diff --git a/CHANGELOG.md b/CHANGELOG.md
index b0af976..dc64036 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+2.6.1
+* documentation updates for the 2.6 release
+* fix a naming typo in the 2.5 migration SQL script
+* update integration-manifest.json
+
2.6.0
* Added the ability to run the extension in a Linux environment. To utilize this change, for each Cert Store Types (WinCert/WinIIS/WinSQL), add ssh to the Custom Field WinRM Protocol. When using ssh as a protocol, make sure to enter the appropriate ssh port number under WinRM Port.
* NOTE: For legacy purposes the Display names WinRM Protocol and WinRM Port are maintained although the type of protocols now includes ssh.
diff --git a/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql b/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql
index 4122385..e36f829 100644
--- a/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql
+++ b/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql
@@ -37,28 +37,28 @@ BEGIN TRY
-- perform batch processing on certstoreinventoryitems to alter their EntryParameters to change the SNiFlag value to be a simple character instead of lots of text
-- replace 0 - No SNI
UPDATE inventoryitems
- SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '0 - No SNI', '0')
+ SET inventoryitems.[EntryParameters] = REPLACE(inventoryitems.[EntryParameters], '0 - No SNI', '0')
FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
WHERE inventoryitems.[EntryParameters] LIKE '%0 - No SNI%'
-- replace 1 - SNI Enabled
UPDATE inventoryitems
- SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '1 - SNI Enabled', '1')
+ SET inventoryitems.[EntryParameters] = REPLACE(inventoryitems.[EntryParameters], '1 - SNI Enabled', '1')
FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
WHERE inventoryitems.[EntryParameters] LIKE '%1 - SNI Enabled%'
-- replace 2 - Non SNI Binding
UPDATE inventoryitems
- SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '2 - Non SNI Binding', '2')
+ SET inventoryitems.[EntryParameters] = REPLACE(inventoryitems.[EntryParameters], '2 - Non SNI Binding', '2')
FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
WHERE inventoryitems.[EntryParameters] LIKE '%2 - Non SNI Binding%'
-- replace 3 - SNI Binding
UPDATE inventoryitems
- SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '3 - SNI Binding', '3')
+ SET inventoryitems.[EntryParameters] = REPLACE(inventoryitems.[EntryParameters], '3 - SNI Binding', '3')
FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems
INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id]
WHERE inventoryitems.[EntryParameters] LIKE '%3 - SNI Binding%'
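Review bot: Each corrected REPLACE at L23, L30, L37 and L44 still rewrites every occurrence of the label anywhere in `[EntryParameters]`, not only the SNI flag value, so if that column carries other parameter text that happens to contain the same phrase (cannot tell from this hunk) it would be altered as well; anchoring the search string on the key the flag is stored under, e.g. the `"SniFlag":"0 - No SNI"` to `"SniFlag":"0"` form if that is the serialization, would make the migration touch only the intended value. The script also leaves no record of how many rows each pass changed, which a data-rewriting migration should emit for audit; adding `PRINT CONCAT('0 - No SNI rows updated: ', @@ROWCOUNT);` after each UPDATE (with the matching label) gives the operator something to reconcile against the #InventoryItems count. The enclosing BEGIN TRY block, the population of #InventoryItems and any surrounding transaction all start outside this hunk, so whether the four UPDATEs are committed atomically is not visible here.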
diff --git a/README.md b/README.md
index 5e3e399..bc65fa0 100644
--- a/README.md
+++ b/README.md
@@ -31,17 +31,32 @@
## Overview
-The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command:
+The Windows Certificate Orchestrator Extension is a multi-purpose integration that can remotely manage certificates on a Windows Server's Local Machine Store. This extension currently manages certificates for the current store types:
+* WinCert - Certificates defined by path set for the Certificate Store
+* WinIIS - IIS Bound certificates
+* WinSQL - Certificates that are bound to the specified SQL Instances
+
+By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
+For a complete list of local machine cert stores you can execute the PowerShell command:
Get-ChildItem Cert:\LocalMachine
The returned list will contain the actual certificate store name to be used when entering store location.
-By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
-
This extension implements four job types: Inventory, Management Add/Remove, and Reenrollment.
-WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
+The Keyfactor Universal Orchestrator (UO) and WinCert Extension can be installed on either Windows or Linux operating systems. A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO Service managing local certificates on the same server running the service is considered an Agent. When acting as an Orchestrator, connectivity from the orchestrator server hosting the WinCert extension to the orchestrated server hosting the certificate stores(s) being managed is achieved via either an SSH (for Linux orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent (Windows only), WinRM may still be used, OR the certificate store can be configured to bypass a WinRM connection and instead directly access the orchestrator server's certificate stores.
+
+
+
+Please refer to the READMEs for each supported store type for more information on proper configuration and setup for these different stores. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below:
+
+| | UO Installed on Windows | UO Installed on Linux |
+|-----|-----|------|
+|Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection |
+|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | Not Supported |
+
+WinRM is used to remotely manage the certificate stores and IIS bindings on Windows machines only. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
**Note:**
In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options:
@@ -87,6 +102,8 @@ The IISU store type represents the IIS servers and their certificate bindings. I
#### Limitations and Areas of Confusion
- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues.
+
When performing Inventory, all bound certificates regardless to their store location will be returned.
+
When executing an Add or Renew Management job, the Store Location will be considered and place the certificate in that location.
- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured.
@@ -122,6 +139,28 @@ The Windows Certificate Universal Orchestrator extension If you have a support i
Before installing the Windows Certificate Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
+
+Using the WinCert Extension on Linux servers:
+
+1. General SSH Setup Information: PowerShell 6 or higher and SSH must be installed on all computers. Install SSH, including ssh server, that's appropriate for your platform. You also need to install PowerShell from GitHub to get the SSH remoting feature. The SSH server must be configured to create a SSH subsysten to host a PowerShell process on the remote computer. It is suggested to turn off password authentication as this extension uses key-based authentication.
+
+2. SSH Authentication: When creating a Keyfactor certificate store for the WinCert orchestrator extension, the only protocol supported to communicate with Windows servers is ssh. When providing the user id and password, the connection is attempted by creating a temporary private key file using the contents in the Password textbox. Therefore, the password field must contain the full SSH Private key.
+
+
+
+
+Using the WinCert Extension on Windows servers:
+
+1. When orchestrating management of external (and potentially local) certificate stores, the WinCert Orchestrator Extension makes use of WinRM to connect to external certificate store servers. The security context used is the user id entered in the Keyfactor Command certificate store. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores jobs. If running as an agent, managing local certificate stores, local commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service.
+
+
+
+Please consult with your company's system administrator for more information on configuring SSH or WinRM in your environment.
+
+### PowerShell Requirements
+PowerShell is extensively used to inventory and manage certificates across each Certificate Store Type. Windows Desktop and Server includes PowerShell 5.1 that is capable of running all or most PowerShell functions. If the Orchestrator is to run in a Linux environment using SSH as their communication protocol, PowerShell 6.1 or greater is required (7.4 or greater is recommended).
+In addition to PowerShell, IISU requires additional PowerShell modules to be installed and available. These modules include: WebAdministration and IISAdministration, versions 1.1.
+
### Security and Permission Considerations
From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account.
@@ -206,10 +245,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Name | Display Name | Description | Type | Default Value/Options | Required |
| ---- | ------------ | ---- | --------------------- | -------- | ----------- |
| spnwithport | SPN With Port | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | false | 🔲 Unchecked |
- | WinRM Protocol | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | MultipleChoice | https,http | ✅ Checked |
- | WinRM Port | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | String | 5986 | ✅ Checked |
+ | WinRM Protocol | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. | MultipleChoice | https,http,ssh | ✅ Checked |
+ | WinRM Port | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. | String | 5986 | ✅ Checked |
| ServerUsername | Server Username | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | Secret | | 🔲 Unchecked |
- | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | Secret | | 🔲 Unchecked |
+ | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. | Secret | | 🔲 Unchecked |
| ServerUseSsl | Use SSL | Determine whether the server uses SSL or not (This field is automatically created) | Bool | true | ✅ Checked |
The Custom Fields tab should look like this:
@@ -289,10 +328,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Name | Display Name | Description | Type | Default Value/Options | Required |
| ---- | ------------ | ---- | --------------------- | -------- | ----------- |
| spnwithport | SPN With Port | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | false | 🔲 Unchecked |
- | WinRM Protocol | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | MultipleChoice | https,http | ✅ Checked |
- | WinRM Port | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | String | 5986 | ✅ Checked |
+ | WinRM Protocol | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. | MultipleChoice | https,http,ssh | ✅ Checked |
+ | WinRM Port | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. | String | 5986 | ✅ Checked |
| ServerUsername | Server Username | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | Secret | | 🔲 Unchecked |
- | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | Secret | | 🔲 Unchecked |
+ | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. | Secret | | 🔲 Unchecked |
| ServerUseSsl | Use SSL | Determine whether the server uses SSL or not (This field is automatically created) | Bool | true | ✅ Checked |
The Custom Fields tab should look like this:
@@ -378,10 +417,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Name | Display Name | Description | Type | Default Value/Options | Required |
| ---- | ------------ | ---- | --------------------- | -------- | ----------- |
| spnwithport | SPN With Port | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | false | 🔲 Unchecked |
- | WinRM Protocol | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | MultipleChoice | https,http | ✅ Checked |
- | WinRM Port | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | String | 5986 | ✅ Checked |
+ | WinRM Protocol | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. | MultipleChoice | https,http,ssh | ✅ Checked |
+ | WinRM Port | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. | String | 5986 | ✅ Checked |
| ServerUsername | Server Username | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | Secret | | 🔲 Unchecked |
- | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | Secret | | 🔲 Unchecked |
+ | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. | Secret | | 🔲 Unchecked |
| ServerUseSsl | Use SSL | Determine whether the server uses SSL or not (This field is automatically created) | Bool | true | ✅ Checked |
| RestartService | Restart SQL Service After Cert Installed | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | Bool | false | ✅ Checked |
@@ -474,10 +513,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Store Path | Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store. |
| Orchestrator | Select an approved orchestrator capable of managing `WinCert` certificates. Specifically, one with the `WinCert` capability. |
| spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
- | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. |
- | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. |
+ | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+ | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
| ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. |
- | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. |
+ | ServerPassword | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. |
| ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) |
@@ -505,10 +544,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Store Path | Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store. |
| Orchestrator | Select an approved orchestrator capable of managing `WinCert` certificates. Specifically, one with the `WinCert` capability. |
| spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
- | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. |
- | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. |
+ | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+ | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
| ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. |
- | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. |
+ | ServerPassword | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. |
| ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) |
@@ -548,10 +587,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Store Path | Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store. |
| Orchestrator | Select an approved orchestrator capable of managing `IISU` certificates. Specifically, one with the `IISU` capability. |
| spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
- | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. |
- | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. |
+ | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+ | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
| ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. |
- | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. |
+ | ServerPassword | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. |
| ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) |
@@ -579,10 +618,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Store Path | Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store. |
| Orchestrator | Select an approved orchestrator capable of managing `IISU` certificates. Specifically, one with the `IISU` capability. |
| spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
- | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. |
- | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. |
+ | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+ | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
| ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. |
- | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. |
+ | ServerPassword | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. |
| ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) |
@@ -622,10 +661,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Store Path | Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server. |
| Orchestrator | Select an approved orchestrator capable of managing `WinSql` certificates. Specifically, one with the `WinSql` capability. |
| spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
- | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. |
- | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. |
+ | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+ | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
| ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. |
- | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. |
+ | ServerPassword | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. |
| ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) |
| RestartService | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. |
@@ -654,10 +693,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
| Store Path | Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server. |
| Orchestrator | Select an approved orchestrator capable of managing `WinSql` certificates. Specifically, one with the `WinSql` capability. |
| spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
- | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. |
- | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. |
+ | WinRM Protocol | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+ | WinRM Port | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
| ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. |
- | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. |
+ | ServerPassword | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. |
| ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) |
| RestartService | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. |
@@ -678,11 +717,10 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat
-## Note Regarding Client Machine
-
-If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection.
+## Client Machine Instructions
+Prior to version 2.6, this extension would only run in the Windows environment. Version 2.6 and greater is capable of running on Linux, however, only the SSH protocol is supported.
-Here are the settings required for each Store Type previously configured.
+If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection.
## License
diff --git a/WindowsCertStore.sln b/WindowsCertStore.sln
index 883ef0b..bbc52c3 100644
--- a/WindowsCertStore.sln
+++ b/WindowsCertStore.sln
@@ -23,6 +23,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{630203
images\IISUCertStoreBasic.png = images\IISUCertStoreBasic.png
images\IISUCustomFields.png = images\IISUCustomFields.png
images\IISUEntryParams.png = images\IISUEntryParams.png
+ images\orchestrator-agent.png = images\orchestrator-agent.png
images\ReEnrollment1.png = images\ReEnrollment1.png
images\ReEnrollment1a.png = images\ReEnrollment1a.png
images\ReEnrollment1b.png = images\ReEnrollment1b.png
@@ -36,6 +37,30 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{630203
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WinCertTestConsole", "WinCertTestConsole\WinCertTestConsole.csproj", "{D0F4A3CC-5236-4393-9C97-AE55ACE319F2}"
EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docsource", "docsource", "{CFCAC7FE-C9E1-4822-A1B5-45F16E62F5FF}"
+ ProjectSection(SolutionItems) = preProject
+ docsource\content.md = docsource\content.md
+ docsource\iisu.md = docsource\iisu.md
+ docsource\wincert.md = docsource\wincert.md
+ docsource\winsql.md = docsource\winsql.md
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{60C10FF8-54FC-4C18-A2EA-F3580ABF0405}"
+ ProjectSection(SolutionItems) = preProject
+ docsource\images\IISU-advanced-store-type-dialog.png = docsource\images\IISU-advanced-store-type-dialog.png
+ docsource\images\IISU-basic-store-type-dialog.png = docsource\images\IISU-basic-store-type-dialog.png
+ docsource\images\IISU-custom-fields-store-type-dialog.png = docsource\images\IISU-custom-fields-store-type-dialog.png
+ docsource\images\IISU-entry-parameters-store-type-dialog.png = docsource\images\IISU-entry-parameters-store-type-dialog.png
+ docsource\images\WinCert-advanced-store-type-dialog.png = docsource\images\WinCert-advanced-store-type-dialog.png
+ docsource\images\WinCert-basic-store-type-dialog.png = docsource\images\WinCert-basic-store-type-dialog.png
+ docsource\images\WinCert-custom-fields-store-type-dialog.png = docsource\images\WinCert-custom-fields-store-type-dialog.png
+ docsource\images\WinCert-entry-parameters-store-type-dialog.png = docsource\images\WinCert-entry-parameters-store-type-dialog.png
+ docsource\images\WinSql-advanced-store-type-dialog.png = docsource\images\WinSql-advanced-store-type-dialog.png
+ docsource\images\WinSql-basic-store-type-dialog.png = docsource\images\WinSql-basic-store-type-dialog.png
+ docsource\images\WinSql-custom-fields-store-type-dialog.png = docsource\images\WinSql-custom-fields-store-type-dialog.png
+ docsource\images\WinSql-entry-parameters-store-type-dialog.png = docsource\images\WinSql-entry-parameters-store-type-dialog.png
+ EndProjectSection
+EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
@@ -65,6 +90,8 @@ Global
EndGlobalSection
GlobalSection(NestedProjects) = preSolution
{6302034E-DF8C-4B65-AC36-CED24C068999} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
+ {CFCAC7FE-C9E1-4822-A1B5-45F16E62F5FF} = {1A6C93E7-24FD-47FD-883D-EDABF5CEE4C6}
+ {60C10FF8-54FC-4C18-A2EA-F3580ABF0405} = {CFCAC7FE-C9E1-4822-A1B5-45F16E62F5FF}
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {E0FA12DA-6B82-4E64-928A-BB9965E636C1}
diff --git a/docsource/content.md b/docsource/content.md
index 8acf59d..39d1793 100644
--- a/docsource/content.md
+++ b/docsource/content.md
@@ -1,16 +1,30 @@
## Overview
+The Windows Certificate Orchestrator Extension is a multi-purpose integration that can remotely manage certificates on a Windows Server's Local Machine Store. This extension currently manages certificates for the current store types:
+* WinCert - Certificates defined by path set for the Certificate Store
+* WinIIS - IIS Bound certificates
+* WinSQL - Certificates that are bound to the specified SQL Instances
-The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command:
+By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
+For a complete list of local machine cert stores you can execute the PowerShell command:
Get-ChildItem Cert:\LocalMachine
The returned list will contain the actual certificate store name to be used when entering store location.
-By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
-
This extension implements four job types: Inventory, Management Add/Remove, and Reenrollment.
-WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
+The Keyfactor Universal Orchestrator (UO) and WinCert Extension can be installed on either Windows or Linux operating systems. A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO Service managing local certificates on the same server running the service is considered an Agent. When acting as an Orchestrator, connectivity from the orchestrator server hosting the WinCert extension to the orchestrated server hosting the certificate stores(s) being managed is achieved via either an SSH (for Linux orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent (Windows only), WinRM may still be used, OR the certificate store can be configured to bypass a WinRM connection and instead directly access the orchestrator server's certificate stores.
+
+
+
+Please refer to the READMEs for each supported store type for more information on proper configuration and setup for these different stores. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below:
+
+| | UO Installed on Windows | UO Installed on Linux |
+|-----|-----|------|
+|Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection |
+|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | Not Supported |
+
+WinRM is used to remotely manage the certificate stores and IIS bindings on Windows machines only. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
**Note:**
In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options:
@@ -24,6 +38,28 @@ In version 2.0 of the IIS Orchestrator, the certificate store type has been rena
## Requirements
+
+Using the WinCert Extension on Linux servers:
+
+1. General SSH Setup Information: PowerShell 6 or higher and SSH must be installed on all computers. Install SSH, including ssh server, that's appropriate for your platform. You also need to install PowerShell from GitHub to get the SSH remoting feature. The SSH server must be configured to create a SSH subsysten to host a PowerShell process on the remote computer. It is suggested to turn off password authentication as this extension uses key-based authentication.
+
+2. SSH Authentication: When creating a Keyfactor certificate store for the WinCert orchestrator extension, the only protocol supported to communicate with Windows servers is ssh. When providing the user id and password, the connection is attempted by creating a temporary private key file using the contents in the Password textbox. Therefore, the password field must contain the full SSH Private key.
+
+
+
+
+Using the WinCert Extension on Windows servers:
+
+1. When orchestrating management of external (and potentially local) certificate stores, the WinCert Orchestrator Extension makes use of WinRM to connect to external certificate store servers. The security context used is the user id entered in the Keyfactor Command certificate store. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores jobs. If running as an agent, managing local certificate stores, local commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service.
+
+
+
+Please consult with your company's system administrator for more information on configuring SSH or WinRM in your environment.
+
+### PowerShell Requirements
+PowerShell is extensively used to inventory and manage certificates across each Certificate Store Type. Windows Desktop and Server includes PowerShell 5.1 that is capable of running all or most PowerShell functions. If the Orchestrator is to run in a Linux environment using SSH as their communication protocol, PowerShell 6.1 or greater is required (7.4 or greater is recommended).
+In addition to PowerShell, IISU requires additional PowerShell modules to be installed and available. These modules include: WebAdministration and IISAdministration, versions 1.1.
+
### Security and Permission Considerations
From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account.
@@ -46,8 +82,8 @@ For customers wishing to use something other than the local administrator accoun
- Access any Cryptographic Service Provider (CSP) referenced in re-enrollment jobs.
- Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding.
-## Note Regarding Client Machine
+## Client Machine Instructions
+Prior to version 2.6, this extension would only run in the Windows environment. Version 2.6 and greater is capable of running on Linux, however, only the SSH protocol is supported.
If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection.
-Here are the settings required for each Store Type previously configured.
diff --git a/docsource/iisu.md b/docsource/iisu.md
index ad9209e..8d549bf 100644
--- a/docsource/iisu.md
+++ b/docsource/iisu.md
@@ -9,6 +9,8 @@ The IISU store type represents the IIS servers and their certificate bindings. I
### Limitations and Areas of Confusion
- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues.
+
When performing Inventory, all bound certificates regardless to their store location will be returned.
+
When executing an Add or Renew Management job, the Store Location will be considered and place the certificate in that location.
- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured.
diff --git a/docsource/images/IISU-advanced-store-type-dialog.png b/docsource/images/IISU-advanced-store-type-dialog.png
index 18402cb..73ada7d 100644
Binary files a/docsource/images/IISU-advanced-store-type-dialog.png and b/docsource/images/IISU-advanced-store-type-dialog.png differ
diff --git a/docsource/images/IISU-basic-store-type-dialog.png b/docsource/images/IISU-basic-store-type-dialog.png
index a168f94..30e486e 100644
Binary files a/docsource/images/IISU-basic-store-type-dialog.png and b/docsource/images/IISU-basic-store-type-dialog.png differ
diff --git a/docsource/images/IISU-custom-fields-store-type-dialog.png b/docsource/images/IISU-custom-fields-store-type-dialog.png
index cb0d115..a3c1017 100644
Binary files a/docsource/images/IISU-custom-fields-store-type-dialog.png and b/docsource/images/IISU-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/IISU-entry-parameters-store-type-dialog.png b/docsource/images/IISU-entry-parameters-store-type-dialog.png
index 415d843..c351f10 100644
Binary files a/docsource/images/IISU-entry-parameters-store-type-dialog.png and b/docsource/images/IISU-entry-parameters-store-type-dialog.png differ
diff --git a/docsource/images/WinCert-advanced-store-type-dialog.png b/docsource/images/WinCert-advanced-store-type-dialog.png
index fb418e6..033a466 100644
Binary files a/docsource/images/WinCert-advanced-store-type-dialog.png and b/docsource/images/WinCert-advanced-store-type-dialog.png differ
diff --git a/docsource/images/WinCert-basic-store-type-dialog.png b/docsource/images/WinCert-basic-store-type-dialog.png
index ff825da..c2be5c0 100644
Binary files a/docsource/images/WinCert-basic-store-type-dialog.png and b/docsource/images/WinCert-basic-store-type-dialog.png differ
diff --git a/docsource/images/WinCert-custom-fields-store-type-dialog.png b/docsource/images/WinCert-custom-fields-store-type-dialog.png
index cb0d115..a3c1017 100644
Binary files a/docsource/images/WinCert-custom-fields-store-type-dialog.png and b/docsource/images/WinCert-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/WinCert-entry-parameters-store-type-dialog.png b/docsource/images/WinCert-entry-parameters-store-type-dialog.png
index ff17c42..a27cd95 100644
Binary files a/docsource/images/WinCert-entry-parameters-store-type-dialog.png and b/docsource/images/WinCert-entry-parameters-store-type-dialog.png differ
diff --git a/docsource/images/WinSql-advanced-store-type-dialog.png b/docsource/images/WinSql-advanced-store-type-dialog.png
index fb418e6..033a466 100644
Binary files a/docsource/images/WinSql-advanced-store-type-dialog.png and b/docsource/images/WinSql-advanced-store-type-dialog.png differ
diff --git a/docsource/images/WinSql-basic-store-type-dialog.png b/docsource/images/WinSql-basic-store-type-dialog.png
index 5d29a87..00cc691 100644
Binary files a/docsource/images/WinSql-basic-store-type-dialog.png and b/docsource/images/WinSql-basic-store-type-dialog.png differ
diff --git a/docsource/images/WinSql-custom-fields-store-type-dialog.png b/docsource/images/WinSql-custom-fields-store-type-dialog.png
index 54cc862..9beed3c 100644
Binary files a/docsource/images/WinSql-custom-fields-store-type-dialog.png and b/docsource/images/WinSql-custom-fields-store-type-dialog.png differ
diff --git a/docsource/images/WinSql-entry-parameters-store-type-dialog.png b/docsource/images/WinSql-entry-parameters-store-type-dialog.png
index a1604c6..6f1f669 100644
Binary files a/docsource/images/WinSql-entry-parameters-store-type-dialog.png and b/docsource/images/WinSql-entry-parameters-store-type-dialog.png differ
diff --git a/images/orchestrator-agent.png b/images/orchestrator-agent.png
new file mode 100644
index 0000000..bdeaea4
Binary files /dev/null and b/images/orchestrator-agent.png differ
diff --git a/integration-manifest.json b/integration-manifest.json
index 4b555b0..13088fd 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -26,10 +26,10 @@
"linux": {
"supportsCreateStore": false,
"supportsDiscovery": false,
- "supportsManagementAdd": false,
- "supportsManagementRemove": false,
- "supportsReenrollment": false,
- "supportsInventory": false,
+ "supportsManagementAdd": true,
+ "supportsManagementRemove": true,
+ "supportsReenrollment": true,
+ "supportsInventory": true,
"platformSupport": "Unused"
},
"store_types": [
@@ -55,24 +55,24 @@
"Required": false,
"Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
},
- {
- "Name": "WinRM Protocol",
- "DisplayName": "WinRM Protocol",
- "Type": "MultipleChoice",
- "DependsOn": "",
- "DefaultValue": "https,http",
- "Required": true,
- "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication."
- },
- {
- "Name": "WinRM Port",
- "DisplayName": "WinRM Port",
- "Type": "String",
- "DependsOn": "",
- "DefaultValue": "5986",
- "Required": true,
- "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP."
- },
+ {
+ "Name": "WinRM Protocol",
+ "DisplayName": "WinRM Protocol",
+ "Type": "MultipleChoice",
+ "DependsOn": "",
+ "DefaultValue": "https,http,ssh",
+ "Required": true,
+ "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment."
+ },
+ {
+ "Name": "WinRM Port",
+ "DisplayName": "WinRM Port",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "5986",
+ "Required": true,
+ "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22."
+ },
{
"Name": "ServerUsername",
"DisplayName": "Server Username",
@@ -82,15 +82,15 @@
"Required": false,
"Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'."
},
- {
- "Name": "ServerPassword",
- "DisplayName": "Server Password",
- "Type": "Secret",
- "DependsOn": "",
- "DefaultValue": "",
- "Required": false,
- "Description": "Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'."
- },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key."
+ },
{
"Name": "ServerUseSsl",
"DisplayName": "Use SSL",
@@ -174,9 +174,9 @@
"DisplayName": "WinRM Protocol",
"Type": "MultipleChoice",
"DependsOn": "",
- "DefaultValue": "https,http",
+ "DefaultValue": "https,http,ssh",
"Required": true,
- "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication."
+ "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment."
},
{
"Name": "WinRM Port",
@@ -185,7 +185,7 @@
"DependsOn": "",
"DefaultValue": "5986",
"Required": true,
- "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP."
+ "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22."
},
{
"Name": "ServerUsername",
@@ -196,15 +196,15 @@
"Required": false,
"Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'."
},
- {
- "Name": "ServerPassword",
- "DisplayName": "Server Password",
- "Type": "Secret",
- "DependsOn": "",
- "DefaultValue": "",
- "Required": false,
- "Description": "Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'."
- },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key."
+ },
{
"Name": "ServerUseSsl",
"DisplayName": "Use SSL",
@@ -373,24 +373,24 @@
"Required": false,
"Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations."
},
- {
- "Name": "WinRM Protocol",
- "DisplayName": "WinRM Protocol",
- "Type": "MultipleChoice",
- "DependsOn": "",
- "DefaultValue": "https,http",
- "Required": true,
- "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication."
- },
- {
- "Name": "WinRM Port",
- "DisplayName": "WinRM Port",
- "Type": "String",
- "DependsOn": "",
- "DefaultValue": "5986",
- "Required": true,
- "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP."
- },
+ {
+ "Name": "WinRM Protocol",
+ "DisplayName": "WinRM Protocol",
+ "Type": "MultipleChoice",
+ "DependsOn": "",
+ "DefaultValue": "https,http,ssh",
+ "Required": true,
+ "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment."
+ },
+ {
+ "Name": "WinRM Port",
+ "DisplayName": "WinRM Port",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "5986",
+ "Required": true,
+ "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22."
+ },
{
"Name": "ServerUsername",
"DisplayName": "Server Username",
@@ -400,15 +400,15 @@
"Required": false,
"Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'."
},
- {
- "Name": "ServerPassword",
- "DisplayName": "Server Password",
- "Type": "Secret",
- "DependsOn": "",
- "DefaultValue": "",
- "Required": false,
- "Description": "Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'."
- },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key."
+ },
{
"Name": "ServerUseSsl",
"DisplayName": "Use SSL",
@@ -479,9 +479,6 @@
},
"StorePathValue": "My",
"PrivateKeyAllowed": "Optional",
- "JobProperties": [
- "InstanceName"
- ],
"ServerRequired": true,
"PowerShell": false,
"BlueprintAllowed": true,
@@ -492,4 +489,4 @@
]
}
}
-}
\ No newline at end of file
+}