Trust Protection Platform server configuration

The following settings are available for Trust Protection Platform servers. These settings vary based on global or individual server configuration:

  • Global server settings are available on the Platforms Engine tab.
  • Individual server settings are available on the Platforms [serverName] page.

Table columns: Tab | Sub-tab | Feature or section | Appears on | Option and Description

ACME Server tab

Sub-tab: Settings
Appears on: Root Platforms object (the settings in this tab are available from the root Platforms object)

Settings: Check boxes that enable the ACME server and allow the folders it needs to be created automatically if they don't exist. See ACME integration with TLS Protect.

Authentication tab

Sub-tab: Settings
Appears on: Root Platforms object (the settings in this tab are available from the root Platforms object)

Authentication:

Certificate Authentication: Check box that allows users to authenticate to the web console with a client certificate. Additional configuration is required; see Setting up certificate authentication for web console.

Also Require User Password: Check box that, when selected, requires the user to enter their password in addition to presenting a certificate, so a certificate alone is not sufficient to log in.

Certificate Manager tab

Sub-tab: Settings
Appears on: Root Platforms object (the settings in this tab are available from the root Platforms object)

Trust Store Management:

Disabled: Turns off Trust Store Management. The default is No, meaning Trust Store Management of certificates continues.

Certificate Revocation tab

Sub-tab: Settings
Feature or section: Settings
Appears on: Root Platforms object

Check-in interval (times daily): The number of times each day that Trust Protection Platform polls the CRL endpoints to download updated CRLs and re-check the revocation status of the certificates in the inventory.

Network Device Enrollment tab

Sub-tab: Settings
Appears on: Root Platforms object or child object (the settings in this tab are available from the root Platforms object or from a child object)

General:

The Network Device Enrollment tab is available only in Policy Tree. It enables Simple Certificate Enrollment Protocol (SCEP) certificate enrollment on the Trust Protection Platform server.

When Network Device Enrollment is configured, TLS Protect can receive a CSR from a SCEP-enabled device, renew the certificate with the appropriate CA, and then let the device download the renewed certificate from the Trust Protection Platform server. Because TLS Protect is not itself a CA, it can front multiple CAs with multiple CA templates for SCEP clients. It also applies hierarchical, policy-based rules that let administrators control where in the Policy tree the Certificate objects are created.

For details on network device enrollment, see Certificate enrollment via SCEP protocol.

For specific information on the fields available in this section, see Network device enrollment settings—Platforms and Server object.

Platforms tab

Appears on: Root Platforms object

Sub-tab: Settings

Global Options (impacts all users):

Automatically apply filter parameters on certificate inventory: By default, the certificate inventory does not load until you click Apply Filters, both when you open the inventory page and when you add individual filters. Deferring the load is especially helpful for large inventories that take a long time to load. If you prefer the previous behavior, loading the inventory as soon as the page opens, enable this option. You must reset IIS after changing this option.

Support large object trees: Controls the Policy tree view for all users. When enabled, all objects are hidden and only search results are shown (Query mode). When disabled, all Policy tree objects are shown. To give this search behavior to specific users only, set it on the User Preferences Appearance tab instead.

Enable team creation by everyone: When checked, any user can create a team.

Enable Management Type verification: When checked, certificates whose management type is "Provisioning" are checked for an associated installation (Application object). With this feature enabled, you can filter the certificate inventory on the "No Provisioning Targets" risk to find certificates set for provisioning that have no application. If you try to save a certificate set for provisioning without an application, Trust Protection Platform warns you and suggests changing the type to "Monitoring". For more information, see Certificate status and risks explained.

Allowed Outbound SSL/TLS Versions:

One or more protocol versions that Trust Protection Platform may use for outbound communications with other servers.

  • SSL 3.0: Allow or block Secure Sockets Layer (SSL) 3.0 communications. Recommendation: Unchecked (block).
  • TLS 1.0: Allow or block Transport Layer Security (TLS) 1.0 communications. Recommendation: Unchecked (block).
  • TLS 1.1: Allow or block TLS 1.1 communications. Recommendation: Unchecked (block).
  • TLS 1.2: Allow or block TLS 1.2 communications. Recommendation: Checked (allow).
  • TLS 1.3: Allow or block TLS 1.3 communications. Recommendation: Checked (allow).

Whenever you modify these settings, you must reset IIS.

CAUTION  By default, only TLS 1.2 is selected, which is the recommended best practice from a security perspective. If you have applications that cannot connect using TLS 1.2, you will need to assess your options: the Venafi-recommended settings may reduce compatibility, especially with older applications, but because these options are global, re-enabling SSL 3.0, TLS 1.0 or TLS 1.1 for one application permits those versions on every outbound connection the server makes.

For additional information, see the Microsoft documentation TLS, DTLS, and SSL protocol version settings.

IMPORTANT  Syslog channel drivers do not pick up changes to either the Allowed Outbound SSL/TLS Versions settings or the Certificate Verification settings. After changing either, restart the Venafi Log Server Windows service. For details, see Manually stopping and starting the log server service.

Sub-tab: Engine

Global Options:

Run daily tasks at: The time of day at which the Trust Protection Platform server runs its daily tasks. Daily tasks include the Certificate, SSH Key, and Symmetric Key monitoring scans and the Validation scans.

NOTE  If Trust Protection Platform does not have enough resources to process the daily tasks, an event is generated indicating that the engine failed to complete its daily tasks within a 24-hour period. This happens in extenuating circumstances, when there are too many Work To Do items in the queue. To monitor for these events, create a Notification Rule.

NOTE  Normally, Trust Protection Platform runs validation scans once daily. However, if a user clicks Validate Now in a Certificate or Application object, that object is queued with the Validation module for an immediate scan. For more information, see Running validation scans in the Venafi Trust Protection Platform Certificate Management Guide.

Certificate Verification Settings:

Verification Mode: The level of certificate verification applied before establishing an HTTPS connection to a server that presents a certificate:

  • None (Not Recommended) - No verification: (Default) Allow the connection. If the certificate would have failed the Basic or Strict verification, log a Certificate Verification Warning event message.
  • Basic - Checks expiration, revocation, common name mismatch & root chain: Check for an expired certificate, a CN mismatch, an invalid chain, inability to chain back to a trusted root, and an invalid CA certificate anywhere in the chain. If any check fails, refuse the connection and log a Certificate Verification Failed event message. If the certificate passes Basic but would have failed Strict, allow the connection and log a Certificate Verification Warning event message.
  • Strict (Recommended) - Basic checks & Server Authentication EKU: Perform the Basic checks and reject any certificate that fails them. In addition, if an Extended Key Usage (EKU) extension is present, verify that it includes the Server Authentication purpose; reject an otherwise valid server certificate that lacks it. For rejected certificates, refuse the connection and log a Certificate Verification Failed event message.

Check CRL: Whether to look for the server certificate on a Certificate Revocation List (CRL). CRL checking occurs before the HTTPS connection is made. Use this setting together with Verification Mode:

  • Never: Bypass CRL checking and decide on the certificate values alone.
  • When Possible: (Default) If the certificate is otherwise valid, determine whether it is on the CRL. If it is revoked, refuse the connection and log a Certificate Verification Error event message. If the CRL cannot be retrieved, allow the connection (this option fails open).
  • Always: If the certificate is otherwise valid, always determine whether it is on the CRL. If it is revoked, or its status cannot be verified because the CRL is unavailable, refuse the connection and log a Certificate Verification Failed event message (this option fails closed).

For more information, see Setting up Certificate Verification for securing outbound HTTPS connections.
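
The two settings above combine into a small decision table, and the practical question is which combinations fail open when a CRL endpoint is down. The following Python models that table; it is an added illustration for this page, not Venafi code, and the names (VerificationMode, CheckCRL, CertFacts, decide, matrix) are hypothetical. It assumes the CRL check is applied to any certificate the selected Verification Mode would accept, including under mode None; the certificate findings it takes as input are constructed rather than parsed from a real certificate.

```python
"""
Decision table for Verification Mode x Check CRL as described on this page.
Added illustration, not Venafi code. Input is a constructed summary of what
verification found about the peer certificate.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class VerificationMode(Enum):
    NONE = "None"
    BASIC = "Basic"
    STRICT = "Strict"


class CheckCRL(Enum):
    NEVER = "Never"
    WHEN_POSSIBLE = "When Possible"
    ALWAYS = "Always"


@dataclass
class CertFacts:
    """Constructed findings about a peer certificate (hypothetical input)."""
    expired: bool = False
    cn_mismatch: bool = False
    chain_invalid: bool = False        # broken chain, untrusted root, or bad CA cert
    has_server_auth_eku: bool = True   # Server Authentication purpose present in EKU
    revoked: Optional[bool] = None     # True/False from the CRL; None = CRL not retrievable


@dataclass
class Decision:
    connect: bool
    events: List[str] = field(default_factory=list)


def fails_basic(c: CertFacts) -> bool:
    return c.expired or c.cn_mismatch or c.chain_invalid


def fails_strict(c: CertFacts) -> bool:
    return fails_basic(c) or not c.has_server_auth_eku


def decide(mode: VerificationMode, crl: CheckCRL, c: CertFacts) -> Decision:
    d = Decision(connect=True)

    if mode is VerificationMode.NONE:
        # Never refuses; only warns when Basic or Strict would have failed.
        if fails_strict(c):
            d.events.append("Certificate Verification Warning")
    elif mode is VerificationMode.BASIC:
        if fails_basic(c):
            d.connect = False
            d.events.append("Certificate Verification Failed")
        elif fails_strict(c):
            d.events.append("Certificate Verification Warning")
    else:  # STRICT
        if fails_strict(c):
            d.connect = False
            d.events.append("Certificate Verification Failed")

    # CRL consultation happens before the connection, only for a still-acceptable cert.
    if d.connect and crl is not CheckCRL.NEVER:
        if c.revoked is True:
            d.connect = False
            d.events.append("Certificate Verification Error"
                            if crl is CheckCRL.WHEN_POSSIBLE
                            else "Certificate Verification Failed")
        elif c.revoked is None and crl is CheckCRL.ALWAYS:
            # Only Always fails closed when the CRL cannot be fetched.
            d.connect = False
            d.events.append("Certificate Verification Failed")
    return d


def matrix(c: CertFacts) -> List[str]:
    """Render every mode/CRL combination for one certificate, for review."""
    rows = []
    for m in VerificationMode:
        for k in CheckCRL:
            r = decide(m, k, c)
            rows.append(f"{m.value:6} {k.value:13} connect={r.connect!s:5} {', '.join(r.events) or '-'}")
    return rows


if __name__ == "__main__":
    # Constructed case: valid cert with serverAuth EKU, but the CRL endpoint is unreachable.
    for line in matrix(CertFacts(revoked=None)):
        print(line)
```

Running the script with an unreachable CRL shows that only the Always rows refuse the connection; every When Possible row connects, which is the behaviour to weigh when the peer is a CA or an HSM endpoint rather than a convenience integration.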

 

Trust Protection Platform URL HostNames:

  • Aperture: The setting for the $ApertureFQDN$ macro. Type the fully qualified domain name of the Aperture host, for example aperture.venafi.com. If the attribute value is not set, the macro returns the $HostName$ value instead.

    NOTE  Do NOT include the protocol (https://) or the /Aperture directory; enter the FQDN itself. So, if your Aperture URL is https://platform.venafi.com/Aperture, you would enter:

    platform.venafi.com

    This setting is critical for SAML SSO (single sign-on). Because most organizations put the engines behind a load balancer, an engine cannot determine the FQDN that users actually connect to, and that FQDN must match the common name or a DNS Subject Alternative Name of your CA-issued Venafi Operational Certificate (VOC); otherwise users get a certificate error when logging in via SAML.

  • Client Subsystem for Agents: The setting for the $VEDClientFQDN$ macro. Type the fully qualified domain name of the Client Subsystem for agents, for example client.venafi.com. If the attribute value is not set, the macro returns the $HostName$ value instead.
  • Network Device Enrollment: The setting for the $SCEPFQDN$ macro. Type the fully qualified domain name of the SCEP host, for example scep.venafi.com. If the attribute value is not set, the macro returns the $HostName$ value instead.
  • REST API: The setting for the $WebSDKFQDN$ macro. Type the fully qualified domain name of the Web SDK host, for example websdk.venafi.com. If the attribute value is not set, the macro returns the $HostName$ value instead.
  • Policy Tree: The setting for the $WebAdminFQDN$ macro. Type the fully qualified domain name of the Web Admin host, for example webadmin.venafi.com. If the attribute value is not set, the macro returns the $HostName$ value instead.
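
Before entering the Aperture FQDN, it is worth checking it against the VOC's names the same way a browser will. The Python below is an added example for this page, not Venafi code: it normalises what an administrator typed (stripping https:// and /Aperture as the NOTE requires) and reports whether the name is covered by a DNS SAN, only by the CN, or not at all. The VOC names and the function names (fqdn_from_setting, name_matches, match_status) are constructed for the example; matching is case-insensitive and a wildcard covers exactly one left-most label, the usual rule for server certificates.

```python
"""
Check a candidate Aperture FQDN against the Venafi Operational Certificate's
CN and DNS SANs. Added example for this page, not Venafi code; the certificate
names used at the bottom are constructed.
"""
from typing import Sequence
from urllib.parse import urlsplit


def fqdn_from_setting(value: str) -> str:
    """Normalise an admin-entered value to the bare FQDN the field expects:
    strip any scheme, port, path (such as /Aperture) and trailing dot."""
    v = value.strip()
    if "://" in v:
        host = urlsplit(v).hostname or ""
    else:
        host = v.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".").lower()


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or wildcard match of exactly one left-most label."""
    pattern = pattern.rstrip(".").lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # "*.venafi.com" matches "platform.venafi.com" but not "a.b.venafi.com" or "venafi.com"
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def match_status(setting: str, cn: str, dns_sans: Sequence[str]) -> str:
    """Return 'san' (matched by a DNS SAN), 'cn-only' (matched by CN alone) or 'none'."""
    host = fqdn_from_setting(setting)
    if not host:
        raise ValueError("no hostname in setting: %r" % setting)
    if any(name_matches(s, host) for s in dns_sans):
        return "san"
    if name_matches(cn, host):
        return "cn-only"
    return "none"


if __name__ == "__main__":
    # Constructed VOC names and a few candidate settings an admin might type.
    cn, sans = "tpp1.venafi.com", ["tpp1.venafi.com", "platform.venafi.com"]
    for candidate in ("https://platform.venafi.com/Aperture", "platform.venafi.com",
                      "tpp2.venafi.com", "tpp1.venafi.com."):
        print(f"{candidate:40} -> {fqdn_from_setting(candidate):22} {match_status(candidate, cn, sans)}")
```

Treat a 'cn-only' result as a failure for SAML purposes: current browsers ignore the common name and require a SAN match, so the load-balanced FQDN must appear in the VOC's DNS SANs, not just in its CN.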

 

Sub-tab: Proxy

Proxy Settings:

Use Configured Proxy: Configures Trust Protection Platform to use the Windows default proxy server as configured on the Trust Protection Platform server. If you select this option, you do not have to configure the Host, Port, or Credential fields.

Host: The hostname or IP address of the proxy server that Trust Protection Platform uses to connect to the Internet. Both IPv4 and IPv6 addresses are supported.

Port: The port on which the proxy server accepts client connections.

Credential: The Username Credential object used to authenticate to the proxy server.

NOTE  If your proxy server uses domain authentication, define the Username Credential using Domain Name (DOMAIN\user) or User Principal Name (user@domain) syntax.

Bypass For Local: Configures Trust Protection Platform to bypass the proxy server for connections to local CAs. Whether an address counts as local is decided from its syntax alone:

  • A bare hostname (no domain suffix) is a local address; everything else is external.
  • A URL whose host is a bare hostname is local. For example, http://intranet is a local address.
  • A URL whose host includes a domain name is treated as a fully qualified domain name and is sent through the proxy server even if it is on the local network. For example, http://intranet.mynetwork.local still passes through the proxy server when Bypass For Local is selected.
  • A URL whose host is an IP address is treated as external, even if it is in the local subnet, and is sent through the proxy server when Bypass For Local is selected. For example, http://192.168.0.100 (which reaches the same server as http://intranet) is sent through the proxy server.
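
Because the bypass decision is syntactic, it pays to run your CA endpoints through the rules before relying on it. The Python below is an added example for this page, not Venafi code; it implements the four rules above for a list of constructed CA URLs, and the function names (host_of, is_ip_literal, route, plan) are hypothetical.

```python
"""
Classifier for the Bypass For Local rules on this page: decide whether a CA
endpoint is reached directly or through the proxy. Added example, not Venafi
code. Rules as the page states them:
  - bare hostname, or URL whose host is a bare hostname      -> direct (local)
  - URL whose host contains a domain (an FQDN)               -> proxy
  - URL whose host is an IP literal, even in a local subnet  -> proxy
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit


def host_of(target: str) -> str:
    """Extract the host from a URL or a plain host[:port] string."""
    t = target.strip()
    if "://" in t:
        return (urlsplit(t).hostname or "").lower()   # urlsplit strips [] from IPv6
    host = t.split("/", 1)[0]
    if host.startswith("["):                          # [v6]:port without a scheme
        return host[1:host.index("]")].lower()
    return host.split(":", 1)[0].lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def route(target: str, bypass_for_local: bool) -> str:
    """Return 'direct' or 'proxy' for one target under the given setting."""
    if not bypass_for_local:
        return "proxy"
    host = host_of(target)
    if not host:
        raise ValueError("no host in target: %r" % target)
    if is_ip_literal(host):
        return "proxy"          # IP literals always go via the proxy
    if "." in host:
        return "proxy"          # a dotted name is treated as an FQDN
    return "direct"             # a single-label hostname is 'local'


def plan(targets: List[str], bypass_for_local: bool) -> List[Tuple[str, str]]:
    return [(t, route(t, bypass_for_local)) for t in targets]


if __name__ == "__main__":
    # Constructed internal CA endpoints; only the first one goes direct.
    for target, where in plan([
        "http://intranet/certsrv",
        "http://intranet.mynetwork.local/certsrv",
        "http://192.168.0.100/certsrv",
        "https://[fd00::10]:8443/certsrv",
    ], bypass_for_local=True):
        print(f"{where:6} {target}")
```

The consequence for a hardened deployment is that an internal CA addressed by FQDN or IP address, which is how most CA templates are configured, still goes through the proxy, so the proxy's allow-list must include those destinations; Bypass For Local only helps for single-label names.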

Venafi Trust Protection Platform tab

Appears on: Child objects (the individual Platforms [serverName] pages)

Sub-tab: Settings

Settings:

Run daily tasks at: The same setting, with the same NOTEs about daily-task events and Validate Now, as Global Options on the Platforms tab's Engine sub-tab (see above), but applied to this server only.

Certificate Verification:

Verification Mode and Check CRL: The same options, defaults and event messages as Certificate Verification Settings on the Platforms tab's Engine sub-tab (see above), applied to this server. For more information, see Setting up Certificate Verification for securing outbound HTTPS connections.

Operations:

Certificate: The DN of the Venafi Operational Certificate for this engine. The default value is \VED\Policy\Venafi Operational Certificates\[Engine Name].

Logging:

Log Debug: Check box that allows the Log server to store debug information. For more information about Log servers, see Managing the log server.

Discovery Zones:

Discovery Zones: The IPv4 address ranges, each a Class C (/24) or smaller, to which the current server has direct network access. This option lets you control which servers process which discoveries. For example, if you have one Discovery Server inside the firewall to run discoveries on private IP addresses and another outside the firewall to run discoveries on public IP addresses, you can define the zones that each server should process. For more information on this configuration, see Managing the discovery server.

If the Discovery module is installed on the current server, it runs discoveries only on the designated zones. If you do not define any zones, the Discovery module processes all configured discoveries.

Trust Protection Platform URL HostNames:

Aperture, Client Subsystem for Agents, Network Device Enrollment, REST API and Policy Tree: The same five FQDN fields ($ApertureFQDN$, $VEDClientFQDN$, $SCEPFQDN$, $WebSDKFQDN$ and $WebAdminFQDN$) as on the Platforms tab's Engine sub-tab (see above), set here for this server. Each macro falls back to the $HostName$ value when its field is empty.

Authentication:

Disabled Identity Connectors: Disables specific identity connectors for this engine. For example, you can disable an identity connector on an engine that never needs to resolve identities, such as a network-discovery-only engine.

Sub-tab: Proxy

Proxy Settings:

Use Windows Configured Proxy, Host, Port, Credential and Bypass For Local: The same fields as Proxy Settings on the Platforms tab (see above), set here for this server; on the Platforms tab the first check box is labelled Use Configured Proxy. The same Bypass For Local address rules apply: only a bare hostname bypasses the proxy, while an FQDN or an IP address is sent through the proxy even when it is local.