API default settings for remote access configuration

Applications that need to connect to Venafi Platform are configured in the API Integrations inventory. The API Default Settings page lets you configure the default remote access settings that apply to all API integrations unless they are overridden for a specific application.

To configure these settings, go to the Platform product menu bar and click API > Default Settings.

Authentication Methods

API applications must authenticate to Venafi Platform before they can call it. The Authentication section lets you specify which authentication method(s) you want to support for remote access by APIs.

Allowed Authentication Methods

Authentication                          Trust Protection Platform Authentication Server setting

Username & Password                     The client passes a user name and password to the VEDAuth server. Recommended for POST Authorize/OAuth.

Integrated MS Windows Authentication    Default. The client passes Windows credentials to the VEDAuth server.

Browser-based authentication            Default. Required for POST Authorize/Device. Recommended for multi-factor SAML authentication:
                                          • Enabled: Default. Allow multi-factor authentication for devices. A successful response includes a web link to complete the authentication.
                                          • Disabled: Block browser-based authentication.

JSON web token                          A token in JSON format that is used to communicate between a trusted identity provider and Venafi Platform.

Certificate                             The caller passes a client certificate to the VEDAuth server. When selected, the Use AD Security Identifier (SID) value if available option appears.

AD Security Identifier (SID)

If you select Certificate, the Use AD Security Identifier (SID) value if available option appears. In this scenario, AuthServer follows a specific process. First, it looks for the SID Extension value in the certificate. If the SID Extension is found, AuthServer tries to find the matching AD user. However, if the SID Extension is not in the certificate or doesn't match an AD account, AuthServer will then use the "Location" setting as a backup.

If you select the Certificate authentication method, you might need to configure the following settings:

Certificate Authentication Settings

Field                              Parameter

X.509 Identity Field               The certificate field that Trust Protection Platform Authentication Server uses as the user identity:
                                     • SubjectAltName: UPN: The user principal name from the subject alternative name; the identity that also has access to the Web SDK.
                                     • SubjectAltEmail: The email address(es) from the subject alternative name.
                                     • CN: The common name (CN). For local identities, always specify CN.

Trusted Certificate Authorities    The CA(s) that are approved to issue client certificates for authentication. Select a Trusted Certificate Authority certificate from the Roots tree. A client certificate issued by any other CA is rejected before identity lookup.

AD Security Identifier (SID)       The certificate is mapped to the Active Directory user's SID (objectSid).
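The lookup order described above, with the Trusted Certificate Authorities check placed in front of it, as an added Python example. This is not Venafi code: it assumes the certificate fields arrive already decoded (DER parsing is out of scope), treats the "Location" setting as the name of an identity store, and uses constructed directory and certificate data. The SID extension OID and the UPN otherName OID are the real Microsoft values.

```python
"""Identity resolution for the Certificate authentication method (added example, not Venafi code)."""
from dataclasses import dataclass, field
from typing import Optional

# Real Microsoft OIDs: the UPN otherName in subjectAltName and the SID certificate extension.
OID_UPN_SAN = "1.3.6.1.4.1.311.20.2.3"
OID_SID_EXTENSION = "1.3.6.1.4.1.311.25.2"

UPN, EMAIL, CN = "SubjectAltName: UPN", "SubjectAltEmail", "CN"


@dataclass
class ClientCert:
    issuer: str
    cn: str
    san_upn: Optional[str] = None              # value of the OID_UPN_SAN otherName, if present
    san_emails: list = field(default_factory=list)
    extensions: dict = field(default_factory=dict)   # OID -> decoded value


@dataclass
class DirectoryUser:
    store: str    # assumed: the identity store ("Location") holding the account
    sid: str      # objectSid; empty for local identities
    upn: str
    email: str
    cn: str


@dataclass
class CertAuthSettings:
    identity_field: str
    trusted_cas: frozenset
    use_sid_if_available: bool
    location: str   # assumed: identity store searched when the SID lookup does not apply


def identity_values(cert: ClientCert, identity_field: str) -> list:
    """Candidate identity strings taken from the configured X.509 Identity Field."""
    if identity_field == UPN:
        return [cert.san_upn] if cert.san_upn else []
    if identity_field == EMAIL:
        return list(cert.san_emails)        # a certificate may carry several addresses
    if identity_field == CN:
        return [cert.cn]
    raise ValueError(f"unknown X.509 Identity Field: {identity_field}")


def resolve_identity(cert: ClientCert, settings: CertAuthSettings, directory: list):
    """Return (user, reason); user is None when the certificate must be rejected."""
    if cert.issuer not in settings.trusted_cas:
        return None, "issuer is not a Trusted Certificate Authority"

    if settings.use_sid_if_available:
        sid = cert.extensions.get(OID_SID_EXTENSION)
        if sid is not None:
            for user in directory:
                if user.sid == sid:
                    return user, "matched objectSid from the SID extension"
            # SID present but unknown: fall through to the Location lookup, as the page describes

    wanted = {v.lower() for v in identity_values(cert, settings.identity_field)}
    for user in directory:
        if user.store != settings.location:
            continue
        user_value = {UPN: user.upn, EMAIL: user.email, CN: user.cn}[settings.identity_field]
        if user_value and user_value.lower() in wanted:
            return user, f"matched {settings.identity_field} in Location {settings.location}"
    return None, "no account matches the certificate identity"


# Constructed test data.
ISSUER = "CN=Corp Issuing CA 01"
ALICE_SID = "S-1-5-21-1004336348-1177238915-682003330-1104"
DIRECTORY = [
    DirectoryUser("AD", ALICE_SID, "alice@corp.example", "alice@corp.example", "Alice Liddell"),
    DirectoryUser("Local", "", "", "", "svc-api-monitor"),
]
AD_SETTINGS = CertAuthSettings(UPN, frozenset({ISSUER}), True, "AD")
LOCAL_SETTINGS = CertAuthSettings(CN, frozenset({ISSUER}), False, "Local")   # local identities: always CN

CERT_WITH_SID = ClientCert(ISSUER, "Alice Liddell", san_upn="alice@corp.example",
                           extensions={OID_SID_EXTENSION: ALICE_SID})
CERT_STALE_SID = ClientCert(ISSUER, "Alice Liddell", san_upn="alice@corp.example",
                            extensions={OID_SID_EXTENSION: ALICE_SID[:-4] + "9999"})  # account gone
CERT_UNTRUSTED = ClientCert("CN=Some Other CA", "Alice Liddell", san_upn="alice@corp.example",
                            extensions={OID_SID_EXTENSION: ALICE_SID})
CERT_LOCAL = ClientCert(ISSUER, "svc-api-monitor")

if __name__ == "__main__":
    cases = [("SID match", CERT_WITH_SID, AD_SETTINGS), ("stale SID", CERT_STALE_SID, AD_SETTINGS),
             ("untrusted CA", CERT_UNTRUSTED, AD_SETTINGS), ("local by CN", CERT_LOCAL, LOCAL_SETTINGS)]
    for name, cert, settings in cases:
        user, why = resolve_identity(cert, settings, DIRECTORY)
        print(f"{name:<13} -> {user.cn if user else 'REJECT'}: {why}")
```

The stale-SID case is the one worth testing in a real deployment: a reissued account keeps its UPN but gets a new objectSid, so a certificate carrying the old SID only authenticates because of the Location fallback.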

Token settings

There are two validity periods for API authentication access to Venafi Platform API endpoints: access grants and tokens.

  • Access grants. This is the duration of time that the application will be able to access Venafi Platform. After the application access expires, an administrator will need to create a new application.

    Access grants have a minimum validity period of fifteen minutes.

  • Tokens. This is the duration of time between authentication prompts. Tokens automatically expire when the access grant expires. This setting allows you to have increased security by requiring periodic authentication to the system. When a token expires, if the access grant is still valid, a user can obtain a new token.

    Tokens have a minimum validity period of one minute.

To use different expiration times for tokens and access grants, enable the Token refresh option, then set a value for both token expiration and access expiration. If you disable the Token refresh option, the same value is used for both token expiration and access expiration; in that case the minimum validity period is one minute.

The token validity period cannot be longer than the access grant, because a token always expires when its access grant expires.
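An added example, not Venafi code, that simulates the two validity periods above on a minute-granularity clock: a stand-in auth server that enforces the minimums, caps every token at the end of its access grant, and renews a token only while the grant is still valid, plus a client that decides per call whether to reuse, refresh, or re-authenticate. The endpoint names in the comments (Authorize/Token in particular) and the single-use refresh token are assumptions, not something this page states.

```python
"""Token and access-grant lifecycle for the Token settings (added example, not Venafi code)."""
from dataclasses import dataclass
from typing import Optional
import secrets

MIN_TOKEN_MINUTES = 1     # from the page
MIN_GRANT_MINUTES = 15    # from the page


@dataclass(frozen=True)
class TokenSettings:
    token_refresh: bool
    token_expiration_min: int
    access_expiration_min: int = 0   # only meaningful when token_refresh is enabled

    def validate(self) -> None:
        if self.token_expiration_min < MIN_TOKEN_MINUTES:
            raise ValueError("token expiration must be at least one minute")
        if not self.token_refresh:
            return                     # one value serves both; the minimum is one minute
        if self.access_expiration_min < MIN_GRANT_MINUTES:
            raise ValueError("access grant must be at least fifteen minutes")
        if self.token_expiration_min > self.access_expiration_min:
            raise ValueError("token validity cannot be longer than the access grant")

    def grant_minutes(self) -> int:
        return self.access_expiration_min if self.token_refresh else self.token_expiration_min


@dataclass
class Grant:
    access_token: str
    token_expires: int              # minute on the simulated clock
    refresh_token: Optional[str]    # absent when Token refresh is disabled
    grant_expires: int


class AuthServer:
    """Stand-in for VEDAuth; the endpoint names in comments are assumptions."""

    def __init__(self, settings: TokenSettings):
        settings.validate()
        self.settings = settings
        self.tokens = {}    # access_token -> expiry minute
        self.grants = {}    # refresh_token -> grant expiry minute

    def authorize(self, now: int) -> Grant:               # POST Authorize/OAuth; credentials assumed valid
        return self._issue(now, now + self.settings.grant_minutes())

    def refresh(self, now: int, refresh_token: str) -> Grant:   # POST Authorize/Token (assumed name)
        grant_expires = self.grants.pop(refresh_token, None)    # refresh tokens are single-use here
        if grant_expires is None or now >= grant_expires:
            raise PermissionError("access grant expired or unknown; authenticate again")
        return self._issue(now, grant_expires)

    def _issue(self, now: int, grant_expires: int) -> Grant:
        token_expires = min(now + self.settings.token_expiration_min, grant_expires)  # never outlives the grant
        access = secrets.token_hex(8)
        self.tokens[access] = token_expires
        refresh = None
        if self.settings.token_refresh:
            refresh = secrets.token_hex(8)
            self.grants[refresh] = grant_expires
        return Grant(access, token_expires, refresh, grant_expires)

    def accepts(self, now: int, access_token: str) -> bool:
        expiry = self.tokens.get(access_token)
        return expiry is not None and now < expiry


class ApiClient:
    """Per call: reuse the token, refresh it inside the grant, or prompt the user again."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.grant: Optional[Grant] = None

    def call(self, now: int) -> str:
        g = self.grant
        if g is not None and self.server.accepts(now, g.access_token):
            return "reused token"
        if g is not None and g.refresh_token and now < g.grant_expires:
            self.grant = self.server.refresh(now, g.refresh_token)
            return "refreshed token"
        self.grant = self.server.authorize(now)   # the interactive step users see as a prompt
        return "re-authenticated"


def simulate(settings: TokenSettings, call_times) -> list:
    client = ApiClient(AuthServer(settings))
    return [(t, client.call(t)) for t in call_times]


if __name__ == "__main__":
    # Token refresh enabled: 5-minute tokens inside a 15-minute access grant.
    for t, outcome in simulate(TokenSettings(True, 5, 15), [0, 3, 6, 14, 16]):
        print(f"t={t:>2}m  {outcome}")
```

With 5-minute tokens inside a 15-minute grant, the refresh at minute 14 yields a token that is cut short at minute 15 rather than running to minute 19, and the call at minute 16 is the first one that prompts for credentials again.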

Session Caching

The session caching settings control how API session credentials are cached in Venafi Platform.

There are three settings:

  • Expiration mode. Using normal mode, credentials are cached for up to five minutes. This saves the significant time it takes to check the status of the credential on every single API call. If stringent security is more important than performance, you can enable strict mode which forces Venafi Platform to validate the credential on every API call.

    IMPORTANT  In internal testing, Venafi noted that the time to execute and return an API response can be over 40% higher when using strict mode.

  • Session pool size. The number of concurrent sessions for API calls. If the number of simultaneous API calls exceeds the pool size, the oldest unused session is removed from the pool.

  • Session expiration. The number of minutes each token remains in memory.
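An added example, not Venafi code, that models the three settings and the trade-off the IMPORTANT note describes. In normal mode the cache serves a credential without rechecking it for up to five minutes, so a token revoked right after its first use keeps working until the cached result ages out; in strict mode every call pays an authoritative check and the revoked token is rejected at once. The revocation scenario is constructed, the pool eviction follows the "oldest unused session" rule on the page, and measuring session expiration from the minute an entry enters the pool is an assumption.

```python
"""Session caching: expiration mode, pool size and session expiration (added example, not Venafi code)."""
from collections import OrderedDict
from dataclasses import dataclass

NORMAL_MODE_TTL_MIN = 5   # from the page: normal mode trusts a cached credential for up to five minutes


class CredentialAuthority:
    """Stand-in for the authoritative credential check that strict mode performs on every call."""

    def __init__(self):
        self.valid = set()
        self.checks = 0     # number of authoritative checks, the cost strict mode pays

    def issue(self, token: str) -> None:
        self.valid.add(token)

    def revoke(self, token: str) -> None:
        self.valid.discard(token)

    def check(self, token: str) -> bool:
        self.checks += 1
        return token in self.valid


@dataclass
class CachedSession:
    cached_at: int      # minute the session entered the pool
    validated_at: int   # minute of the last authoritative check


class SessionCache:
    def __init__(self, authority, expiration_mode="normal", pool_size=100, session_expiration_min=30):
        if expiration_mode not in ("normal", "strict"):
            raise ValueError("expiration_mode must be 'normal' or 'strict'")
        self.authority = authority
        self.mode = expiration_mode
        self.pool_size = pool_size
        self.session_expiration_min = session_expiration_min
        self.sessions = OrderedDict()   # token -> CachedSession, least recently used first

    def authorize_call(self, now: int, token: str) -> bool:
        self._drop_expired(now)
        session = self.sessions.get(token)
        if session is not None and self.mode == "normal" \
                and now - session.validated_at < NORMAL_MODE_TTL_MIN:
            self.sessions.move_to_end(token)     # cache hit: no authoritative check
            return True
        # strict mode, cache miss, or cached result older than the TTL: ask the authority
        if not self.authority.check(token):
            self.sessions.pop(token, None)
            return False
        if session is None:
            session = CachedSession(cached_at=now, validated_at=now)
            self.sessions[token] = session
        session.validated_at = now
        self.sessions.move_to_end(token)
        while len(self.sessions) > self.pool_size:
            self.sessions.popitem(last=False)    # pool full: evict the oldest unused session
        return True

    def _drop_expired(self, now: int) -> None:
        # Session expiration: how long an entry stays in memory (assumed to count from cached_at).
        expired = [t for t, s in self.sessions.items()
                   if now - s.cached_at >= self.session_expiration_min]
        for t in expired:
            del self.sessions[t]


def revocation_window(mode: str):
    """Calls with a token revoked right after its first use; returns (outcomes, authoritative checks)."""
    authority = CredentialAuthority()
    authority.issue("tok-A")
    cache = SessionCache(authority, expiration_mode=mode)
    cache.authorize_call(0, "tok-A")    # first call: validated and cached
    authority.revoke("tok-A")           # constructed scenario: revoked immediately afterwards
    outcomes = [(t, cache.authorize_call(t, "tok-A")) for t in (2, 4, 6)]
    return outcomes, authority.checks


def pool_eviction() -> list:
    """Three tokens through a pool of two; returns the tokens still cached, oldest first."""
    authority = CredentialAuthority()
    for t in ("a", "b", "c"):
        authority.issue(t)
    cache = SessionCache(authority, pool_size=2)
    cache.authorize_call(0, "a")
    cache.authorize_call(1, "b")
    cache.authorize_call(2, "a")   # "a" used again, so "b" is now the oldest unused session
    cache.authorize_call(3, "c")   # pool is full: "b" is evicted
    return list(cache.sessions)


if __name__ == "__main__":
    for mode in ("normal", "strict"):
        outcomes, checks = revocation_window(mode)
        print(f"{mode:<6} mode: {outcomes}  authoritative checks: {checks}")
    print("pool after eviction:", pool_eviction())
```

The number returned as `checks` is what the 40% figure in the IMPORTANT note is about: strict mode makes one authoritative check per call, normal mode one per token per five minutes, and the price of the saving is the window in which a revoked credential is still honoured.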