Trust Protection Platform server configuration
The following settings are available for Trust Protection Platform servers. These settings vary based on global or individual server configuration:
- Global server settings are available on the Platforms Engine tab.
- Individual server settings are available on the Platforms [serverName] page.
Tab |
Sub-tab |
Feature or section |
Appears on |
Option and Description |
---|---|---|---|---|
ACME Server tab |
|
Root Platforms object |
The settings in this tab are available from the root Platforms object. |
|
|
|
Settings |
|
The check boxes allow the ACME server to be enabled and folders to be automatically created if they don't exist. See ACME integration with TLS Protect. |
Authentication |
Settings |
|
Root Platforms object |
The settings in this tab are available from the root Platforms object. |
|
Authentication |
|
Certificate Authentication: The check box to allow certificate authentication. Additional configuration is required. For more information, see Setting up certificate authentication for web console. Also Require User Password: The check box to allow a user password for authentication. |
|
Certificate Manager |
Settings |
|
Root Platforms object |
The settings in this tab are available from the root Platforms object. |
|
Trust Store Management |
|
Disabled: The setting for Trust Store Management. The default is No (continue Trust Store Management of the certificate). |
|
Certificate Revocation |
Settings |
Settings |
Root Platforms object |
Check-in interval (times daily): The number of times each day that you want Trust Protection Platform to check the CRL endpoints to update the CRLs and check revocation of certificates in the inventory. |
Network Device Enrollment |
Settings |
|
Root Platforms object OR child object |
The settings in this tab are available from the root Platforms object or child object. |
|
|
General |
|
The Network Device Enrollment tab is available only in Policy Tree.The Network Device Enrollment tab enables Simple Certificate Enrollment Protocol (SCEP) certificate enrollment on the Trust Protection Platform server. When Network Device Enrollment is configured, Venafi TLS Protect can receive a CSR from a SCEP-enabled device, renew the certificate with the appropriate CA, then allow the device to download the renewed certificate from the Trust Protection Platform server. As a non-CA-based certificate enrollment solution for SCEP systems, Trust Protection PlatformTLS Protect can manage certificate enrollment with multiple CAs using multiple CA templates. Additionally, Trust Protection PlatformTLS Protect provides a robust system of hierarchical, policy-based rules that allow administrators to manage where Certificate are created in the Policy tree. For details on network device enrollment, see Certificate enrollment via SCEP protocol. For specific information on the fields available in this section, see Network device enrollment settings—Platforms and Server object |
Platforms |
|
|
Root Platforms object |
|
|
Settings |
Global Options (Impacts all users) |
|
Automatically apply filter parameters on certificate inventory: By default, the certificate inventory does not automatically load until you click the Apply Filters button. This applies both on loading the certificate inventory page, as well as when you add individual filters to the page. This is especially helpful for large certificate inventories that take longer to load. If you prefer the previous behavior, which is to load the inventory on page load, you can enable this option. You must reset IIS after changing this option. Support large object trees: Control the view of the Policy tree for all users. When enabled, hide all objects and show only search results via Query mode. When disabled, show all Policy tree objects. If you want this search feature for certain users, set the values on the User Preferences Appearance tab. Enable team creation by everyone: When checked, any user can create a team. Enable Management Type verification: When checked, certificates set with "Provisioning" management type are checked to see if there is an installation/application association. When this feature is enabled, you can filter the certificate inventory on a risk called "No Provisioning Targets" to see certificates set for provisioning but that don't have an application. If you try to save a certificate set for provisioning, but without an application, Venafi Platform will warn you, and suggest you change the type to "Monitoring". For more information, see Certificate status and risks explained. |
|
Allowed Outbound SSL/TLS Versions |
One or more protocols to control outbound communications with other servers.
Whenever you modify these settings, you must reset IIS. CAUTION By default, only TLS 1.2 is selected, which is the recommended best practice from a security perspective. However, if you have applications that cannot connect using TLS 1.2, you will need to assess your best options. Using the Venafi-recommended options may reduce compatibility, especially with older applications. For additional information, we recommend the following documentation from Microsoft: TLS, DTLS, and SSL protocol version settings. IMPORTANT Syslog channel drivers can't recognize changes you make to either the Allowed Outbound SSL/TLS Versions settings or Certificate Versions settings. Therefore, following any changes to those settings, please restart the Venafi Log Server Windows service. For details, see Manually stopping and starting the log server service. |
||
|
Engine |
Global Options |
|
Run daily tasks at The time that the Trust Protection Platform server runs daily tasks. Daily tasks include the Certificate, SSH Key, and Symmetric Key monitoring scans and Validation scans. NOTE If Trust Protection Platform does not have enough resources to process the daily tasks, an event generates. The event indicates that the engine failed to complete daily tasks in a 24-hour period. The event generates in extenuating circumstances when there are too many Work To Do items in the queue. To monitor these kinds of events, you can create a Notification Rule. NOTE Normally, Trust Protection Platform runs daily validation scans. However, if a user clicks the Validate Now option in a Certificate or Application object, the validation scan queues the Validation module for an immediate scan. For more information, see Running validation scans in the Venafi Trust Protection Platform Certificate Management Guide. |
|
|
Certificate Verification Settings |
|
Verification Mode: The level of certification verification to use to establish the HTTPS connection with a server that has a certificate:
Check CRL: The setting to determine whether the server certificate appears on a Certificate Revocation List (CRL). CRL checking occurs prior to making the HTTPS connection. Use this setting in conjunction with Verification Mode:
For more information, see Setting up Certificate Verification for securing outbound HTTPS connections. IMPORTANT Syslog channel drivers can't recognize changes you make to either the Allowed Outbound SSL/TLS Versions settings or Certificate Versions settings. Therefore, following any changes to those settings, please restart the Venafi Log Server Windows service. For details, see Manually stopping and starting the log server service. |
|
Trust Protection Platform URL HostNames |
|
|
|
|
Proxy |
Proxy Settings |
|
Use Configured Proxy: Configures Trust Protection Platform to use the Windows default proxy server as it is configured on the Trust Protection Platform server. If you select this option, you do not have to configure the Proxy Host, Port, or Credential fields. Host: The Hostname or IP address of the proxy server Trust Protection Platform uses to connect to the Internet. Trust Protection Platform supports both IPv4 or IPv6 connections. Port: Port the proxy server uses for client connections. Credential: Username Credential required to connect to the proxy server. NOTE If your proxy server uses domain authentication, make sure the Username Credential object is defined using Domain Name or User Principal Name syntax. Bypass For Local: Configures Trust Protection Platform to bypass the proxy server for connections to local CAs. Trust Protection Platform uses the following criteria to identify local and external addresses:
|
Venafi Trust Protection Platform |
|
|
Child objects |
|
|
Settings |
Settings |
|
Run daily tasks at The time that the Trust Protection Platform server runs daily tasks. Daily tasks include the Certificate, SSH Key, and Symmetric Key monitoring scans and Validation scans. NOTE If Trust Protection Platform does not have enough resources to process the daily tasks, an event generates. The event indicates that the engine failed to complete daily tasks in a 24-hour period. The event generates in extenuating circumstances when there are too many Work To Do items in the queue. To monitor these kinds of events, you can create a Notification Rule. NOTE Normally, Trust Protection Platform runs daily validation scans. However, if a user clicks the Validate Now option in a Certificate or Application object, the validation scan queues the Validation module for an immediate scan. For more information, see Running validation scans in the Venafi Trust Protection Platform Certificate Management Guide. |
|
|
Certificate Verification |
|
Verification Mode: The level of certification verification to use to establish the HTTPS connection with a server that has a certificate:
Check CRL: The setting to determine whether the server certificate appears on a Certificate Revocation List (CRL). CRL checking occurs prior to making the HTTPS connection. Use this setting in conjunction with Verification Mode:
For more information, see Setting up Certificate Verification for securing outbound HTTPS connections. |
|
|
Operations |
|
Certificate: The DN for the Venafi Operational Certificate. The default value is \VED\Policy\Venafi Operational Certificates\[Engine Name]. |
|
|
Logging |
|
Log Debug: The check box to allow the Log server to store debug information. For more information about Log servers, seeManaging the log server. |
|
|
Discovery Zones |
|
Discovery Zones: The range of Class C or smaller IPv4 addresses to which the current server has physical access. This option allows you to manage the servers to process discoveries. For example, if you have one Discovery Server inside the firewall to run discoveries on private IP addresses and another Discovery Server outside the firewall to run discoveries on public IP addresses, you can define the zones that you want each server to process. For more information on this configuration, see Managing the discovery server. If the Discovery module is installed on the current server, it runs discoveries only on the designated zones. If you do not define zones, the Discovery module processes all configured discoveries. |
|
|
Trust Protection Platform URL HostNames |
|
|
|
|
Authentication |
|
Disabled Identity Connectors: Use this setting to disable specific identity connectors for a given engine. This allows you to, for example, disable an identity connector on an engine which has no need to resolve identities (like a network discovery only engine). |
|
Proxy |
Proxy Settings |
|
Use Windows Configured Proxy: Configures Trust Protection Platform to use the Windows default proxy server as it is configured on the Trust Protection Platform server. If you select this option, you do not have to configure the Proxy Host, Port, or Credential fields. Host: The Hostname or IP address of the proxy server Trust Protection Platform uses to connect to the Internet. Trust Protection Platform supports both IPv4 or IPv6 connections. Port: Port the proxy server uses for client connections. Credential: Username Credential required to connect to the proxy server. If your proxy server uses domain authentication, make sure the Username Credential object is defined using Domain Name or User Principal Name syntax. Bypass For Local: Configures Trust Protection Platform to bypass the proxy server for connections to local CAs. Trust Protection Platform uses the following criteria to identify local and external addresses:
|