Managing orchestration gateways

Add a keystore

  • Windows

  • Linux

  • Docker

  1. Open the Windows command line.

  2. Navigate to the orchestration gateway installation directory.

  3. (Optional) To list keystores, run the following command.

    sectigo-og.exe keystore list
  4. Run the following command to add a keystore. Replace <type> with one of the following keystore types:

    • jks — for a JKS keystore

    • p12 — for a PKCS#12 keystore

      sectigo-og.exe keystore add <type> --name <name> --password <password>
  5. In SCM, navigate to Integrations > Orchestration Gateways and select your orchestration gateway.

  6. Click Sync Modules. A message confirms that the synchronization succeeded.

  7. Click Keystores. The new keystore is listed.

  1. Navigate to the orchestration gateway installation directory.

    cd /opt/sectigo-orchestration-gateway/bin
  2. (Optional) To list keystores, run the following command.

    ./sectigo-og keystore list
  3. Run the following command to add a keystore. Replace <type> with one of the following keystore types:

    • jks — for a JKS keystore

    • p12 — for a PKCS#12 keystore

      ./sectigo-og keystore add <type> --name <name> --password <password>
  4. In SCM, navigate to Integrations > Orchestration Gateways and select your orchestration gateway.

  5. Click Sync Modules. A message confirms that the synchronization succeeded.

  6. Click Keystores. The new keystore is listed.

    The keystore file is stored in /opt/sectigo-orchestration-gateway/config/.
  1. (Optional) To list keystores, run the following command.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og keystore list
  2. Run the following command to add a keystore. Replace <type> with one of the following keystore types:

    • jks — for a JKS keystore

    • p12 — for a PKCS#12 keystore

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og keystore add <type> --name <name> --password <password>
  3. In SCM, navigate to Integrations > Orchestration Gateways and select your orchestration gateway.

  4. Click Sync Modules. A message confirms that the synchronization succeeded.

  5. Click Keystores. The new keystore is listed.

Delegate an orchestration gateway

  1. Navigate to Integrations > Orchestration Gateways.

  2. Select the orchestration gateway you want to delegate.

  3. Click Delegate.

  4. In the Delegate Orchestration Gateway dialog, choose one of the following delegation modes:

    • General — Makes the orchestration gateway available to all existing organizations.

    • Customized — Allows you to select the organizations and departments that can use the orchestration gateway.

  5. If you selected Customized, select the required organizations or departments from the list.

    Expand an organization to view and select its child departments, if applicable.
  6. Click Save.

Configuring credential stores

Sectigo orchestration gateways can be configured to utilize credential stores when connecting to remote endpoints. Using a credential store enables you to securely store and manage credentials for remote endpoints without ever providing the credentials in SCM directly.

Sectigo orchestration gateways support the following credential stores:

  • Local credential store

  • HashiCorp Vault

  • CyberArk Vault

  • Delinea Secret Server

Adding credential stores

Once an orchestration gateway has been installed, you can add a connection between the gateway and a credential store.

Add a local credential store

  • Windows (CLI)

  • Linux

  • Docker

  1. In a command prompt window, navigate to the orchestration gateway install directory.

  2. Modify the following command to include a name and password for your new local credential store.

    sectigo-og.exe credstore add local --name <name> --encryption_password <password>
  3. Run the modified command.

Once you have added a local credential store, you must add credentials before it can be used.
  1. In a terminal, navigate to the orchestration gateway install location.

  2. Modify the following command to include a name and password for your new local credential store.

    ./sectigo-og credstore add local --name <name> --encryption_password <password>
  3. Run the modified command.

Once you have added a local credential store, you must add credentials before it can be used.
  1. Modify the following command to include a name and password for your new local credential store.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add local --name <name> --encryption_password <password>
  2. Run the modified command.

Once you have added a local credential store, you must add credentials before it can be used.

Add a HashiCorp Vault credential store

  • Windows (CLI)

  • Linux

  • Docker

  1. In a command prompt window, navigate to the orchestration gateway install location.

  2. Modify one of the following commands based on your preferred authentication method.

    • Token authentication:

      sectigo-og.exe credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type token --token <token>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --token                The token used to authenticate to Vault.

    • AppRoleSecret authentication:

      sectigo-og.exe credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type app_role_secret --role_secret <role-secret>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --role_secret          The Vault AppRole Secret ID.

    • AppRoleFile authentication:

      sectigo-og.exe credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type app_role_file --role_file <role-file-path>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --role_file            The path to a file containing the Secret ID for the HashiCorp Vault AppRole used by the orchestration gateway.

  3. Run the modified command.

To view details for each option, you can use sectigo-og.exe credstore add hashicorp --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
  1. In a terminal, navigate to the orchestration gateway install location.

  2. Modify one of the following commands based on your preferred authentication method.

    • Token authentication:

      ./sectigo-og credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type token --token <token>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --token                The token used to authenticate to Vault.

    • AppRoleSecret authentication:

      ./sectigo-og credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type app_role_secret --role_secret <role-secret>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --role_secret          The Vault AppRole Secret ID.

    • AppRoleFile authentication:

      ./sectigo-og credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type app_role_file --role_file <role-file-path>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --role_file            The path to a file containing the Vault AppRole Secret ID.

  3. Run the modified command.

To view details for each option, you can use ./sectigo-og credstore add hashicorp --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
  1. Modify one of the following commands based on your preferred authentication method.

    • Token authentication:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type token --token <token>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --token                The token used to authenticate to Vault.

    • AppRoleSecret authentication:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type app_role_secret --role_secret <role-secret>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --role_secret          The Vault AppRole Secret ID.

    • AppRoleFile authentication:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add hashicorp --name <name> --vault_address <address> --secret_engine_path <path> --vault_auth_type app_role_file --role_file <role-file-path>
      Option                 Description
      --name                 The name of your HashiCorp Vault credential store.
      --vault_address        The URL of your HashiCorp Vault.
      --secret_engine_path   The subpath to the KVP secrets engine.
      --vault_auth_type      The authentication type to use.
      --role_file            The path to a file containing the Vault AppRole Secret ID.

  2. Run the modified command.

To view details for each option, you can use docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add hashicorp --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
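
The AppRoleFile method above keeps the Secret ID in a file rather than on the command line. The following script is an added example, not Sectigo's code or documentation: it stages the Secret ID with owner-only permissions, refuses to continue if the file is empty or readable by others, and then runs the Linux form of the registration command. The path /opt/sectigo-orchestration-gateway/config/vault-secret-id, the Vault address, the secrets-engine path and the SECTIGO_OG variable are assumptions.

```shell
#!/bin/sh
# Added example; not part of Sectigo's documentation or the sectigo-og product.
# Stages a HashiCorp Vault AppRole Secret ID in an owner-read-only file and
# registers the credential store with --vault_auth_type app_role_file, so the
# Secret ID is never passed as a command-line argument (arguments are visible
# in process listings and shell history; --role_secret and --token put the
# secret there).
# Assumptions: the CLI is ./sectigo-og unless SECTIGO_OG is set; the demo's
# ROLE_FILE path, Vault address and secrets-engine path are invented values.
set -eu

# Read the Secret ID from stdin and write it to $1. The file is created under
# umask 077 (mode 0600) inside a subshell so the umask change does not leak,
# then tightened to 0400.
write_role_file() {
  dest=$1
  rm -f "$dest"
  ( umask 077 && cat > "$dest" )
  chmod 0400 "$dest"
}

# Succeed only if $1 is a regular, non-empty file with mode exactly 0400.
# The first ten characters of ls -ld are the type and permission bits.
check_role_file() {
  f=$1
  [ -f "$f" ] && [ -s "$f" ] || return 1
  [ "$(ls -ld "$f" | cut -c1-10)" = "-r--------" ]
}

# Compose the registration command as one reviewable string. Only the path of
# the Secret ID file appears in it, never the Secret ID itself.
build_add_cmd() {
  name=$1 addr=$2 kv_path=$3 role_file=$4
  printf '%s credstore add hashicorp --name %s --vault_address %s --secret_engine_path %s --vault_auth_type app_role_file --role_file %s' \
    "${SECTIGO_OG:-./sectigo-og}" "$name" "$addr" "$kv_path" "$role_file"
}

# Refuse to register unless the Secret ID file passes check_role_file; then run
# the Linux form of the documented command with each argument quoted.
register_vault_credstore() {
  name=$1 addr=$2 kv_path=$3 role_file=$4
  check_role_file "$role_file" || {
    echo "refusing to register: $role_file is missing, empty or not mode 0400" >&2
    return 1
  }
  "${SECTIGO_OG:-./sectigo-og}" credstore add hashicorp \
    --name "$name" --vault_address "$addr" --secret_engine_path "$kv_path" \
    --vault_auth_type app_role_file --role_file "$role_file"
}

# Demo, run only as:  printf '%s' "$SECRET_ID" | sh stage-vault-role.sh --demo
# (the script name is arbitrary). Stages the file, prints the command for
# review, then registers the store.
if [ "${1:-}" = "--demo" ]; then
  ROLE_FILE=${ROLE_FILE:-/opt/sectigo-orchestration-gateway/config/vault-secret-id}  # assumed path
  write_role_file "$ROLE_FILE"
  echo "running: $(build_add_cmd og-vault https://vault.example.com:8200 secret "$ROLE_FILE")"
  register_vault_credstore og-vault https://vault.example.com:8200 secret "$ROLE_FILE"
fi
```

Run the staging step as the account the gateway service runs under, so that the 0400 file is readable by the process that will open it.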

Add a CyberArk Vault credential store

  • Windows (CLI)

  • Linux

  • Docker

  1. In a command prompt window, navigate to the orchestration gateway install location.

  2. Modify the following command as needed.

    sectigo-og.exe credstore add cyberark --name <name> --ccp_url <url> --app_id <app-id> --p12_file <file-path>
    Option       Description
    --name       The name of the credential storage provider.
    --app_id     The CyberArk App ID.
    --ccp_url    The CyberArk Central Credential Provider (CCP) URL.
    --p12_file   The path to a PKCS#12 (.p12) file containing the client authentication certificate and private key.

  3. Run the modified command.

To view details for each option, you can use sectigo-og.exe credstore add cyberark --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
  1. In a terminal, navigate to the orchestration gateway install location.

  2. Modify the following command as needed.

    ./sectigo-og credstore add cyberark --name <name> --ccp_url <url> --app_id <app-id> --p12_file <file-path>
    Option       Description
    --name       The name of the credential storage provider.
    --app_id     The CyberArk App ID.
    --ccp_url    The CyberArk Central Credential Provider (CCP) URL.
    --p12_file   The path to a PKCS#12 (.p12) file containing the client authentication certificate and private key.

  3. Run the modified command.

To view details for each option, you can use ./sectigo-og credstore add cyberark --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
  1. Modify the following command as needed.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add cyberark --name <name> --ccp_url <url> --app_id <app-id> --p12_file <file-path>
    Option       Description
    --name       The name of the credential storage provider.
    --app_id     The CyberArk App ID.
    --ccp_url    The CyberArk Central Credential Provider (CCP) URL.
    --p12_file   The path to a PKCS#12 (.p12) file containing the client authentication certificate and private key.

  2. Run the modified command.

To view details for each option, you can use docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add cyberark --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.

Add a Delinea Secret Server credential store

  • Windows (CLI)

  • Linux

  • Docker

  1. In a command prompt window, navigate to the orchestration gateway install location.

  2. Modify the add command as needed.

    sectigo-og.exe credstore add delinea --username <username> --domain <domain> --password <password> --server_url <server-url>
    Option         Description
    --username     The username of the account the orchestration gateway uses to authenticate to the Secret Server.
    --domain       The domain associated with the user account.
    --password     The password of the account the orchestration gateway uses to authenticate to the Secret Server.
    --server_url   The URL of the Delinea Secret Server. Either this parameter or --api_tenant is required.
    --api_tenant   The Delinea API tenant identifier. Either this parameter or --server_url is required.

  3. Run the modified command.

To view details for each option, you can use sectigo-og.exe credstore add delinea --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
  1. In a terminal, navigate to the orchestration gateway install location.

  2. Modify the add command as needed.

    ./sectigo-og credstore add delinea --username <username> --domain <domain> --password <password> --server_url <server-url>
    Option         Description
    --username     The username of the account the orchestration gateway uses to authenticate to the Secret Server.
    --domain       The domain associated with the user account.
    --password     The password of the account the orchestration gateway uses to authenticate to the Secret Server.
    --server_url   The URL of the Delinea Secret Server. Either this parameter or --api_tenant is required.
    --api_tenant   The Delinea API tenant identifier. Either this parameter or --server_url is required.

  3. Run the modified command.

To view details for each option, you can use ./sectigo-og credstore add delinea --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.
  1. Modify the add command as needed.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add delinea --username <username> --domain <domain> --password <password> --server_url <server-url>
    Option         Description
    --username     The username of the account the orchestration gateway uses to authenticate to the Secret Server.
    --domain       The domain associated with the user account.
    --password     The password of the account the orchestration gateway uses to authenticate to the Secret Server.
    --server_url   The URL of the Delinea Secret Server. Either this parameter or --api_tenant is required.
    --api_tenant   The Delinea API tenant identifier. Either this parameter or --server_url is required.

  2. Run the modified command.

To view details for each option, you can use docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore add delinea --help.
Once you have added the credential store, you must add endpoints to the orchestration gateway and configure them to use the credential store. For more information, see Add an endpoint.

Viewing credential stores and credentials

View credential stores

  • Windows (CLI)

  • Linux

  • Docker

  1. In a command prompt window, navigate to the orchestration gateway install location.

  2. View all credential stores associated with the orchestration gateway.

    sectigo-og.exe credstore list
  1. In a terminal, navigate to the orchestration gateway install location.

  2. View all credential stores associated with the orchestration gateway.

    ./sectigo-og credstore list
  1. View all credential stores associated with the orchestration gateway.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore list

View credentials

  • Windows (CLI)

  • Linux

  • Docker

  1. In a command prompt window, navigate to the orchestration gateway install location.

  2. View credentials in a specific credential store.

    sectigo-og.exe credstore get --id <credential-store-id>
  1. In a terminal, navigate to the orchestration gateway install location.

  2. View credentials in a specific credential store.

    ./sectigo-og credstore get --id <credential-store-id>
  1. View credentials in a specific credential store.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore get --id <credential-store-id>

Remove a credential store

  • Windows (CLI)

  • Linux

  • Docker

  1. In SCM, verify that the credential store you want to remove is not in use by an added endpoint.

  2. In a command prompt window, navigate to the orchestration gateway install location.

  3. Modify the following command to include the mandatory --id of the credential store you want to remove.

    sectigo-og.exe credstore remove --id <credential-store-id>
  4. Run the modified command.

  1. In SCM, verify that the credential store you want to remove is not in use by an added endpoint.

  2. In a terminal, navigate to the orchestration gateway install location.

  3. Modify the following command to include the mandatory --id of the credential store you want to remove.

    ./sectigo-og credstore remove --id <credential-store-id>
  4. Run the modified command.

  1. In SCM, verify that the credential store you want to remove is not in use by an added endpoint.

  2. Modify the following command to include the mandatory --id of the credential store you want to remove.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og credstore remove --id <credential-store-id>
  3. Run the modified command.

Update proxy server details

The following proxy authentication schemes are supported:

  • Digest

  • NTLM (requires a domain to be provided)

  • Basic

  • Windows (CLI)

  • Linux

  • Docker

To update the proxy server information for your existing orchestration gateway, do the following:

  1. In a command prompt, navigate to the orchestration gateway install location.

  2. (Optional) View the current orchestration gateway configuration.

    sectigo-og.exe proxy get
  3. Update the orchestration gateway proxy configuration.

    • Clear proxy settings:

      sectigo-og.exe proxy reset

    • Set the proxy schema:

      sectigo-og.exe proxy set --schema <schema>

      The valid schema options are:

      • http: Plain HTTP proxy

      • socks5: SOCKS5 proxy (no TLS)

      • spnego: HTTP Negotiate (Kerberos) with fallback to NTLM

    • Set the proxy host and port without access credentials:

      sectigo-og.exe proxy set --url <url:port>

    • Set the proxy host and port with access credentials:

      sectigo-og.exe proxy set --url <url:port> --user <username> --password <password>

    You can set the proxy schema and URL together with the username and password in a single command:

      sectigo-og.exe proxy set --schema <schema> --url <url:port> --user <username> --password <password>
  4. Restart the orchestration gateway service.

    sc stop SectigoOG
    sc start SectigoOG
  5. Confirm the updated orchestration gateway configuration.

    sectigo-og.exe proxy get

To update the proxy server information for your existing orchestration gateway, do the following:

  1. In a terminal, navigate to the orchestration gateway install location.

  2. (Optional) View the current orchestration gateway configuration.

    ./sectigo-og proxy get
  3. Update the orchestration gateway configuration.

    • Clear proxy settings:

      ./sectigo-og proxy reset

    • Set the proxy schema:

      ./sectigo-og proxy set --schema <schema>

      The valid schema options are:

      • http: Plain HTTP proxy

      • socks5: SOCKS5 proxy (no TLS)

      • spnego: HTTP Negotiate (Kerberos) with fallback to NTLM

    • Set the proxy host and port without access credentials:

      ./sectigo-og proxy set --url <url:port>

    • Set the proxy host and port with access credentials:

      ./sectigo-og proxy set --url <url:port> --user <username> --password <password>

    You can set the proxy schema and URL together with the username and password in a single command:

      ./sectigo-og proxy set --schema <schema> --url <url:port> --user <username> --password <password>
  4. Restart the orchestration gateway service.

    sudo systemctl restart sectigo-orchestration-gateway
  5. Confirm the updated orchestration gateway configuration.

    ./sectigo-og proxy get

To update the proxy server information for your existing orchestration gateway, do the following:

  1. (Optional) View the current orchestration gateway configuration.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy get
  2. Update the orchestration gateway configuration.

    • Clear proxy settings:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy reset

    • Set the proxy schema:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy set --schema <schema>

      The valid schema options are:

      • http: Plain HTTP proxy

      • socks5: SOCKS5 proxy (no TLS)

      • spnego: HTTP Negotiate (Kerberos) with fallback to NTLM

    • Set the proxy host and port without access credentials:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy set --url <url:port>

    • Set the proxy host and port with access credentials:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy set --url <url:port> --user <username> --password <password>

    You can set the proxy schema and URL together with the username and password in a single command:

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy set --schema <schema> --url <url:port> --user <username> --password <password>
  3. Restart the docker container.

    docker exec <container> service sectigo-orchestration-gateway restart
  4. Confirm the updated orchestration gateway configuration.

    docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og proxy get

Add a trusted CA certificate

To download a CA certificate, see Download a CA certificate.

  • Windows

  • Linux

  1. Run Manage Computer Certificates.

    In the Windows search bar, search for Manage Computer Certificates.
  2. In the left-hand list, select Trusted Root Certification Authorities.

  3. Right-click Certificates and select All Tasks > Import.

    In the Certificate Import Wizard, ensure Store Location is set to Local Machine.
  4. Click Next.

  5. Click Browse and add your certificate file.

  6. Click Next, Next, Finish.

  7. Repeat the above steps to add the certificate to Intermediate Certification Authorities.

  1. Navigate to the orchestration gateway installation directory.

  2. Add your CA certificate to the trusted CA list.

    ./sectigo-og truststore add --path <your-path-of-ca-cert>

Uninstall an orchestration gateway

  • Windows

  • Linux APT (DEB)

  • Linux DNF (RPM)

  1. Navigate to Settings > Apps & features.

  2. Search for Sectigo Orchestration Gateway.

  3. Select the Sectigo Orchestration Gateway and click Uninstall.

  4. (Optional) Delete the files and logs associated with the orchestration gateway.

    1. Navigate to C:\ProgramData\Sectigo.

    2. Delete the Sectigo Orchestration Gateway folder.

      This action cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the orchestration gateway.
  5. In SCM, navigate to Integrations > Orchestration Gateways.

  6. Select the gateway you want to delete.

  7. Click the Delete icon.

  8. Click Delete to confirm deletion.

  1. Remove the orchestration gateway.

    sudo apt remove sectigo-orchestration-gateway
  2. (Optional) Delete the files and logs associated with the orchestration gateway.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-orchestration-gateway directory.

      This action cannot be undone. Delete this directory if you want to completely remove all files and logs related to the orchestration gateway.
  3. In SCM, navigate to Integrations > Orchestration Gateways.

  4. Select the orchestration gateway you want to delete.

  5. Click Delete.

  6. Click Delete to confirm deletion.

  1. Remove the orchestration gateway.

    sudo dnf remove sectigo-orchestration-gateway
  2. (Optional) Delete the files and logs associated with the orchestration gateway.

    1. Navigate to the /var/opt directory.

    2. Delete the sectigo-orchestration-gateway directory.

      This action cannot be undone. Delete this directory if you want to completely remove all files and logs related to the orchestration gateway.
  3. In SCM, navigate to Integrations > Orchestration Gateways.

  4. Select the orchestration gateway you want to delete.

  5. Click Delete.

  6. Click Delete to confirm deletion.

Orchestration gateway service commands

  • Windows

  • Linux (systemd)

Command   Description
Start     Start an orchestration gateway: sc start SectigoOG
Stop      Stop an orchestration gateway: sc stop SectigoOG
Query     Query the status of an orchestration gateway: sc query SectigoOG

Command   Description
Start     Start an orchestration gateway: sudo systemctl start sectigo-orchestration-gateway
Stop      Stop an orchestration gateway: sudo systemctl stop sectigo-orchestration-gateway
Restart   Restart an orchestration gateway: sudo systemctl restart sectigo-orchestration-gateway
Status    Query the status of an orchestration gateway: sudo systemctl status sectigo-orchestration-gateway