIgnoreCase) && string.IsNullOrEmpty(command.Result) && !string.IsNullOrEmpty(command.Error) ? command.Error : command.Result;
 }
 }
 finally
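Review bot: The new `linuxFilePermissions` parameter on the IRemoteHandler contract carries no documentation of its expected format, and the two implementers in this commit treat it differently (SSHHandler enforces `^[0-7]{3}$` and throws otherwise; WinRMHandler ignores it). An XML doc on the interface method fixes the contract for any future handler, e.g. `/// <param name="linuxFilePermissions">Octal file mode as exactly three digits 0-7 (for example "600"); applied by Linux handlers, ignored by handlers for platforms without POSIX modes.</param>`. The same comment belongs on the abstract declaration in the BaseRemoteHandler hunk above.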
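Review bot: The rewritten `return` in RunCommand hands back stderr as if it were stdout whenever the command starts with `ls ` and produced no output, so a caller that parses the result as a listing now receives error text in the same string, and nothing in the hunk records why. If the intent is to let a caller detect a missing path, the minimum is a comment at the return stating that contract, e.g. `// For "ls" probes an empty stdout with stderr set means the path does not exist; surface stderr so the caller can report it.`; a cleaner shape would be an `out string error` parameter or a small result type carrying Result and Error separately so callers do not have to sniff the text. The callers that rely on this are outside the hunk, so the intent is inferred. RunCommand's body starts and ends outside this hunk.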
@@ -247,9 +250,10 @@ public override void RemoveCertificateFile(string path)
 RunCommand($"rm {path}", null, ApplicationSettings.UseSudo, null);
 }
- public override void CreateEmptyStoreFile(string path)
+ public override void CreateEmptyStoreFile(string path, string linuxFilePermissions)
 {
- RunCommand($"touch {path}", null, ApplicationSettings.UseSudo, null);
+ AreLinuxPermissionsValid(linuxFilePermissions);
+ RunCommand($"install -m {linuxFilePermissions} /dev/null {path}", null, false, null);
 // modify file owner if cert store file was created with sudo
 if (ApplicationSettings.UseSudo)
@@ -258,6 +262,13 @@ public override void CreateEmptyStoreFile(string path)
 }
 }
+ public static void AreLinuxPermissionsValid(string permissions)
+ {
+ Regex regex = new Regex(LINUX_PERMISSION_REGEXP);
+ if (!regex.IsMatch(permissions))
+ throw new PEMException($"Invalid format for Linux file permissions. This value must be exactly 3 digits long with each digit between 0-7 but found {permissions} instead.");
+ }
+
 private string ReplaceSpacesWithLF(string privateKey)
 {
 return privateKey.Replace(" RSA PRIVATE ", "^^^").Replace(" ", System.Environment.NewLine).Replace("^^^", " RSA PRIVATE ");
diff --git a/PEMStoreSSH/RemoteHandlers/WinRMHandler.cs b/PEMStoreSSH/RemoteHandlers/WinRMHandler.cs
index e6d7950..9c3dd90 100644
--- a/PEMStoreSSH/RemoteHandlers/WinRMHandler.cs
+++ b/PEMStoreSSH/RemoteHandlers/WinRMHandler.cs
@@ -10,12 +10,15 @@
 using System.Collections.Generic;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
+using System.Net;
 using System.Text;
 namespace Keyfactor.Extensions.Orchestrator.PEMStoreSSH.RemoteHandlers
 {
 class WinRMHandler : BaseRemoteHandler
 {
+ WSManConnectionInfo connectionInfo { get; set; }
+
 internal WinRMHandler(string server, string serverLogin, string serverPassword)
 {
 if (string.IsNullOrEmpty(server))
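Review bot: The new `install -m ... /dev/null {path}` is always run without sudo (the literal `false`) where the old `touch` used `ApplicationSettings.UseSudo`, yet the `// modify file owner if cert store file was created with sudo` comment and the `if (ApplicationSettings.UseSudo)` owner fix-up right after it are kept; if the drop is intentional the comment is stale and the fix-up is redundant, and if it is not, stores under directories the login user cannot write to, which `sudo touch` used to handle, will now fail to be created. Setting the mode at creation time is a good change in itself, since it removes the window in which a touched file carries the umask default before a later chmod. Either restore the flag, `RunCommand($"install -m {linuxFilePermissions} /dev/null {path}", null, ApplicationSettings.UseSudo, null);`, or replace the comment with one saying the file is deliberately created as the login user so no ownership change is expected. The remainder of CreateEmptyStoreFile is outside this hunk.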
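Review bot: `AreLinuxPermissionsValid` relies on `LINUX_PERMISSION_REGEXP` (`^[0-7]{3}$`, declared in the `@@ -10` hunk of this file), and in .NET `$` without RegexOptions.Multiline also matches immediately before a final newline, so a value ending in a newline passes the check and is then interpolated into the `install` command line; a null value also reaches `IsMatch` and raises ArgumentNullException instead of the intended PEMException. Anchoring with `\z` — `private const string LINUX_PERMISSION_REGEXP = @"^[0-7]{3}\z";` — and guarding with `permissions != null && permissions.Length == 3` pins the value to exactly three octal digits, which is what the exception message promises. Two smaller points: the name reads as a bool predicate but the method returns void and throws, so `ValidateLinuxPermissions` would match what it does, and the `Regex` could be a `private static readonly` field rather than being constructed on every call.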
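Review bot: The new `WSManConnectionInfo connectionInfo { get; set; }` is a property with no access modifier and a camelCase name, which reads like a local and breaks with the file's `Server`-style members; as it is only assigned in the constructor, a field states the intent more directly: `private readonly WSManConnectionInfo _connectionInfo;` (renaming the constructor and RunCommand references), or at least `private WSManConnectionInfo ConnectionInfo { get; }`. Because RunCommand now sets `AuthenticationMechanism` on this one shared instance on every call (the `@@ -32` hunk), a one-line comment on the member saying it is reused across commands and mutated per call would help the next reader.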
@@ -24,6 +27,11 @@ internal WinRMHandler(string server, string serverLogin, string serverPassword)
 }
 Server = server;
+ connectionInfo = new WSManConnectionInfo(new System.Uri($"{Server}/wsman"));
+ if (!string.IsNullOrEmpty(serverLogin))
+ {
+ connectionInfo.Credential = new PSCredential(serverLogin, new NetworkCredential(serverLogin, serverPassword).SecurePassword);
+ }
 }
 public override string RunCommand(string commandText, object[] parameters, bool withSudo, string[] passwordsToMaskInLog)
@@ -32,7 +40,6 @@ public override string RunCommand(string commandText, object[] parameters, bool
 try
 {
- WSManConnectionInfo connectionInfo = new WSManConnectionInfo(new System.Uri($"{Server}/wsman"));
 if (ApplicationSettings.UseNegotiateAuth)
 {
 connectionInfo.AuthenticationMechanism = AuthenticationMechanism.Negotiate;
@@ -146,7 +153,7 @@ public override void RemoveCertificateFile(string path)
 RunCommand($@"rm ""{path}""", null, false, null);
 }
- public override void CreateEmptyStoreFile(string path)
+ public override void CreateEmptyStoreFile(string path, string linuxFilePermissions)
 {
 RunCommand($@"Out-File -FilePath ""{path}""", null, false, null);
 }
diff --git a/PEMStoreSSH/config.json b/PEMStoreSSH/config.json
index 6b77ffb..407f6dd 100644
--- a/PEMStoreSSH/config.json
+++ b/PEMStoreSSH/config.json
@@ -4,5 +4,6 @@
 "UseSeparateUploadFilePath": "N",
 "SeparateUploadFilePath": "/path/to/upload/folder/",
 "UseNegotiateAuth": "N",
- "UseSCP": "N"
+ "UseSCP": "N",
+ "DefaultLinuxPermissionsOnStoreCreation": "600"
 }
diff --git a/README.md b/README.md
index 182daf2..3de0a6c 100644
--- a/README.md
+++ b/README.md
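Review bot: The credential is attached only when `serverLogin` is non-empty, so a store configured with a password but no user id silently falls back to whatever identity the orchestrator process runs as, and neither branch logs which identity will be used. A debug line in an `else` branch (never including the password) makes that decision visible when a WinRM job is troubleshot, e.g. `else { _logger.LogDebug($"No WinRM login supplied for {Server}; using the orchestrator service account."); }` — SSHHandler uses `_logger` this way, so it is presumably available here too; confirm. Going through `NetworkCredential(...).SecurePassword` is reasonable given PSCredential requires a SecureString, though the plaintext `serverPassword` string stays in memory regardless, so the SecureString adds no protection here. The constructor begins outside this hunk.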
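Review bot: `linuxFilePermissions` is accepted by the Windows `CreateEmptyStoreFile` but never used, and nothing tells a reader that this is deliberate rather than an oversight. A one-line XML comment on the override, `/// <param name="linuxFilePermissions">Ignored: Windows targets have no POSIX mode; present to satisfy the IRemoteHandler contract.</param>`, or a discard such as `_ = linuxFilePermissions;` with the same remark, documents it. A reader comparing this with the SSH `install -m` path may also expect the `Out-File` result to be tightened beyond the directory's inherited ACL; if leaving ACLs to the host is intended, a comment saying so is enough.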
@@ -61,8 +61,10 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo - **Private Keys** – Optional (a certificate in a PEM/PKCS12 Keystore may or may not contain a private key) - **PFX Password Style** – Select Custom. - **Job Types** – Discovery, Inventory, Add, and Remove are the 3 job types implemented by this Orchestrator -- **Parameters** – Three custom parameters are used for this store type. They are: +- **Parameters** – Five custom parameters are used for this store type. They are: + ![](Images/setup-3.png) + - **Type (Name MUST be "type"):** ![](Images/custom-field-1.png) @@ -79,6 +81,9 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo ![](Images/custom-field-4.png) + - **Linux File Permissions on Store Creation (Name MUST be "linuxFilePermissionsOnStoreCreation"):** - Optional parameter. Overrides the optional config.json DefaultLinuxPermissionsOnStoreCreation setting (see section 4 below) for a specific certificate store. This value will set the file permissions (Linux only) of a new certificate store created via a Management-Create job. If this parameter is not added or added but not set, the permissions used will be derived from the DefaultLinuxPermissionsOnStoreCreation setting. +![](Images/custom-field-5.png) + **2. Register the PEM_PKCS12 Orchestrator with Keyfactor** 
@@ -100,13 +105,14 @@ If you choose to manually create a PEM_PKCS12 store In Keyfactor Command rather - PAM provider information to pass the UserId/Password or UserId/SSH private key credentials - When setting up a Windows server, the format of the machine name must be – [http://_ServerName_:5985](http://ServerName:5985/), where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different, use that. The credentials used will be the Keyfactor Command service account. Because of this, for Windows orchestrated servers, setting an additional set of credentials is not necessary. **However, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** + When setting up a Windows server, the format of the machine name must be – http://ServerName:5985, where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different port, use that. The Keyfactor Command service account will be used if the credentials are left blank. **However, if you choose to not enter credentials and use the Keyfactor Command service account, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** - **Store Path** – Required. The FULL PATH and file name of the PEM/PKCS12 store being managed. File paths on Linux servers will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:\\". Valid characters for Linux store paths include any alphanumeric character, space, forward slash, hyphen, underscore, and period. For Windows servers, the aforementioned characters as well as a colon and backslash. - **Type** – Select either PEM or PKCS12 - **Separate Private Key File** – Check if the store has a separate private key file. - **Path to Private Key File** – If Separate Private Key File is checked, enter the FULL PATH to the private key file. 
File paths on Linux servers will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:". - **Orchestrator** – Select the orchestrator you wish to use to manage this store -- **Store Password** – Set the store password or set no password after clicking the supplied button. If a store password is entered, this value will be used when encrypting private keys that get written to the certificate store during certificate add operations. Selecting "No Password" will cause an unencrypted private key to be saved during add operations. +- **Store Password** – Required. Set the store password or set no password after clicking the supplied button. If a store password is entered, this value will be used when encrypting private keys that get written to the certificate store during certificate add operations. Selecting "No Password" will cause an unencrypted private key to be saved during add operations. +- **Linux File Permissions on Store Creation** - Optional (Linux only). Set the Linux file permissions you wish to be set when creating a new physical certificate store via checking Create Certificate Store above. This value must be 3 digits all betwwen 0-7. - **Inventory Schedule** – Set a schedule for running Inventory jobs or none, if you choose not to schedule Inventory at this time. **3b. (Optional) Schedule a PEM_PKCS12 Discovery Job** 
@@ -127,7 +133,7 @@ First, in Keyfactor Command navigate to Certificate Locations =\> Certificate St - PAM provider information to pass the UserId/Password or UserId/SSH private key credentials - When setting up a Windows server, the format of the machine name must be – [http://_ServerName_:5985](http://ServerName:5985/), where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different, use that. The credentials used will be the Keyfactor Command service account. Because of this, for Windows orchestrated servers, setting an additional set of credentials is not necessary. **However, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** + When setting up a Windows server, the format of the machine name must be – http://ServerName:5985, where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different port, use that. The Keyfactor Command service account will be used if the credentials are left blank. **However, if you choose to not enter credentials and use the Keyfactor Command service account, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** - **When** – Required. The date and time when you would like this to execute. - **Directories to search** – Required. A comma delimited list of the FULL PATHs and file names where you would like to recursively search for PEM/PKCS12 stores. File paths on Linux servers will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:\\". Entering the string "fullscan" when Discovering against a Windows server will automatically do a recursive search on ALL local drives on the server. - **Directories to ignore** – Optional. A comma delimited list of the FULL PATHs that should be recursively ignored when searching for PEM/PKCS12 stores. 
Linux file paths will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:\\". @@ -150,7 +156,8 @@ The PEM_PKCS12 Orchestrator uses a JSON config file: "UseSeparateUploadFilePath": "N", "SeparateUploadFilePath": "/path/to/upload/folder/", "UseNegotiateAuth": "N", -"UseSCP": "N" +"UseSCP": "N", +"DefaultLinuxPermissionsOnStoreCreation": "600" } **UseSudo** - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands ssh uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For orchestrated Windows servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. 
@@ -158,7 +165,8 @@ The PEM_PKCS12 Orchestrator uses a JSON config file: **UseSeparateUploadFilePath** (Linux only) – When adding a certificate to a PEM or PKCS12 store, the PEM_PKCS12 Orchestrator must upload the certificate being deployed to the server where the certificate store resides. Setting this value to "Y" looks to the next setting, SeparateUploadFilePath, to determine where this file should be uploaded. Set this value to "N" to use the same path where the certificate store being managed resides. **SeparateUploadFilePath** (Linux only) – Only used when UseSeparateUploadFilePath is set to "Y". Set this to the path you wish to use as the location to upload and later remove PEM/PKCS12 certificate store data before being moved to the final destination. **UseNegotiateAuth** (Windows only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. -**UseSCP** (Optional, Linux only) - Y/N - Detemines if SCP (Y) or SFTP (N) should be used in uploading certificate files during Management-Add jobs. +**UseSCP** (Optional, Linux only) - Y/N - Detemines if SCP (Y) or SFTP (N) should be used in uploading certificate files during Management-Add jobs. +**DefaultLinuxPermissionsOnStoreCreation** (Linux only) - Optional. Value must be 3 digits all between 0-7. The Linux file permissions that will be set on a new certificate store created via a Management Create job. This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store. If "Linux File Permissions on Store Creation" and DefaultLinuxPermissionsOnStoreCreation are not set, a default permission of 600 will be used. *** diff --git a/README.md.tpl b/README.md.tpl index aec0cde..4a690bd 100644 --- a/README.md.tpl +++ b/README.md.tpl 
@@ -61,8 +61,10 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo - **Private Keys** – Optional (a certificate in a PEM/PKCS12 Keystore may or may not contain a private key) - **PFX Password Style** – Select Custom. - **Job Types** – Discovery, Inventory, Add, and Remove are the 3 job types implemented by this Orchestrator -- **Parameters** – Three custom parameters are used for this store type. They are: +- **Parameters** – Five custom parameters are used for this store type. They are: + ![](Images/setup-3.png) + - **Type (Name MUST be "type"):** ![](Images/custom-field-1.png) @@ -79,6 +81,9 @@ In Keyfactor Command create a new Certificate Store Type similar to the one belo ![](Images/custom-field-4.png) + - **Linux File Permissions on Store Creation (Name MUST be "linuxFilePermissionsOnStoreCreation"):** - Optional parameter. Overrides the optional config.json DefaultLinuxPermissionsOnStoreCreation setting (see section 4 below) for a specific certificate store. This value will set the file permissions (Linux only) of a new certificate store created via a Management-Create job. If this parameter is not added or added but not set, the permissions used will be derived from the DefaultLinuxPermissionsOnStoreCreation setting. +![](Images/custom-field-5.png) + **2. Register the PEM_PKCS12 Orchestrator with Keyfactor** 
@@ -100,13 +105,14 @@ If you choose to manually create a PEM_PKCS12 store In Keyfactor Command rather - PAM provider information to pass the UserId/Password or UserId/SSH private key credentials - When setting up a Windows server, the format of the machine name must be – [http://_ServerName_:5985](http://ServerName:5985/), where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different, use that. The credentials used will be the Keyfactor Command service account. Because of this, for Windows orchestrated servers, setting an additional set of credentials is not necessary. **However, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** + When setting up a Windows server, the format of the machine name must be – http://ServerName:5985, where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different port, use that. The Keyfactor Command service account will be used if the credentials are left blank. **However, if you choose to not enter credentials and use the Keyfactor Command service account, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** - **Store Path** – Required. The FULL PATH and file name of the PEM/PKCS12 store being managed. File paths on Linux servers will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:\\". Valid characters for Linux store paths include any alphanumeric character, space, forward slash, hyphen, underscore, and period. For Windows servers, the aforementioned characters as well as a colon and backslash. - **Type** – Select either PEM or PKCS12 - **Separate Private Key File** – Check if the store has a separate private key file. - **Path to Private Key File** – If Separate Private Key File is checked, enter the FULL PATH to the private key file. 
File paths on Linux servers will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:". - **Orchestrator** – Select the orchestrator you wish to use to manage this store -- **Store Password** – Set the store password or set no password after clicking the supplied button. If a store password is entered, this value will be used when encrypting private keys that get written to the certificate store during certificate add operations. Selecting "No Password" will cause an unencrypted private key to be saved during add operations. +- **Store Password** – Required. Set the store password or set no password after clicking the supplied button. If a store password is entered, this value will be used when encrypting private keys that get written to the certificate store during certificate add operations. Selecting "No Password" will cause an unencrypted private key to be saved during add operations. +- **Linux File Permissions on Store Creation** - Optional (Linux only). Set the Linux file permissions you wish to be set when creating a new physical certificate store via checking Create Certificate Store above. This value must be 3 digits all betwwen 0-7. - **Inventory Schedule** – Set a schedule for running Inventory jobs or none, if you choose not to schedule Inventory at this time. **3b. (Optional) Schedule a PEM_PKCS12 Discovery Job** 
@@ -127,7 +133,7 @@ First, in Keyfactor Command navigate to Certificate Locations =\> Certificate St - PAM provider information to pass the UserId/Password or UserId/SSH private key credentials - When setting up a Windows server, the format of the machine name must be – [http://_ServerName_:5985](http://ServerName:5985/), where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different, use that. The credentials used will be the Keyfactor Command service account. Because of this, for Windows orchestrated servers, setting an additional set of credentials is not necessary. **However, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** + When setting up a Windows server, the format of the machine name must be – http://ServerName:5985, where "5985" is the WinRM port number. 5985 is the standard, but if your organization uses a different port, use that. The Keyfactor Command service account will be used if the credentials are left blank. **However, if you choose to not enter credentials and use the Keyfactor Command service account, it is required that the *Change Credentials* link still be clicked on and the resulting dialog closed by clicking OK.** - **When** – Required. The date and time when you would like this to execute. - **Directories to search** – Required. A comma delimited list of the FULL PATHs and file names where you would like to recursively search for PEM/PKCS12 stores. File paths on Linux servers will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:\\". Entering the string "fullscan" when Discovering against a Windows server will automatically do a recursive search on ALL local drives on the server. - **Directories to ignore** – Optional. A comma delimited list of the FULL PATHs that should be recursively ignored when searching for PEM/PKCS12 stores. 
Linux file paths will always begin with a "/". Windows servers will always begin with the drive letter, colon, and backslash, such as "c:\\". @@ -150,7 +156,8 @@ The PEM_PKCS12 Orchestrator uses a JSON config file: "UseSeparateUploadFilePath": "N", "SeparateUploadFilePath": "/path/to/upload/folder/", "UseNegotiateAuth": "N", -"UseSCP": "N" +"UseSCP": "N", +"DefaultLinuxPermissionsOnStoreCreation": "600" } **UseSudo** - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands ssh uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For orchestrated Windows servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. 
@@ -158,7 +165,8 @@ The PEM_PKCS12 Orchestrator uses a JSON config file: **UseSeparateUploadFilePath** (Linux only) – When adding a certificate to a PEM or PKCS12 store, the PEM_PKCS12 Orchestrator must upload the certificate being deployed to the server where the certificate store resides. Setting this value to "Y" looks to the next setting, SeparateUploadFilePath, to determine where this file should be uploaded. Set this value to "N" to use the same path where the certificate store being managed resides. **SeparateUploadFilePath** (Linux only) – Only used when UseSeparateUploadFilePath is set to "Y". Set this to the path you wish to use as the location to upload and later remove PEM/PKCS12 certificate store data before being moved to the final destination. **UseNegotiateAuth** (Windows only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. -**UseSCP** (Optional, Linux only) - Y/N - Detemines if SCP (Y) or SFTP (N) should be used in uploading certificate files during Management-Add jobs. +**UseSCP** (Optional, Linux only) - Y/N - Detemines if SCP (Y) or SFTP (N) should be used in uploading certificate files during Management-Add jobs. +**DefaultLinuxPermissionsOnStoreCreation** (Linux only) - Optional. Value must be 3 digits all between 0-7. The Linux file permissions that will be set on a new certificate store created via a Management Create job. This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store. If "Linux File Permissions on Store Creation" and DefaultLinuxPermissionsOnStoreCreation are not set, a default permission of 600 will be used. ***