Automatic credential rotation options

Trust Protection Platform can rotate important system credentials through user-provided scripts that call a command line interface (CLI). If an external system rotates these credentials, you can write a script that updates the connection information Trust Protection Platform uses so that it matches the new values.

Credentials you can script for rotation:

  - The HSM connection PIN
  - The database owner account connection password
  - The operational database account connection password

To reset the HSM connection pin using the command line

  1. On the Venafi server, open a command prompt and browse to the Venafi\Platform directory.

    If you installed Trust Protection Platform in the default directory, you would browse to the following location:

    c:\Program Files\Venafi\Platform

  2. Run the configuration utility (TppConfiguration.exe) with the -hsmpin switch. For example:

    TppConfiguration.exe -hsmpin:<pin>

    NOTE  If you don't include the PIN, the system will prompt you for the PIN in the next step. Entering it at the prompt also keeps the PIN out of the process command line, where command-line auditing or shell history could otherwise record it.

    IMPORTANT  The command line process does not validate the HSM PIN or the database connection string. If you provide invalid data, you will not get a warning message; the failure surfaces only after the services are restarted in the following steps. If you want to validate the data before applying it, use the Venafi Configuration Console interface, which validates both the HSM PIN and the database connection string.

    NOTE  This utility is not designed to move your Venafi server from one database to another. It is intended only for changing credentials and scripting credential changes.

  3. Restart the Venafi Windows services.
  4. Restart the Venafi IIS Application Pools, or perform an IIS Reset.

For more information on using the command line to perform actions in Trust Protection Platform, see Configure the platform using a script through the command line.

To reset the Trust Protection Platform database owner account connection password using the command line

  1. On the Venafi server, open a command prompt and browse to the Venafi\Platform directory.

    If you installed Trust Protection Platform in the default directory, you would browse to the following location:

    c:\Program Files\Venafi\Platform

  2. Run the configuration utility (TppConfiguration.exe) with the -dboconfig switch. The format is:

    TppConfiguration.exe "-dboconfig:<cfg>"

    For example:

    TppConfiguration.exe -dboconfig:"Data Source=192.168.1.1,1433;Initial Catalog=databasename;User ID=dbOwnerUser;Password=S0m3thing-Compl3x!"

    To obtain your current SQL configuration string, see Obtaining the SQL database connection string.

  3. Restart the Venafi Windows services.
  4. Restart the Venafi IIS Application Pools, or perform an IIS Reset.

IMPORTANT  The quotation mark (") and backslash (\) are special characters in the connection string. If the password contains either, escape it with a preceding backslash. For example, if the password is pas"sw\ord, enter it in the connection string as pas\"sw\\ord.

To reset the Trust Protection Platform operational database account connection password using the command line

  1. On the Venafi server, open a command prompt and browse to the Venafi\Platform directory.

    If you installed Trust Protection Platform in the default directory, you would browse to the following location:

    c:\Program Files\Venafi\Platform

  2. Run the configuration utility (TppConfiguration.exe) with the -sqlconfig switch. The format is:

    TppConfiguration.exe "-sqlconfig:<cfg>"

    For example:

    TppConfiguration.exe -sqlconfig:"Data Source=192.168.1.1,1433;Initial Catalog=databasename;User ID=dbOperationUser;Password=S0m3thing-Compl3x!"

    To obtain your current SQL configuration string, see Obtaining the SQL database connection string.

  3. Restart the Venafi Windows services.
  4. Restart the Venafi IIS Application Pools, or perform an IIS Reset.

IMPORTANT  The quotation mark (") and backslash (\) are special characters in the connection string. If the password contains either, escape it with a preceding backslash. For example, if the password is pas"sw\ord, enter it in the connection string as pas\"sw\\ord.
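The following PowerShell script is an added example and is not part of the Venafi documentation or product. It wraps the three procedures above (-hsmpin, -dboconfig and -sqlconfig) in functions a rotation job can call once an external system has changed the credential, applies the escaping rule for " and \ exactly as stated above, and, because the utility does not validate the connection string, checks the new SQL credential with a throwaway SqlClient connection before committing it. Everything not on the page is an assumption: the default install path, selecting the Venafi Windows services by the display name 'Venafi*', a non-zero exit code from TppConfiguration.exe on failure, and Get-VaultSecret as a placeholder for your own secret store.

```powershell
# Added example, not Venafi's code. Assumptions (not from the page): default install path,
# Venafi services selectable by display name 'Venafi*', TppConfiguration.exe returning a
# non-zero exit code on failure, Get-VaultSecret standing in for your secret store.
$TppConfiguration = 'C:\Program Files\Venafi\Platform\TppConfiguration.exe'

function ConvertTo-TppEscapedPassword {
    # Escaping rule from the page: precede " and \ with a backslash. Backslashes are
    # replaced first so the backslash added before each quote is not doubled afterwards.
    param([Parameter(Mandatory)][string]$Password)
    return $Password.Replace('\', '\\').Replace('"', '\"')
}

function New-TppConnectionString {
    # Builds the <cfg> value in the form shown for -dboconfig and -sqlconfig.
    param(
        [Parameter(Mandatory)][string]$DataSource,   # host,port as on the page, e.g. 192.168.1.1,1433
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$Password      # raw password; escaping is applied here
    )
    $escaped = ConvertTo-TppEscapedPassword -Password $Password
    return "Data Source=$DataSource;Initial Catalog=$Database;User ID=$UserId;Password=$escaped"
}

function Test-TppSqlCredential {
    # Pre-flight check the utility itself does not do: open a SqlClient connection with the
    # RAW password. SqlConnectionStringBuilder quotes values itself, so never feed it the
    # escaped form meant for TppConfiguration.exe.
    param(
        [Parameter(Mandatory)][string]$DataSource,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$Password
    )
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = $DataSource
    $b['Initial Catalog'] = $Database
    $b['User ID']         = $UserId
    $b['Password']        = $Password
    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
    try     { $conn.Open(); return $true }
    catch   { Write-Warning "SQL logon as '$UserId' failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

function Invoke-TppConfiguration {
    # One argument string passed verbatim via ProcessStartInfo.Arguments, so the quotes and
    # backslashes in the connection string reach the utility exactly as built.
    param([Parameter(Mandatory)][string]$Argument)
    $p = Start-Process -FilePath $TppConfiguration -ArgumentList $Argument -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "TppConfiguration.exe exited with code $($p.ExitCode)" }
}

function Restart-TppRuntime {
    # Steps 3 and 4 of each procedure: restart the Venafi Windows services, then IIS.
    Get-Service -DisplayName 'Venafi*' | Where-Object { $_.Status -eq 'Running' } | Restart-Service -Force
    & iisreset /noforce
    if ($LASTEXITCODE -ne 0) { throw "iisreset exited with code $LASTEXITCODE" }
}

function Set-TppHsmPin {
    # -hsmpin takes the PIN directly; the page documents no escaping rule for it.
    param([Parameter(Mandatory)][string]$Pin)
    Invoke-TppConfiguration -Argument "-hsmpin:$Pin"
    Restart-TppRuntime
}

function Set-TppDatabaseCredential {
    # 'dboconfig' = database owner account, 'sqlconfig' = operational account.
    # Refuses to commit a credential SQL Server rejects, so a bad rotation does not
    # turn into an outage at the service restart.
    param(
        [Parameter(Mandatory)][ValidateSet('dboconfig', 'sqlconfig')][string]$Switch,
        [Parameter(Mandatory)][string]$DataSource,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$Password
    )
    if (-not (Test-TppSqlCredential -DataSource $DataSource -Database $Database -UserId $UserId -Password $Password)) {
        throw "Refusing to apply -${Switch}: the new credential does not authenticate to $DataSource"
    }
    $cfg = New-TppConnectionString -DataSource $DataSource -Database $Database -UserId $UserId -Password $Password
    Invoke-TppConfiguration -Argument "-${Switch}:`"$cfg`""
    Restart-TppRuntime
}

# Usage from a rotation job, after the external system has set the new password:
#   $new = Get-VaultSecret -Name 'tpp-dbo-password'   # hypothetical vault lookup
#   Set-TppDatabaseCredential -Switch dboconfig -DataSource '192.168.1.1,1433' `
#       -Database 'databasename' -UserId 'dbOwnerUser' -Password $new
```

With the password pas"sw\ord, New-TppConnectionString produces a Password field of pas\"sw\\ord, matching the example above; the pre-flight test uses the unescaped value because SqlClient has its own quoting rules. Run the script in an elevated session on the Venafi server, since it restarts services and IIS.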