Update idnomic.md

bhillkeyfactor · web-flow · commit 2016ac660937 · 2025-11-11T13:41:18.000-05:00
diff --git a/docsource/idnomic.md b/docsource/idnomic.md
@@ -1 +1,388 @@
+## Requirements
+
+### Idnomic PKI System Prerequisites
+
+Before configuring the AnyCA Gateway plugin, ensure the following prerequisites are met on your Idnomic PKI system:
+
+1. **Idnomic PKI Installation**:
+   - Idnomic PKI server must be installed and operational.  Only tested with 4.9.2 version of IDNOMIC.  Other version may or may not work.
+   - RA (Registration Authority) connector must be enabled and accessible
+   - SOAP interface must be configured and reachable
+
+2. **Client Certificate Authentication**:
+   - A client certificate must be issued for the AnyCA Gateway service to authenticate to Idnomic
+   - The certificate must be trusted by the Idnomic PKI system
+   - Certificate must be exported in PFX/PKCS#12 format with private key
+
+3. **Network Connectivity**:
+   - Gateway server must have network access to the Idnomic RA connector endpoint
+   - Default endpoint format: `https://<server>:<port>/RA/connector.cgi`
+   - TLS/SSL must be properly configured
+
+### Obtaining Required Configuration Information
+
+#### 1. RA Connector Endpoint Address
+
+The RA Connector endpoint is the SOAP service URL for the Registration Authority connector.
+
+**To find the endpoint address:**
+
+1. Contact your Idnomic PKI administrator
+2. The standard format is: `https://<hostname>:<port>/RA/connector.cgi`
+3. Verify the endpoint is accessible from the Gateway server
+4. Confirm SOAP services are enabled on this endpoint
+
+**Example endpoint**: `https://idnomic-pki.example.com:8443/RA/connector.cgi`
+
+#### 2. Client Certificate for Authentication
+
+The Gateway authenticates to Idnomic using mutual TLS with a client certificate.
+
+**Steps to obtain and prepare the client certificate:**
+
+1. **Request a Client Certificate**:
+   - Contact your Idnomic PKI administrator
+   - Request a certificate suitable for SOAP client authentication
+   - Ensure the certificate includes the "Client Authentication" Extended Key Usage
+
+2. **Export the Certificate**:
+   - Export the certificate with its private key in PFX (PKCS#12) format
+   - Set a strong password for the PFX file
+   - Example filename: `gateway-client-cert.pfx`
+
+3. **Deploy the Certificate**:
+   - Copy the PFX file to a secure location on the Gateway server
+   - Recommended location: `C:\Program Files\Keyfactor\AnyGateway\Certificates\` (Windows)
+   - Or: `/opt/keyfactor/anygateway/certificates/` (Linux)
+   - Set appropriate file permissions to restrict access
+   - Record the full path and password for Gateway configuration
+
+#### 3. Certificate Profiles (Templates)
+
+Certificate profiles define the types of certificates that can be issued. The plugin automatically discovers available profiles from the Idnomic system.
+
+**To view available profiles:**
+
+1. The profiles are retrieved automatically when the CA is configured
+2. Profiles appear in Keyfactor Command as "Product IDs" after CA registration
+3. Each profile represents a certificate template configured in Idnomic PKI
+
+**Note**: Profile discovery uses the `list_profiles` SOAP operation. Ensure the client certificate has permissions to call this operation.
+
+#### 4. Zones
+
+Zones in Idnomic PKI represent organizational or security boundaries within the PKI hierarchy. Each certificate enrollment request must specify a zone.
+
+**Common zone examples**:
+- `Default`
+- `Production`
+- `Test`
+- `DMZ`
+- Custom zones as configured in your Idnomic PKI
+
+**To identify available zones:**
+
+1. Contact your Idnomic PKI administrator for the list of configured zones
+2. Zones may be visible through the `certificate_search_properties` operation
+3. Document the zone names exactly as they appear in the system (case-sensitive)
+
+### Supported Revocation Reasons
+
+The plugin supports the following standard CRL revocation reasons:
+
+| Reason Code | Reason Name | Description |
+|-------------|-------------|-------------|
+| 0 | Unspecified | No specific reason provided |
+| 1 | Key Compromise | Private key has been compromised |
+| 2 | CA Compromise | Certificate Authority has been compromised |
+| 3 | Affiliation Changed | Subject's affiliation has changed |
+| 4 | Superseded | Certificate has been superseded by a new certificate |
+
+**Note**: Not all Idnomic PKI configurations support all revocation reasons. Consult your Idnomic administrator for supported reasons in your environment.
+
+## Gateway Registration
+
+### CA Connection Configuration
+
+When registering the Idnomic CA in the AnyCA Gateway, you'll need to provide the following configuration parameters:
+
+| Parameter | Description | Required | Example |
+|-----------|-------------|----------|---------|
+| **EndpointAddress** | Full URL to the Idnomic RA connector SOAP endpoint | Yes | `https://idnomic.example.com:8443/RA/connector.cgi` |
+| **ClientCertLocation** | Full file path to the client certificate PFX file on the Gateway server | Yes | `C:\Certificates\gateway-client.pfx` |
+| **ClientCertPassword** | Password for the client certificate PFX file | Yes | `SecureP@ssw0rd` |
+| **Enabled** | Whether the CA connection is enabled | No (default: true) | `true` or `false` |
+
+### Template (Product) Configuration
+
+Each certificate template discovered from Idnomic requires configuration when used for enrollment:
+
+| Parameter | Description | Required | Example |
+|-----------|-------------|----------|---------|
+| **Zone** | The Idnomic PKI zone where certificates will be issued | Yes | `Production` |
+
+**Important Notes**:
+- Template names (Product IDs) are automatically discovered from Idnomic using the `list_profiles` operation
+- The Zone parameter must exactly match a zone configured in your Idnomic PKI system
+- Zone names are case-sensitive
+- Each template can be configured with a different zone if needed
+
+### Gateway Registration Notes
+
+- Each defined Certificate Authority in the AnyCA Gateway REST can support one Idnomic CA endpoint
+- If you have multiple Idnomic PKI instances or need to issue from different zones with different permissions, you must define multiple Certificate Authorities in the AnyCA Gateway
+- Each CA configuration will manifest in Command as a separate CA entry
+- The plugin uses SOAP-based communication exclusively; ensure the RA connector endpoint is properly configured for SOAP access
+- Client certificate authentication is mandatory and cannot be disabled
+- The "Enabled" flag allows you to temporarily disable a CA connection without removing the configuration
+
+### Security Considerations
+
+1. **Certificate Storage**: Store client certificates in a secure location with restricted file system permissions
+2. **Password Management**: Use strong passwords for client certificate PFX files and consider using a secrets management system
+3. **Network Security**: Ensure TLS/SSL is properly configured for the RA connector endpoint
+4. **Least Privilege**: Request client certificates with minimal required permissions in the Idnomic PKI system
+5. **Audit Logging**: Enable comprehensive logging in both the Gateway and Idnomic PKI for security monitoring
+
+## Troubleshooting
+
+### Connection Issues
+- Verify the RA connector endpoint URL is correct and accessible
+- Check that the client certificate is valid and not expired
+- Confirm the client certificate is trusted by the Idnomic PKI system
+- Review Gateway logs for SOAP communication errors
+
+### Profile Discovery Issues
+- Ensure the client certificate has permissions to call `list_profiles`
+- Verify the RA connector is properly configured in Idnomic
+- Check that profiles are published and available in the Idnomic system
+
+### Enrollment Failures
+- Verify the Zone parameter exactly matches a configured zone in Idnomic
+- Confirm the selected profile supports the requested certificate attributes
+- Check that the client certificate has enrollment permissions for the specified zone
+- Review Idnomic PKI logs for detailed error messages
+
+### Synchronization Issues
+- Confirm the client certificate has permissions to call `search_for_certificates`
+- Verify network connectivity and timeout settings
+- For large certificate databases, consider adjusting synchronization schedules
+
+## Test Cases
+
+### Test Case 1: CA Connection Validation
+
+**Objective**: Verify that the Gateway can successfully connect to the Idnomic RA connector using client certificate authentication.
+
+**Prerequisites**:
+- Idnomic PKI system is operational
+- Valid client certificate (PFX) is available
+- RA connector endpoint is accessible
+
+**Test Steps**:
+1. Configure the CA in AnyCA Gateway with valid connection parameters
+2. Click "Test Connection" or trigger the Ping operation
+3. Observe the connection result
+
+**Expected Results**:
+- Connection succeeds without errors
+- Gateway logs show successful SOAP authentication
+- No certificate validation errors occur
+
+**Verification**:
+- Review Gateway logs for successful connection message
+- Check Idnomic PKI logs for incoming authenticated connection
+- Verify no SSL/TLS errors in either system
+
+---
+
+### Test Case 2: Profile Discovery
+
+**Objective**: Verify that the Gateway can retrieve the list of available certificate profiles from Idnomic PKI.
+
+**Prerequisites**:
+- CA connection is successfully configured
+- At least one certificate profile is configured in Idnomic PKI
+- Client certificate has permissions to call `list_profiles`
+
+**Test Steps**:
+1. Save the CA configuration in AnyCA Gateway
+2. Navigate to the template/product configuration section
+3. Observe the list of available Product IDs
+
+**Expected Results**:
+- List of profiles is populated automatically
+- Profile names match those configured in Idnomic PKI
+- No empty or null profile names appear
+
+**Verification**:
+- Compare the list of profiles in Gateway with Idnomic PKI configuration
+- Verify profile names are correctly displayed
+- Check Gateway logs for successful `list_profiles` SOAP call
+
+---
+
+### Test Case 3: Certificate Enrollment - Valid Request
+
+**Objective**: Verify successful certificate enrollment through the plugin.
+
+**Prerequisites**:
+- CA and template are properly configured
+- Valid Zone parameter is configured for the template
+- Test CSR is available
+
+**Test Steps**:
+1. Submit an enrollment request via Keyfactor Command
+2. Specify the Idnomic CA and a valid template
+3. Provide a valid PKCS#10 CSR
+4. Wait for enrollment to complete
+
+**Expected Results**:
+- Enrollment completes successfully
+- Certificate is issued by Idnomic PKI
+- Certificate is returned to Keyfactor Command
+- Certificate appears in Command inventory
+
+**Verification**:
+- Verify certificate details match the CSR
+- Confirm certificate is present in Idnomic PKI database
+- Check that certificate chain is properly constructed
+- Validate certificate can be used for its intended purpose
+
+---
+
+### Test Case 4: Certificate Enrollment - Invalid Zone
+
+**Objective**: Verify proper error handling when an invalid zone is specified.
+
+**Prerequisites**:
+- CA and template are configured
+- Zone parameter is set to a non-existent zone name
+
+**Test Steps**:
+1. Submit an enrollment request with invalid Zone parameter
+2. Observe the enrollment result
+
+**Expected Results**:
+- Enrollment fails with clear error message
+- Error message indicates invalid zone
+- No certificate is issued
+- System remains stable
+
+**Verification**:
+- Check error message clarity and accuracy
+- Verify Gateway logs contain detailed error information
+- Confirm no partial enrollment occurred in Idnomic PKI
+
+---
+
+### Test Case 5: Certificate Synchronization - Full Sync
+
+**Objective**: Verify full certificate synchronization from Idnomic PKI to Keyfactor Command.
+
+**Prerequisites**:
+- CA is properly configured
+- Multiple certificates exist in Idnomic PKI
+- Synchronization is configured in Command
+
+**Test Steps**:
+1. Trigger a full synchronization job
+2. Wait for synchronization to complete
+3. Verify synchronized certificate count
+
+**Expected Results**:
+- All certificates from Idnomic PKI are synchronized
+- Certificate details are accurate (subject, serial number, dates, etc.)
+- No duplicate certificates appear
+- Synchronization completes without errors
+
+**Verification**:
+- Compare certificate count in Command vs. Idnomic PKI
+- Spot-check several certificates for data accuracy
+- Review synchronization logs for any warnings or errors
+- Verify certificate chains are properly synchronized
+
+---
+
+### Test Case 6: Certificate Synchronization - Incremental Sync
+
+**Objective**: Verify incremental synchronization only retrieves new certificates since last sync.
+
+**Prerequisites**:
+- Initial full synchronization has been completed
+- Timestamp of last sync is recorded
+- New certificates have been issued since last sync
+
+**Test Steps**:
+1. Note the timestamp of the last successful sync
+2. Issue one or more new certificates in Idnomic PKI
+3. Trigger an incremental synchronization
+4. Observe synchronized certificates
+
+**Expected Results**:
+- Only certificates issued after last sync are retrieved
+- Sync completes faster than full sync
+- All new certificates are properly synchronized
+- Previously synchronized certificates are not duplicated
+
+**Verification**:
+- Verify only recent certificates were processed
+- Check sync duration is appropriate for certificate count
+- Review Gateway logs to confirm incremental sync parameters
+- Validate certificate data integrity
+
+---
+
+### Test Case 7: Certificate Revocation - Key Compromise
+
+**Objective**: Verify certificate revocation with reason code 1 (Key Compromise).
+
+**Prerequisites**:
+- A valid certificate issued through the Gateway exists
+- Certificate is not already revoked
+
+**Test Steps**:
+1. Identify a test certificate to revoke
+2. Submit revocation request with reason "Key Compromise" (code 1)
+3. Wait for revocation to complete
+
+**Expected Results**:
+- Revocation succeeds
+- Certificate status changes to "Revoked" in Command
+- Certificate appears on CRL in Idnomic PKI
+- Revocation reason is correctly recorded
+
+**Verification**:
+- Check certificate status in Keyfactor Command
+- Verify certificate appears on Idnomic CRL with correct reason code
+- Confirm revocation timestamp is accurate
+- Validate certificate can no longer be used for authentication
+
+---
+
+### Test Case 8: Profile Properties Validation
+
+**Objective**: Verify that profile-specific properties are correctly enforced during enrollment.
+
+**Prerequisites**:
+- Profiles with different configurations exist (key sizes, validity periods, etc.)
+- Zone parameter is correctly configured
+
+**Test Steps**:
+1. Attempt enrollment with CSR matching profile requirements
+2. Attempt enrollment with CSR not matching profile requirements (e.g., wrong key size)
+3. Observe results
+
+**Expected Results**:
+- Valid enrollments succeed
+- Invalid enrollments fail with descriptive error messages
+- Profile constraints are properly enforced by Idnomic PKI
+
+**Verification**:
+- Review error messages for clarity
+- Verify Idnomic PKI rejects non-compliant requests
+- Check that valid certificates meet profile specifications
+- Confirm Gateway properly communicates validation errors
+
+---
 
