diff --git a/CHANGELOG.md b/CHANGELOG.md index 01932ac..8c6ed28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +2.1.0 +* Support for Pan Level Certficates +* Support for Pushing Entire Certificate Chain to Panorama +* Auto Detection of Trusted Root Certificates +* Fix Inventory Check For Private Key from Dummy to Anything + 2.0.1 * Fix Epoch Time in Model from int to long to prevent inventory errors diff --git a/PaloAlto/Client/PaloAltoClient.cs b/PaloAlto/Client/PaloAltoClient.cs index 0cb66d8..81bd464 100644 --- a/PaloAlto/Client/PaloAltoClient.cs +++ b/PaloAlto/Client/PaloAltoClient.cs @@ -17,6 +17,7 @@ using System.Net.Http; using System.Net.Http.Headers; using System.Reflection; +using System.Text.RegularExpressions; using System.Threading.Tasks; using System.Xml; using System.Xml.Serialization; 
@@ -136,26 +137,15 @@ public async Task GetCommitAllResponse(string deviceGroup) } } - public async Task SubmitEditProfile(EditProfileRequest request, string templateName) + public async Task SubmitEditProfile(EditProfileRequest request, string templateName, string storePath) { try { var editXml = $"{request.ProtocolSettings.MinVersion.Text}{request.ProtocolSettings.MaxVersion.Text}{request.Certificate}"; - string uri; - //if not Panorama use firewall path - if (templateName == "/") - { - templateName = ""; - uri = - $@"/api/?type=config&action=edit&xpath=/config/shared/ssl-tls-service-profile/entry[@name='{request.Name}']&element={editXml}&key={ApiKey}&target-tpl={templateName}"; - } - else - { - uri = - $@"/api/?type=config&action=edit&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/ssl-tls-service-profile/entry&element={editXml}&key={ApiKey}&target-tpl={templateName}"; - } + string uri= + $@"/api/?type=config&action=edit&xpath={storePath}/ssl-tls-service-profile/entry[@name='{request.Name}']&element={editXml}&key={ApiKey}&target-tpl={GetTemplateName(storePath)}"; var response = await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); return response; 
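Review bot: The `templateName` parameter of `SubmitEditProfile` is no longer read anywhere in the new body — the template is now derived from `storePath` through `GetTemplateName` — so the signature keeps a dead argument that `SetBindings` still has to supply alongside the store path. Either drop it (`public async Task SubmitEditProfile(EditProfileRequest request, string storePath)`) or add `/// <param name="templateName">Ignored; the template is derived from <paramref name="storePath"/>.</param>` so callers stop passing it deliberately. The new `string uri=` line also drops the spacing around `=`; the same appears in the SubmitDeleteCertificate, SubmitDeleteTrustedRoot and SubmitSetTrustedRoot hunks, where `var uri = $@"..."` would match the rest of the file. The method's catch block continues outside the hunk.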
@@ -165,17 +155,29 @@ public async Task SubmitEditProfile(EditProfileRequest req _logger.LogError($"Error Occured in PaloAltoClient.SubmitDeleteCertificate: {e.Message}"); throw; } - } - - public async Task GetProfileByCertificate(string templateName, - string certificate) + } + + private string GetTemplateName(string storePath) + { + string pattern = @"\/template\/entry\[@name='([^']+)'\]"; + Regex regex = new Regex(pattern); + Match match = regex.Match(storePath); + + string templateName = string.Empty; + if (match.Success) + { + templateName = match.Groups[1].Value; + } + + return templateName; + } + + public async Task GetProfileByCertificate(string storePath, string certificate) { try { - var xPath = templateName == "/" - ? $"/config/shared/ssl-tls-service-profile/entry[@name='{certificate}']" - : $"/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/ssl-tls-service-profile/entry[./certificate='{certificate}']"; - var uri = $"/api/?type=config&action=get&target-tpl={templateName}&xpath={xPath}&key={ApiKey}"; + var xPath = $"{storePath}/ssl-tls-service-profile/entry[./certificate='{certificate}']"; + var uri = $"/api/?type=config&action=get&target-tpl={GetTemplateName(storePath)}&xpath={xPath}&key={ApiKey}"; var response = await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); return response; 
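Review bot: `GetTemplateName` compiles a new `Regex` on every call and throws `ArgumentNullException` from `Regex.Match` when `storePath` is null, and an identical private copy is added to Validators.cs in this same commit. Hoist the pattern to `private static readonly Regex TemplateNameRegex = new Regex(@"\/template\/entry\[@name='([^']+)'\]", RegexOptions.Compiled);` and reduce the body to `var match = TemplateNameRegex.Match(storePath ?? string.Empty); return match.Success ? match.Groups[1].Value : string.Empty;`, then keep a single shared helper so the two copies cannot drift. A one-line summary such as `/// Returns the Panorama template name embedded in a store path, or an empty string for firewall/shared paths.` would also make the empty-string contract explicit for the callers that put the result into `target-tpl=`.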
@@ -231,23 +233,11 @@ public async Task GetCertificateByName(string name) } } - public async Task SubmitDeleteCertificate(string name, string templateName) + public async Task SubmitDeleteCertificate(string name, string storePath) { try { - string uri; - if (templateName == "/") - { - templateName = ""; - uri = - $@"/api/?type=config&action=delete&xpath=/config/shared/certificate/entry[@name='{name}']&key={ApiKey}&target-tpl={templateName}"; - } - else - { - uri = - $@"/api/?type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/certificate/entry[@name='{name}']&key={ApiKey}&target-tpl={templateName}"; - } - + string uri =$@"/api/?type=config&action=delete&xpath={storePath}/certificate/entry[@name='{name}']&key={ApiKey}&target-tpl={GetTemplateName(storePath)}"; return await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); } catch (Exception e) @@ -257,23 +247,11 @@ public async Task SubmitDeleteCertificate(string name, str } } - public async Task SubmitDeleteTrustedRoot(string name, string templateName) + public async Task SubmitDeleteTrustedRoot(string name, string storePath) { try { - string uri; - if (templateName == "/") - { - templateName = ""; - uri = - $@"/api/?type=config&action=delete&xpath=/config/shared/ssl-decrypt/trusted-root-CA/member[text()='{name}']&key={ApiKey}&target-tpl={templateName}"; - } - else - { - uri = - $@"/api/?type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/ssl-decrypt/trusted-root-CA/member[text()='{name}']&key={ApiKey}&target-tpl={templateName}"; - } - + string uri= $@"/api/?type=config&action=delete&xpath={storePath}/ssl-decrypt/trusted-root-CA/member[text()='{name}']&key={ApiKey}&target-tpl={GetTemplateName(storePath)}"; return await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); } catch (Exception e) 
@@ -283,23 +261,11 @@ public async Task SubmitDeleteTrustedRoot(string name, str } } - public async Task SubmitSetTrustedRoot(string name, string templateName) + public async Task SubmitSetTrustedRoot(string name, string storePath) { try - { - string uri; - if (templateName == "/") - { - templateName = ""; - uri = - $@"/api/?type=config&action=set&xpath=/config/shared/ssl-decrypt&element={name}&key={ApiKey}&target-tpl={templateName}"; - } - else - { - uri = - $@"/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/ssl-decrypt&element={name}&key={ApiKey}&target-tpl={templateName}"; - } - + { + string uri = $@"/api/?type=config&action=set&xpath={storePath}/ssl-decrypt&element={name}&key={ApiKey}&target-tpl={GetTemplateName(storePath)}"; return await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); } catch (Exception e) 
@@ -309,79 +275,12 @@ public async Task SubmitSetTrustedRoot(string name, string } } - public async Task GetBinding(JobEntryParams jobEntryParams, string templateName) - { - try - { - string uri; - if (templateName == "/") - { - templateName = ""; - uri = - $@"/api/?type=config&action=get&xpath=/config/shared/ssl-tls-service-profile/entry[@name='{jobEntryParams.TlsProfileName}']&key={ApiKey}&target-tpl={templateName}"; - } - else - { - uri = - $@"/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/ssl-tls-service-profile/entry[@name='{jobEntryParams.TlsProfileName}']&key={ApiKey}&target-tpl={templateName}"; - } - return await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); - } - catch (Exception e) - { - _logger.LogError($"Error Occured in PaloAltoClient.GetBinding: {e.Message}"); - throw; - } - } - - public async Task SubmitDeleteBinding(JobEntryParams jobEntryParams, string templateName) - { - try - { - string uri; - if (templateName == "/") - { - templateName = ""; - uri = - $@"/api/?type=config&action=delete&xpath=/config/shared/ssl-tls-service-profile/entry[@name='{jobEntryParams.TlsProfileName}']&key={ApiKey}&target-tpl={templateName}"; - } - else - { - uri = - $@"/api/?type=config&action=delete&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{templateName}']/config/shared/ssl-tls-service-profile/entry[@name='{jobEntryParams.TlsProfileName}']&key={ApiKey}&target-tpl={templateName}"; - } - - return await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); - } - catch (Exception e) - { - _logger.LogError($"Error Occured in PaloAltoClient.SubmitDeleteBinding: {e.Message}"); - throw; - } - } - - public async Task SubmitSetForwardTrust(string name) - { - try - { - var uri = - $@"/api/?type=config&action=set&xpath=/config/shared/ssl-decrypt&element={name}&key={ApiKey}"; - return await GetXmlResponseAsync(await HttpClient.GetAsync(uri)); - 
} - catch (Exception e) - { - _logger.LogError($"Error Occured in PaloAltoClient.SubmitSetForwardTrust: {e.Message}"); - throw; - } - } - public async Task ImportCertificate(string name, string passPhrase, byte[] bytes, - string includeKey, string category, string templateName) + string includeKey, string category, string storePath) { try { - if (templateName == "/") - templateName = ""; + var templateName=GetTemplateName(storePath); var uri = $@"/api/?type=import&category={category}&certificate-name={name}&format=pem&include-key={includeKey}&passphrase={passPhrase}&target-tpl={templateName}&target-tpl-vsys=&vsys&key={ApiKey}"; var boundary = $"--------------------------{Guid.NewGuid():N}"; diff --git a/PaloAlto/Jobs/Inventory.cs b/PaloAlto/Jobs/Inventory.cs index 8f72dad..74d343d 100644 --- a/PaloAlto/Jobs/Inventory.cs +++ b/PaloAlto/Jobs/Inventory.cs @@ -90,14 +90,7 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven _logger.LogTrace("Inventory Palo Alto Client Created"); //Change the path if you are pointed to a Panorama Device - CertificateListResponse rawCertificatesResult; - if (IsPanoramaDevice(config)) - rawCertificatesResult = - client.GetCertificateList( - $"/config/devices/entry/template/entry[@name='{config.CertificateStoreDetails.StorePath}']//certificate/entry") - .Result; - else - rawCertificatesResult = client.GetCertificateList("/config/shared/certificate/entry").Result; + var rawCertificatesResult = client.GetCertificateList($"{config.CertificateStoreDetails.StorePath}/certificate/entry").Result; var certificatesResult = rawCertificatesResult.CertificateResult.Entry.FindAll(c => c.PublicKey != null); 
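Review bot: The comment `//Change the path if you are pointed to a Panorama Device` above the new `GetCertificateList` call is now stale: the Panorama/firewall branch it described was removed and the store path is used verbatim as the xpath prefix. Replace it with `//StorePath is the full PAN-OS config xpath (checked in Validators.ValidateStoreProperties); append the certificate entry selector to it`. PerformInventory continues outside the hunk.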
@@ -118,10 +111,10 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven try { _logger.LogTrace( - $"Building Cert List Inventory Item Alias: {c.Name} Pem: {c.PublicKey} Private Key: dummy (from PA API)"); + $"Building Cert List Inventory Item Alias: {c.Name} Pem: {c.PublicKey} Private Key: {c.PrivateKey?.Length > 0}"); var bindings = client.GetProfileByCertificate(config.CertificateStoreDetails.StorePath, c.Name).Result; - return BuildInventoryItem(c.Name, c.PublicKey, c.PrivateKey == "dummy",bindings,false); + return BuildInventoryItem(c.Name, c.PublicKey, c.PrivateKey?.Length>0,bindings,false); } catch { @@ -193,11 +186,6 @@ private JobResult ReturnJobResult(InventoryJobConfiguration config, bool warning }; } - private static bool IsPanoramaDevice(InventoryJobConfiguration config) - { - return config.CertificateStoreDetails.StorePath.Length > 1; - } - private void LogResponse(T content) { var resWriter = new StringWriter(); @@ -215,7 +203,7 @@ protected virtual CurrentInventoryItem BuildInventoryItem(string alias, string c //Add Entry Params so the show up in the UI Inventory Store Popup var siteSettingsDict = new Dictionary { - { "ProfileName", string.IsNullOrEmpty(bindings.Result?.Entry?.Name)?"":bindings.Result?.Entry?.Name}, + { "TlsProfileName", string.IsNullOrEmpty(bindings.Result?.Entry?.Name)?"":bindings.Result?.Entry?.Name}, { "TlsMinVersion", string.IsNullOrEmpty(bindings.Result?.Entry?.ProtocolSettings?.MinVersion?.Text)?"":bindings.Result?.Entry?.ProtocolSettings?.MinVersion?.Text}, { "TlsMaxVersion", string.IsNullOrEmpty(bindings.Result?.Entry?.ProtocolSettings?.MaxVersion?.Text)?"":bindings.Result?.Entry?.ProtocolSettings?.MaxVersion?.Text }, { "Trusted Root", trustedRoot}, diff --git a/PaloAlto/Jobs/Management.cs b/PaloAlto/Jobs/Management.cs index 372ef7d..32bdf8d 100644 --- a/PaloAlto/Jobs/Management.cs +++ b/PaloAlto/Jobs/Management.cs 
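Review bot: The has-private-key test `c.PrivateKey?.Length > 0` is evaluated twice in the lambda, once for the trace and once for `BuildInventoryItem`, and the old `== "dummy"` check it replaces was the only place the meaning was spelled out; a local `var hasPrivateKey = c.PrivateKey?.Length > 0;` before the `LogTrace` keeps the two in step and names the intent. The later hunk in this file renames the inventory entry-param key `"ProfileName"` to `"TlsProfileName"`; if the UI store popup or previously stored inventory reads the old key this is a compatibility change worth calling out in the changelog. The lambda continues outside the hunk.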
@@ -13,8 +13,10 @@ // limitations under the License. using System; +using System.Collections.Generic; using System.IO; using System.Linq; +using System.Security.Cryptography.X509Certificates; using System.Text; using System.Threading; using System.Threading.Tasks; @@ -143,16 +145,16 @@ private JobResult PerformRemoval(ManagementJobConfiguration config) _logger.LogTrace( $"Alias to Remove From Palo Alto: {config.JobCertificate.Alias}"); - if (!DeleteCertificate(config, client, warnings, out var deleteResult)) return deleteResult; - + if (!DeleteCertificate(config, client, warnings, out var deleteResult)) return deleteResult; + warnings = CommitChanges(config, client, warnings); if (warnings.Length > 0) { deleteResult.FailureMessage = warnings; deleteResult.Result = OrchestratorJobStatusJobResult.Warning; - } - + } + return deleteResult; } catch (Exception e) @@ -175,15 +177,10 @@ private bool CheckForDuplicate(ManagementJobConfiguration config, PaloAltoClient { try { - CertificateListResponse rawCertificatesResult; + var rawCertificatesResult = client.GetCertificateList( + $"{config.CertificateStoreDetails.StorePath}/certificate/entry[@name='{certificateName}']") + .Result; - if (IsPanoramaDevice(config)) - rawCertificatesResult = - client.GetCertificateList( - $"/config/devices/entry/template/entry[@name='{config.CertificateStoreDetails.StorePath}']//certificate/entry[@name='{certificateName}']") - .Result; - else - rawCertificatesResult = client.GetCertificateList($"/config/shared/certificate/entry[@name='{certificateName}']").Result; var certificatesResult = rawCertificatesResult.CertificateResult.Entry.FindAll(c => c.PublicKey != null); 
@@ -209,8 +206,7 @@ private JobResult PerformAddition(ManagementJobConfiguration config) var success = false; //Store path is "/" for direct integration with Firewall or the Template Name for integration with Panorama - if (config.CertificateStoreDetails.StorePath == "/" || - config.CertificateStoreDetails.StorePath.Length > 0) + if (config.CertificateStoreDetails.StorePath.Length > 0) { _logger.LogTrace( $"Credentials JSON: Url: {config.CertificateStoreDetails.ClientMachine} Server UserName: {config.ServerUsername}"); 
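Review bot: The comment `//Store path is "/" for direct integration with Firewall or the Template Name for integration with Panorama` no longer describes the condition below it, which now only checks `StorePath.Length > 0`, while elsewhere in this commit the path is a full xpath (`/config/shared`, `/config/panorama` or a Panorama template path). Replace it with `//Store path is the PAN-OS config xpath (/config/shared, /config/panorama or a Panorama template path); format is checked in Validators.ValidateStoreProperties`. `StorePath.Length` also dereferences a null path; `!string.IsNullOrEmpty(config.CertificateStoreDetails.StorePath)` is safer if the property can be unset. PerformAddition continues outside the hunk.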
@@ -228,121 +224,102 @@ private JobResult PerformAddition(ManagementJobConfiguration config) if (duplicate && config.Overwrite || !duplicate) { _logger.LogTrace("Either not a duplicate or overwrite was chosen...."); - string certPem; - if (!string.IsNullOrWhiteSpace(config.JobCertificate.PrivateKeyPassword)) // This is a PFX Entry - { - _logger.LogTrace($"Found Private Key {config.JobCertificate.PrivateKeyPassword}"); - - if (string.IsNullOrWhiteSpace(config.JobCertificate.Alias)) - _logger.LogTrace("No Alias Found"); - - certPem = GetPemFile(config); - _logger.LogTrace($"Got certPem {certPem}"); - - //1. If duplicate, delete the old cert/bindings/Trusted Root first, otherwise you'll get a private/public Key mismatch and binding errors from Palo - if (duplicate) - { - //1a. See if there are bindings for this certificate need to to delete/insert them so you can replace the cert - if (!Validators.ValidateBindings(JobEntryParams).Contains("You are missing the TlsProfileName") && client.GetBinding(JobEntryParams, config.CertificateStoreDetails.StorePath).Result.Result.TotalCount == 1) - { - var delBindingsResponse = client.SubmitDeleteBinding(JobEntryParams, config.CertificateStoreDetails.StorePath).Result; - if (delBindingsResponse.Status.ToUpper() == "ERROR") - { - //Delete Failed Return Error - return ReturnJobResult(config, warnings, false, Validators.BuildPaloError(delBindingsResponse)); - } - } - - //1b. See if this is a trusted root, if so, you need to set this to false so the delete/insert will work - if (!DeleteCertificate(config, client, warnings, out var deleteErrorResult)) return deleteErrorResult; - } - - //1a. Import the Keypair to Palo Alto - var importResult = client.ImportCertificate(config.JobCertificate.Alias, - config.JobCertificate.PrivateKeyPassword, - Encoding.UTF8.GetBytes(certPem), "yes", "keypair", - config.CertificateStoreDetails.StorePath); - var content = importResult.Result; - LogResponse(content); - - //If 1. 
was successful, then set trusted root, bindings then commit - if (content.Status.ToUpper() == "SUCCESS") - { - //2.Validate if this is going to have the trusted Root - var trustedRoot = Convert.ToBoolean(JobEntryParams.TrustedRoot); - var rootResponse = SetTrustedRoot(trustedRoot, config.JobCertificate.Alias, client, - config.CertificateStoreDetails.StorePath); - - if (trustedRoot && rootResponse.Status.ToUpper() == "ERROR") - warnings += - $"Setting to Trusted Root Failed. {Validators.BuildPaloError(rootResponse)}"; - - //3. Check if Bindings were added in the entry params and if so bind the cert to a tls profile in palo - var bindingsValidation = Validators.ValidateBindings(JobEntryParams); - if (string.IsNullOrEmpty(bindingsValidation)) - { - var bindingsResponse = SetBindings(config, client, - config.CertificateStoreDetails.StorePath); - if (bindingsResponse.Result.Status.ToUpper() == "ERROR") - warnings += - $"Could not Set The Bindings. There was an error calling out to bindings in the device. {Validators.BuildPaloError(bindingsResponse.Result)}"; - } - else - { - warnings += bindingsValidation; - } - - //4. Try to commit to firewall or Palo Alto then Push to the devices - warnings = CommitChanges(config, client, warnings); - - success = true; - } - - string errorMsg; - if (content.LineMsg != null) - { - errorMsg = Validators.BuildPaloError(content); - } - else - { - errorMsg = content.Text; - } - return ReturnJobResult(config, warnings, success, errorMsg); - } - else - { - _logger.LogTrace("Adding a certificate without a private key to Palo Alto....."); - certPem = certStart + Pemify(config.JobCertificate.Contents) + certEnd; - _logger.LogTrace($"Pem: {certPem}"); - - //1. 
Import the Keypair to Palo Alto No Private Key - var importResult = client.ImportCertificate(config.JobCertificate.Alias, - config.JobCertificate.PrivateKeyPassword, - Encoding.UTF8.GetBytes(certPem), "no", "certificate", - config.CertificateStoreDetails.StorePath); - var content = importResult.Result; - LogResponse(content); - - //if 1. was successful then set trusted root and commit, no bindings allowed without private key - if (content.Status.ToUpper() == "SUCCESS") - { - //2.Validate if this is going to have the trusted Root - var trustedRoot = - Convert.ToBoolean(JobEntryParams.TrustedRoot); - var rootResponse = SetTrustedRoot(trustedRoot, config.JobCertificate.Alias, client, - config.CertificateStoreDetails.StorePath); - - if (trustedRoot && rootResponse.Status.ToUpper() == "ERROR") - warnings += - $"Setting to Trusted Root Failed. {Validators.BuildPaloError(rootResponse)}"; - - //3. Try to commit to firewall or Palo Alto then Push to the devices - warnings = CommitChanges(config, client, warnings); - success = true; - } - - return ReturnJobResult(config, warnings, success, content.Text); - } + string certPem; + + _logger.LogTrace($"Found Private Key {config.JobCertificate.PrivateKeyPassword}"); + + if (string.IsNullOrWhiteSpace(config.JobCertificate.Alias)) + _logger.LogTrace("No Alias Found"); + + certPem = GetPemFile(config); + _logger.LogTrace($"Got certPem {certPem}"); + + + //1. Get the chain in a list starting with root first, any intermediate then leaf + var orderedChainList = GetCertificateChain(config.JobCertificate.Contents, config.JobCertificate.PrivateKeyPassword); + var alias = config.JobCertificate.Alias; + + //1. If the leaf cert is a duplicate then you rename the cert and update it. So you don't have to delete tls profile and cause downtime + if (duplicate) + { + DateTime currentTime = DateTime.Now; + alias = RightTrimAfter(alias, 19) + "_" + currentTime.ToString("yyMMddHHmmss"); //fix name length + } + + //2. 
Check palo alto for existing thumbprints of anything in the chain + var rawCertificatesResult = client.GetCertificateList($"{config.CertificateStoreDetails.StorePath}/certificate/entry").Result; + List certificates = new List(); + ErrorSuccessResponse content = null; + string errorMsg = string.Empty; + + foreach (var cert in orderedChainList) + { + //root and intermediate just upload the cert from the chain no private key + if (((cert.type == "root" || cert.type == "intermediate") && !ThumbprintFound(cert.certificate.Thumbprint, certificates, rawCertificatesResult))) + { + var certName = BuildName(cert); + var importResult = client.ImportCertificate(certName, + config.JobCertificate.PrivateKeyPassword, + Encoding.UTF8.GetBytes(ExportToPem(cert.certificate)), "no", "certificate", + config.CertificateStoreDetails.StorePath); + content = importResult.Result; + LogResponse(content); + + + //Set as trusted Root if you successfully imported the root certificate + if (content != null && content.Status.ToUpper() != "ERROR") + { + ErrorSuccessResponse rootResponse = null; + if (cert.type == "root") + rootResponse = SetTrustedRoot(certName, client, config.CertificateStoreDetails.StorePath); + + if (rootResponse != null && rootResponse.Status.ToUpper() == "ERROR") + warnings += + $"Setting to Trusted Root Failed. {Validators.BuildPaloError(rootResponse)}"; + } + } + + //Leafs need the keypair only put leaf out there if root and intermediate succeeded + if (cert.type == "leaf" && errorMsg.Length == 0) + { + var type = string.IsNullOrWhiteSpace(config.JobCertificate.PrivateKeyPassword) ? "certificate" : "keypair"; + var importResult = client.ImportCertificate(alias, + config.JobCertificate.PrivateKeyPassword, + Encoding.UTF8.GetBytes(certPem), "yes", type, + config.CertificateStoreDetails.StorePath); + content = importResult.Result; + LogResponse(content); + + //If 1. 
was successful, then set trusted root, bindings then commit + if (content != null && content.Status.ToUpper() == "SUCCESS") + { + //3. Check if Bindings were added in the entry params and if so bind the cert to a tls profile in palo + var bindingsValidation = Validators.ValidateBindings(JobEntryParams); + if (string.IsNullOrEmpty(bindingsValidation)) + { + var bindingsResponse = SetBindings(config, client, + config.CertificateStoreDetails.StorePath,alias); + if (bindingsResponse.Result.Status.ToUpper() == "ERROR") + warnings += + $"Could not Set The Bindings. There was an error calling out to bindings in the device. {Validators.BuildPaloError(bindingsResponse.Result)}"; + } + if (errorMsg.Length == 0) + success = true; + } + } + + if (content != null) + { + errorMsg += content.LineMsg != null ? Validators.BuildPaloError(content) : content.Text; + } + } + + + //4. Try to commit to firewall or Palo Alto then Push to the devices + if (errorMsg.Length == 0) + warnings = CommitChanges(config, client, warnings); + + return ReturnJobResult(config, warnings, success, errorMsg); } return new JobResult 
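Review bot: `content` is never reset inside `foreach (var cert in orderedChainList)`, so when a root or intermediate is skipped because `ThumbprintFound` matched, the trailing `if (content != null) errorMsg += ...` appends the previous iteration's response text a second time, and because the leaf branch and the final commit are gated on `errorMsg.Length == 0`, a device that returns non-empty `content.Text` for a successful import would also block the leaf upload and the commit; set `content = null;` as the first statement of the loop body and only append to `errorMsg` when `content.Status.ToUpper() == "ERROR"`. The renamed duplicate alias is `RightTrimAfter(alias, 19) + "_" + ` a 12-character `yyMMddHHmmss` stamp, 32 characters, which exceeds the 31-character limit the `BuildName` comment cites; `RightTrimAfter(alias, 18)` fits. The root/intermediate imports pass `config.JobCertificate.PrivateKeyPassword` although `include-key` is `"no"` and `ImportCertificate` places the passphrase in the query string, so pass `string.Empty` there; conversely the leaf import now sends `"yes"` for include-key even when `type` resolves to `"certificate"` because no password was supplied, where the removed code sent `"no"`. `DateTime.Now` for the suffix should be `DateTime.UtcNow` so generated names do not depend on the orchestrator host's time zone. PerformAddition continues outside the hunk.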
@@ -372,8 +349,58 @@ private JobResult PerformAddition(ManagementJobConfiguration config) $"Management/Add {e.Message}" }; } - } + } + + private static string BuildName((X509Certificate2 certificate, string type) cert) + { + string subject = cert.certificate?.Subject; + string commonName = null; + + // Find the common name in the subject string + if (subject != null) + { + int startIndex = subject.IndexOf("CN=", StringComparison.Ordinal); + if (startIndex >= 0) + { + startIndex += 3; // Move startIndex to the beginning of the common name value + int endIndex = subject.IndexOf(',', startIndex); // Find the end of the common name value + + if (endIndex < 0) + { + // If no comma is found, the common name extends to the end of the string + endIndex = subject.Length; + } + + // Extract the common name value + commonName = subject.Substring(startIndex, endIndex - startIndex); + } + } + + // Replace spaces with underscores + commonName = commonName?.Replace(" ", "_"); + + //Only 31 characters allowed for cert name + return DateTime.Now.ToString("yyyyMM") + "_" + RightTrimAfter(commonName, 23); + + } + + public static string RightTrimAfter(string input, int maxLength) + { + if (input.Length > maxLength) + { + // If the input string is longer than the specified length, + // trim it to the specified length + return input.Substring(0, maxLength); + } + else + { + // If the input string is shorter than or equal to the specified length, + // return the input string unchanged + return input; + } + } + private static bool DeleteCertificate(ManagementJobConfiguration config, PaloAltoClient client, string warnings, out JobResult deleteResult) { @@ -462,7 +489,7 @@ private string GetPemFile(ManagementJobConfiguration config) using (var pfxBytesMemoryStream = new MemoryStream(pfxBytes)) { p = new Pkcs12Store(pfxBytesMemoryStream, - config.JobCertificate.PrivateKeyPassword.ToCharArray()); + config.JobCertificate?.PrivateKeyPassword?.ToCharArray()); } _logger.LogTrace( 
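Review bot: `BuildName` passes `commonName` to `RightTrimAfter` even when no `CN=` was found, and `RightTrimAfter` reads `input.Length` without a null check, so a chain certificate whose subject has no common name throws a NullReferenceException out of PerformAddition; guard with `if (string.IsNullOrEmpty(input)) return string.Empty;` and fall back to a thumbprint prefix when the CN is absent. The manual `IndexOf("CN=")`/`IndexOf(',')` parse also cuts quoted or escaped commas (`CN="Example, Inc"`) and matches a `CN=` that occurs inside another attribute's value; `cert.certificate.GetNameInfo(X509NameType.SimpleName, false)` already handles these cases. The resulting name is sent unescaped as `certificate-name=` in the import URL and later as the trusted-root `element` in an xpath, so a value taken from a certificate subject should be reduced to a conservative character set (for example letters, digits, `-`, `_`, `.`) rather than only having spaces replaced. `DateTime.Now` in the prefix should be `DateTime.UtcNow`, consistent with the alias suffix elsewhere in this commit.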
@@ -535,7 +562,7 @@ private string CommitChanges(ManagementJobConfiguration config, PaloAltoClient c } private Task SetBindings(ManagementJobConfiguration config, PaloAltoClient client, - string templateName) + string templateName,string aliasName) { //Handle the Profile Bindings try @@ -543,7 +570,7 @@ private Task SetBindings(ManagementJobConfiguration config var profileRequest = new EditProfileRequest { Name = JobEntryParams.TlsProfileName, - Certificate = config.JobCertificate.Alias + Certificate = aliasName }; var pMinVersion = new ProfileMinVersion { Text = JobEntryParams.TlsMinVersion }; var pMaxVersion = new ProfileMaxVersion { Text = JobEntryParams.TlsMaxVersion }; 
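Review bot: `SetBindings` now receives the store path twice — the only caller in this commit passes `config.CertificateStoreDetails.StorePath` as `templateName`, and the body forwards `config.CertificateStoreDetails.StorePath` as the third argument to `SubmitEditProfile`, which derives the template from that path — so the `templateName` parameter is misleading and redundant; rename it to `storePath` and pass it once, or remove the ignored client argument. The new signature line `string templateName,string aliasName` is also missing the space after the comma. SetBindings continues outside the hunk.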
@@ -555,32 +582,198 @@ private Task SetBindings(ManagementJobConfiguration config reqSerializer.Serialize(reqWriter, profileRequest); _logger.LogTrace($"Profile Request {reqWriter}"); - return client.SubmitEditProfile(profileRequest, templateName); + return client.SubmitEditProfile(profileRequest, templateName, config.CertificateStoreDetails.StorePath); } catch (Exception e) { _logger.LogError($"Error Occurred in Management.SetBindings {LogHandler.FlattenException(e)}"); throw; } + } + + private List<(X509Certificate2 certificate, string type)> GetCertificateChain(string jobCertificate, string password) + { + // Decode the base64-encoded chain to get the bytes + byte[] certificateChainBytes = Convert.FromBase64String(jobCertificate); + + // Create a collection to hold the certificates + X509Certificate2Collection certificateCollection = new X509Certificate2Collection(); + + // Load the certificates from the byte array + certificateCollection.Import(certificateChainBytes, password, X509KeyStorageFlags.Exportable); + + // Identify the root certificate + X509Certificate2 rootCertificate = FindRootCertificate(certificateCollection); + + // Create a list to hold the ordered certificates + List<(X509Certificate2 certificate, string certType)> orderedCertificates = new List<(X509Certificate2, string)>(); + + // Add the root certificate to the ordered list + if (rootCertificate != null) + orderedCertificates.Add((rootCertificate, "root")); + + // Add intermediate certificates to the ordered list and mark them as intermediate + foreach (X509Certificate2 certificate in certificateCollection) + { + // Exclude root certificate + if (!certificate.Equals(rootCertificate)) + { + // Check if the certificate is not the leaf certificate + bool isLeaf = true; + foreach (X509Certificate2 potentialIssuer in certificateCollection) + { + if (certificate.Subject == potentialIssuer.Issuer && !potentialIssuer.Equals(certificate)) + { + isLeaf = false; + break; + } + } + + // If the 
certificate is not the leaf certificate, add it as an intermediate certificate + if (!isLeaf) + { + orderedCertificates.Add((certificate, "intermediate")); + } + } + } + + // Add leaf certificates to the ordered list + foreach (X509Certificate2 certificate in certificateCollection) + { + if (!orderedCertificates.Exists(c => c.certificate != null && c.certificate.Equals(certificate))) + { + orderedCertificates.Add((certificate, "leaf")); + } + } + + return orderedCertificates; + } + + + private X509Certificate2 FindRootCertificate(X509Certificate2Collection certificates) + { + foreach (X509Certificate2 certificate in certificates) + { + if (IsRootCertificate(certificate, certificates)) + { + return certificate; + } + } + + // Return null if no root certificate is found + return null; + } + + private bool IsRootCertificate(X509Certificate2 certificate, X509Certificate2Collection certificates) + { + // Check if the certificate is self-signed + if (certificate.Subject == certificate.Issuer) + { + // Check if there is no issuer in the collection with a matching subject + foreach (X509Certificate2 issuerCertificate in certificates) + { + if (issuerCertificate.Subject == certificate.Subject && !issuerCertificate.Equals(certificate)) + { + return false; + } + } + + return true; + } + + return false; + } + + static string[] ExtractCertificateData(string text) + { + List certDataList = new List(); + int startIndex = 0; + + while (startIndex != -1) + { + startIndex = text.IndexOf("-----BEGIN CERTIFICATE-----", startIndex, StringComparison.Ordinal); + if (startIndex != -1) + { + int endIndex = text.IndexOf("-----END CERTIFICATE-----", startIndex, StringComparison.Ordinal); + if (endIndex != -1) + { + int length = endIndex - startIndex - "-----BEGIN CERTIFICATE-----".Length; + if (length >= 0) + { + certDataList.Add(text.Substring(startIndex + "-----BEGIN CERTIFICATE-----".Length, length)); + startIndex = endIndex + "-----END CERTIFICATE-----".Length; + } + else + { + break; + 
} + } + else + { + break; + } + } + } + + return certDataList.ToArray(); + } + + public static string ExportToPem(X509Certificate2 certificate) + { + StringBuilder builder = new StringBuilder(); + builder.AppendLine("-----BEGIN CERTIFICATE-----"); + builder.AppendLine(Convert.ToBase64String(certificate.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)); + builder.AppendLine("-----END CERTIFICATE-----"); + return builder.ToString(); + } + + static string RemoveWhitespace(string input) + { + StringBuilder sb = new StringBuilder(); + foreach (char c in input) + { + if (!char.IsWhiteSpace(c)) + { + sb.Append(c); + } + } + return sb.ToString(); + } + + private bool ThumbprintFound(string thumbprintToSearch, List certificates, CertificateListResponse rawCertificatesResult) + { + foreach (var responseItem in rawCertificatesResult.CertificateResult.Entry) + { + string[] certDataArray = ExtractCertificateData(responseItem.PublicKey); + + // Remove whitespace characters and parse each certificate + foreach (string certData in certDataArray) + { + byte[] rawData = Convert.FromBase64String(RemoveWhitespace(certData)); + X509Certificate2 cert = new X509Certificate2(rawData); + certificates.Add(cert); + } + } + + X509Certificate2 foundCertificate = certificates.FirstOrDefault(cert => cert.Thumbprint != null && cert.Thumbprint.Equals(thumbprintToSearch, StringComparison.OrdinalIgnoreCase)); + if (foundCertificate != null) + return true; + + return false; } - private ErrorSuccessResponse SetTrustedRoot(bool trustedRoot, string jobCertificateAlias, PaloAltoClient client, + private ErrorSuccessResponse SetTrustedRoot(string jobCertificateAlias, PaloAltoClient client, string templateName) { _logger.MethodEntry(LogLevel.Debug); try { - if (trustedRoot) - { - var result = client.SubmitSetTrustedRoot(jobCertificateAlias, templateName); - _logger.LogTrace(result.Result.LineMsg.Line.Count > 0 - ? 
$"Set Trusted Root Response {string.Join(" ,", result.Result.LineMsg.Line)}" - : $"Set Trusted Root Response {result.Result.LineMsg.StringMsg}"); - return result.Result; - } - _logger.MethodExit(LogLevel.Debug); - return null; + var result = client.SubmitSetTrustedRoot(jobCertificateAlias, templateName); + _logger.LogTrace(result.Result.LineMsg.Line.Count > 0 + ? $"Set Trusted Root Response {string.Join(" ,", result.Result.LineMsg.Line)}" + : $"Set Trusted Root Response {result.Result.LineMsg.StringMsg}"); + return result.Result; } catch (Exception e) { diff --git a/PaloAlto/Validators.cs b/PaloAlto/Validators.cs index e1d57a2..3fb7602 100644 --- a/PaloAlto/Validators.cs +++ b/PaloAlto/Validators.cs @@ -13,6 +13,7 @@ // limitations under the License. using System.Linq; +using System.Text.RegularExpressions; using Keyfactor.Extensions.Orchestrator.PaloAlto.Client; using Keyfactor.Extensions.Orchestrator.PaloAlto.Models.Responses; using Keyfactor.Orchestrators.Common.Enums; @@ -44,6 +45,28 @@ public static string BuildPaloError(ErrorSuccessResponse bindingsResponseResult) if (!string.IsNullOrEmpty(errorResponse)) return errorResponse.Substring(0, errorResponse.Length - 2); return errorResponse; + } + + private static string GetTemplateName(string storePath) + { + string pattern = @"\/template\/entry\[@name='([^']+)'\]"; + Regex regex = new Regex(pattern); + Match match = regex.Match(storePath); + + string templateName = string.Empty; + if (match.Success) + { + templateName = match.Groups[1].Value; + } + + return templateName; + } + + static bool IsValidPanoramaFormat(string input) + { + string pattern = @"^/config/devices/entry\[@name='[^\]]+'\]/template/entry\[@name='[^']+'\]/config/shared$"; + Regex regex = new Regex(pattern); + return regex.IsMatch(input); } public static (bool valid, JobResult result) ValidateStoreProperties(JobProperties storeProperties, 
@@ -51,8 +74,15 @@ public static (bool valid, JobResult result) ValidateStoreProperties(JobProperti { var errors = string.Empty; + //Check path Validity for either panorama shared location or firewall shared location or panorama level certificates + if (storePath != "/config/panorama" && storePath != "/config/shared" && !IsValidPanoramaFormat(storePath)) + { + errors += + "Path is invalid needs to be /config/panorama, /config/shared or in format of /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TemplateName']/config/shared."; + } + // If it is a firewall (store path of /) then you don't need the Group Name - if (storePath== "/") + if (!storePath.Contains("template",System.StringComparison.CurrentCultureIgnoreCase)) if (!string.IsNullOrEmpty(storeProperties?.DeviceGroup)) { errors += @@ -60,7 +90,7 @@ public static (bool valid, JobResult result) ValidateStoreProperties(JobProperti } // Considered Panorama device if store path is not "/" and there is a valid value for store path - if (storePath != "/") + if (storePath.Contains("template", System.StringComparison.CurrentCultureIgnoreCase)) { var client = new PaloAltoClient(clientMachine, @@ -84,7 +114,7 @@ public static (bool valid, JobResult result) ValidateStoreProperties(JobProperti //Validate Template Exists in Panorama, required for Panorama var templateList = client.GetTemplateList(); - var templates = templateList.Result.Result.Entry.Where(d => d.Name == storePath); + var templates = templateList.Result.Result.Entry.Where(d => d.Name == GetTemplateName(storePath)); if (!templates.Any()) { errors += diff --git a/PaloAltoTestConsole/KeyfactorClient.cs b/PaloAltoTestConsole/KeyfactorClient.cs index 087f6e6..ea705d6 100644 --- a/PaloAltoTestConsole/KeyfactorClient.cs +++ b/PaloAltoTestConsole/KeyfactorClient.cs 
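Review bot: The firewall/Panorama branch split in `ValidateStoreProperties` now hinges on `storePath.Contains("template", System.StringComparison.CurrentCultureIgnoreCase)`, a culture-sensitive comparison on a configuration path; this should be `StringComparison.OrdinalIgnoreCase` in both places (the second hunk, `if (storePath.Contains("template", ...))`, has the same issue). Because `Contains("template")` is looser than `IsValidPanoramaFormat`, a path that already failed the format check but happens to contain the word (TC10's `CertificatesTemplate1`, for example) still enters the Panorama branch, constructs a `PaloAltoClient`, and calls `GetTemplateList()` only to compare against `GetTemplateName(storePath)`, which is empty for such a path and can never match. Consider short-circuiting once the path is known to be invalid, e.g. append the error and `return (false, ...)` before the client is created, so the only network call made is for well-formed paths; the rest of `ValidateStoreProperties`, including its return, lies outside these hunks so the exact return shape should be checked there. The error text `"Path is invalid needs to be ..."` would also read better as `"Path is invalid; it must be /config/panorama, /config/shared, or of the form /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TemplateName']/config/shared."`.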
@@ -1,4 +1,18 @@ -using System; +// Copyright 2023 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; using System.Collections.Generic; using System.Text; using System.Threading.Tasks; @@ -11,16 +25,15 @@ public class KeyfactorClient { public async Task EnrollCertificate(string commonName) { - var options = new RestClientOptions("https://URLToKeyfactor"); + var options = new RestClientOptions("https://kfcommandurl.com"); var client = new RestClient(options); var request = new RestRequest("/KeyfactorAPI/Enrollment/PFX", Method.Post); request.AddHeader("X-Keyfactor-Requested-With", "APIClient"); request.AddHeader("x-certificateformat", "PFX"); - request.AddHeader("Authorization", "Basic BasicAuthKey"); + request.AddHeader("Authorization", "Basic fsadfsdafds="); request.AddHeader("Content-Type", "application/json"); var enrollRequest = new KeyfactorEnrollmentRequest { - CustomFriendlyName = "2 Year Web Server", Password = "sldfklsdfsldjfk", PopulateMissingValuesFromAD = false, Subject = $"CN={commonName}", @@ -35,7 +48,7 @@ public async Task EnrollCertificate(string commonName sans.DNS = dnsList; enrollRequest.SANs = sans; request.AddBody(enrollRequest); - var response = await client.ExecuteAsync(request); + var response = await client.ExecutePostAsync(request); return response.Data; } diff --git a/PaloAltoTestConsole/KeyfactorEnrollmentRequest.cs b/PaloAltoTestConsole/KeyfactorEnrollmentRequest.cs index 32cc1ea..28c3623 100644 
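Review bot: `EnrollCertificate` now carries a token-shaped hard-coded credential, `request.AddHeader("Authorization", "Basic fsadfsdafds=");`, alongside the literal PFX password `Password = "sldfklsdfsldjfk"` and a fixed base URL; the previous value `BasicAuthKey` was at least self-evidently a placeholder, whereas the new one looks like a real secret, will trip secret scanners, and invites the next person to paste a genuine one into source. Read these from the environment instead, e.g. `var auth = Environment.GetEnvironmentVariable("KF_BASIC_AUTH") ?? throw new InvalidOperationException("KF_BASIC_AUTH not set");` followed by `request.AddHeader("Authorization", $"Basic {auth}");`, and do the same for the PFX password and the Keyfactor URL. Even in a test console, a comment such as `// Credentials are supplied via environment variables; never commit real values` documents the intent. `EnrollCertificate`'s body continues outside this hunk.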
--- a/PaloAltoTestConsole/KeyfactorEnrollmentRequest.cs +++ b/PaloAltoTestConsole/KeyfactorEnrollmentRequest.cs @@ -1,4 +1,18 @@ -using System; +// Copyright 2023 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; using System.Collections.Generic; using System.Text; diff --git a/PaloAltoTestConsole/KeyfactorEnrollmentResult.cs b/PaloAltoTestConsole/KeyfactorEnrollmentResult.cs index 363b023..1224392 100644 --- a/PaloAltoTestConsole/KeyfactorEnrollmentResult.cs +++ b/PaloAltoTestConsole/KeyfactorEnrollmentResult.cs @@ -1,4 +1,18 @@ -using System; +// Copyright 2023 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License + +using System; using System.Collections.Generic; using System.Text; 
@@ -13,6 +27,9 @@ public class CertificateInformation public int KeyfactorId { get; set; } public string Pkcs12Blob { get; set; } public object Password { get; set; } + public string WorkflowInstanceId { get; set; } + public int WorkflowReferenceId { get; set; } + public List StoreIdsInvalidForRenewal { get; set; } public int KeyfactorRequestId { get; set; } public string RequestDisposition { get; set; } public string DispositionMessage { get; set; } @@ -21,6 +38,7 @@ public class CertificateInformation public class Metadata { + public string OID { get; set; } } public class KeyfactorEnrollmentResult @@ -28,4 +46,6 @@ public class KeyfactorEnrollmentResult public CertificateInformation CertificateInformation { get; set; } public Metadata Metadata { get; set; } } + + } diff --git a/PaloAltoTestConsole/PanoramaMgmt.json b/PaloAltoTestConsole/PanoramaMgmt.json index 53c7483..a4bafa9 100644 --- a/PaloAltoTestConsole/PanoramaMgmt.json +++ b/PaloAltoTestConsole/PanoramaMgmt.json @@ -23,7 +23,6 @@ "ServerPassword": "PasswordGoesHere", "UseSSL": true, "JobProperties": { - "Trusted Root": false, "TlsMinVersion": "TlsMinVersionGoesHere", "TLSMaxVersion": "TlsMaxVersionGoesHere", "TlsProfileName": "TlsProfileNameGoesHere" diff --git a/PaloAltoTestConsole/Program.cs b/PaloAltoTestConsole/Program.cs index aa1e992..c4c5f52 100644 --- a/PaloAltoTestConsole/Program.cs +++ b/PaloAltoTestConsole/Program.cs @@ -34,7 +34,6 @@ internal class Program public static string ClientMachine { get; set; } public static string DeviceGroup { get; set; } public static string StorePath { get; set; } - public static string TrustedRoot { get; set; } public static string BindingName { get; set; } public static string TlsMinVersion { get; set; } public static string TlsMaxVersion { get; set; } 
@@ -49,10 +48,10 @@ private static async Task Main(string[] args) var arguments = new Dictionary(); - Thread.Sleep(10000); + Thread.Sleep(20000); foreach (var argument in args) { - var splitted = argument.Split('='); + var splitted = argument.Split('=',2); if (splitted.Length == 2) arguments[splitted[0]] = splitted[1]; } @@ -122,7 +121,6 @@ private static async Task Main(string[] args) CertAlias = arguments["-certalias"]; TlsMinVersion = arguments["-tlsminversion"]; TlsMaxVersion= arguments["-tlsmaxversion"]; - TrustedRoot= arguments["-trustedroot"]; Overwrite = arguments["-overwrite"]; } else @@ -135,8 +133,6 @@ private static async Task Main(string[] args) TlsMaxVersion = Console.ReadLine(); Console.WriteLine("Enter Cert Alias"); CertAlias = Console.ReadLine(); - Console.WriteLine("Trusted Root (True or False)?"); - TrustedRoot = Console.ReadLine(); Console.WriteLine("Overwrite (True or False)?"); Overwrite = Console.ReadLine(); } @@ -219,11 +215,6 @@ public static InventoryJobConfiguration GetPanoramaInventoryJobConfiguration() public static ManagementJobConfiguration GetManagementJobConfiguration() { - var trustedRootReplaceString = "\"Trusted Root\": false"; - if (TrustedRoot.ToUpper() == "TRUE") - { - trustedRootReplaceString = "\"Trusted Root\": true"; - } var overWriteReplaceString = "\"Overwrite\": false"; if (Overwrite.ToUpper() == "TRUE") 
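Review bot: `Thread.Sleep(20000);` at the top of `Main` now delays every invocation of the test console by 20 seconds unconditionally, and `RunTest.bat` invokes the executable once per test case, so the suite pays that cost on every run; if the delay is there to allow attaching a debugger, make it opt-in, e.g. `if (args.Contains("-attach")) Thread.Sleep(20000); // give a debugger time to attach`. The switch to `argument.Split('=', 2)` is a good fix since the new Panorama store path contains `=` inside `[@name='...']`; a short comment above it (`// split on the first '=' only: values such as the XPath store path contain '='`) would keep someone from reverting it. `Main` starts and ends outside this hunk.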
@@ -236,7 +227,7 @@ public static ManagementJobConfiguration GetManagementJobConfiguration() .Replace("DeviceGroupGoesHere", DeviceGroup).Replace("AliasGoesHere", CertAlias) .Replace("ClientMachineGoesHere", ClientMachine).Replace("TlsProfileNameGoesHere", BindingName) .Replace("TlsMaxVersionGoesHere", TlsMaxVersion).Replace("TlsMinVersionGoesHere", TlsMinVersion) - .Replace("\"Trusted Root\": false",trustedRootReplaceString).Replace("\"Overwrite\": false",overWriteReplaceString) + .Replace("\"Overwrite\": false",overWriteReplaceString) .Replace("CertificateContentGoesHere", CertificateContent); var result = JsonConvert.DeserializeObject(fileContent); diff --git a/PaloAltoTestConsole/RunTest.bat b/PaloAltoTestConsole/RunTest.bat index deeeec3..7bdd29b 100644 --- a/PaloAltoTestConsole/RunTest.bat +++ b/PaloAltoTestConsole/RunTest.bat @@ -1,14 +1,16 @@ @echo off -cd C:\WhereeverTestConsoleExeIs -set FWMachine=SomeServer -set FWApiUser=SomeUser -set FWApiPassword=SomePassword -set PAMachine=SomeServer -set PAApiUser=SomeUser -set PAApiPassword=SomePassword +cd C:\Users\bhill\source\repos\paloalto-firewall-orchestrator\PaloAltoTestConsole\bin\Debug\netcoreapp3.1 +set FWMachine=urlToFW +set FWApiUser=someuser +set FWApiPassword=PWToFirewall +set PAMachine=urlToPan +set PAApiUser=PanUser +set PAApiPassword=PanPassword +goto :PAN + echo *********************************** echo Starting Single Firewall Test Cases echo *********************************** @@ -16,7 +18,7 @@ echo *********************************** set clientmachine=%FWMachine% set password=%FWApiPassword% set user=%FWApiUser% -set storepath=/ +set storepath=/config/shared echo *********************************** echo Starting Management Test Cases 
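Review bot: `goto :PAN` immediately after the `set` lines skips straight past the whole firewall section, so TC1–TC8 are never executed by this script as committed, and the `cd C:\Users\bhill\source\repos\...` line pins the script to one developer's checkout. Use `cd /d %~dp0` (or the build output directory relative to it) so the script runs from any clone, and either remove the `goto` or gate it, e.g. `if /i "%SUITE%"=="PAN" goto :PAN`, so the firewall cases run by default. The credential placeholders (`PWToFirewall`, `PanPassword`) are fine as placeholders, but since the script already passes `-password=%password%` on the command line, a comment reminding users to supply them via environment variables rather than editing the file would help.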
@@ -27,17 +29,15 @@ set casename=Management set cert=%random% set casename=Management set mgt=add -set trusted=false set overwrite=false echo ************************************************************************************************************************ -echo TC1 %mgt% with no biding information. Should do the %mgt% but give you a warning about missing bindings *not* trusted root +echo TC1 %mgt% with no biding information. Should do the %mgt% and add anything in the chain echo ************************************************************************************************************************ echo overwrite: %overwrite% -echo trusted: %trusted% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% set mgt=remove 
@@ -46,89 +46,72 @@ set overwrite=false echo: echo ******************************************************************************************************* -echo TC2 %mgt% missing bindings *not* trusted root. Should %mgt% the cert since there are no dependencies +echo TC2 %mgt% missing bindings. Should %mgt% the cert since there are no dependencies echo ******************************************************************************************************* echo overwrite: %overwrite% echo trusted: %trusted% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% -set trustedRoot=%random% +set cert=%random% set mgt=add -set trusted=true set overwrite=false +set tlsmin=tls1-2 +set tlsmax=max +set bindingname=FirewallOnlyBinding echo: -echo *********************************************************************************************************************** -echo TC3 %mgt% with no biding information. Should do the %mgt% but give you a warning about missing bindings *is* trusted root -echo *********************************************************************************************************************** +echo ***************************************************************************************************************** +echo TC3 %mgt% with biding information. 
Should do the %mgt% and bind to the tls profile, no overwrite is trusted root +echo ***************************************************************************************************************** echo overwrite: %overwrite% -echo trusted: %trusted% -echo cert name: %trustedRoot% +echo tlsmin: %tlsmin% +echo tlsmax: %tlsmax% +echo binding name: %bindingname% +echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%trustedRoot% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% set mgt=remove -set trusted=true -set overwrite=false - -echo: -echo ********************************************************************************************************** -echo TC4 %mgt% with no biding information. 
Should %mgt% the trusted root certificate and trusted root setting -echo ********************************************************************************************************** -echo overwrite: %overwrite% -echo trusted: %trusted% -echo cert name: %trustedRoot% - -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%trustedRoot% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% - - -set cert=%random% -set mgt=add -set trusted=true -set overwrite=false +set overwrite=true set tlsmin=tls1-2 set tlsmax=max set bindingname=FirewallOnlyBinding echo: -echo ***************************************************************************************************************** -echo TC5 %mgt% with biding information. Should do the %mgt% and bind to the tls profile, no overwrite is trusted root -echo ***************************************************************************************************************** +echo ************************************************************************************************************** +echo TC4 Case Try to remove a bound cert, should not be allowed unless you want to delete the binding too not good +echo ************************************************************************************************************** echo overwrite: %overwrite% -echo trusted: %trusted% echo tlsmin: %tlsmin% echo tlsmax: %tlsmax% echo binding name: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% 
-password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% set mgt=add -set trusted=true set overwrite=true set tlsmin=tls1-2 set tlsmax=max set bindingname=FirewallOnlyBinding echo: -echo ******************************************************************************************************************* -echo TC6 %mgt% with biding information. Should do the %mgt% and bind to the tls profile, with overwrite is trusted root -echo ******************************************************************************************************************* +echo *************************************************************************************************************** +echo TC5 %mgt% with biding information. Should do the %mgt% and bind to the tls profile, with overwrite,rename cert +echo *************************************************************************************************************** echo overwrite: %overwrite% -echo trusted: %trusted% echo tlsmin: %tlsmin% echo tlsmax: %tlsmax% echo binding name: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% set mgt=add -set trusted=true set overwrite=false set tlsmin=tls1-2 set tlsmax=max 
@@ -136,49 +119,46 @@ set bindingname=FirewallOnlyBinding echo: echo ************************************************************************************************************* -echo TC7 Case No Overwrite with biding information. Should warn the user that the need the overwrite flag checked +echo TC6 Case No Overwrite with biding information. Should warn the user that the need the overwrite flag checked echo ************************************************************************************************************* echo overwrite: %overwrite% -echo trusted: %trusted% echo tlsmin: %tlsmin% echo tlsmax: %tlsmax% echo binding name: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% - +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% -set mgt=remove -set trusted=true -set overwrite=true +set storepath=/config +set mgt=add +set overwrite=false set tlsmin=tls1-2 set tlsmax=max set bindingname=FirewallOnlyBinding echo: -echo ************************************************************************************************************** -echo TC8 Case Try to remove a bound cert, should not be allowed unless you want to delete the binding too not good -echo ************************************************************************************************************** +echo *************************************************** +echo TC7 Invalid Store Path - Job should fail with error +echo **************************************************** echo 
overwrite: %overwrite% -echo trusted: %trusted% echo tlsmin: %tlsmin% echo tlsmax: %tlsmax% echo binding name: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% echo: echo: echo *********************************** echo Starting Inventory Test Cases echo *********************************** - +set storepath=/config/shared set casename=Inventory echo: echo *************************************************************************************** -echo TC9 Firewall Inventory against firewall should return job status of "2" with no errors +echo TC8 Firewall Inventory against firewall should return job status of "2" with no errors echo *************************************************************************************** echo overwrite: %overwrite% echo trusted: %trusted% @@ -190,9 +170,9 @@ echo cert name: %cert% PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% echo: -echo *********************************** -echo Starting Single Panorama Test Cases -echo *********************************** +echo ********************************************* +echo Starting Panorama Shared Template Test Cases +echo ********************************************* set clientmachine=%PAMachine% set password=%PAApiPassword% 
@@ -209,7 +189,6 @@ set cert=%random% set storepath=CertificatesTemplate1 set casename=Management set mgt=add -set trusted=false set overwrite=false set devicegroup=Group1 echo: 
@@ -217,122 +196,59 @@ echo *************************************************************************** echo TC10 Invalid store path Test, should return a list of valid templates panorama templates to use and error out echo ************************************************************************************************************* echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% set casename=Management set mgt=add -set trusted=false set overwrite=false -set storepath=CertificatesTemplate +set storepath="/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='CertificatesTemplate']/config/shared" set devicegroup=Broup2 echo: echo ********************************************************************************************** echo TC11 Invalid Group Name, should return a list of valid Groups in panorama to use and error out echo ********************************************************************************************** echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= 
-trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% set cert=%random% set devicegroup=Group1 set mgt=add -set trusted=false set overwrite=false echo: -echo ***************************************************************************************************** -echo TC12 %mgt% certificate not trusted root, no overwrite, should %mgt% to Panorama and push to firewalls -echo ***************************************************************************************************** +echo ************************************************************************************ +echo TC12 %mgt% certificate no overwrite, should %mgt% to Panorama and push to firewalls +echo ************************************************************************************ echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% set mgt=remove -set trusted=false set overwrite=false echo: -echo ******************************************************************************************************* -echo TC13 %mgt% certificate not trusted root, no overwrite, should %mgt% from Panorama and push to firewalls -echo 
******************************************************************************************************* -echo overwrite: %overwrite% -echo trusted: %trusted% -echo store path: %storepath% -echo group name: %devicegroup% -echo cert name: %cert% - -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% - -set cert=%random% -set mgt=add -set trusted=true -set overwrite=false - -echo: -echo *********************************************************************************************** -echo TC14 %mgt% certificate trusted root, no overwrite, should %mgt% Panorama and push to firewalls -echo *********************************************************************************************** -echo overwrite: %overwrite% -echo trusted: %trusted% -echo store path: %storepath% -echo group name: %devicegroup% -echo cert name: %cert% - -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% - -set mgt=remove -set trusted=true -set overwrite=false -echo: -echo ******************************************************************************************************* -echo TC15 %mgt% certificate not trusted root, no overwrite, should %mgt% from Panorama and push to firewalls -echo ******************************************************************************************************* -echo overwrite: %overwrite% -echo trusted: %trusted% -echo store path: %storepath% -echo group name: %devicegroup% -echo cert name: %cert% - -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% 
-password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -trustedroot=%trusted% -overwrite=%overwrite% - - -set cert=%random% -set mgt=add -set trusted=true -set overwrite=false -set tlsmin=tls1-2 -set tlsmax=max -set bindingname=TestBindings -echo: -echo ********************************************************************************************************* -echo TC16 %mgt% with Bindings trusted root, no overwrite, should %mgt% to Panorama, Bind and push to firewalls -echo ********************************************************************************************************* +echo ************************************************************************************* +echo TC13 %mgt% certificate no overwrite, should %mgt% from Panorama and push to firewalls +echo ************************************************************************************* echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% -echo tlsmin: %tlsmin% -echo tlsmax: %tlsmax% -echo bindingname: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% set cert=%random% set mgt=add -set trusted=false set overwrite=false set tlsmin=tls1-2 set tlsmax=max 
@@ -342,7 +258,6 @@ echo *************************************************************************** echo TC17 %mgt% with Bindings not trusted, no overwrite, should %mgt% to Panorama, Bind and push to firewalls echo ********************************************************************************************************* echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo tlsmin: %tlsmin% @@ -350,11 +265,10 @@ echo tlsmax: %tlsmax% echo bindingname: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% set cert=OverwriteCertPA set mgt=add -set trusted=false set overwrite=false set tlsmin=tls1-2 set tlsmax=max @@ -364,7 +278,6 @@ echo *************************************************************************** echo TC18 %mgt% with Bindings not trusted, no overwrite, should %mgt% to Panorama, Bind and push to firewalls echo ********************************************************************************************************* echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo tlsmin: %tlsmin% 
@@ -372,10 +285,9 @@ echo tlsmax: %tlsmax% echo bindingname: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% set mgt=add -set trusted=false set overwrite=false set tlsmin=tls1-2 set tlsmax=max @@ -386,7 +298,6 @@ echo TC19 %mgt% with Bindings not trusted, no overwrite, should warn user that t echo ************************************************************************************************** echo this is prep for TC20 and TC21 echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo tlsmin: %tlsmin% @@ -394,10 +305,9 @@ echo tlsmax: %tlsmax% echo bindingname: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% set mgt=remove -set trusted=false set overwrite=false set tlsmin=tls1-2 set tlsmax=max 
@@ -407,7 +317,6 @@ echo *************************************************************************** echo TC20 %mgt% with Bindings not allow should error out, can't delete cert without deleting binding echo *********************************************************************************************** echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo tlsmin: %tlsmin% @@ -415,11 +324,10 @@ echo tlsmax: %tlsmax% echo bindingname: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% set mgt=add -set trusted=false set overwrite=true set tlsmin=tls1-2 set tlsmax=max @@ -429,7 +337,6 @@ echo *************************************************************************** echo TC21 %mgt%, Overwrite with Bindings not trusted, no overwrite, should overwrite cert and binding echo ************************************************************************************************ echo overwrite: %overwrite% -echo trusted: %trusted% echo store path: %storepath% echo group name: %devicegroup% echo tlsmin: %tlsmin% 
@@ -437,7 +344,7 @@ echo tlsmax: %tlsmax% echo bindingname: %bindingname% echo cert name: %cert% -PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -trustedroot=%trusted% -overwrite=%overwrite% +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% echo: echo: echo *********************************** 
@@ -458,4 +365,120 @@ echo cert name: %cert% PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup=%devicegroup% -managementtype=%mgt% +:PAN + +echo: +echo ********************************************* +echo Starting Panorama Level certs Test Cases +echo ********************************************* + +set clientmachine=%PAMachine% +set password=%PAApiPassword% +set user=%PAApiUser% +echo: +echo *********************************** +echo Starting Management Test Cases +echo *********************************** +set casename=Management + +set cert=%random% +set storepath=/config/panorama +set casename=Management +set mgt=add +set overwrite=false +echo: +echo **************************************************** +echo TC22 Install Certificate Pan Level with No Bindings +echo **************************************************** +echo overwrite: %overwrite% +echo store path: %storepath% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% + +echo: +echo ************************************************************* +echo TC23 Duplicate Certificate No overwrite flag should warn user +echo ************************************************************* +echo overwrite: %overwrite% +echo store path: %storepath% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% + +set overwrite=true + +echo: +echo ************************************************************* +echo TC24 Duplicate Certificate overwrite flag renames certificate +echo 
************************************************************* +echo overwrite: %overwrite% +echo store path: %storepath% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% + +set mgt=remove + +echo: +echo ************************************************************* +echo TC25 Delete unbound certificate should delete this. +echo ************************************************************* +echo overwrite: %overwrite% +echo store path: %storepath% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% + +set cert=%random% +set mgt=add +set overwrite=true +set tlsmin=tls1-2 +set tlsmax=max +set bindingname=PanLevelBindings + +echo: +echo ************************************************************* +echo TC26 Create Certificate and Bind To TLS Profile +echo ************************************************************* +echo overwrite: %overwrite% +echo store path: %storepath% +echo tlsmin: %tlsmin% +echo tlsmax: %tlsmax% +echo bindingname: %bindingname% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% + +set mgt=remove + +echo: +echo ************************************************************* +echo TC27 Delete bound certificate should warn user can't do this +echo ************************************************************* +echo overwrite: %overwrite% 
+echo store path: %storepath% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion= -tlsmaxversion= -bindingname= -overwrite=%overwrite% + + +set mgt=add +set overwrite=true +set tlsmin=tls1-2 +set tlsmax=max +set bindingname=PanLevelBindings + +echo: +echo ************************************************************* +echo TC28 Replace bound certificate, should rename and rebind +echo ************************************************************* +echo overwrite: %overwrite% +echo store path: %storepath% +echo tlsmin: %tlsmin% +echo tlsmax: %tlsmax% +echo bindingname: %bindingname% +echo cert name: %cert% + +PaloAltoTestConsole.exe -clientmachine=%clientmachine% -casename=%casename% -user=%user% -password=%password% -storepath=%storepath% -devicegroup= -managementtype=%mgt% -certalias=%cert% -tlsminversion=%tlsmin% -tlsmaxversion=%tlsmax% -bindingname=%bindingname% -overwrite=%overwrite% @pause diff --git a/README.md b/README.md index 82a7f8b..dd5c1e2 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Palo Alto Orchestrator -Palo Alto Panorama/Firewall Orchestrator for Add, Remove and Inventory. +The Palo Alto Orchestrator remotely manages certificates on either the Palo Alto PA-VM Firewall Device or the Panorama. If using Panorama, it will push changes to all the devices from Panorama. It supports adding certificates with or without private keys. Palo Alto does not support incremental certificate inventory. If you have large numbers of certificates in your environment it is recommended to limit the frequency of inventory jobs to 30 minutes or more. #### Integration status: Production - Ready for use in production environments. 
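Review bot: `set casename=Management` is assigned twice in the new `:PAN` section, once under the "Starting Management Test Cases" banner and again right after `set storepath=/config/panorama`; the second assignment is redundant and should be dropped. The case numbering also disagrees with the README test table added in this same commit: the script labels the Panorama-level cases TC22–TC28 while the README lists them as TC18–TC25, so console output cannot be matched against the documented expected results. Every new PaloAltoTestConsole.exe invocation passes `-password=%password%` as a command-line argument, which exposes the API password in process listings and console transcripts; if the console can read it from an environment variable instead, the scripts should use that. `%PAMachine%`, `%PAApiUser%` and `%PAApiPassword%` are presumably defined before the `:PAN` label is reached, which is outside this hunk.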
@@ -39,7 +39,7 @@ The Keyfactor Universal Orchestrator may be installed on either Windows or Linux |Supports Management Remove|✓ | | |Supports Create Store| | | |Supports Discovery| | | -|Supports Renrollment|✓ | | +|Supports Renrollment| | | |Supports Inventory|✓ | | @@ -98,18 +98,10 @@ This text would be entered in as the value for the __Server Password__, instead --- -**Palo Alto Orchestrator Device Configuration** - -**Overview** - -The Palo Alto Orchestrator remotely manages certificates on either the Palo Alto PA-VM Firewall Device or the Panorama. If using Panorama, it will push changes to all the devices from Panorama. - -This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this Orchestrator. It supports adding certificates with or without private keys. - -NOTE: Palo Alto does not support incremental certificate inventory. If you have large numbers of certificates in your environment it is recommended to limit the frequency of inventory jobs to 30 minutes or more. - -**1. Create the New Certificate Store Type for either the PA-VM Firewall Device or Panorama** - +## CERT STORE SETUP AND GENERAL PERMISSIONS +
+ Cert Store Type Configuration + In Keyfactor Command create a new Certificate Store Type similar to the one below: #### STORE TYPE CONFIGURATION @@ -139,66 +131,74 @@ DeviceGroup |Device Group |String | |Unchecked |No #### ENTRY PARAMETERS FOR STORE TYPE NAME | DISPLAY NAME | TYPE | DEFAULT VALUE | DEPENDS ON | REQUIRED WHEN |DESCRIPTION --------------|-----------------|----------------|-------------- |-------------|---------------|-------------- -Trusted Root |Trusted Root |Bool |False |Unchecked |Adding an Entry|Will set the certificate as Trusted Root in Panorama or on the Firewall TlsMinVersion |TLS Min Version |Multiple Choice | |Unchecked |No |Min TLS Version for the Binding (,tls1-0,tls1-1,tls1-2) note first multiple choice item is empty TlsMaxVersion |TLS Max Version |Multiple Choice | |Unchecked |No |Max TLS Version for the Binding (,tls1-0,tls1-1,tls1-2,max) note first multiple choice item is empty TlsProfileName|TLS Profile Name |String | |Unchecked |No |Name of the binding to deploy certificate to ServerUseSsl |Use SSL |Bool |True |Unchecked |Yes |Requires SSL Connection +
-**2. Register the PaloAlto Orchestrator with Keyfactor** -See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. - -**3. Create a Palo Alto Certificate Store within Keyfactor Command** - -In Keyfactor Command create a new Certificate Store similar to the one below +
+PaloAlto Certificate Store +In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION ----------------|--------------- Category |The type of certificate store to be configured. Select category based on the display name configured above "PaloAlto". Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. -Client Machine |The hostname of the Panorama or Firewall. Sample is "keyfactorpa.eastus2.cloudapp.azure.com". -Store Path |If Panorama it is the name of the Template in Panorama if Firewall then "/" +Client Machine |The hostname of the Panorama or Firewall. Sample is "palourl.cloudapp.azure.com". +Store Path | **Panorama Level Certs:**
/config/panorama
**Firewall Certs:**
/config/shared
**Panorama Template Certs:**
/config
/devices
/entry[@name='localhost.localdomain']
/template
/entry[@name='CertificatesTemplate']
/config
/shared
if using Panorama Templates where 'CertificateTemplate' is the actual name of the template Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. Use SSL |This should be checked. User |ApiUser Setup for either Panorama or the Firewall Device Password |Api Password Setup for the user above +
+ +
+API User Setup Permissions in Panorama or Firewall Required -#### API User Setup Permissions in Panorama or Firewall Required Tab | Security Items --------------|-------------------------- Xml Api |Report,Log,Configuration,Operational Requests,Commit,Export,Import Rest Api |Objects/Devices,Panorama/Scheduled Config Push,Panorama/Templates,Panorama/Template Stacks,Panorama/Device Groups,System/Configuration,Plugins/Plugins *** -#### TEST CASES -Case Number|Store Path|Screenshot/Description ------------|----------|---------------------- -TC1|/|![](images/TC1.png) -TC2|/|![](images/TC2.png) -TC3|/|![](images/TC3.png) -TC4|/|![](images/TC4.png) -TC5|/|![](images/TC5.png) -TC6|/|![](images/TC6.png) -TC7|/|![](images/TC7.png) -TC8|/|![](images/TC8.png) -TC9|/|![](images/TC9.png) -TC10|/|![](images/TC10.png) -TC11|/|![](images/TC11.png) -TC12|CertificatesTemplate|![](images/TC12-F.png) ![](images/TC12-P.png) -TC13|CertificatesTemplate|![](images/TC13-F.png) ![](images/TC13-P.png) -TC14|CertificatesTemplate|![](images/TC14-F.png) ![](images/TC14-P.png) -TC15|CertificatesTemplate|![](images/TC15-F.png) ![](images/TC15-P.png) -TC16|CertificatesTemplate|![](images/TC16-F.png) ![](images/TC16-P.png) -TC17|CertificatesTemplate|![](images/TC17-F1.png) ![](images/TC17-F2.png) ![](images/TC17-P1.png) ![](images/TC17-P2.png) -TC18|CertificatesTemplate|![](images/TC18-F1.png) ![](images/TC18-F2.png) ![](images/TC18-P1.png) ![](images/TC18-P2.png) -TC19|CertificatesTemplate|![](images/TC19.png) -TC20|CertificatesTemplate|![](images/TC20.png) -TC21|CertificatesTemplate|![](images/TC21-F.png) ![](images/TC21-P.png) -TC22|CertificatesTemplate|![](images/TC22-P.png) - - +
+ +## Test Cases +
+Firewall, Panorama Template and Panorama Level + +Case Number|Case Name|Store Path|Enrollment Params|Expected Results|Passed|Screenshots +-------|----------|------------------|--------------------|----------------------------|----|-------- +TC1|Firewall Enroll No Bindings|/config/shared|**Alias**:
TC1|Cert and Chain Installed on Firewall|True|![](images/TC1.gif) +TC2|Firewall Remove No Bindings|/config/shared|**Alias**:
TC1|Cert Removed From Firewall|True|![](images/TC2.gif) +TC3|Firewall Enroll Bindings|/config/shared|**Alias**:
TC3
**TLS Min Version**:
tls1-0
**TLS Max Version**:
max
**TLS Profile Name**:
FirewallOnlyBinding|Cert added to Firewall and Bound to TLS Profile|True|![](images/TC3.gif) +TC4|Firewall Remove Bound Certificate|/config/shared|N/A|Will not Remove Bound certificate Error Occurs|True|![](images/TC4.gif) +TC5|Firewall One Click Renew Bound Cert|/config/shared|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC5.gif) +TC6|Firewall Configure Renew Bound Cert|/config/shared|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC6.gif) +TC7|Firewall Invalid Store Path|/config|N/A|Errors out with Invalid path.|True|![](images/TC7.gif) +TC8|Firewall Inventory|/config/shared|N/A|Job Completes with Inventory of certificates from Firewall.|True|![](images/TC8.gif) +TC9|Panorama Template Enroll No Bindings|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config
/shared|**Alias**:
TC9|Cert and Chain Installed on Panorama Template and pushed to the firewall.|True|![](images/TC9.gif) +TC10|Panorama Template Remove No Bindings|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config
/shared|**Alias**:
TC9|Cert Removed From Panorama and pushed to firewalls|True|![](images/TC10.gif) +TC11|Panorama Template Enroll Bindings|/config
/devices
/entry[@name=
'localhost.localdomain']
/template/entry[@name=
'CertificatesTemplate']
/config
/shared|**Alias**:
TC11
**TLS Min Version**:
tls1-0
**TLS Max Version**:
max
**TLS Profile Name**:
TestBindings|Cert added to Pan Template, Bound to TLS Profile and pushed to firewalls|True|![](images/TC11.gif) +TC12|Panorama Template Remove Bound Certificate|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config/
shared|N/A|Will Not Remove Certificate because it is bound. Error will show.|True|![](images/TC12.gif) +TC13|Panorama Template One Click Renew Bound Cert|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config/
shared|N/A|Renews cert create with new name bind. Leave old one around. Push to Firewalls|True|![](images/TC13.gif) +TC14|Panorama Template Configure Renew Bound Cert|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config/
shared|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC14.gif) +TC15|Panorama Template Invalid **Template** in Store Path|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate1']
/config/
shared|N/A|Errors out saying template does not exist|True|![](images/TC15.gif) +TC16|Panorama Template Invalid Store Path|/config
/devices[@name=
'CertificatesTemplate1']
/config
/shared|N/A|Errors out saying invalid path|True|![](images/TC16.gif) +TC17|Panorama Template Inventory|/config
/devices
/entry
[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config
/
shared|N/A|Job Completes with Inventory of certificates from Panorama Template.|True|![](images/TC17.gif) +TC18|Panorama Enroll No Bindings|/config/panorama|**Alias**:
TC18|Cert and Chain Installed on Panorama|True|![](images/TC18.gif) +TC19|Panorama Remove No Bindings|/config/panorama|**Alias**:
TC19|Cert Removed From Panorama|True|![](images/TC19.gif) +TC20|Panorama Add Bindings|/config/panorama|**Alias**:
TC20
**TLS Min Version**:
tls1-0
**TLS Max Version**:
max
**TLS Profile Name**:
PanLevelBindings|Cert added to Panorama and Bound to TLS Profile|True|![](images/TC20.gif) +TC21|Panorama Remove Bound Certificate|/config/panorama|N/A|Will not Remove Bound certificate Error Occurs|True|![](images/TC21.gif) +TC22|Panorama One Click Renew Bound Cert|/config/panorama|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC22.gif) +TC23|Panorama Configure Renew Bound Cert|/config/panorama|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC23.gif) +TC24|Panorama Invalid Store Path|/panorama|N/A|Errors out with Invalid path.|True|![](images/TC24.gif) +TC25|Panorama Inventory|/config/panorama|N/A|Job Completes with Inventory of certificates from Panorama.|True|![](images/TC25.gif) + +
diff --git a/images/InventoryLocation1.gif b/images/InventoryLocation1.gif deleted file mode 100644 index 5a9fb6a..0000000 Binary files a/images/InventoryLocation1.gif and /dev/null differ diff --git a/images/InventoryLocation2.gif b/images/InventoryLocation2.gif deleted file mode 100644 index d7b0945..0000000 Binary files a/images/InventoryLocation2.gif and /dev/null differ diff --git a/images/TC1.gif b/images/TC1.gif new file mode 100644 index 0000000..16c3757 Binary files /dev/null and b/images/TC1.gif differ diff --git a/images/TC1.png b/images/TC1.png deleted file mode 100644 index 98815c8..0000000 Binary files a/images/TC1.png and /dev/null differ diff --git a/images/TC10.gif b/images/TC10.gif new file mode 100644 index 0000000..2759461 Binary files /dev/null and b/images/TC10.gif differ diff --git a/images/TC10.png b/images/TC10.png deleted file mode 100644 index c11ae3b..0000000 Binary files a/images/TC10.png and /dev/null differ diff --git a/images/TC11.gif b/images/TC11.gif new file mode 100644 index 0000000..d5ecc03 Binary files /dev/null and b/images/TC11.gif differ diff --git a/images/TC11.png b/images/TC11.png deleted file mode 100644 index badbac7..0000000 Binary files a/images/TC11.png and /dev/null differ diff --git a/images/TC12-F.png b/images/TC12-F.png deleted file mode 100644 index 23dd705..0000000 Binary files a/images/TC12-F.png and /dev/null differ diff --git a/images/TC12-P.png b/images/TC12-P.png deleted file mode 100644 index 7410c57..0000000 Binary files a/images/TC12-P.png and /dev/null differ diff --git a/images/TC12.gif b/images/TC12.gif new file mode 100644 index 0000000..3a85c23 Binary files /dev/null and b/images/TC12.gif differ diff --git a/images/TC13-F.png b/images/TC13-F.png deleted file mode 100644 index 3ea6dd0..0000000 Binary files a/images/TC13-F.png and /dev/null differ diff --git a/images/TC13-P.png b/images/TC13-P.png deleted file mode 100644 index 35a020f..0000000 Binary files a/images/TC13-P.png and /dev/null differ 
diff --git a/images/TC13.gif b/images/TC13.gif new file mode 100644 index 0000000..903781a Binary files /dev/null and b/images/TC13.gif differ diff --git a/images/TC14-F.png b/images/TC14-F.png deleted file mode 100644 index 7772ada..0000000 Binary files a/images/TC14-F.png and /dev/null differ diff --git a/images/TC14-P.png b/images/TC14-P.png deleted file mode 100644 index 26caca8..0000000 Binary files a/images/TC14-P.png and /dev/null differ diff --git a/images/TC14.gif b/images/TC14.gif new file mode 100644 index 0000000..233a863 Binary files /dev/null and b/images/TC14.gif differ diff --git a/images/TC15-F.png b/images/TC15-F.png deleted file mode 100644 index 1067e04..0000000 Binary files a/images/TC15-F.png and /dev/null differ diff --git a/images/TC15-P.png b/images/TC15-P.png deleted file mode 100644 index 5aa1833..0000000 Binary files a/images/TC15-P.png and /dev/null differ diff --git a/images/TC15.gif b/images/TC15.gif new file mode 100644 index 0000000..be19fe5 Binary files /dev/null and b/images/TC15.gif differ diff --git a/images/TC16-F.png b/images/TC16-F.png deleted file mode 100644 index b435d8e..0000000 Binary files a/images/TC16-F.png and /dev/null differ diff --git a/images/TC16-P.png b/images/TC16-P.png deleted file mode 100644 index 37da260..0000000 Binary files a/images/TC16-P.png and /dev/null differ diff --git a/images/TC16.gif b/images/TC16.gif new file mode 100644 index 0000000..407577c Binary files /dev/null and b/images/TC16.gif differ diff --git a/images/TC17-F1.png b/images/TC17-F1.png deleted file mode 100644 index ed24a96..0000000 Binary files a/images/TC17-F1.png and /dev/null differ diff --git a/images/TC17-F2.png b/images/TC17-F2.png deleted file mode 100644 index 4a98a72..0000000 Binary files a/images/TC17-F2.png and /dev/null differ diff --git a/images/TC17-P1.png b/images/TC17-P1.png deleted file mode 100644 index 8427cac..0000000 Binary files a/images/TC17-P1.png and /dev/null differ 
diff --git a/images/TC17-P2.png b/images/TC17-P2.png deleted file mode 100644 index 4b51240..0000000 Binary files a/images/TC17-P2.png and /dev/null differ diff --git a/images/TC17.gif b/images/TC17.gif new file mode 100644 index 0000000..c298f6a Binary files /dev/null and b/images/TC17.gif differ diff --git a/images/TC18-F1.png b/images/TC18-F1.png deleted file mode 100644 index f15315f..0000000 Binary files a/images/TC18-F1.png and /dev/null differ diff --git a/images/TC18-F2.png b/images/TC18-F2.png deleted file mode 100644 index 8337688..0000000 Binary files a/images/TC18-F2.png and /dev/null differ diff --git a/images/TC18-P1.png b/images/TC18-P1.png deleted file mode 100644 index 77916df..0000000 Binary files a/images/TC18-P1.png and /dev/null differ diff --git a/images/TC18-P2.png b/images/TC18-P2.png deleted file mode 100644 index 6e89da3..0000000 Binary files a/images/TC18-P2.png and /dev/null differ diff --git a/images/TC18.gif b/images/TC18.gif new file mode 100644 index 0000000..2cfdadb Binary files /dev/null and b/images/TC18.gif differ diff --git a/images/TC19.gif b/images/TC19.gif new file mode 100644 index 0000000..05d45f8 Binary files /dev/null and b/images/TC19.gif differ diff --git a/images/TC19.png b/images/TC19.png deleted file mode 100644 index 5f1762d..0000000 Binary files a/images/TC19.png and /dev/null differ diff --git a/images/TC2.gif b/images/TC2.gif new file mode 100644 index 0000000..4de64e3 Binary files /dev/null and b/images/TC2.gif differ diff --git a/images/TC2.png b/images/TC2.png deleted file mode 100644 index 1acf5bc..0000000 Binary files a/images/TC2.png and /dev/null differ diff --git a/images/TC20.gif b/images/TC20.gif new file mode 100644 index 0000000..593cd36 Binary files /dev/null and b/images/TC20.gif differ diff --git a/images/TC20.png b/images/TC20.png deleted file mode 100644 index af329df..0000000 Binary files a/images/TC20.png and /dev/null differ 
diff --git a/images/TC21-F.png b/images/TC21-F.png deleted file mode 100644 index 0546f03..0000000 Binary files a/images/TC21-F.png and /dev/null differ diff --git a/images/TC21-P.png b/images/TC21-P.png deleted file mode 100644 index 4504511..0000000 Binary files a/images/TC21-P.png and /dev/null differ diff --git a/images/TC21.gif b/images/TC21.gif new file mode 100644 index 0000000..047cce2 Binary files /dev/null and b/images/TC21.gif differ diff --git a/images/TC22-P.png b/images/TC22-P.png deleted file mode 100644 index 8747a21..0000000 Binary files a/images/TC22-P.png and /dev/null differ diff --git a/images/TC22.gif b/images/TC22.gif new file mode 100644 index 0000000..5e07538 Binary files /dev/null and b/images/TC22.gif differ diff --git a/images/TC23.gif b/images/TC23.gif new file mode 100644 index 0000000..7695cc5 Binary files /dev/null and b/images/TC23.gif differ diff --git a/images/TC24.gif b/images/TC24.gif new file mode 100644 index 0000000..355d3cc Binary files /dev/null and b/images/TC24.gif differ diff --git a/images/TC25.gif b/images/TC25.gif new file mode 100644 index 0000000..a40a8f0 Binary files /dev/null and b/images/TC25.gif differ diff --git a/images/TC3.gif b/images/TC3.gif new file mode 100644 index 0000000..f47a783 Binary files /dev/null and b/images/TC3.gif differ diff --git a/images/TC3.png b/images/TC3.png deleted file mode 100644 index 1a26aca..0000000 Binary files a/images/TC3.png and /dev/null differ diff --git a/images/TC4.gif b/images/TC4.gif new file mode 100644 index 0000000..ca1e6bc Binary files /dev/null and b/images/TC4.gif differ diff --git a/images/TC4.png b/images/TC4.png deleted file mode 100644 index 8f9292a..0000000 Binary files a/images/TC4.png and /dev/null differ diff --git a/images/TC5-Bind.png b/images/TC5-Bind.png deleted file mode 100644 index ca8646f..0000000 Binary files a/images/TC5-Bind.png and /dev/null differ 
diff --git a/images/TC5-Cert.png b/images/TC5-Cert.png deleted file mode 100644 index ac7f616..0000000 Binary files a/images/TC5-Cert.png and /dev/null differ diff --git a/images/TC5.gif b/images/TC5.gif new file mode 100644 index 0000000..12239e7 Binary files /dev/null and b/images/TC5.gif differ diff --git a/images/TC6-Bind.png b/images/TC6-Bind.png deleted file mode 100644 index efe6843..0000000 Binary files a/images/TC6-Bind.png and /dev/null differ diff --git a/images/TC6-Cert.png b/images/TC6-Cert.png deleted file mode 100644 index 356dc31..0000000 Binary files a/images/TC6-Cert.png and /dev/null differ diff --git a/images/TC6.gif b/images/TC6.gif new file mode 100644 index 0000000..1718971 Binary files /dev/null and b/images/TC6.gif differ diff --git a/images/TC7.gif b/images/TC7.gif new file mode 100644 index 0000000..dd2f89b Binary files /dev/null and b/images/TC7.gif differ diff --git a/images/TC7.png b/images/TC7.png deleted file mode 100644 index b9c2114..0000000 Binary files a/images/TC7.png and /dev/null differ diff --git a/images/TC8.gif b/images/TC8.gif new file mode 100644 index 0000000..4dbd838 Binary files /dev/null and b/images/TC8.gif differ diff --git a/images/TC8.png b/images/TC8.png deleted file mode 100644 index 503a08a..0000000 Binary files a/images/TC8.png and /dev/null differ diff --git a/images/TC9.gif b/images/TC9.gif new file mode 100644 index 0000000..a60b6a7 Binary files /dev/null and b/images/TC9.gif differ diff --git a/images/TC9.png b/images/TC9.png deleted file mode 100644 index 1ec8a06..0000000 Binary files a/images/TC9.png and /dev/null differ diff --git a/integration-manifest.json b/integration-manifest.json index a7dc9a2..64b7e52 100644 --- a/integration-manifest.json +++ b/integration-manifest.json 
@@ -6,7 +6,7 @@
 "update_catalog": true,
 "link_github": true,
 "support_level": "kf-supported",
- "description": "Palo Alto Panorama/Firewall Orchestrator for Add, Remove and Inventory.",
+ "description": "The Palo Alto Orchestrator remotely manages certificates on either the Palo Alto PA-VM Firewall Device or the Panorama. If using Panorama, it will push changes to all the devices from Panorama. It supports adding certificates with or without private keys. Palo Alto does not support incremental certificate inventory. If you have large numbers of certificates in your environment it is recommended to limit the frequency of inventory jobs to 30 minutes or more.",
 "about": {
 "orchestrator": {
 "UOFramework": "10.1",
@@ -16,7 +16,7 @@
 "supportsDiscovery": false,
 "supportsManagementAdd": true,
 "supportsManagementRemove": true,
- "supportsReenrollment": true,
+ "supportsReenrollment": false,
 "supportsInventory": true,
 "platformSupport": "Unused"
 },
@@ -28,7 +28,108 @@
 "supportsReenrollment": false,
 "supportsInventory": false,
 "platformSupport": "Unused"
- }
+ },
+ "store_types": [
+ {
+ "Name": "PaloAlto",
+ "ShortName": "PaloAlto",
+ "Capability": "PaloAlto",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": true
+ },
+ {
+ "Name": "DeviceGroup",
+ "DisplayName": "Device Group",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "TlsMinVersion",
+ "DisplayName": "TLS Min Version",
+ "Type": "MultipleChoice",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "Options": ",tls1-0,tls1-1,tls1-2"
+ },
+ {
+ "Name": "TLSMaxVersion",
+ "DisplayName": "TLS Max Version",
+ "Type": "MultipleChoice",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "Options": ",tls1-0,tls1-1,tls1-2,max"
+ },
+ {
+ "Name": "TlsProfileName",
+ "DisplayName": "TLS Profile Name",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ }
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [
+ "TlsMinVersion",
+ "TLSMaxVersion",
+ "TlsProfileName"
+ ],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ }
+ ]
 }
 }
 }
diff --git a/readme_source.md b/readme_source.md
index 0e9c741..ac4e97c 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -1,15 +1,7 @@
-**Palo Alto Orchestrator Device Configuration**
-
-**Overview**
-
-The Palo Alto Orchestrator remotely manages certificates on either the Palo Alto PA-VM Firewall Device or the Panorama. If using Panorama, it will push changes to all the devices from Panorama.
-
-This agent implements three job types – Inventory, Management Add, and Management Remove. Below are the steps necessary to configure this Orchestrator. It supports adding certificates with or without private keys.
-
-NOTE: Palo Alto does not support incremental certificate inventory. If you have large numbers of certificates in your environment it is recommended to limit the frequency of inventory jobs to 30 minutes or more.
-
-**1. Create the New Certificate Store Type for either the PA-VM Firewall Device or Panorama**
-
+## CERT STORE SETUP AND GENERAL PERMISSIONS
+
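Review bot: The entry parameter is declared as `"Name": "TLSMaxVersion"` (and listed the same way in `JobProperties`), while its siblings are `TlsMinVersion` and `TlsProfileName` and the readme table updated in this same commit spells it `TlsMaxVersion`. If the orchestrator resolves entry parameters by name — that code is outside this hunk — the casing mismatch would leave the configured TLS maximum unread and the profile would fall back to whatever the device defaults to, so the manifest and readme should agree; `"Name": "TlsMaxVersion",` in both places is the smaller change. Separately, `ServerUsername` and `ServerPassword` are `"Required": false` even though `ServerRequired` is `true`; if the PAN-OS API key is always derived from these two credentials, marking them required would surface a store without credentials at creation time rather than at the first failed job.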
+ Cert Store Type Configuration + In Keyfactor Command create a new Certificate Store Type similar to the one below: #### STORE TYPE CONFIGURATION @@ -39,65 +31,73 @@ DeviceGroup |Device Group |String | |Unchecked |No #### ENTRY PARAMETERS FOR STORE TYPE NAME | DISPLAY NAME | TYPE | DEFAULT VALUE | DEPENDS ON | REQUIRED WHEN |DESCRIPTION --------------|-----------------|----------------|-------------- |-------------|---------------|-------------- -Trusted Root |Trusted Root |Bool |False |Unchecked |Adding an Entry|Will set the certificate as Trusted Root in Panorama or on the Firewall TlsMinVersion |TLS Min Version |Multiple Choice | |Unchecked |No |Min TLS Version for the Binding (,tls1-0,tls1-1,tls1-2) note first multiple choice item is empty TlsMaxVersion |TLS Max Version |Multiple Choice | |Unchecked |No |Max TLS Version for the Binding (,tls1-0,tls1-1,tls1-2,max) note first multiple choice item is empty TlsProfileName|TLS Profile Name |String | |Unchecked |No |Name of the binding to deploy certificate to ServerUseSsl |Use SSL |Bool |True |Unchecked |Yes |Requires SSL Connection +
-**2. Register the PaloAlto Orchestrator with Keyfactor** -See Keyfactor InstallingKeyfactorOrchestrators.pdf Documentation. Get from your Keyfactor contact/representative. - -**3. Create a Palo Alto Certificate Store within Keyfactor Command** - -In Keyfactor Command create a new Certificate Store similar to the one below +
+PaloAlto Certificate Store +In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. #### STORE CONFIGURATION CONFIG ELEMENT |DESCRIPTION ----------------|--------------- Category |The type of certificate store to be configured. Select category based on the display name configured above "PaloAlto". Container |This is a logical grouping of like stores. This configuration is optional and does not impact the functionality of the store. -Client Machine |The hostname of the Panorama or Firewall. Sample is "keyfactorpa.eastus2.cloudapp.azure.com". -Store Path |If Panorama it is the name of the Template in Panorama if Firewall then "/" +Client Machine |The hostname of the Panorama or Firewall. Sample is "palourl.cloudapp.azure.com". +Store Path | **Panorama Level Certs:**
/config/panorama
**Firewall Certs:**
/config/shared
**Panorama Template Certs:**
/config
/devices
/entry[@name='localhost.localdomain']
/template
/entry[@name='CertificatesTemplate']
/config
/shared
if using Panorama Templates where 'CertificateTemplate' is the actual name of the template Orchestrator |This is the orchestrator server registered with the appropriate capabilities to manage this certificate store type. Inventory Schedule |The interval that the system will use to report on what certificates are currently in the store. Use SSL |This should be checked. User |ApiUser Setup for either Panorama or the Firewall Device Password |Api Password Setup for the user above +
+ +
+API User Setup Permissions in Panorama or Firewall Required -#### API User Setup Permissions in Panorama or Firewall Required Tab | Security Items --------------|-------------------------- Xml Api |Report,Log,Configuration,Operational Requests,Commit,Export,Import Rest Api |Objects/Devices,Panorama/Scheduled Config Push,Panorama/Templates,Panorama/Template Stacks,Panorama/Device Groups,System/Configuration,Plugins/Plugins *** -#### TEST CASES -Case Number|Store Path|Screenshot/Description ------------|----------|---------------------- -TC1|/|![](images/TC1.png) -TC2|/|![](images/TC2.png) -TC3|/|![](images/TC3.png) -TC4|/|![](images/TC4.png) -TC5|/|![](images/TC5.png) -TC6|/|![](images/TC6.png) -TC7|/|![](images/TC7.png) -TC8|/|![](images/TC8.png) -TC9|/|![](images/TC9.png) -TC10|/|![](images/TC10.png) -TC11|/|![](images/TC11.png) -TC12|CertificatesTemplate|![](images/TC12-F.png) ![](images/TC12-P.png) -TC13|CertificatesTemplate|![](images/TC13-F.png) ![](images/TC13-P.png) -TC14|CertificatesTemplate|![](images/TC14-F.png) ![](images/TC14-P.png) -TC15|CertificatesTemplate|![](images/TC15-F.png) ![](images/TC15-P.png) -TC16|CertificatesTemplate|![](images/TC16-F.png) ![](images/TC16-P.png) -TC17|CertificatesTemplate|![](images/TC17-F1.png) ![](images/TC17-F2.png) ![](images/TC17-P1.png) ![](images/TC17-P2.png) -TC18|CertificatesTemplate|![](images/TC18-F1.png) ![](images/TC18-F2.png) ![](images/TC18-P1.png) ![](images/TC18-P2.png) -TC19|CertificatesTemplate|![](images/TC19.png) -TC20|CertificatesTemplate|![](images/TC20.png) -TC21|CertificatesTemplate|![](images/TC21-F.png) ![](images/TC21-P.png) -TC22|CertificatesTemplate|![](images/TC22-P.png) - - +
+ +## Test Cases +
+Firewall, Panorama Template and Panorama Level + +Case Number|Case Name|Store Path|Enrollment Params|Expected Results|Passed|Screenshots +-------|----------|------------------|--------------------|----------------------------|----|-------- +TC1|Firewall Enroll No Bindings|/config/shared|**Alias**:
TC1|Cert and Chain Installed on Firewall|True|![](images/TC1.gif) +TC2|Firewall Remove No Bindings|/config/shared|**Alias**:
TC1|Cert Removed From Firewall|True|![](images/TC2.gif) +TC3|Firewall Enroll Bindings|/config/shared|**Alias**:
TC3
**TLS Min Version**:
tls1-0
**TLS Max Version**:
max
**TLS Profile Name**:
FirewallOnlyBinding|Cert added to Firewall and Bound to TLS Profile|True|![](images/TC3.gif) +TC4|Firewall Remove Bound Certificate|/config/shared|N/A|Will not Remove Bound certificate Error Occurs|True|![](images/TC4.gif) +TC5|Firewall One Click Renew Bound Cert|/config/shared|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC5.gif) +TC6|Firewall Configure Renew Bound Cert|/config/shared|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC6.gif) +TC7|Firewall Invalid Store Path|/config|N/A|Errors out with Invalid path.|True|![](images/TC7.gif) +TC8|Firewall Inventory|/config/shared|N/A|Job Completes with Inventory of certificates from Firewall.|True|![](images/TC8.gif) +TC9|Panorama Template Enroll No Bindings|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config
/shared|**Alias**:
TC9|Cert and Chain Installed on Panorama Template and pushed to the firewall.|True|![](images/TC9.gif) +TC10|Panorama Template Remove No Bindings|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config
/shared|**Alias**:
TC9|Cert Removed From Panorama and pushed to firewalls|True|![](images/TC10.gif) +TC11|Panorama Template Enroll Bindings|/config
/devices
/entry[@name=
'localhost.localdomain']
/template/entry[@name=
'CertificatesTemplate']
/config
/shared|**Alias**:
TC11
**TLS Min Version**:
tls1-0
**TLS Max Version**:
max
**TLS Profile Name**:
TestBindings|Cert added to Pan Template, Bound to TLS Profile and pushed to firewalls|True|![](images/TC11.gif) +TC12|Panorama Template Remove Bound Certificate|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config/
shared|N/A|Will Not Remove Certificate because it is bound. Error will show.|True|![](images/TC12.gif) +TC13|Panorama Template One Click Renew Bound Cert|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config/
shared|N/A|Renews cert create with new name bind. Leave old one around. Push to Firewalls|True|![](images/TC13.gif) +TC14|Panorama Template Configure Renew Bound Cert|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config/
shared|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC14.gif) +TC15|Panorama Template Invalid **Template** in Store Path|/config
/devices
/entry[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate1']
/config/
shared|N/A|Errors out saying template does not exist|True|![](images/TC15.gif) +TC16|Panorama Template Invalid Store Path|/config
/devices[@name=
'CertificatesTemplate1']
/config
/shared|N/A|Errors out saying invalid path|True|![](images/TC16.gif) +TC17|Panorama Template Inventory|/config
/devices
/entry
[@name=
'localhost.localdomain']
/template
/entry[@name=
'CertificatesTemplate']
/config
/
shared|N/A|Job Completes with Inventory of certificates from Panorama Template.|True|![](images/TC17.gif) +TC18|Panorama Enroll No Bindings|/config/panorama|**Alias**:
TC18|Cert and Chain Installed on Panorama|True|![](images/TC18.gif) +TC19|Panorama Remove No Bindings|/config/panorama|**Alias**:
TC19|Cert Removed From Panorama|True|![](images/TC19.gif) +TC20|Panorama Add Bindings|/config/panorama|**Alias**:
TC20
**TLS Min Version**:
tls1-0
**TLS Max Version**:
max
**TLS Profile Name**:
PanLevelBindings|Cert added to Panorama and Bound to TLS Profile|True|![](images/TC20.gif) +TC21|Panorama Remove Bound Certificate|/config/panorama|N/A|Will not Remove Bound certificate Error Occurs|True|![](images/TC21.gif) +TC22|Panorama One Click Renew Bound Cert|/config/panorama|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC22.gif) +TC23|Panorama Configure Renew Bound Cert|/config/panorama|N/A|Renews cert create with new name bind. Leave old one around.|True|![](images/TC23.gif) +TC24|Panorama Invalid Store Path|/panorama|N/A|Errors out with Invalid path.|True|![](images/TC24.gif) +TC25|Panorama Inventory|/config/panorama|N/A|Job Completes with Inventory of certificates from Panorama.|True|![](images/TC25.gif) + +
\ No newline at end of file