You can create and manage proxies for your own custom credential stores, allowing you to individually control the safety of your credentials.

Creating a credentials proxy

Once you have installed the Orchestrator Credentials Proxy, you can create a custom proxy, which holds your custom credential stores. To do that, follow the steps below:

1. At the tenant level, click Credentials > Proxies > Add Credentials Proxy.
2. Add a name for your proxy.
3. Add the URL pertaining to the virtual machine included in the Orchestrator Credentials Proxy setup.
4. Add the key. Depending on the installation method, this is either the secret key generated by the .msi installer, or the one held by the Jwt:Keys parameter.
   The information you provide at steps 3 and 4 create the link between Orchestrator and the installation which contains your custom credential store plugins.
5. Klicken Sie auf Erstellen (Create).

You can then add the desired store as follows:

4. At the tenant level, click Credentials > Stores > Add credential store.
5. From the Proxy list, select the proxy that you have just created.
6. From the Type list, select the third party credential store defined by your plugin.

Editing a credentials proxy

To edit a proxy, click More Actions > Edit. The Edit Credentials Proxy page is displayed, allowing you to change the name, URL, or key as needed.

Deleting a credentials proxy

To delete a proxy, click More Actions > Remove. If the selected proxy is in use, a warning dialog is displayed, listing the number of robots and assets that will be affected. Click Yes to confirm the removal or No to abort.

Sicherheitsüberlegungen

• Orchestrator only allows secure (HTTPS) URLs for the proxy. The HTTPS certificate must be valid and signed by a widely recognized certificate authority. Certificates that are self-signed or signed by an internal authority are not supported.
• Orchestrator is validated through a client secret generated by the Orchestrator Credentials Proxy. The client secret is stored in a configuration file on the machine where the Orchestrator Credentials Proxy is installed, and is encrypted and stored in the database by Orchestrator.
• When editing a credential store proxy in Orchestrator and changing its URL, you are also required to enter the client secret.
• Binaries must be signed on the Windows machine.
• The Docker image must be signed.