Automatically calling Discovery/Import from Scanafi
You can use the VenafiScanafi command line utility to add network certificates to Trust Protection Platform. In Scanafi Provider mode, Scanafi discovers TLS 1.0, 1.1, 1.2, and 1.3 certificates, and then calls POST Discovery/Import to add them to a policy folder.
To call automatically Discovery/Import from Scanafi
- In
Trust Protection Platform, create a
Scanafi user:
- To allow Scanafi to authenticate to Trust Protection Platform, create a user identity. Use this information in the username and password parameters of the JSON input file.
In API Integrations page, grant the caller access to Scanafi. For more information, see Setting up token authentication.
- In the Policy folder, grant Write permission and Create permission. This folder stores Scanafi-discovered certificates. Use the folder name as the zone parameter.
Recommended but not required. If some of the certificates are in a different policy folder than the one you are scanning, grant View permission with Associate permission to the folders that contain those certificates. The extra permissions prevent errors while associating new devices and applications with them.
If the Scanafi computer cannot access POST Discovery/Import, you can run Scanafi in Standalone mode instead. For more information, see Manually calling Discovery/Import with Scanafi data.
- To prevent SSL/TLS handshake errors, such as error 12045, make sure the Scanafi computer trusts the server certificate that secures the Web SDK URL. For more information, see Customization Support.
- Download the latest executable and documentation from the [Venafi Installation folder]\Utilities\Scanafi\Venafi_Scanafi_Update.
-
Use the latest documentation to customize the sample in this topic.
JSON Keys JSON Key
Description
id
The Application ID. Specify scanafi.
inputs
An array of scan parameters.
log_level
(Optional) Specify one: trace, debug, Info (default), warning, error, fatal.
outputs
The scan source and destination of the Discovery results.
password
The Trust Protection Platform password.
path The directory and endpoint JSON file name. Use valid syntax for your operating system. For example:
- Windows: C:\\Tpp\\Scanafi\\report.json
- Linux, macOS: //home//user//Scanafi//report.json
ports
(Optional) If this parameter is not specified, Scanafi uses default port 443. An array of comma separated or range of ports for scanning. For example "443","80", "8080-8089". The scan priority is from the highest port number to the lowest.
provider
The scan source and destination of the Discovery results.
type
The provider type. Specify tpp.
threads The scan source and destination of the Discovery results.
url
The Trust Protection Platform server that will hold the imported certificates.
username
The Trust Protection Platform user name.
zone
An existing policy folder for certificates.
For example:
{ "zone":"Policy\\CertsfromScanafi", "log_level":"info", "id":"scanafi", "provider":{ "type":"tpp", "config":{ "url":"https://192.168.2.84", "username":"ScanafiUser", "password":"myPassw0rd!" }, "inputs":[ { "type":"CIDR", "subnet":"192.168.0.1/25", "ports":[ "443", "80", "8080-8089" ] } ] } } - Copy the Scanafi executable from the [Venafi Home]\Utilities\Scanafi directory of your Trust Protection Platform server to the Linux, macOS, or Windows computer that will run certificate discovery.
- From a command line, navigate to the Scanafi directory.
-
Command line examples to run
Scanafi in Provider mode
Discover on Windows now: scanafi_win_x64.exe --config [path]\Input.json
For example:
Schedule a Linux Cron job to run at 2AM (host time): sudo crontab -e
Save in Vi: 0 2 * * * /opt/venafi/scanafi_linux_x64 --config Input.jsonSchedule a Windows Task to run at 2AM (host time): SCHTASKS /ru "SYSTEM" /sc daily /st 02:00 /create /tn "Scanafi" /tr "\"C:\Venafi\scanafi_win_x64.exe\" "--config Input.json"
-
(Optional) Use additional flags from scanafi_win_x64 -h.
- To confirm certificate placement, check the Policy folder that you specified in the zone parameter.