Trust Protection Platform configuration overview

This section outlines the general configuration requirements that are common to all Venafi Trust Protection Platform™ products.

Use this section to configure your base system.

To complete the general configuration requirements

  1. Define your user data stores and identities.

    To manage keys and certificates throughout your environment, Trust Protection Platform allows you to delegate certificate administration to user and group identities. You can use existing users and groups from Active Directory, or you can create users and groups in the local Trust Protection Platform database.

    1. Define users.

      For more information, see Working with identities, permissions, and teams.

    2. (Conditional) If you are using the Local Directory, define the local user and group identities.

      For more information, see Managing local identities directly in Trust Protection Platform.

    3. (Conditional) If you are using large AD directories, define search expressions on the AD Connection object’s Search Expression tab to narrow the object attributes and classes that are searched during a query.

      For more information, see Filtering identities.

      For more information on user administration, see Working with identities, permissions, and teams.

  2. Manage administrative permissions for your system objects.

    For information on assigning permissions to objects in Trust Protection Platform, see Assigning object permissions in the Policy Tree.

    For more information on how permissions assignments work in Trust Protection Platform, see Permissions overview.

    For information on viewing an administrator's effective permissions, see Viewing user entitlements.

  3. Configure your system folders.

    For more information on creating and deploying folders, see Using policies to manage encryption assets.

  4. (Optional) Configure your system encryption keys.

    If you want to use AES encryption keys on a supported HSM device to secure encryption assets stored in the Trust Protection Platform database, see Managing system encryption keys.

  5. Set up your logging system.

    For more information, see Logging overview.

  6. Configure the Default SQL Channel object.

    For more information, see SQL Server channel.

  7. Configure the Log View Server setting in the Policy object.

  8. Configure your system Channel objects.

    For information on defining Channel objects, see Creating Channel objects.

  9. Configure your system Notification Rules.

    For information on defining Notification Rules, see Setting up notification channels.

    For more information on system notifications and logging, see Understanding system logging and notifications.

  10. Configure your system reporting.

    For information on configuring the Reporting module, see Configuring the Reporting module.

  11. Create the Report objects.

    The individual Report objects determine report format, how often the report is generated, and report delivery options. For information on configuring Report objects, see Managing system reports.

  12. Implement the Network Discovery components on the Trust Protection Platform server.

    For more information, see Discovering certificates and keys.

  13. (Conditional) If you are scanning large systems, you can deploy multiple Discovery Servers to load balance or, if you are scanning public and private IPv4 addresses, you can configure one Discovery Server inside the firewall and another outside the firewall.

  14. (Conditional) If you have multiple Discovery Servers, you can define the zones you want each Discovery Server to service in the Trust Protection Platform Server object. The Discovery Zones allow you to manage which servers process which discoveries.

  15. Configure the Discovery Module in the Platforms tree. The Discovery Module is the component that runs the configured discoveries. The Discovery Module object allows you to define discovery processing times and scan settings.

    For more information, see Configuring the Discovery module.

  16. (Conditional) If you want to discover SSH keys or certificates in local file systems or keystores, install and configure the agent.

  17. Install the agent on any machine where you want to discover SSH keys (either server or user keys) or certificates in the local file system or keystores.