Citrix Netscaler Universal Orchestrator Extension

Support · Installation · License · Related Integrations

Overview

The Citrix ADC Orchestrator remotely manages certificate objects on a Citrix ADC device. Since the ADC supports services including: Load Balancing, Authentication/Authorization/Auditing (AAA), and Gateways, this orchestrator can bind to any of these virtual servers when using unique virtual server names for each service.

Compatibility

This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.

Support

The Citrix Netscaler Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.

If you want to contribute bug fixes or additional enhancements, use the Pull requests tab.

Requirements & Prerequisites

Before installing the Citrix Netscaler Universal Orchestrator extension, we recommend that you install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.

The Citrix ADC user needs permission to perform the following API calls:

API Endpoint	Methods
/nitro/v1/config/login	post
/nitro/v1/config/lbvserver	get
/nitro/v1/config/sslcertkey	get, update, add, delete
/nitro/v1/config/sslcertkey_service_binding	get, update, add, delete
/nitro/v1/config/systemfile	get, add, delete

Here is a sample policy with Min Permissions:

• Action: Allow
• Command Spec: (^stat\s+(cr|cs|lb|system|vpn))|(^(add|rm|show)\s+system\s+file\s+.)|(^\S+\s+ssl\s+.)|(^(show|stat|sync)\s+HA\s+.)|(^save\s+ns\s+config)|(^(switch|show)\s+ns\s+partition.)

CitrixAdc Certificate Store Type

To use the Citrix Netscaler Universal Orchestrator extension, you must create the CitrixAdc Certificate Store Type. This only needs to happen once per Keyfactor Command instance.

Supported Operations

Operation	Is Supported
Add	✅ Checked
Remove	✅ Checked
Discovery	🔲 Unchecked
Reenrollment	🔲 Unchecked
Create	🔲 Unchecked

Store Type Creation

Using kfutil:

kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on kfutil check out the docs

Click to expand CitrixAdc kfutil details

Using online definition from GitHub:

This will reach out to GitHub and pull the latest store-type definition

# CitrixAdc
kfutil store-types create CitrixAdc

Offline creation using integration-manifest file:

If required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.

kfutil store-types create --from-file integration-manifest.json

Manual Creation

Below are instructions on how to create the CitrixAdc store type manually in the Keyfactor Command Portal

Click to expand manual CitrixAdc details

Create a store type called CitrixAdc with the attributes in the tables below:

Basic Tab

Attribute	Value	Description
Name	CitrixAdc	Display name for the store type (may be customized)
Short Name	CitrixAdc	Short display name for the store type
Capability	CitrixAdc	Store type name orchestrator will register with. Check the box to allow entry of value
Supports Add	✅ Checked	Check the box. Indicates that the Store Type supports Management Add
Supports Remove	✅ Checked	Check the box. Indicates that the Store Type supports Management Remove
Supports Discovery	🔲 Unchecked	Indicates that the Store Type supports Discovery
Supports Reenrollment	🔲 Unchecked	Indicates that the Store Type supports Reenrollment
Supports Create	🔲 Unchecked	Indicates that the Store Type supports store creation
Needs Server	✅ Checked	Determines if a target server name is required when creating store
Blueprint Allowed	🔲 Unchecked	Determines if store type may be included in an Orchestrator blueprint
Uses PowerShell	🔲 Unchecked	Determines if underlying implementation is PowerShell
Requires Store Password	✅ Checked	Enables users to optionally specify a store password when defining a Certificate Store.
Supports Entry Password	🔲 Unchecked	Determines if an individual entry within a store can have a password.

The Basic tab should look like this:

Advanced Tab

Attribute	Value	Description
Supports Custom Alias	Required	Determines if an individual entry within a store can have a custom Alias.
Private Key Handling	Required	This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid.
PFX Password Style	Default	'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.)

The Advanced tab should look like this:

For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.

Custom Fields Tab

Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:

Name	Display Name	Description	Type	Default Value/Options	Required
ServerUsername	Server Username	The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.	Secret		🔲 Unchecked
ServerPassword	Server Password	The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.	Secret		🔲 Unchecked
linkToIssuer	Link To Issuer	Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate.	Bool	false	🔲 Unchecked
timeout	Login Timeout in seconds	Determines timeout in seconds for all Citrix ADC API calls.	String	3600	🔲 Unchecked

The Custom Fields tab should look like this:

Server Username

The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.

[!IMPORTANT] This field is created by the Needs Server on the Basic tab, do not create this field manually.

Server Password

The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.

[!IMPORTANT] This field is created by the Needs Server on the Basic tab, do not create this field manually.

Link To Issuer

Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate.

Login Timeout in seconds

Determines timeout in seconds for all Citrix ADC API calls.

Entry Parameters Tab

Name	Display Name	Description	Type	Default Value	Entry has a private key	Adding an entry	Removing an entry	Reenrolling an entry
virtualServerName	Virtual Server Name	When adding a certificate, this can be a single VServer name or a comma separated list of VServers to bind to Note: must match the number of Virtual SNI Cert values.	String		🔲 Unchecked	🔲 Unchecked	🔲 Unchecked	🔲 Unchecked
sniCert	SNI Cert	When adding a certificate, this can be a single boolean value (true/false) or a comma separated list of boolean values to determine whether the binding should use server name indication. Note: must match the number of Virtual Server Name values.	String		🔲 Unchecked	🔲 Unchecked	🔲 Unchecked	🔲 Unchecked

The Entry Parameters tab should look like this:

Virtual Server Name

When adding a certificate, this can be a single VServer name or a comma separated list of VServers to bind to Note: must match the number of Virtual SNI Cert values.

SNI Cert

When adding a certificate, this can be a single boolean value (true/false) or a comma separated list of boolean values to determine whether the binding should use server name indication. Note: must match the number of Virtual Server Name values.

Installation

1. Download the latest Citrix Netscaler Universal Orchestrator extension from GitHub.

   Navigate to the Citrix Netscaler Universal Orchestrator extension GitHub version page. Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive.

   Universal Orchestrator Version	Latest .NET version installed on the Universal Orchestrator server	rollForward condition in Orchestrator.runtimeconfig.json	citrix-adc-orchestrator .NET version to download
   Between 11.0.0 and 11.5.1 (inclusive)	net8.0	LatestMajor	net8.0
   11.6 and newer	net8.0		net8.0

   Unzip the archive containing extension assemblies to a known location.

   Note If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for net8.0.

2. Locate the Universal Orchestrator extensions directory.

   • Default on Windows - C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions
   • Default on Linux - /opt/keyfactor/orchestrator/extensions

3. Create a new directory for the Citrix Netscaler Universal Orchestrator extension inside the extensions directory.

   Create a new directory called citrix-adc-orchestrator.

   The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.

4. Copy the contents of the downloaded and unzipped assemblies from step 2 to the citrix-adc-orchestrator directory.

5. Restart the Universal Orchestrator service.

   Refer to Starting/Restarting the Universal Orchestrator service.

6. (optional) PAM Integration

   The Citrix Netscaler Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.

   To configure a PAM provider, reference the Keyfactor Integration Catalog to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).

The above installation steps can be supplemented by the official Command documentation.

Post Installation

An optional config.json configuration file has been provided in the extensions folder with a single setting - AutoSaveConfig. Setting this value to "Y" means successful changes made by a management job will automatically be saved to disk; no interaction with the Citrix ADC UI is necessary. Setting this value to "N" (or if the config entry or config file is missing) will keep these changes in memory only.

NOTE: Any changes in-process through the Citrix ADC UI will also be persisted to disk when a management job is performed and the AutoSaveConfig flag is set to 'Y'.

Defining Certificate Stores

Store Creation

Manually with the Command UI

Click to expand details

1. Navigate to the Certificate Stores page in Keyfactor Command.

   Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.

2. Add a Certificate Store.

   Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.

   Attribute	Description
   Category	Select "CitrixAdc" or the customized certificate store name from the previous step.
   Container	Optional container to associate certificate store with.
   Client Machine	The DNS or IP Address of the Citrix ADC Appliance.
   Store Path	The path where certificate files are located on the Citrix ADC appliance. This value will likely be /nsconfig/ssl/
   Store Password	Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.
   Orchestrator	Select an approved orchestrator capable of managing CitrixAdc certificates. Specifically, one with the CitrixAdc capability.
   ServerUsername	The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.
   ServerPassword	The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.
   linkToIssuer	Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate.
   timeout	Determines timeout in seconds for all Citrix ADC API calls.

Using kfutil CLI

Click to expand details

1. Generate a CSV template for the CitrixAdc certificate store

   kfutil stores import generate-template --store-type-name CitrixAdc --outpath CitrixAdc.csv

2. Populate the generated CSV file

   Open the CSV file, and reference the table below to populate parameters for each Attribute.

   Attribute	Description
   Category	Select "CitrixAdc" or the customized certificate store name from the previous step.
   Container	Optional container to associate certificate store with.
   Client Machine	The DNS or IP Address of the Citrix ADC Appliance.
   Store Path	The path where certificate files are located on the Citrix ADC appliance. This value will likely be /nsconfig/ssl/
   Store Password	Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.
   Orchestrator	Select an approved orchestrator capable of managing CitrixAdc certificates. Specifically, one with the CitrixAdc capability.
   Properties.ServerUsername	The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.
   Properties.ServerPassword	The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.
   Properties.linkToIssuer	Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate.
   Properties.timeout	Determines timeout in seconds for all Citrix ADC API calls.

3. Import the CSV file to create the certificate stores

   kfutil stores import csv --store-type-name CitrixAdc --file CitrixAdc.csv

PAM Provider Eligible Fields

Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator

If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.

Attribute	Description
ServerUsername	The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.
ServerPassword	The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device.
StorePassword	Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.

Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.

Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.

The content in this section can be supplemented by the official Command documentation.

Notes and Limitations

• As of release 2.2.0, ONLY certificate objects (installed certificates) will be managed by the Citrix ADC Orchestrator Extension. Prior versions also managed certificate/key file combinations uploaded to the Citrix ADC device but not yet installed. This functionality has been removed due to issues attempting to match certificate and key files due to inconsistent file naming.

• Direct PFX Binding Inventory: In NetScaler you can directly Bind a Pfx file to a Virtual Server. Keyfactor cannot inventory these because it does not have access to the password. The recommended way to Import PFX Files in NetScaler is descibed in this NetScaler Documentation

• Removing Certs from Store: Certificates that are bound to a server will not be removed. This was done to limit the possibility of bringing production servers down. Users are currently required to manually unbind the certificate from the server first and then remove via the Command and this orchestrator extension.

License

Apache License 2.0, see LICENSE.

Related Integrations

See all Keyfactor Universal Orchestrator extensions.