Ab#62167

.github/workflows/keyfactor-starter-workflow.yml

@@ -11,9 +11,10 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    uses: keyfactor/actions/.github/workflows/starter.yml@v3
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}

RemoteFile/RemoteFile.csproj

@@ -4,13 +4,9 @@
     <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
     <TargetFramework>net6.0</TargetFramework>
     <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+    <ImplicitUsings>disable</ImplicitUsings>
   </PropertyGroup>
 
-  <ItemGroup>
-    <Compile Remove="ImplementedStoreTypes\JKS\JksStore.cs" />
-    <Compile Remove="RemoteHandlers\SSHHelper.cs" />
-  </ItemGroup>
-
   <ItemGroup>
     <PackageReference Include="BouncyCastle.Cryptography" Version="2.4.0" />
     <PackageReference Include="CliWrap" Version="3.6.6" />
@@ -19,19 +15,13 @@
     <PackageReference Include="Keyfactor.PKI" Version="5.0.0" />
     <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.2.12" />
     <PackageReference Include="SSH.NET" Version="2024.0.0" />
+
+    <None Update="manifest.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+    <None Update="config.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
-  <ItemGroup>
-    <Reference Include="Renci.SshNet">
-      <HintPath>External References\Renci.SshNet.dll</HintPath>
-    </Reference>
-    <Reference Include="SshNet.Security.Cryptography">
-      <HintPath>External References\SshNet.Security.Cryptography.dll</HintPath>
-    </Reference>
-  </ItemGroup>
-
-  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
-    <Exec Command="echo F | xcopy &quot;$(ProjectDir)config.json&quot; &quot;$(TargetDir)\config.json&quot; /Y&#xD;&#xA;echo F | xcopy &quot;$(ProjectDir)manifest.json&quot; &quot;$(TargetDir)\manifest.json&quot; /Y" />
-  </Target>
-
 </Project>

docs/rfder.md

@@ -0,0 +1,126 @@
+## RFDER
+
+The RFORA store type can be used to manage Pkcs12 Oracle Wallets.  Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows.  Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created.
+
+Use cases supported:
+1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store.  Each trust entry is identified with a custom alias.
+2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain.  Each certificate identified with a custom alias.
+3. A mix of trust and key entries.
+
+
+
+### Supported Job Types
+
+| Job Name | Supported |
+| -------- | --------- |
+| Inventory | ✅ |
+| Management Add | ✅ |
+| Management Remove | ✅ |
+| Discovery | ✅ |
+| Create | ✅ |
+| Reenrollment |  |
+
+## Requirements
+
+TODO Requirements is a required section
+
+
+## Certificate Store Type Configuration
+
+The recommended method for creating the `RFDER` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `RFDER` Certificate Store Type:
+
+```shell
+kfutil store-types create RFDER
+```
+
+<details><summary>RFDER</summary>
+
+Create a store type called `RFDER` with the attributes in the tables below:
+
+### Basic Tab
+| Attribute | Value | Description |
+| --------- | ----- | ----- |
+| Name | RFDER | Display name for the store type (may be customized) |
+| Short Name | RFDER | Short display name for the store type |
+| Capability | RFDER | Store type name orchestrator will register with. Check the box to allow entry of value |
+| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports |
+| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add |
+| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove |
+| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery |
+| Supports Reenrollment |  |  Indicates that the Store Type supports Reenrollment |
+| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation |
+| Needs Server | ✅ | Determines if a target server name is required when creating store |
+| Blueprint Allowed |  | Determines if store type may be included in an Orchestrator blueprint |
+| Uses PowerShell |  | Determines if underlying implementation is PowerShell |
+| Requires Store Password | ✅ | Determines if a store password is required when configuring an individual store. |
+| Supports Entry Password |  | Determines if an individual entry within a store can have a password. |
+
+The Basic tab should look like this:
+
+![RFDER Basic Tab](../docsource/images/RFDER-basic-store-type-dialog.png)
+
+### Advanced Tab
+| Attribute | Value | Description |
+| --------- | ----- | ----- |
+| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
+| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
+
+The Advanced tab should look like this:
+
+![RFDER Advanced Tab](../docsource/images/RFDER-advanced-store-type-dialog.png)
+
+### Custom Fields Tab
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
+
+| Name | Display Name | Type | Default Value/Options | Required | Description |
+| ---- | ------------ | ---- | --------------------- | -------- | ----------- |
+| LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | String |  |  | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. |
+| LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | String |  |  | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. |
+| SudoImpersonatingUser | Sudo Impersonating User | String |  |  | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. |
+| SeparatePrivateKeyFilePath | Separate Private Key File Location | String |  |  | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'. |
+
+
+The Custom Fields tab should look like this:
+
+![RFDER Custom Fields Tab](../docsource/images/RFDER-custom-fields-store-type-dialog.png)
+
+
+
+</details>
+
+
+
+
+## Certificate Store Configuration
+
+After creating the `RFDER` Certificate Store Type and installing the Remote File Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform.
+
+The following table describes the required and optional fields for the `RFDER` certificate store type.
+
+| Attribute | Description | Attribute is PAM Eligible |
+| --------- | ----------- | ------------------------- |
+| Category | Select "RFDER" or the customized certificate store name from the previous step. | |
+| Container | Optional container to associate certificate store with. | |
+| Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. | |
+| Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.der) for Windows orchestrated servers. Example: '/folder/path/storename.der' or 'c:\folder\path\storename.der'. | |
+| Orchestrator | Select an approved orchestrator capable of managing `RFDER` certificates. Specifically, one with the `RFDER` capability. | |
+| LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. |  |
+| LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. |  |
+| SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. |  |
+| SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'. |  |
+
+* **Using kfutil**
+
+    ```shell
+    # Generate a CSV template for the AzureApp certificate store
+    kfutil stores import generate-template --store-type-name RFDER --outpath RFDER.csv
+
+    # Open the CSV file and fill in the required fields for each certificate store.
+
+    # Import the CSV file to create the certificate stores
+    kfutil stores import csv --store-type-name RFDER --file RFDER.csv
+    ```
+
+* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above.
+