Creating and using answer files
An answer file is an XML file that contains pre-determined configuration settings. You have an option to create an answer file at the end of the Venafi Platform Configuration wizard. Once you have an answer file, you can use it to specify configuration settings, making it much faster to deploy future Venafi Trust Protection Platform installations.
You can create an answer file without deploying the software by checking the appropriate option on the
Below is a sample unencrypted answer file. You can use this sample file and modify it for your specific needs, as long as you are willing to use an unencrypted file. If you prefer to use an encrypted answer file, you need to generate it from the Venafi Platform configuration wizard. An unencrypted answer file is a plain text XML file that contains information like your master admin user name and password, your database connection credentials, your software encryption key, and all other configuration settings. You can read more information about creating and encrypting answer files via the configuration wizard.
Answer file sections and settings
You need to include the products that are linked to each of the features enabled in the Features section. To see how features map to products, see Trust Protection Platform components.
For example, if you only specify the WebConsole feature, you only need the CommonProduct product.
You can only install products for which you have a license.
Decide what features you want, using the components page.
Reference the components page to determine what products are necessary for the features you want.
- TLSProtectProduct is called TLS Protect on the components page.
- ClientProtectProduct is called Client Protect on the components page.
- SshProtectProduct is called SSH Protect on the components page.
- CodeSignProtectProduct is called CodeSign Protect on the components page.
- PlatformProduct is called Platform on the components page.
For the <Features> section, information on each feature name and what it provides is described in Trust Protection Platform components.
For the <DSN> sections for both <DBO> and <Database> entries, information on how DSNs (Data Source Names) are constructed is found in Microsoft's documentation, Connection Options.
The TrustServerCertificate option, if set to true, means we will encrypt the connection and validate the certificate.
The MultiSubnetFailover option, if set to true, enables Always On availability groups.
The Integrated Security option, if included, enables Windows integrated authentication. If this value is missing, the system will use MSSQL database authentication.
The Data Source option is the database address and port.
The Initial Catalog option is the name of the database.
For new installations, you must choose one of the following options:
- Hardware encryption
- Software encryption
- Both hardware encryption and software encryption
For additional servers, this section needs to match the section on all other Venafi servers. If you are not using an HSM for hardware encryption, then the entire <HardwareEncryption> section will not be present.
If you want to use software encryption to protect data in the Trust Protection Platform database, you need to configure the software encryption element. If you want the system to generate a new software encryption key, you can leave out this element. If you have a key from another system that you want to use, you can enter it this way:
Using existing software encryption key
<!-- Use the following SoftwareEncryption element to use a previously-generated software key on additional servers. If you want the system to generate a new key, omit this element. -->
<SoftwareEncryption>
  <Key>-----BEGIN VED ENCRYPTED KEY-----
  <!-- Base64 Encrypted key text -->
  -----END VED ENCRYPTED KEY-----</Key>
  <Password>ExamplePassword</Password>
</SoftwareEncryption>
The AdminAccount section is where you provide the username and password for the local master administrator account for Trust Protection Platform. If you have already created this on another Venafi server, this must match that setting. If this is your first Venafi server, this will establish that account. Password requirement complexity is documented in Changing local user passwords.
The MessageBus section is where you provide configuration information for using the MQTT message broker service we call Message Bus. Additional information about Message Bus can be found in Working with Message Bus.
The StartServices option, if set to yes, will automatically start Venafi services on the Venafi server after the configuration is complete.
On your first Venafi Platform server, you don't want to start services automatically, since there are still configuration steps you want to do first. However, if you are creating an answer file for second (or subsequent) servers, this switch can save some manual steps on each server.
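As an added example (not from the Venafi documentation or product), a small Python linter that parses the DSN strings and checks the points above: it reports a DSN that combines Integrated Security with SQL credentials, HardwareEncryption fields missing relative to the page's sample, StartServices set to yes on a first server, and how many plaintext secrets the unencrypted file carries. The sample answer file and every value in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's layout; not a real deployment.
SAMPLE = """<TppConfiguration>
  <DBO><DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB;User ID=dbo_user;Password=p1;TrustServerCertificate=True;Integrated Security=True</DSN></DBO>
  <Database><DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB;User ID=op_user;Password=p2</DSN></Database>
  <HardwareEncryption><DllPath>c:\\hsm\\pkcs11.dll</DllPath><Slot>0</Slot><Pin>p3</Pin></HardwareEncryption>
  <AdminAccount><Username>masterAdmin</Username><Password>p4</Password></AdminAccount>
  <Server><StartServices>yes</StartServices></Server>
</TppConfiguration>"""

# Child elements the page's HardwareEncryption sample carries.
HSM_FIELDS = ("DllPath", "Slot", "Pin", "Key", "AccountType")

def parse_dsn(dsn):
    """Split 'Key=Value;Key=Value' into a dict; keys lower-cased, since MSSQL keywords are case-insensitive."""
    pairs = {}
    for part in dsn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # a value may itself contain '='
            pairs[key.strip().lower()] = value.strip()
    return pairs

def lint_answer_file(xml_text, first_server=True):
    """Return a list of findings for an unencrypted answer file; empty means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []
    secrets = len(root.findall(".//Password")) + len(root.findall(".//Pin"))
    for section in ("DBO", "Database"):
        node = root.find(f"{section}/DSN")
        if node is None or not node.text:
            findings.append(f"{section}: DSN element missing")
            continue
        dsn = parse_dsn(node.text)
        secrets += int("password" in dsn)
        for key in ("data source", "initial catalog"):
            if key not in dsn:
                findings.append(f"{section}: DSN has no {key}")
        if "integrated security" in dsn and "user id" in dsn:
            findings.append(f"{section}: Integrated Security is set, so User ID/Password in the DSN are not used")
    hsm = root.find("HardwareEncryption")
    if hsm is not None:
        for field in HSM_FIELDS:
            if hsm.find(field) is None:
                findings.append(f"HardwareEncryption: missing <{field}>")
    if first_server and (root.findtext("Server/StartServices") or "").lower() == "yes":
        findings.append("StartServices=yes on a first server; post-install configuration steps come first")
    if secrets:
        findings.append(f"{secrets} plaintext secrets in file; restrict access or use the wizard's encrypted answer file")
    return findings

if __name__ == "__main__":
    for finding in lint_answer_file(SAMPLE):
        print("-", finding)
```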
Complete answer file example
The following is a complete answer file with all possible options enabled. You can use this as a starting point for your answer file, or you can generate one from the Venafi Configuration Console. Your final answer file will likely be shorter, as you are unlikely to enable every option on all Venafi servers.
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<TppConfiguration CreatedOn="12/31/2021 12:00:00" By="abe.lincoln" On="WIN-Venafi01">
  <Components>
    <Products>
      TLSProtectProduct
      ClientProtectProduct
      SSHProtectProduct
      CodeSignProtectProduct
      PlatformProduct
    </Products>
    <Features>
      Acme
      BulkProvisioning
      CAImport
      Certificates
      CloudMonitoring
      Scep
      OBDDiscovery
      JSSDiscovery
      Revocation
      Validation
      EstService
      SSH
      SSHCertificates
      HsmBackend
      TimeStampService
      KeyManager
      KeyServer
      ClientDistribution
      AuthServer
      AutoLayout
      Client
      Discovery
      Monitoring
      Reporting
      WebConsole
      WebSDK
    </Features>
  </Components>
  <DBO>
    <DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB; User ID=DBO_user@example.com;Password=ExamplePassword; TrustServerCertificate=True;MultiSubnetFailover=True;Integrated Security=True</DSN>
  </DBO>
  <Database>
    <DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB; User ID=Operational_user@example.com;Password=ExamplePassword; TrustServerCertificate=True;MultiSubnetFailover=True; Integrated Security=True</DSN>
  </Database>
  <HardwareEncryption>
    <DllPath>c:\program files\myhsmvendor\pkcs11library.dll</DllPath>
    <Slot>0</Slot>
    <Pin>ExamplePassword</Pin>
    <Key>MyDemoKey</Key>
    <AccountType>CryptoOfficer</AccountType>
  </HardwareEncryption>
  <!-- Use the following SoftwareEncryption element to use a previously-generated software key on additional servers. If you want the system to generate a key, omit this element. -->
  <SoftwareEncryption>
    <Key>-----BEGIN VED ENCRYPTED KEY-----
    <!-- Base64 Encrypted key text -->
    -----END VED ENCRYPTED KEY-----</Key>
    <Password>ExamplePassword</Password>
  </SoftwareEncryption>
  <AdminAccount>
    <Username>masterAdmin</Username>
    <Password>ExamplePassword</Password>
  </AdminAccount>
  <!-- This Message Bus element is for a mesh connection. Use either this one OR the hub and spoke connection, not both. -->
  <MessageBus>
    <Port>8883</Port>
    <!-- 8883 is recommended for TLS encrypted. Port 1883 is recommended for unencrypted. -->
    <Tls>yes</Tls>
    <!-- Use 'no' for unencrypted -->
  </MessageBus>
  <!-- This Message Bus element is for hub and spoke connection to a central broker. Use either this one OR the mesh connection, not both. -->
  <MessageBus>
    <Port>8883</Port>
    <!-- 8883 is recommended for TLS encrypted. Port 1883 is recommended for unencrypted. -->
    <Tls>yes</Tls>
    <!-- Use 'no' for unencrypted -->
    <Server>name</Server> <!-- Central server -->
    <Instance>id</Instance> <!-- Central instance id -->
    <Username>name</Username> <!-- Central auth username; if auth required -->
    <Password>password</Password> <!-- Central auth password; if auth required -->
    <Certificate>PFX data</Certificate> <!-- Central auth certificate; in lieu of username/password -->
  </MessageBus>
  <Logging>
    <LogProcessor />
    <LogExpiration Days="90" />
  </Logging>
  <Environment>
    <CompanyName>Example Company, Inc.</CompanyName>
    <DeploymentType>PRODUCTION</DeploymentType>
  </Environment>
  <Server>
    <StartServices>yes</StartServices>
    <LogPath>C:\Program Files\Venafi\Logs\Tpp Configuration Log.txt</LogPath>
  </Server>
</TppConfiguration>