Creating an application

Application objects represent the server platforms or keystores that use certificates to provide TLS connections for secure communications. Each application object also represents one installation of a certificate on that platform or keystore.

When you create an application, you provide all of the configuration information Trust Protection Platform needs to manage certificates for your chosen platform or keystore. Depending on the application, this may include certificate paths and filenames, application credentials, private key credentials, and so forth.

NOTE  You must have the Create permission on the device where you want to create the application.

Application objects can only be created under device objects.

Device objects represent the physical host on which certificates and private keys are installed.

To create an application object

TIP  It's a good idea to create the prerequisite credential objects first so that credentials are available to select when you create the application object.

  1. From the TLS Protect menu bar, click Policy tree.

  2. In the Policy tree, select the device object to which you want to add the new application object, click Add > Application, and then select an application object template.
  3. When the new application object page appears, under Status, clear the Processing Disabled checkbox.

    When checked, this option disables provisioning of the certificates installed on the current application. This means that Trust Protection Platform does not attempt to install, renew, process, or validate certificates on the application.

  4. (Optional) In the Device Certificate box, select a certificate to associate with the new application.

    NOTE  If you don't have a certificate ready, you can do this later or you can do it on the certificate's Association tab.

    To associate a certificate with the current application, you must have write permissions to the application object and either write or associate permissions to the certificate object.

    For detailed information on associating a certificate with an application, see Associating a certificate with an application object.

  5. Under General, do the following:

    1. In the Application Name field, type a name for the new application.
    2. (Optional) In the Description field, type a description for the purpose of the application.

      A strong description can help to provide context for other administrators who might need to manage the new application.

    3. In the Contacts field, select user or group identities you want assigned to this application object (or choose the Use policy value to configure contacts using a policy).

      Default system notifications are sent to the contact identities. The default contact is the master administrator.

      TIP  If the Identity Selector dialog is not populated when it first opens, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store, then return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).

      Use Shift+click to select multiple, contiguous users and groups. Use Ctrl+click to select multiple, discontiguous users and groups.

    4. In the Approvers field, select user or group Identities you want to assign to approve workflows (certificate approval or injection command) for the new application.

      The default approver is the master administrator. For more information on defining workflow objects, see Implementing certificate workflow management.

    5. (Conditional) If your application (or certificate) object is affected by a defined workflow and you want users to use a console other than Policy Tree, click Managed By and select which administration console to use as part of the workflow.

      You only need to configure this if you are using workflows and expect users to perform a task using a particular administration console. The default setting is Policy Tree.

      For more information, see Specify folders and certificates to be managed by TLS Protect.

  6. Under Application Information, do the following. Which of these fields appear depends on the driver of the application you are creating; configure the ones shown for your platform.

    1. Next to Application Credential, browse for the credential object that you want to use to authenticate with the application.

      DID YOU KNOW?  Credential objects store the credentials Trust Protection Platform uses to authenticate with devices, applications, and CAs. The stored credential might be a user name or private key credential; some drivers—such as F5, which is not SSH-based—can only use the user name credential for authentication.

      NOTE  The user account you select must have Read and Write access to the Temporary, Private Key, and Certificate directories.

      For more information, see Working with system credentials.

      DID YOU KNOW?  The Connection Method is the protocol that Trust Protection Platform uses to connect to the server and manage the certificates installed on that server. In an application object's settings, this field is typically read-only.

    2. (Conditional) In the SSH Port field, specify the port number that Trust Protection Platform should use to communicate with the appliance via an SSH connection.

      The default SSH port assignment is 22.

    3. (Conditional) In the WinRM Port field, specify the port number that Trust Protection Platform should use to communicate with CAPI devices over WinRM.

      The default WinRM port assignments are 5985 for HTTP and 5986 for HTTPS.

    4. (Conditional) In the Port field, type the port that Trust Protection Platform should use to communicate with the server where the application is installed.

      Trust Protection Platform uses the SSH protocol to communicate with the application server installed on Linux or Windows. The default SSH port assignment is port 22.

    5. (Conditional) For Connect:Direct applications, from the API Protocol drop-down, select either SSL or TLS.

      This value must match the Secure+ Protocol configured under the Security Options of the Connect:Direct endpoint to which Trust Protection Platform is provisioning.

    6. (Conditional) For Connect:Direct applications, in the Port field, type the TCP port on which the Connect:Direct endpoint listens for API connections.

      The default API port assignment is 1363.

  7. Complete the remaining settings for the new application.

    Application settings vary depending on the associated platform or keystore requirements.

    Refer to the Protecting server platforms and keystores sections of the documentation for your specific platform or keystore.

    For a worked example, see Creating an F5 LTM Advanced application object.

  8. When you are finished, click Save.
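Before saving, it is worth confirming that the port values entered under Application Information (SSH 22, WinRM 5985/5986, Connect:Direct 1363) actually reach a listener on the target host; a wrong port only surfaces later as a failed provisioning or validation run. The script below is an added example, not code from the original page or from Trust Protection Platform: it resolves the port the platform would use for a given connection method, opens a TCP connection, and for SSH reads the server's identification banner. The method labels (ssh, winrm-http, winrm-https, connectdirect) are this example's own names, and the SSH server it talks to is a constructed local stand-in so the demo runs offline.

```python
"""Pre-flight check for the Application Information ports (SSH, WinRM, Connect:Direct).

Added example, not part of the original page or of Trust Protection Platform.
It runs the TCP check an administrator would do before clicking Save, against a
constructed local stand-in server so that it works offline.
"""
import socket
import threading

# Default ports quoted on the page for each connection method (labels are ours).
DEFAULT_PORTS = {
    "ssh": 22,              # SSH-based drivers (Linux/Windows application servers)
    "winrm-http": 5985,     # CAPI devices, WinRM over HTTP
    "winrm-https": 5986,    # CAPI devices, WinRM over HTTPS
    "connectdirect": 1363,  # Connect:Direct API port
}


def resolve_port(method, port=None):
    """Return the port that would be used: an explicit override, else the method default."""
    if method not in DEFAULT_PORTS:
        raise ValueError(f"unknown connection method: {method!r}")
    if port is None:
        return DEFAULT_PORTS[method]
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def probe(host, method, port=None, timeout=3.0):
    """Open a TCP connection to host:port; for SSH, also read and check the banner."""
    port = resolve_port(method, port)
    result = {"host": host, "method": method, "port": port,
              "reachable": False, "banner": None, "error": None, "warnings": []}
    if method == "winrm-http":
        # The transport is cleartext; only Negotiate/Kerberos message encryption
        # protects the payload. Prefer WinRM over HTTPS (5986) with a trusted server cert.
        result["warnings"].append("WinRM over HTTP: prefer HTTPS on port 5986")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            if method == "ssh":
                sock.settimeout(timeout)
                # RFC 4253: the server sends "SSH-2.0-<software>" before anything else.
                banner = sock.recv(255).decode("ascii", "replace").strip()
                result["banner"] = banner
                if not banner.startswith("SSH-2.0-"):
                    result["warnings"].append(f"unexpected SSH banner: {banner!r}")
    except OSError as exc:  # connection refused, timed out, name resolution failed, ...
        result["error"] = str(exc)
    return result


def serve_banner_once(banner):
    """Constructed stand-in for an SSH server: accept one connection, send the banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Return a local port with no listener, for the negative case."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo():
    """Run the cases an administrator would want to see and return them keyed by name."""
    ssh_port = serve_banner_once(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    results = {
        "ssh": probe("127.0.0.1", "ssh", ssh_port),
        "closed": probe("127.0.0.1", "connectdirect", closed_port(), timeout=1.0),
        "winrm": probe("127.0.0.1", "winrm-http", closed_port(), timeout=1.0),
    }
    try:
        resolve_port("ssh", 70000)
        results["range_check"] = False
    except ValueError:
        results["range_check"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Run it with the real host name and the port you intend to enter; an unreachable port or a non-SSH banner on the SSH port means the application object will be saved but every provisioning attempt will fail until the Application Information is corrected.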