Merge pull request #18 from Keyfactor/ab#61223
ab#61223 remove logging of sensitive data
fiddlermikey authored Jul 26, 2024
2 parents b2810a6 + dafaf2b commit d6614d3
Showing 7 changed files with 37 additions and 52 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/keyfactor-bootstrap-workflow.yml
@@ -0,0 +1,19 @@
name: Keyfactor Bootstrap Workflow

on:
workflow_dispatch:
pull_request:
types: [opened, closed, synchronize, edited, reopened]
push:
create:
branches:
- 'release-*.*'

jobs:
call-starter-workflow:
uses: keyfactor/actions/.github/workflows/starter.yml@v2
secrets:
token: ${{ secrets.V2BUILDTOKEN}}
APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
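Review bot: `uses: keyfactor/actions/.github/workflows/starter.yml@v2` references the reusable workflow by a mutable tag while the job hands it `V2BUILDTOKEN`, `KF_GPG_PRIVATE_KEY` and `KF_GPG_PASSPHRASE`; pinning the `uses:` reference to a full commit SHA (with the tag in a trailing comment) keeps a moved or re-pointed `v2` tag from changing what receives those secrets without a review. Minor: `${{ secrets.V2BUILDTOKEN}}` and `${{ secrets.APPROVE_README_PUSH}}` are missing the space before `}}` that the two gpg lines have.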
42 changes: 0 additions & 42 deletions .github/workflows/keyfactor-starter-workflow.yml

This file was deleted.

4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
2.0.1
* Remove logging of sensitive data
* Update Private Key to required for certificates in this store in docs and store definition

2.0.0
* Consolidate all AWS auth types under one Store Type: `AWS-ACM`
* Continues to provide backwards support for previous Store Types `AwsCerManO` and `AwsCerManA`
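Review bot: the 2.0.1 entry "Remove logging of sensitive data" does not say what was being logged; since the Management.cs change in this commit removes a trace-level message that wrote the certificate's PEM private key, operators who ran 2.0.0 with trace logging enabled need that detail to decide whether existing log files should be purged and keys rotated. One clause naming the private key and the log level would do.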
14 changes: 8 additions & 6 deletions README.md
@@ -1,10 +1,10 @@

# AWS Certificate Manager (ACM) Orchestrator

The AWS ACM Orchestrator supports Inventory and Management of certificates in the AWS Certificate Manager. It supports three methods of authentication: Environmental Credentials loaded via the AWS SDK e.g. inside an EC2 instance; IAM User Credentials for assuming a Role as a specific user; OAuth-based Credentials to authenticate with an OAuth provider to assume a Role.

#### Integration status: Production - Ready for use in production environments.


## About the Keyfactor Universal Orchestrator Extension

This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
@@ -13,23 +13,22 @@ The Universal Orchestrator is part of the Keyfactor software distribution and is

The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.


## Support for AWS Certificate Manager (ACM) Orchestrator

AWS Certificate Manager (ACM) Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com

###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.


---


---



## Keyfactor Version Supported

The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1

## Platform Specific Notes

The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
@@ -39,7 +38,7 @@ The Keyfactor Universal Orchestrator may be installed on either Windows or Linux
|Supports Management Remove|✓ |✓ |
|Supports Create Store| | |
|Supports Discovery| | |
|Supports Renrollment| | |
|Supports Reenrollment| | |
|Supports Inventory|✓ |✓ |


@@ -164,7 +163,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store.
PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)

**Custom Fields:**
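Review bot: the value changes to Required but the description cell still reads "This determines if Keyfactor can send the private key associated with a certificate to the store", which describes an optional behaviour; with Required, the private key is always sent with the certificate, and the cell should say so (the same row in readme_source.md carries the same wording).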
@@ -391,3 +390,6 @@ Cert Store Settings
</details>
</details>

When creating cert store type manually, that store property names and entry parameter names are case sensitive


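Review bot: the added sentence has a grammar slip: "When creating cert store type manually, that store property names and entry parameter names are case sensitive" should read "When creating the cert store type manually, the store property names and entry parameter names are case sensitive." It also sits directly after the closing </details> with no heading, so it is easy to miss; a short "Note:" lead, or placing it in the store type setup section, would help.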
4 changes: 2 additions & 2 deletions aws-orchestrator-core/Jobs/Management.cs
@@ -100,7 +100,7 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
if (!string.IsNullOrWhiteSpace(config.JobCertificate.Alias))
{
// Alias is specified, this is a replace / renewal
Logger.LogTrace($"Alias specified, validating existing cert can be renewed / replaced: {config.JobCertificate.Alias}");
Logger.LogDebug($"Alias specified, validating existing cert can be renewed / replaced: {config.JobCertificate.Alias}");
// ARN Provided, Verify It is Not A PCA/Amazon Issued Cert
DescribeCertificateResponse DescribeCertificateResponse = AsyncHelpers.RunSync(() => AcmClient.DescribeCertificateAsync(config.JobCertificate.Alias));
Logger.LogTrace($"DescribeCertificateResponse JSON: {JsonConvert.SerializeObject(DescribeCertificateResponse)}");
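Review bot: changing this line from LogTrace to LogDebug raises the level at which the alias (the ACM certificate ARN) is written, so it is logged in more configurations than before, which is the opposite direction from the commit's "remove logging of sensitive data"; if the ARN is considered non-sensitive and the intent is better operator visibility, say so in the commit message. The following line still serializes the whole DescribeCertificateResponse at trace level; confirm that response carries nothing you would want kept out of logs.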
@@ -152,7 +152,7 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
pemWriter.WriteObject(keyPair.Private);
streamWriter.Flush();
privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer()).Trim().Replace("\r", "").Replace("\0", "");
Logger.LogTrace($"Got Private Key String {privateKeyString}");
Logger.LogTrace("Loaded private key.");
memoryStream.Close();
streamWriter.Close();
}
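Review bot: dropping the private key from the trace message is the right fix; two follow-ups on the surrounding lines. privateKeyString is built from memoryStream.GetBuffer(), which returns the whole allocated buffer rather than only the bytes written, hence the Replace("\0", "") workaround; memoryStream.ToArray() (or reading up to memoryStream.Length) yields exactly the PEM bytes. And the PEM now lives in an immutable .NET string, which cannot be zeroed after use, so the key stays in managed memory until it is collected; if the ACM client call accepts a byte array or stream, keeping the key in a byte[] that is cleared after the import would shorten that window. Wrapping the writers in using blocks rather than explicit Close() calls would also guarantee cleanup on exceptions.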
4 changes: 3 additions & 1 deletion integration-manifest.json
@@ -3,13 +3,15 @@
"integration_type": "orchestrator",
"name": "AWS Certificate Manager (ACM) Orchestrator",
"status": "production",
"update_catalog": true,
"link_github": true,
"release_dir": "aws-orchestrator-core/bin/Release/netcoreapp3.1",
"support_level": "kf-supported",
"description": "The AWS ACM Orchestrator supports Inventory and Management of certificates in the AWS Certificate Manager. It supports three methods of authentication: Environmental Credentials loaded via the AWS SDK e.g. inside an EC2 instance; IAM User Credentials for assuming a Role as a specific user; OAuth-based Credentials to authenticate with an OAuth provider to assume a Role.",
"about": {
"orchestrator": {
"UOFramework": "10.1",
"keyfactor_platform_version": "9.10",
"pam_support": true,
"win": {
"supportsCreateStore": false,
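Review bot: unchanged context, but `release_dir` still points at `aws-orchestrator-core/bin/Release/netcoreapp3.1`, a runtime that is out of support and no longer receives security fixes; since this commit touches the manifest anyway, it is worth opening a follow-up to move the build to a supported target.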
@@ -142,7 +144,7 @@
"StoreRequired": false,
"Style": "Default"
},
"PrivateKeyAllowed": "Optional",
"PrivateKeyAllowed": "Required",
"ServerRequired": true,
"PowerShell": false,
"BlueprintAllowed": true,
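Review bot: flipping PrivateKeyAllowed to Required in the manifest presumably only affects store types created from this definition; instances where the AWS-ACM store type was already created from the 2.0.0 manifest would keep Optional, so the 2.0.1 CHANGELOG entry should tell upgraders to update the existing store type definition by hand (the README's new note about case-sensitive manual creation suggests that path is expected).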
2 changes: 1 addition & 1 deletion readme_source.md
@@ -64,7 +64,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store.
PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)

**Custom Fields:**
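Review bot: this hunk mirrors the Private Keys change but not the case-sensitivity note added at the end of README.md in the same commit; since readme_source.md appears to be the source README.md is generated from (the new workflow forwards an APPROVE_README_PUSH secret for that push), the note should be added here as well or the next README regeneration will drop it.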
