Creating and using answer files

An answer file is an XML file that contains pre-determined configuration settings. You have an option to create an answer file at the end of the Venafi Platform Configuration wizard. Once you have an answer file, you can use it to specify configuration settings, making it much faster to deploy future Venafi Trust Protection Platform installations.

You can create an answer file without deploying the software by checking the appropriate option on the Configure Server tab of the Venafi Platform configuration wizard.

Below is a sample unencrypted answer file. You can use this sample file and modify it for your specific needs, as long as you are willing to use an unencrypted file. If you prefer to use an encrypted answer file, you need to generate it from the Venafi Platform configuration wizard. An unencrypted answer file is a plain text XML file that contains information like your master admin user name and password, your database connection credentials, your software encryption key, and all other configuration settings. You can read more information about creating and encrypting answer files via the configuration wizard.

Answer file sections and settings

You need to include the products that are linked to each of the features enabled in the Features section. To see how features map to products, see Trust Protection Platform components.

For example, If you only specify the WebConsole feature, you only need the CommonProduct product.

You can only install products for which you have a license.

Decide what features you want, using the components page.

Reference the components page to determine what products are necessary for the features you want.

  • TLSProtectProduct is called TLS Protect on the components page.
  • ClientProtectProduct is called Client Protect on the components page.
  • SshProtectProduct is called SSH Protect on the components page.
  • CodeSignProtectProduct is called CodeSign Protect on the components page.
  • PlatformProduct is called Platform on the components page.

For the <Features> section, information on each feature name and what it provides is described in Trust Protection Platform components.

For the <DSN> sections for both <DBO> and <Database> entries, information on how DSNs (Data Source Name) are constructed is found in Microsoft's documentation, Connection Options.

The TrustServerCertificate option, if set to true, means we will encrypt the connection and validate the certificate.

The MultiSubnetFailover option, if set to true, enables always on availability groups.

The Integrated Security option, if included, enables Windows integrated authentication. If this value is missing, the system will use MSSQL database authentication.

The Data Source option is the database address and port

The Initial Catalog option is the name of the database

For new installations: you must choose one of the following options:

  • Hardware encryption
  • Software encryption
  • Both hardware encryption and software encryption

For additional servers, this section needs to match the section on all other Venafi servers. If you are not using an HSM for hardware encryption, then the entire <HardwareEncryption> section will not be present.

If you want the system to generate a new software encryption key, you can leave out this element. If you have a key from another system that you want to use, you can enter it this way: If you want to use software encryption to protect data in the Trust Protection Platform database, you need to configure the software encryption element.

Copy

Using existing software encryption key

<!-- Use the following SoftwareEncryption element to use a previously-generated software key on additional servers. If you want the system to generate a new key, omit this element. -->    
<SoftwareEncryption>
    <Key>-----BEGIN VED ENCRYPTED KEY-----
        <!-- Base64 Encrypted key text -->
    -----END VED ENCRYPTED KEY-----</Key>
    <Password>ExamplePassword</Password>
</SoftwareEncryption>

The AdminAccount section is where you provide the username and password for the local master administrator account for Trust Protection Platform. If you have already created this on another Venafi server, this must match that setting. If this is your first Venafi server, this will establish that account. Password requirement complexity is documented in Changing local user passwords.

The MessageBus section is where you provide configuration information for using the MQTT message broker service we call Message Bus. Additional information about Message Bus can be found in Working with Message Bus.

The StartServices option, if set to yes, will automatically start Venafi services on the Venafi server after the configuration is complete.

On your first Venafi Platform server, you don't want to start services automatically, since there are still configuration steps you want to do first. However, if you are creating an answer file for second (or subsequent) servers, this switch can save some manual steps on each server.

Complete answer file example

The following is a complete answer file with all possible options enabled. You can use this as a starting point for your answer file, or you can generate one from the Venafi Configuration Console. Your final answer file will likely be shorter, as your are unlikely to enable every option on all Venafi servers.

Copy 
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <TppConfiguration CreatedOn="12/31/2021 12:00:00" By="abe.lincoln" On="WIN-Venafi01">
        <Components>
            <Products>
                TLSProtectProduct
                ClientProtectProduct
                SSHProtectProduct
                CodeSignProtectProduct   
                PlatformProduct
            </Products>
            <Features>
                Acme
                BulkProvisioning
                CAImport
                Certificates
                CloudMonitoring
                Scep
                OBDDiscovery
                JSSDiscovery
                Revocation
                Validation
                EstService
                SSH
                SSHCertificates
                HsmBackend
                TimeStampService
                KeyManager
                KeyServer
                ClientDistribution
                AuthServer
                AutoLayout
                Client
                Discovery
                Monitoring
                Reporting
                WebConsole
                WebSDK
            </Features>
        </Components>
    <DBO>
        <DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB; User ID=DBO_user@example.com;Password=ExamplePassword; TrustServerCertificate=True;MultiSubnetFailover=True;Integrated Security=True</DSN>
    </DBO>
    <Database>
        <DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB; User ID=Operational_user@example.com;Password=ExamplePassword; TrustServerCertificate=True;MultiSubnetFailover=True; Integrated Security=True</DSN>
    </Database>
    <HardwareEncryption>
        <DllPath>c:\program files\myhsmvendor\pkcs11library.dll</DllPath>
        <Slot>0</Slot>
        <Pin>ExamplePassword</Pin>
        <Key>MyDemoKey</Key>
        <AccountType>CryptoOfficer</AccountType>
    </HardwareEncryption>
    <!-- Use the following SoftwareEncryption element to use a previously-generated software key on additional servers. If you want the system to generate a key, omit this element. -->    
    <SoftwareEncryption>
        <Key>-----BEGIN VED ENCRYPTED KEY-----
        <!-- Base64 Encrypted key text -->
        -----END VED ENCRYPTED KEY-----</Key>
        <Password>ExamplePassword</Password>
    </SoftwareEncryption>
    <AdminAccount>
        <Username>masterAdmin</Username>
        <Password>ExamplePassword</Password>
    </AdminAccount>
    <!-- This Message Bus element is for a mesh connection. Use either this one OR the hub and spoke connection, not both.  -->
    <MessageBus>
        <Port>8883</Port>
        <!-- 8883 is recommended for TLS encrypted. Port 1883 is recommended for unencrypted. -->
        <Tls>yes</Tls>
        <!-- Use 'no' for unencrypted -->
    </MessageBus>
    <!-- This Message Bus element is for hub and spoke connection to a central broker. Use either this one OR the mesh connection, not both. -->
    <MessageBus>
        <Port>8883</Port>
        <!-- 8883 is recommended for TLS encrypted. Port 1883 is recommended for unencrypted. -->
        <Tls>yes</Tls>
        <!-- Use 'no' for unencrypted -->
        <Server>name</Server> <!-- Central server -->
        <Instance>id</Instance> <!-- Central instance id -->
        <Username>name</Username> <!-- Central auth username; if auth required -->
        <Password>password</Password> <!-- Central auth password; if auth required -->
        <Certificate>PFX data</Certificate> <!-- Central auth certificate; in lieu of username/password -->
    </MessageBus>
    <Logging>
        <LogProcessor />
        <LogExpiration Days="90" />
    </Logging>
    <Environment>
        <CompanyName>Example Company, Inc.</CompanyName>
        <DeploymentType>PRODUCTION</DeploymentType>
    </Environment>
    <Server>
        <StartServices>yes</StartServices>
        <LogPath>C:\Program Files\Venafi\Logs\Tpp Configuration Log.txt</LogPath>
    </Server>
</TppConfiguration>