The Clearpass AnyCA Gateway REST plugin extends the capabilities of Aruba Clearpass Onboard to Keyfactor Command via the Keyfactor AnyCA Gateway REST. The plugin represents a fully featured AnyCA REST Plugin with the following capabilities:
- CA Sync:
  - Download all certificates issued to the customer by the Clearpass CA.
- Certificate enrollment for the Clearpass products listed in the manifest file:
  - Support certificate enrollment (new keys/certificate)
  - Support certificate re-issuance/renewal (new public/private keys with the same or different domain names).
- Certificate revocation:
  - Request revocation of a previously issued certificate.
The Aruba Clearpass Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 24.2.0 and later.
The Aruba Clearpass Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
- Login to the ClearPass Admin console using your administrator credentials.
- Navigate to Administration > API Services > API Clients.
- Click on the Add API Client button to create a new API client.
- Client ID:
  - Enter some value such as `Client1` in the Client ID field.
  - This is the value you will use in Keyfactor for the API Client ID when setting up the CA.
- Description:
  - You can provide a description for this API client, such as "Sample API client for testing purposes," in the Description field.
- Enabled:
  - Ensure the Enabled checkbox is selected. This means the API client will be active and able to make API calls.
- Operating Mode:
  - Select ClearPass REST API - Client will be used for API calls to ClearPass from the Operating Mode dropdown.
- Operator Profile:
  - Select Super Administrator from the Operator Profile dropdown.
  - This profile will provide the API client with the necessary permissions to interact with ClearPass.
- Grant Type:
  - Select Client credentials (`grant_type=client_credentials`) from the Grant Type dropdown.
  - This means the API client will authenticate using its client credentials.
- Client Secret:
  - Since this is a non-public client, ensure the Generate a new client secret checkbox is selected.
  - The system will generate a new client secret. For example, `FFFDDDCCCRRR4444DDDDDDDDDDD`.
  - Note: The client secret is used in the OAuth2 `client_secret` parameter and will be encrypted once stored, so be sure to copy it securely.
- Access Token Lifetime:
  - Enter `8` in the Access Token Lifetime field.
  - Select hours from the dropdown. This means the access token will be valid for 8 hours.
- Once all fields are configured, click the Create API Client button to save the new API client.
- If you need to cancel, click the Cancel button.
- Use the Client ID (`Client1`) and Client Secret (`FFFDDDCCCRRR4444DDDDDDDDDDD`) in your Gateway Configuration Settings.
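
One way to check that the new API client's credentials return a bearer token, and that the token is reused for its configured lifetime rather than requested on every call. This is an added example, not code from the plugin, Keyfactor or Aruba; the `/api/oauth` token path, the `clearpass.example` host, the `TokenSource` and `demo` names and the stub reply are assumptions made for illustration.

```python
import json
import time
import urllib.request

TOKEN_PATH = "/api/oauth"  # assumption: ClearPass OAuth2 token endpoint, not named on the page

def http_post_json(url, payload):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenSource:
    """Client-credentials token fetcher that reuses the token until shortly before expiry."""
    def __init__(self, base_url, client_id, client_secret,
                 post=http_post_json, clock=time.monotonic, skew=60):
        if not base_url.lower().startswith("https://"):
            raise ValueError("BaseUrl must be https:// so the secret is never sent in clear text")
        self._url = base_url.rstrip("/") + TOKEN_PATH
        self._payload = {"grant_type": "client_credentials",
                         "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def bearer(self):
        """Return the Authorization header value, requesting a new token only when needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            reply = self._post(self._url, self._payload)
            if "access_token" not in reply:
                raise RuntimeError("token request rejected: %s" % reply.get("error", "unknown"))
            self._token = reply["access_token"]
            self._expires_at = now + int(reply.get("expires_in", 0)) - self._skew
        return "Bearer " + self._token

def demo():
    """Offline run against a constructed stub reply (8 hours = 28800 s); no network is used."""
    calls, now = [], [0.0]
    def stub(url, payload):
        calls.append((url, payload["grant_type"]))
        return {"access_token": "tok%d" % len(calls), "expires_in": 28800}
    src = TokenSource("https://clearpass.example:8443", "Client1", "constructed-secret",
                      post=stub, clock=lambda: now[0])
    seen = []
    for t in (0, 3600, 28800):      # at issue, one hour later, after the lifetime elapsed
        now[0] = t
        seen.append(src.bearer())
    return seen, calls
```

Against a real server, construct `TokenSource` without the `post` and `clock` arguments and read the client secret from a protected store rather than a literal.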
- Log in to ClearPass Policy Manager:
  - Open your web browser and navigate to the ClearPass Policy Manager login page.
  - Enter your credentials and log in.
- Navigate to the Certificate Authorities Page:
  - Go to Onboard > Certificate Authorities.
- Select the Certificate Authority:
  - Find the Certificate Authority you are interested in.
  - Click the Edit button next to the Certificate Authority.
- Locate the ID in the URL:
  - Once the edit page opens, look at the URL in your browser's address bar.
  - The ID of the Certificate Authority will be part of the URL. It usually appears as a numeric value after `id=`.
- Command Gateway Translation:
  - This will be used when setting up the Gateway as the CaId as explained in the Configuration section.

At the time of writing, there was no API call available to get a list of Certificate Authorities in ClearPass Onboard. Therefore, this method of extracting the ID from the URL was the only known way to obtain it.

- Log in to ClearPass Policy Manager:
  - Open your web browser and navigate to the ClearPass Policy Manager login page.
  - Enter your credentials and log in.
- Navigate to the Certificate Authority Trust Chain Page:
  - Go to Onboard > Certificate Authorities.
  - Click on the appropriate Certificate Authority.
  - Click the Trust Chain link.
- Download the Trust Chain Bundle:
  - Click the Download Bundle link on the Certificate Authority Trust Chain page.
  - The Export Certificate form will open.
  - In the Format row, choose the certificate format.
  - Follow the prompts to download the trust chain bundle.
- Save the Bundle:
  - Save the downloaded bundle to a secure location on your computer.
- Using The Intermediate Certificate:
  - Extract the Intermediate Certificate from the Bundle. This will be the certificate used when setting up the CA on the Gateway.

- Install the AnyCA Gateway REST per the official Keyfactor documentation.
- On the server hosting the AnyCA Gateway REST, download and unzip the latest Aruba Clearpass Gateway AnyCA Gateway REST plugin from GitHub.
- Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory. Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
  - `Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions`
  - `Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions`

  The directory containing the Aruba Clearpass Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory.
- Restart the AnyCA Gateway REST service.
- Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the Aruba Clearpass Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
- Follow the official AnyCA Gateway REST documentation to define a new Certificate Authority, and use the notes below to configure the Gateway Registration and CA Connection tabs:
  - Gateway Registration

    Each defined Certificate Authority in the AnyCA Gateway REST can support one issuing certificate authority. Since Aruba ClearPass Onboard has multiple available Certificate Authorities, if you require certificate enrollment from multiple Aruba ClearPass Certificate Authorities, you must define multiple Certificate Authorities in the AnyCA Gateway REST. This will manifest in Command as one Aruba ClearPass CA per defined Certificate Authority.
  - CA Connection

    Populate using the configuration fields collected in the requirements section.
    - ClientSecret - Client Secret for Generating Bearer Token
    - BaseUrl - Base Url for ClearPass API such as https://url:8443
    - ClearPassApiClient - ClearPass API Client Name
    - ClearPassCaId - ClearPass Ca Id. Example would be 2. In ClearPass Onboard UI, click edit on the Ca and look at the id in the Url.
    - Enabled - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available.
- Define Certificate Profiles and Certificate Templates for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The Aruba Clearpass Gateway plugin supports the following product IDs:
  - ca
  - code-signing
  - https
  - tls-client
  - trusted
- Follow the official Keyfactor documentation to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.

Apache License 2.0, see LICENSE.
See all Keyfactor Any CA Gateways (REST).