Installation preparation worksheet
This topic is a worksheet you can print and use to document the information required to successfully perform the base installation of Venafi Trust Protection Platform. This worksheet should be completed before you start the installation process.
Information that you gather here can be referenced during the installation process.
Venafi Platform Servers
Complete the following tables identifying your Venafi servers. It is strongly recommended that a minimum of two Venafi servers be installed. Additional servers may be added at any time to accommodate specific use cases. Refer to the Venafi Platform Architecture webcast at https://ps.venafi.com or speak to Venafi Professional Services for additional information if necessary.
| Venafi Platform Server #1 | Value |
|---|---|
| FQDN Hostname of VENAFI server | |
| Windows Server version | |
| Server Specifications (CPU/RAM) | |

| Venafi Platform Server #2 | Value |
|---|---|
| FQDN Hostname of VENAFI server | |
| Windows Server version | |
| Server Specifications (CPU/RAM) | |
TIP: If you're installing more than two servers, make additional copies of the above tables.
Microsoft SQL Server Database
This section captures the necessary information about the Microsoft SQL Server database (MSSQL) that the Venafi Platform will use. It may be necessary to work with your organization's Database Administrator to complete this section.
| Venafi Platform Database Preparation Items | Value |
|---|---|
| MSSQL Database version | |
| MSSQL Server FQDN Hostname | |
| Database Name | |
| SQL Server Instance Name (if applicable) | |
| MSSQL Listening Port (TCP 1433 Default) | |
| Is this an Always On Availability Group Instance? | |
| MSSQL Server requires TLS connection? | |
| Server Specifications (CPU/RAM) | |
| Available Database Disk Space | |
| Authentication Method (Windows or SQL Auth) | |
The database owner account is used only for installation, upgrades, and administrative maintenance.
| Database Owner Account Authentication | Value |
|---|---|
| Database AD account UPN or SQL account name | |
| The database owner account has been granted the "DBO" role for the database. | |

For Windows integrated authentication: Grant both database service accounts "Log On As a Service" permissions on all Venafi servers. For more information, see the Microsoft TechNet article Log on as a service. Grant the operational database account "Log On As a Batch Job" permissions on all Venafi servers. Add the operational database account to the local administrators group on all Venafi servers. For more information, see Windows permissions for database service accounts.
The operational database account is a limited account used for everyday operations. The database grants are managed automatically.
| Operational Database Authentication | Value |
|---|---|
| Database AD account UPN or SQL account name | |
HSM Storage for The Venafi Platform Encryption Key
IMPORTANT: HSM connectors are global configurations. As such, the following requirements must be met before you begin:
- All Trust Protection Platform servers need to have access to the HSM.
- The HSM client must be installed to the same location on all Trust Protection Platform servers.
- The HSM client must present the same partition label on all Trust Protection Platform servers.
- Ideally, the serial number presented for the partition is the same on all servers.
Make sure all of these requirements are met before creating an HSM connector.
Once these requirements are met for every Trust Protection Platform server in the cluster, you can then create a connector to the HSM from any server in the cluster.
Since HSM connectors are global configurations, each server in the cluster will load the configuration after it is created on one of them. HSM information is stored in encrypted form in the registry (only when the System Protection Key is stored in the HSM), and in Secret Store. When it is updated in VCC, the updates are stored and VCC passes the information to other servers in the cluster. If the System Protection Key is on the HSM, the individual Venafi servers will update their registries.
The HSM protected database encryption key must be accessible to all Windows servers before and after installing Venafi.
| HSM Information (If Applicable) | Value |
|---|---|
| HSM Vendor & Software Version | |
| HSM Client Software installed version | |
| Cryptoki DLL Path | |
| Partition label | |
| User Type defined | |
| PIN – typically not required | |
MQTT (Message Queuing Telemetry Transport)
The Venafi Message Bus leverages MQTT to provide immediate alerts about significant changes to the database across all servers in the cluster. These alerts are informational and non-confidential, assisting servers to maintain synchronization and promptly update their configurations, permissions, and identities.
You can adjust the settings of the Message Bus and verify its status via the Venafi Configuration Console. Before you configure the firewall rules, you need to make some decisions about your MQTT setup. You have two choices:
- Self-Hosted (resembling a mesh network): If you opt for a mesh network, you need to designate a port for MQTT communication.
- Central MQTT Broker (resembling a hub-and-spoke network): If you have an existing MQTT server that you wish to use, collect the credentials and the name of your MQTT server. You will also need to designate a port for MQTT communication.
For more comprehensive information on configuring MQTT, see Venafi Message Bus.
Firewall Rules
Verify your firewall rules and prepare change procedures before implementing the Venafi Platform. The minimum requirements are listed below.
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| Venafi Server(s) | MS SQL Server | 1433 | TCP | Connection to TPP database |
| Venafi Server(s) | DNS Server(s) | 53 | UDP | DNS Lookups |
| Venafi Server(s) | Selected AD Domain Controller(s) | UDP: 88, TCP: 88, 135, 389, 445, 636, 3268, 3269, 49152-65536 | TCP/UDP | Required if using Active Directory Identity Provider or Windows Authentication to Database |
| Venafi Server(s) | LDAP Server(s) | 389, 636 | TCP | Required if using LDAP Identity Provider |
| Administrator Workstation(s) | Venafi Server(s) | 3389 | TCP/UDP | Access to Venafi TPP Server for administration tasks |
| Users | Venafi TPP UI Server(s) | 443 | TCP | HTTPS access to the Venafi TPP Server(s) Web UI(s) and REST API |
| Venafi Server(s) | Entrust nShield HSM(s) | 9004 | TCP | Required if using Entrust nShield HSM for encryption key |
| Venafi Server(s) | LunaSA HSM(s) | 1792, 22 | TCP | Required if using LunaSA HSM for encryption key |
| Venafi Server(s) | Venafi Server(s) | Port of your choosing (8883 by default) | TCP | MQTT communication (mesh mode). Open the chosen port between every Venafi Server and every other Venafi Server, both incoming and outgoing. |
| Venafi Server(s) | MQTT Broker | Broker's required port | TCP | MQTT communication (central mode). Open the broker's port outbound from every Venafi Server. |
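As an added pre-installation check (example code, not part of this worksheet or of Venafi's own tooling), the following PowerShell script walks the outbound paths from the firewall table above from a planned Venafi server and reports which ones are blocked. The hostnames, the DNS server address and the peer server name are placeholders to replace with the values recorded in your worksheet.

```powershell
# Added example, not Venafi tooling: pre-installation connectivity check built
# from the firewall table in this worksheet. Run it on each planned Venafi server.
# All hostnames/addresses below are placeholders; substitute your worksheet values.
$SqlServer        = 'sql01.example.internal'   # placeholder
$DnsServer        = '10.0.0.53'                # placeholder
$DomainController = 'dc01.example.internal'    # placeholder
$PeerVenafiServer = 'tpp02.example.internal'   # placeholder (mesh-mode MQTT peer)
$MqttPort         = 8883                       # default mesh-mode MQTT port

# TCP paths from the table (the AD dynamic RPC range 49152-65536 is not probed here)
$Checks = @(
    @{ Target = $SqlServer;        Port = 1433;      Purpose = 'TPP database' }
    @{ Target = $DomainController; Port = 88;        Purpose = 'AD Kerberos' }
    @{ Target = $DomainController; Port = 135;       Purpose = 'AD RPC endpoint mapper' }
    @{ Target = $DomainController; Port = 389;       Purpose = 'AD LDAP' }
    @{ Target = $DomainController; Port = 445;       Purpose = 'AD SMB' }
    @{ Target = $DomainController; Port = 636;       Purpose = 'AD LDAPS' }
    @{ Target = $DomainController; Port = 3268;      Purpose = 'AD Global Catalog' }
    @{ Target = $DomainController; Port = 3269;      Purpose = 'AD Global Catalog (TLS)' }
    @{ Target = $PeerVenafiServer; Port = $MqttPort; Purpose = 'MQTT mesh mode' }
)

$Results = @(foreach ($c in $Checks) {
    # -InformationLevel Quiet makes Test-NetConnection return only $true/$false
    $ok = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
          -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $ok }
})

# UDP 53 cannot be probed with Test-NetConnection, so perform a real lookup instead
try {
    $null  = Resolve-DnsName -Name $SqlServer -Server $DnsServer -ErrorAction Stop
    $dnsOk = $true
} catch { $dnsOk = $false }
$Results += [pscustomobject]@{ Target = $DnsServer; Port = 53; Purpose = 'DNS lookups (UDP)'; Reachable = $dnsOk }

$Results | Format-Table -AutoSize
$Blocked = @($Results | Where-Object { -not $_.Reachable })
if ($Blocked.Count -gt 0) {
    Write-Warning "$($Blocked.Count) required path(s) blocked; fix the firewall rules before installing."
    exit 1
}
```

Add rows for the HSM ports (9004 for nShield, 1792 and 22 for LunaSA) or the central MQTT broker port if your design uses them; a non-zero exit code makes the script usable as a gate in a change procedure.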