Installing using the Venafi Configuration Console wizard

The Venafi Configuration Console wizard walks you through the installation of Venafi Trust Protection Platform on your server. Installation refers to both:

• Installing and connecting to a clean database
• Installing and connecting to an existing database

To Install Venafi Trust Protection Platform using the Windows installer

1. Log in to the Windows server where you want to install Trust Protection Platform.

2. Locate and extract the Trust Protection Platform zip file(s) to a staging directory.

3. From an elevated command prompt, change your directory to the extracted zip folder and enter the following command:

   VenafiTPPInstall-24.1.x.msi

   How to open an elevated command prompt

   1. From the Start menu, search for CMD.
   2. In the search results, right-click on Command Prompt, and choose Run as administrator.
   Why do I need an elevated command prompt?

   Running VenafiTPPInstall-24.1.x.msi from an elevated command prompt ensures that:

   • The Venafi Configuration Console launches properly after the installation is complete.
   • You can uninstall Trust Protection Platform from Windows' Programs and Features tool without needing to run a special command in an elevated command prompt.

4. When the Welcome window appears, click Next.

5. Read the terms stated in the License Agreement window. If you agree, select I accept the terms in the license agreement, and then click Next.

6. In the Destination Location window, click Next to accept the default location or click Change to change the destination folder or drive letter.

   The default destination folder is:

   C:\Program Files\Venafi\

7. In the Ready to Install the Venafi Trust Protection Platform window, click Install to start the installation.

   The installation may take a few minutes.

   NOTE  Because Venafi Platform 24.1 was developed on Visual Studio 2019, it includes updated Visual Studio runtime libraries. If you have other applications running on the Windows server that also rely on the same libraries (for example, VMWare Services), you may be prompted to either 1) close those applications during installation, upgrade, or uninstallation of Venafi Platform; or 2) be prompted to restart windows at the completion of the Venafi installation process. This is expected.

   If you prefer to avoid this step, you can upgrade your Visual Studio runtime libraries before you run the Venafi installer. The vc_redist.x64.exe libraries can be found here: https://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads.

8. Click Finish.

   The Windows installer completes the installation and then launches the Venafi Configuration Console wizard.

Configure Venafi platform from the Venafi Configuration Console

1. On the Venafi Configuration Console Welcome screen, determine which option applies:

   • Install a new Venafi Platform Server for the first time (connect to an empty database)

   • Add a Venafi Platform Server to an existing installation (connect to an existing database)

     If you select this option, you will need the extracted software key from the existing installation. For information, see Backing up the software encryption key.

   Depending on the option you choose in this step, the availability of options and the requirements for entering data will change in the following steps.

2. (Optional) If you have run this wizard previously, and you have an answer file that you want to use to pre-populate fields, select the checkbox.

   For more information about working with answer files, see Creating and using answer files.

3. Click Next.

   IMPORTANT  On the next screen, the tabs available in the left menu depend on what options you selected on the Welcome Screen. As you continue through these steps, each of the possible tabs will be listed. If the tab doesn't appear in the Wizard, you can skip that step below. The order of the sections will also vary, depending on what you selected.

4. On the Before You Begin tab, read the instructions on this screen, then click Next.

5. [Optional] If you are using an answer file, on the Answer File tab click the Browse button to locate the answer file. If the answer file is encrypted with a password, enter the password, then click Next.

6. On the Component Selection tab, use the tree to select which components and features you want to enable for the installation.

   For a list of available components, see Trust Protection Platform components.

   IMPORTANT  The installation will not work properly unless you select at least one product (TLS Protect, Client Protect, CodeSign Protect, or SSH Protect). If you are trying to install a UI-only server (WebConsole) you need to select one top-level product, in addition to the UI components in the Common Components list. However, in that case, you can deselect the child components of the top-level product. For example, this is a valid configuration:

   

   Select the components you want to install, then click Next.

7. On the Hardware Encryption tab, determine if you want to use hardware encryption.

   Venafi Trust Protection Platform can encrypt data using one or more keys stored in an HSM. For code signing, Venafi Trust Protection Platform can use private keys stored on an HSM to sign code. To enable hardware encryption, check the box, and fill out the requested information.

   Hardware encryption field descriptions

   Field	Description
   Name	Name of the HSM connector. This name will be how Master Admins identify this HSM connector when they are creating environment templates. In this example, we'll name it Default HSM.
   Cryptoki DLL Path	Trust Protection Platform requires access to the 64-bit version of Cryptoki DLL. For SafeNet Luna SA devices, this is the path to the cryptoki.dll file. For Entrust nShield Connect HSM devices, this is the path to the cknfast.dll file. After selecting the DLL, click Load Slots. Trust Protection Platform will query the HSM and return the available slots. IMPORTANT  Trust Protection Platform requires the path to the DLL file to initialize the connection to the HSM device. This path will be used for all Trust Protection Platform servers in the cluster (connected to the same database). All servers in the cluster must have their DLL file in the same location.
   Slot	Slot ID for the HSM partition where you want Trust Protection Platform to access the encryption keys. NOTE  While slot numbers are listed in the drop-down list, Trust Protection Platform does not depend on slot numbers. Trust Protection Platform identifies HSM partitions by label first, and in the case that there are duplicate labels, it falls back to the serial number.
   User Type	User type required to access the HSM keys on the designated partition (Slot ID). The designated User Type must have sufficient permissions to use the keys in the Encryption Driver’s Permitted Keys list.
   Pin	Pin, if one is required to access the HSM. If you use Entrust nShield token protection, leave the field empty. If you are setting up AWS CloudHSM, the pin must be in the following format: <CU_user_name>:<password> .
   Default key	The default encryption key used by the system. If you are adding a server to an existing database, you cannot change this selection. This is also the key used to protect the database connection string stored in the registry.
   Create (button)	If you want to generate a new AES 256-bit symmetric key on the HSM, click this button. A new key will be generated.

   TIP  If you are installing to an existing database, if hardware encryption is enabled, you will need to enter the PIN to continue, even though no other information appears on the screen.

   NOTE  You must select either one or both encryption types (hardware and/or software encryption). To help you decide, see Database Encryption.

   IMPORTANT  The keys used to encrypt Trust Protection Platform are critical to the system's functionality. Without the encryption keys, you cannot access the database or stored secrets.

8. On the Software Encryption tab, determine if you want to use software encryption.

   Venafi Platform can encrypt data using a software encryption key.

   If you are connecting to a new database, you can either provide a key, or have one generated for you.

   If you are connecting to an existing database, you must use the software key used to encrypt that database.

   Software encryption field descriptions

   Field	Description
   Generate a New Key	Choose this option if this is a new installation and you want the system to generate a new, unique key for this database. A random password will be generated.
   Use Shared Key	Choose this option if you are connecting to an existing database secured by a software encryption key, or if you have an existing key you want to use.
   Key Password	(Only if using Shared Key option) If the key is encrypted with a password, enter the key's password.
   Encoded Key	(Only if using Shared Key option) Enter or paste the entire encryption key (including the --- Begin --- and ---End--- lines).

   If you are connecting to an existing database with software encryption enabled, before you can move to the next tab, the system will verify that the software key matches the existing database's software encryption key.

   TIP  If you are installing with an existing database, if software encryption has not been configured for that database, the options on this screen will be disabled.

   NOTE  You must select either one or both encryption types (hardware and/or software encryption). To help you decide, see Database Encryption.

   IMPORTANT  The keys used to encrypt Trust Protection Platform are critical to the system's functionality. Without the encryption keys you cannot access the database or stored secrets. Consequently, if you use a software encryption key, it is highly recommended that you back up the key to a secure location. In the event of a system failure, you can restore the key so Trust Protection Platform can access your system data. For information, see Backing up the software encryption key.

9. On the Database Settings tab, choose either the Settings tab or the Expert tab, and fill out the connection information for your database. If you enter different data into both tabs, the tab you are on when you click Next will determine which settings are applied.

   Before you configure a new database connection, you must have previously created the Trust Protection Platform database and configured both database service accounts. For more information, see Preparing the database server.

   For information about the types of database service accounts and permissions they need, see Setting up your Microsoft SQL database server.

   Field descriptions - Settings tab

   Field	Description
   Hostname	Enter the hostname, FQDN, or IP address for the database connection. NOTE  If you enable the TLS encrypted connection, you will need to enter the FQDN that matches the certificate presented by the MSSQL server.
   Port	Enter the database port number. The default port is 1433.
   Database	Enter the name for the VenafiTrust Protection Platform database.
   Server supports TLS encrypted connections	Enabling this option encrypts all communications between the Venafi Platform server and the back end database. If this option is not selected, the credentials are still protected but all other communications between the server and the database might not be protected. Recommendation: Enable Learn how to enable SSL encryption for an instance of SQL server using Microsoft Management Console.
   Enable AlwaysOn Availability Groups	The Always On Availability Groups feature is a high-availability and disaster-recovery solution that provides an enterprise-level alternative to database mirroring. When using this setting, use the virtual server name of the availability group listener in the hostname field. See AlwaysOn high-availability disaster recovery solution. For more information, see Always On Availability Groups (SQL Server). CAUTION  Using AWS Multi-AZ (Availability Zone) requires special configuration including creating a virtual private cloud (VPC) with both private and public subnets. Please contact Venafi Customer Support for additional configuration instructions.
   Database Owner Account (Also DBO account) This is a service account that Trust Protection Platform uses for installations, upgrades, and administrative maintenance of the database. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions on all Venafi servers. See also operational database account. fields	Field Description Type Trust Protection Platform allows you to use either Windows integrated authentication or Microsoft SQL native authentication to authenticate to the database. Select your connection option from the list. Windows integrated authentication is the preferred method for security purposes as it allows for central management of accounts and passwords in Active Directory. If you use gMSAs, you don't even need to worry about passwords and rotation of passwords. Login Enter the account name that has the required permissions. If using Windows Authentication, enter the user name, in UPN format, of the service account user that will access the database, so that services and web applications can be configured to run under the selected account. If using a gMSA, use the format <DOMAIN>\<ACCOUNT>$. For example, if your domain is jupiter and your gMSA name is ganymede, you would use jupiter\ganymede$. Don't forget the trailing $. Password Enter the password for the user account connecting to the database. If you are using a gMSA, this field will be disabled.
   Operational Account (Also limited database account) This is a service account that Trust Protection Platform uses for everyday operations. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions, and also needs to be part of the Local Administrators group, on all Venafi servers. Database grants for this account are automatically managed by the system. See also database owner account. fields	Field Description Type Trust Protection Platform allows you to use either Windows integrated authentication or Microsoft SQL native authentication to authenticate to the database. Select your connection option from the list. Windows integrated authentication is the preferred method for security purposes as it allows for central management of accounts and passwords in Active Directory. If you use gMSAs, you don't even need to worry about passwords and rotation of passwords. Login Enter the account name that has the required permissions. If using Windows Authentication, enter the user name, in UPN format, of the service account user that will access the database, so that services and web applications can be configured to run under the selected account. If using a gMSA, use the format <DOMAIN>\<ACCOUNT>$. For example, if your domain is jupiter and your gMSA name is ganymede, you would use jupiter\ganymede$. Don't forget the trailing $. Password Enter the password for the user account connecting to the database. If you are using a gMSA, this field will be disabled. NOTE  The lowest level of database grants that the operational account requires is automatically provided by Trust Protection Platform through the database owner account. If you encounter errors during this stage, the following topics might be helpful: Setting up your Microsoft SQL database server, which contains information about the separate database accounts and their required roles. Windows permissions for database service accounts, specifically the bullet that talks about Windows integrated authentication.

   Field descriptions - Expert tab

   Field	Description
   Database Owner Account (Also DBO account) This is a service account that Trust Protection Platform uses for installations, upgrades, and administrative maintenance of the database. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions on all Venafi servers. See also operational database account.	Field Description Connection String The connection string is a combination of the database settings selected above. This option is most commonly used if your database administrator instructs you to use a connection string with additional parameters that aren't available in the Venafi Configuration Console user interface. Password The password to connect to the database. If there is a password provided in the connection string, that password will be used for the connection, regardless of what is set in the Password field.
   Operational Account (Also limited database account) This is a service account that Trust Protection Platform uses for everyday operations. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions, and also needs to be part of the Local Administrators group, on all Venafi servers. Database grants for this account are automatically managed by the system. See also database owner account.	Field Description Connection String The connection string is a combination of the database settings selected above. This option is most commonly used if your database administrator instructs you to use a connection string with additional parameters that aren't available in the Venafi Configuration Console user interface. Password The password to connect to the database. If there is a password provided in the connection string, that password will be used for the connection, regardless of what is set in the Password field.

   If you are connecting to an existing database, before you can move to the next tab, the system will verify that the database connection information is correct.

10. On the Administrative Account tab, enter information for the local master admin account for Venafi Trust Protection Platform.

    You need to create a local master admin account for Trust Protection Platform. You will use this account to log in to Trust Protection Platform and to perform maintenance and upgrade tasks in the system. The local master admin account has all permissions to every object in Trust Protection Platform.

    Enter the user name and password. Password requirements are show on the screen. The password will be validated locally to verify it meets complexity requirements.

    Verify the password, then click Next.

11. On the Message Bus tab, select whether or not you want to use a TLS-encrypted connection for the Message Bus (the MQTT broker used to communicate between servers in the cluster). The default is to use TLS.

    We recommend using the IANA registered ports for MQTT: port 8883 for TLS, or port 1883 for unencrypted.

    If you plan to use an external MQTT broker, click Central MQTT broker, then provide the URL to the service, and authentication information.

    For more details on Message Bus and its configuration, see Working with Message Bus.

    If you don't know what to enter here, you can likely accept the default values.

    Continue to the next tab by clicking Next.

12. On the Event Logging tab, determine if you want this server to process log events.

    At least two Venafi servers needs to have event logging enabled. If event logging is configured on two different servers, you can leave this check box cleared.

    Venafi recommends you define a retention period to control growth of the database. Trust Protection Platform will periodically automatically delete logs older than the specified number of days.

    Click Next.

13. On the Environment tab enter the required information.

    Enter your organization name, and select the deployment type for this server, then click Next.

    Your organization name and deployment type are used in Venafi reports, and may be used in the future in other ways to enhance your product experience.

14. On the Customer Experience tab, review the information on how data is collected.

    NOTE  Participation in the Customer Experience Improvement Project is required for all customers, enabling Venafi to gather license utilization and product usage telemetry. This does not include any personally-identifiable data. Read more about our data collection policy in the Venafi Data Privacy Policy for Venafi Trust Protection Platform™.

    Click Next.

15. On the Save Configuration tab, do the following:

    • Determine the location where the configuration progress and errors will be logged. If there is a problem with the configuration of the Venafi database, this file will show you where the error occurred, which will help Venafi Customer Support troubleshoot your issue more quickly and efficiently.
    • Specify whether Venafi Platform services should be started immediately upon completion of configuration.

    • We recommend you save your configuration as an answer file if this configuration is different than an answer file you have previously created. An answer file simplifies the process of upgrading Trust Protection Platform, reinstalling Trust Protection Platform, or installing more than one Trust Protection Platform server, connecting to the same database.

      • If you create an answer file, it is recommended that you encrypt your answer file with a password. An unencrypted answer file is a plain text XML file that contains information like your master admin user name and password, your database connection credentials, your software encryption key, and all other configuration settings.
      • If you are just completing the wizard to create an answer file, select the appropriate option. The wizard will save the answer file and will close when you click the Finish button.

16. Click Finish.

    Venafi Platform will configure the server using the settings you have configured. When the configuration is complete, click Close.

Once you have completed the configuration wizard, the Venafi Configuration Console window automatically opens. For more information, see Venafi Configuration Console in the Administration guide.