Build automation plugins

Automation plugins are used to discover and manage certificates on network appliances and cloud services. Each automation plugin defines how to access, authenticate, and manage certificates on a particular system type. This article covers the Java classes and development process for building automation plugins.

Before you begin

Follow the steps in the Prepare your development environment topic to:
- Access the example repository for this plugin type.
- Configure the required development tools and settings.
- Run a test build.
Make sure you understand the common project files for custom plugins.
Review the README file for the example plugin repository in detail.

プロジェクトファイル

以下のファイルには、プラグインプロジェクトの重要な設定、依存関係、情報が含まれています。以下のファイルは、自動化プラグインサンプルが格納された最上位ディレクトリに含まれています。

Each plugin should target a particular type of managed system, for example a specific network appliance model, load balancer, or cloud service.
The target system must support remote management through APIs, SSH, or similar mechanisms. Your custom logic specifies how to connect to and authenticate with that system type to discover, install, and validate certificates.
When you add a connector (instance) of the plugin in Trust Lifecycle Manager, the discovery component of the workflow is triggered and must include steps to:
- Connect to and authenticate with the managed system.
- Retrieve current certificate and system configuration data from the managed system and return it to Trust Lifecycle Manager to import into inventory, both on initial setup and when a refresh is requested.
When you manage a certificate endpoint through that connector, the main automation workflow is triggered and must include steps to:
- Generate the certificate signing request (CSR) and return the CSR to Trust Lifecycle Manager to initiate certificate issuance.
- Download the resulting certificate from Trust Lifecycle Manager to the sensor, install it on the target system, and confirm successful installation.

Main Java classes

The example automation plugin provides the following Java source files under src/main/java/com/example/automation and its subdirectories. These classes define the core workflow logic, utility methods, and connector configuration for the plugin. To create your custom plugin, modify or extend the applicable class and method definitions in these files.

ヒント

Review the included Javadocs in the source files for details about expected inputs, outputs, and behavior for each method.

MyAutomationPlugin.java

Description

The primary class that defines the custom logic for each automation plugin. It extends the AbstractAutomationWorkflow class and implements custom integration, discovery, and certificate lifecycle automation tasks for managing a particular system type from Trust Lifecycle Manager.

Customizations

To implement custom integration, discovery, and automation logic, update the code in the following methods, annotated with @Override.

Purpose

Verify connectivity to the target system.

Customizing

By default, this method sets the connection as active.

To customize it, add logic to dynamically test connectivity to the target system and return a different response depending on whether the connection is currently active or not:

For active connections: response.setActive(true);
For connection issues: response.setActive(false);

Response

The response returned to Trust Lifecycle Manager must be a TestConnectionResponse object with the connection active status set.

Purpose

Generate a certificate signing request (CSR) for a certificate to be issued by Trust Lifecycle Manager and installed on the target system.

Customizing

By default, this method generates a CSR and private key pair using the parameters provided in the request and writes them to a temporary directory (organized by plugin name and flow ID under the system temp directory) for use in later workflow steps.

To customize:

Add logic to control how the CSR is generated, for example by updating the request parameters or delegating CSR generation to an external system.
Using the same framework as the default example, assign the resulting CSR to the response object and return it to Trust Lifecycle Manager.

Input

The request received from Trust Lifecycle Manager is deserialized into a GenerateCsrRequest object with the following fields:

Field	Type	Description
`flowId`	String	Unique workflow identifier (UUID) used to correlate this step with later steps in the same automation flow.
`flowStartDate`	String	Timestamp indicating when the automation flow was initiated.
`subjectDn`	String	Subject Distinguished Name for the certificate, for example: `CN=example.com,O=Example Corp,C=US`.
`dnsNames`	String	Comma-separated DNS names for the subject alternative name (SAN) extension.
`signatureAlgorithm`	String	Hash algorithm for signing the CSR, for example: `sha256`, `sha384`, `sha512`.
`keyAlgorithm`	String	Key algorithm for key pair generation, for example: `RSA`, `EC`.
`keySize`	String	Key size in bits, for example: `2048`, `4096`.
`virtualServerName`	String	Name of the virtual server or endpoint on the target system where the certificate will be installed, for example: `partition1/alias1`.

Response

The response returned to Trust Lifecycle Manager must be a GenerateCsrResponse object with the CSR assigned in PEM format, for example: response.setCsr(csrPemString);

Purpose

Download the issued certificate from Trust Lifecycle Manager and install it on the target system.

Customizing

By default, this method downloads the certificate package (ZIP file) from the provided certificate link and saves it to a temporary directory.

To customize:

Add logic to extract the certificate files from the ZIP package and install them to the applicable location on the target system.
Add any required post-installation tasks, such as binding the certificate to a virtual server, restarting a service, or triggering a configuration reload on the target system.

Input

The request received from Trust Lifecycle Manager is deserialized into an InstallCertificateRequest object with the following fields:

Field	Type	Description
`flowId`	String	Unique workflow identifier (UUID) matching the CSR generation step.
`flowStartDate`	String	Timestamp indicating when the automation flow was initiated.
`currentCertificateThumbprint`	String	SHA-256 thumbprint of the certificate currently installed on the endpoint, for reference and logging.
`certificateLink`	String	URL to download the issued certificate package (ZIP file).
`managementIp`	String	Management IP address of the target system, if applicable.
`ipAddress`	String	Data IP address of the endpoint where the certificate will be installed.
`port`	String	Port number of the endpoint where the certificate will be installed.
`appName`	String	Name of the application on the target system, if applicable.
`appVersion`	String	Version of the application on the target system, if applicable.
`virtualServerName`	String	Name of the virtual server or binding on the target system where the certificate will be installed.

Response

The response returned to Trust Lifecycle Manager must be an InstallCertificateResponse object.

Purpose

Confirm that the certificate was installed on the target system and return it to Trust Lifecycle Manager for verification.

Customizing

By default, this method looks for the previously downloaded certificate ZIP in the temporary directory and extracts the end-entity certificate from it.

To customize, add logic to retrieve the currently active certificate directly from the target system, for example by reading the certificate bound to the applicable virtual server.

Input

The request received from Trust Lifecycle Manager is deserialized into a ValidateCertificateRequest object with the following fields:

Field	Type	Description
`flowId`	String	Unique workflow identifier (UUID) matching the CSR generation and installation steps.
`flowStartDate`	String	Timestamp indicating when the automation flow was initiated.
`certificateLink`	String	URL to download the issued certificate for comparison during validation.
`certificateSerialNumber`	String	Serial number of the certificate to validate, for reference and comparison.
`managementIp`	String	Management IP address of the target system, if applicable.
`ipAddress`	String	Data IP address of the endpoint where the certificate was installed.
`port`	String	Port number of the endpoint where the certificate was installed.
`virtualServerName`	String	Name of the virtual server or binding on the target system where the certificate was installed.
`subjectDn`	String	Subject Distinguished Name of the certificate, for reference.

Response

The response returned to Trust Lifecycle Manager must be a ValidateCertificateResponse object with the installed certificate assigned in PEM format, for example: response.setCertificate(certPemString);

Purpose

Retrieve current information about the target system and return it to Trust Lifecycle Manager to update its inventory for that system, including installed certificates, endpoint data, operating system version, and filesystem partitions.

Customizing

By default, this method returns dummy configuration data populated by the helper class.

To customize, replace the dummy data with logic to query the target system for its actual configuration and inventory. Your implementation should populate and return a RefreshConfigurationResponse object with the following data structures:

AutomationInfo: General system information, including management IP, hostname, operating system details, data IP addresses, peer information, and configured partitions.
DataIpInfo: A list of endpoints currently configured on the target system, including IP address, port, SSL state, partition, virtual server alias, and associated certificate binding for each.
Certificate: A list of certificates currently installed on the target system, including the IP address, port, domain name, certificate in PEM format, SNI status, and cipher suite for each.

Input

The request received from Trust Lifecycle Manager is empty by default. Extended request fields can be added to MyRefreshRequest.java and accessed via the RefreshConfigurationRequest wrapper.

Response

The response returned to Trust Lifecycle Manager must be a RefreshConfigurationResponse object populated with current system, endpoint, and certificate data. Extended response fields can be added to MyRefreshResponse.java.

MyAutomationPluginHelper.java

Description

Found in the helper subdirectory, this class provides static utility methods for CSR generation, self-signed certificate generation, configuration refresh response population, and certificate downloads and extraction.

Helper methods

The helper class provides the following public utility methods, which you can use in your custom plugin code.

MyAutomationPluginRunner.java

Description

Acts as the entry point for the plugin, invoking the plugin object defined in MyAutomationPlugin.java, along with the required SDK context object for sharing information across different methods and storing results at different execution points.

Customizations

This class should not typically be modified. If you do customize it, make sure the fully qualified class name matches the one in the pom.xml file.

MyPluginConfiguration.java

Description

Found in the extended/configuration subdirectory, this class defines the main configuration properties for the plugin instance. All properties you define here should have matching fields in the config_settings section of the configuration.json file for the plugin. This ensures that users provide values for these properties when configuring each instance (connector) of the plugin in Trust Lifecycle Manager.

Customizations

By default, this class defines variables to store user credentials (userName and password) and network connection settings (managementIp and managementPort) for accessing the target system.

To customize:

Adjust the default variables if the target system uses an authentication method other than user credentials.
Add or modify variables to store any required network properties for connecting to the target system.
Define additional variables as needed to configure different settings for connecting and using each instance of the custom plugin.

Extended request/response classes

The following Lombok-annotated Java classes define extended fields for the request and response types used in different automation workflow steps. These source files are found in the src/main/java/com/example/automation/extended directory. By default, each class is empty. To extend the request or response for a given workflow step, add the applicable field definitions to these classes.

MyGenerateCertificateRequest.java

Description

Defines extended request parameters for the generateCsr() workflow step. By default, the generateCsr() method uses JsonNode as the generic type parameter of the GenerateCsrRequest wrapper. To deserialize extended request fields, you can use this class as the type parameter instead.

Customizations

Add fields here to capture any additional parameters sent by Trust Lifecycle Manager for the CSR generation step that go beyond the standard GenerateCsrRequest fields. If you add fields here, also update the generateCsr() method in MyAutomationPlugin.java to use MyGenerateCertificateRequest as the generic type parameter of GenerateCsrRequest, following the same pattern used by MyRefreshRequest in refreshConfiguration().

MyInstallCertificateRequest.java

Description

Defines extended request parameters for the installCertificate() workflow step. By default, the installCertificate() method uses JsonNode as the generic type parameter of the InstallCertificateRequest wrapper. To deserialize extended request fields, you can use this class as the type parameter instead.

Customizations

Add fields here to capture any additional parameters sent by Trust Lifecycle Manager for the certificate installation step that go beyond the standard InstallCertificateRequest fields. If you add fields here, also update the installCertificate() method in MyAutomationPlugin.java to use MyInstallCertificateRequest as the generic type parameter of InstallCertificateRequest, following the same pattern used by MyRefreshRequest in refreshConfiguration().

MyValidateRequest.java

Description

Defines extended request parameters for the validateCertificate() workflow step. By default, the validateCertificate() method uses JsonNode as the generic type parameter of the ValidateCertificateRequest wrapper. To deserialize extended request fields, you can use this class as the type parameter instead.

Customizations

Add fields here to capture any additional parameters sent by Trust Lifecycle Manager for the certificate validation step that go beyond the standard ValidateCertificateRequest fields. If you add fields here, also update the validateCertificate() method in MyAutomationPlugin.java to use MyValidateRequest as the generic type parameter of ValidateCertificateRequest, following the same pattern used by MyRefreshRequest in refreshConfiguration().

MyRefreshRequest.java

Description

Defines extended request parameters for the refreshConfiguration() workflow step. It is used as the generic type parameter of the RefreshConfigurationRequest wrapper when deserializing the incoming request.

Customizations

Add fields here to capture any additional parameters sent by Trust Lifecycle Manager for the configuration refresh step that go beyond the standard RefreshConfigurationRequest fields.

MyRefreshResponse.java

Description

Defines extended response fields for the refreshConfiguration() workflow step. It is used as the generic type parameter of the RefreshConfigurationResponse wrapper.

Customizations

Add fields here to include any additional data in the refresh configuration response returned to Trust Lifecycle Manager that goes beyond the standard RefreshConfigurationResponse fields. Any fields defined here can be set and retrieved using the corresponding Lombok-generated getter and setter methods.

Build the plugin ZIP file

重要

Before building the plugin, make sure your development environment includes the required software and settings. For details, see Prepare your development environment.

After adding your custom logic, build the plugin ZIP file on the development system as follows:

From the top-level project directory, run the build script by making the ./build.sh command.
The script prints status messages to the console as it executes. At the end, it generates and prints the SHA-256 checksum for the ZIP file, confirming a successful build.
Find the final ZIP file for the plugin in the plugin-dist subdirectory. The ZIP file contains the plugin JAR file and metadata JSON file required by Trust Lifecycle Manager.

What's next

To add the plugin to Trust Lifecycle Manager, you must upload both the plugin ZIP file and corresponding JSON configuration file.

For details about the required JSON configuration format, see Create the plugin configuration.

このセクションの内容: