All custom applications, remote clients, and scripts that integrate with Venafi SDKs require setup. Setting up OAuth token authentication takes a few steps.
First, you verify the Remote Access tree defaults. These settings allow the Trust Protection Platform Authentication Server, also known as the VEDAuth server, to manage tokens.
Next, you register each application and specify its scopes. The registered scopes must match all of the scopes that your application uses; later, in an Authorize call, your application requests those same scopes to get tokens.
Last, you give the caller access to make API calls. Your calling application can then get a token and operate.
Instead of third-party single sign-on software, the VEDAuth server uses OAuth 2.0 principles to manage tokens and grants. During installation, the VEDAuth server is automatically enabled as an IIS service. The remaining configuration depends on which authentication methods you allow.
To set up for token authentication
- (Optional) Configure IIS Manager to accept certificate authentication for Remote Web SDK clients. Recommended for POST Authorize/Certificate.
- In WebAdmin, navigate to the Remote Access tree.
On the Token Auth Configuration Settings tab, confirm and update the following values as appropriate.
Token Auth Configuration Settings
Token Validity (days)
The period of time that the bearer access token is valid before rotation is required. The default is 90.
Grant Validity (days)
The maximum time that an authorization grant for the Token Auth scope is valid. If the Refresh Token is enabled, you can continue to get new tokens until the token and grant expire. The default is 365.
Refresh Token
Enabled: Default. You receive a refresh token together with the bearer access token. Prior to the Token Validity date, you can send the refresh token to the VEDAuth server to get a new bearer access token.
Disabled: When the VEDAuth server issues a bearer access token, no refresh token is supplied.
Session Pool Size (sessions)
The number of concurrent sessions for API calls. The default is 500. If the number of simultaneous API calls exceeds the pool size, the oldest unused session is removed from the pool.
Session Expiration (minutes)
The number of minutes each token remains in memory. The default is 1440.
Under Allowed Authentication Methods, select one or more of the following:
Allowed Authentication Methods
Username & Password
The client passes a user name and password to the VEDAuth server. Recommended for POST Authorize/OAuth.
Integrated Windows Authentication
The client passes Windows credentials to the VEDAuth server.
Certificate
The caller passes a client certificate to the VEDAuth server. The certificate resides on the caller's computer and must be valid for the purpose of Client Authentication. Recommended for POST Authorize/Certificate.
For additional configuration settings, see the next step.
- (Optional) Complete the Certificate Authentication section:
Certificate Authentication Settings
X.509 Identity Field
The field for Trust Protection Platform Authentication Server to use as the user identity:
- SubjectAltName: UPN: The identity that also has access to the Web SDK.
- SubjectAltEmail: The email address(es).
- CN: The certificate name (CN). For local identities, always specify CN.
Trusted Certificate Authorities
The CA(s) that are approved to issue client certificates for authentication. Select a Trusted Certificate Authority certificate from the Roots tree.
- Click Save and either wait 10 minutes or, in IIS, recycle the VEDAuth application pool.
- For Venafi applications, such as the MMC, skip this step. Use Aperture to register and set scopes for your application. For more information, see Creating API application integrations.
TIP Always select the same scopes that your application requires. For example, if the application uses three scopes, the configuration reflects those same scopes.
- Grant the API caller access to your application. For more information, see Editing an existing integration's API access list.
- To get a token, call an Authorize method with the values you just defined. For more information, see Getting a token.
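The following added example (not Venafi code) shows how a calling script should behave under the Token Validity, Grant Validity and Refresh Token settings above: it requests a bearer token with POST Authorize/OAuth, refreshes it shortly before the Token Validity date while the grant is still alive, and sends the password again only when the refresh token is absent or the Grant Validity period has run out. The endpoint paths and JSON fields (`expires`, `refresh_until`, `token_type`) are assumptions modelled on the Web SDK, and `FakeVedAuth` is a constructed stand-in for the server so the code runs offline.

```python
# Added example, not Venafi code. Endpoint paths and JSON fields ("expires",
# "refresh_until", ...) are assumptions modelled on the Web SDK, not from this page.
class TokenClient:
    """Gets a bearer token, refreshes it while the grant is alive, else re-authorizes."""
    def __init__(self, post, clock, client_id, scope, username, password):
        self.post, self.clock, self.token, self.password_sent = post, clock, None, 0
        # "scope" must list exactly the scopes registered for the application
        self.creds = {"client_id": client_id, "scope": scope,
                      "username": username, "password": password}

    def _authorize(self) -> dict:
        self.password_sent += 1  # credentials leave the client only here
        return self.post("/vedauth/authorize/oauth", self.creds)  # POST Authorize/OAuth

    def bearer_header(self) -> dict:
        now, tok = self.clock(), self.token
        if tok is None:
            tok = self._authorize()
        elif now >= tok["expires"] - 60:  # bearer token about to expire
            if tok.get("refresh_token") and now < tok["refresh_until"]:  # grant alive
                tok = self.post("/vedauth/authorize/token", {  # refresh, no password
                    "client_id": self.creds["client_id"], "refresh_token": tok["refresh_token"]})
            else:  # Refresh Token disabled or Grant Validity reached
                tok = self._authorize()
        self.token = tok
        return {"Authorization": f"{tok['token_type']} {tok['access_token']}"}


class FakeVedAuth:
    """Constructed stand-in for the VEDAuth server; defaults mirror the page (90/365 days)."""
    def __init__(self, clock, token_days=90, grant_days=365, refresh_enabled=True):
        self.clock, self.token_days, self.grant_days = clock, token_days, grant_days
        self.refresh_enabled, self.grants, self.n = refresh_enabled, {}, 0

    def post(self, path: str, body: dict) -> dict:
        now = self.clock()
        if path.endswith("/oauth"):  # new grant, valid for Grant Validity days
            grant_until = now + self.grant_days * 86_400
        elif path.endswith("/token") and self.grants.get(body.get("refresh_token"), 0) > now:
            grant_until = self.grants.pop(body["refresh_token"])  # refresh token is single-use
        else:
            raise PermissionError("grant expired, refresh disabled or unknown refresh token")
        self.n += 1
        resp = {"access_token": f"at{self.n}", "token_type": "Bearer",
                "expires": min(now + self.token_days * 86_400, grant_until)}  # never outlives grant
        if self.refresh_enabled:
            self.grants[f"rt{self.n}"] = grant_until
            resp.update(refresh_token=f"rt{self.n}", refresh_until=grant_until)
        return resp
```

With the defaults, the password is sent once at the start and again only after the 365-day grant has lapsed; every 90-day token rotation in between is a refresh.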