Configuring Server Agent registration

Before you can use the Server Agent on systems in your network, each agent must authenticate and register with the Trust Protection Platform server.

After registration, you deploy the agents with either a Server Thumbprint or a trust bundle. If you are using a thumbprint, be sure to update your deployment package every time the Venafi Operational Certificate (VOC) renews.

DID YOU KNOW?  After the agent has successfully registered, the trust anchors for all agents are centrally managed and updated. This enables you to replace the VOC with one from a different CA.

To configure Agent Registration Settings

  1. From the TLS Protect menu bar, click Clients > Agent Registration Settings.

  2. To set permissions at the \VED\Clients root, click Permissions. Assign and save the appropriate identities who can create both work and group objects. For more information, see Permissions required for working with Client Group Settings.
  3. To set credentials, click Agent Registration and in the Registration Passwords box, do one of the following:

    • Begin typing the name of the password credential object you have defined previously and then select it from the list when it appears.
    • If you have not yet defined a password credential, click Create New Credential to define a new password credential (credential object).

      IMPORTANT  After creating a new credential, it appears in the Registration Passwords field. However, you must click Save on that Agent Registration page to ensure that the new password credential is used for registration.

      For more information about registration passwords, see Selecting (or creating) Registration Passwords for Agent Registration Settings.

  4. From the Venafi Trust Protection Platform server certificate thumbprints field, copy the contents and paste them into a temporary location (e.g. into a text file or leave them in your system's clipboard).

    Thumbprints are SHA256 hashes of VOCs found on your Trust Protection Platform servers. The Server Agent compares the thumbprints that you specify during agent installation against the actual VOCs found on the Trust Protection Platform server as a mechanism for validating trust between the server and the Server Agent.

    For more information, see About the Trust Protection Platform server certificate thumbprint.

  5. (Optional) Under Data Collection, in the Record Environment Variables field, type the name of a previously defined variable and then press Enter.

    Type additional variables, as needed.

    For more information about environment variables, see Configuring Environment Variables.

  6. (Optional) Do the following:

    1. Click Show Advanced Options.
    2. Under Record Untrusted Agents, click Yes to enable the capturing of untrusted agents.

      For more information about this feature, see Recording untrusted agents.

    3. (Optional) To help ensure the successful registration of Server Agents, add additional issuers to the Agents should trust these additional issuers when reporting home field.

      If you are transitioning from one CA to another and will be issuing certificates from the new CA to your Trust Protection Platform servers, you should add the new issuer’s certificates to this list. Doing so gives installed Server Agents sufficient time to check in and then add these certificates to their trust stores. When new Trust Protection Platform server certificates are deployed, the agents will trust them.

      IMPORTANT  If you are using a load balancer, make sure that the correct chain is included.

    4. (Optional) To help ensure communication between Server Agents and the Trust Protection Platform server, in the Exclude the following MAC addresses for use in client identification field, specify MAC addresses that you know might be reused by more than one agent-enabled device.

    5. (Optional) If you want to view the CA certificates that will be used by Server Agents to validate Trust Protection Platform server certificates, click Download Trust Bundle to download the PEM file.

      If your agents are having issues connecting to Trust Protection Platform, you can download the trust bundle to verify whether or not it contains the correct certificates. This option can be helpful when troubleshooting issues related to certificates, certificate chains, and Agent Registration Settings.

  7. When you are finished, click Save.
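
The thumbprint comparison described in step 4, and the reason a packaged thumbprint must be refreshed when the VOC renews, shown as an added example (not Venafi code). It assumes the thumbprint is the SHA-256 hash of the certificate's DER encoding and that thumbprints may be written with colon or space separators; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_thumbprints(pem_text):
    """SHA-256 hex digest of each certificate in a PEM file, in file order.
    Assumption: the thumbprint is taken over the DER encoding."""
    digests = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digests.append(hashlib.sha256(der).hexdigest())
    return digests

def normalize(thumbprint):
    """Drop colon/space separators and lowercase; reject anything else."""
    value = re.sub(r"[\s:]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError(f"not a SHA-256 thumbprint: {thumbprint!r}")
    return value

def check_pins(pem_text, pinned):
    """For each pinned thumbprint, report whether a certificate matches it."""
    seen = set(pem_thumbprints(pem_text))
    return {pin: normalize(pin) in seen for pin in pinned}

def sample_pem(der):
    """Wrap bytes in PEM armor. Constructed sample input only."""
    b64 = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed placeholders standing in for certificate DER bytes
# (not real certificates; only the hashing and comparison are shown).
SAMPLE_OLD_VOC = b"constructed placeholder: VOC before renewal"
SAMPLE_NEW_VOC = b"constructed placeholder: VOC after renewal"

if __name__ == "__main__":
    old_pem = sample_pem(SAMPLE_OLD_VOC)
    new_pem = sample_pem(SAMPLE_NEW_VOC)
    packaged = pem_thumbprints(old_pem)  # value baked into the deployment package
    print("before renewal:", check_pins(old_pem, packaged))
    print("after renewal: ", check_pins(new_pem, packaged))
    print("refreshed pin: ", check_pins(new_pem, pem_thumbprints(new_pem)))
```

The same functions can be pointed at the PEM file from Download Trust Bundle to list the thumbprint of each CA certificate it contains.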
