PowerShell script reference for Adaptable Flow
Similar to other Venafi Adaptable solutions, the Adaptable Flow for SSH Certificates utilizes a PowerShell script that contains functions you can use to integrate with third-party products, like an ITSM CMDB.
TIP When creating new PowerShell scripts for use with the Adaptable Flow (or other Venafi Adaptable solutions), keep in mind that the file name is used to identify your script from within the associated object in Trust Protection Platform. Using logical names can help you and other administrators recognize the purpose and intent of each script.
This section documents all available PowerShell functions for use with the Adaptable Flow driver. PowerShell scripts are stored in the \Venafi\Scripts\Adaptable
The input parameters and response format for each function is predefined. All functions receive a set of general parameters, whereas those parameters that are specific to the function are only passed to it.
DID YOU KNOW? To prevent vulnerabilities, the PowerShell scripts are stored on the Trust Protection Platform server. While it might have been more convenient to allow downloading the script, storing the scripts on the Trust Protection Platform server prevents potentially harmful scripts from affecting the server. Only privileged users on your Trust Protection Platform server can access scripts.
You must ensure the same version of all your Adaptable Flow scripts are on all servers in the cluster that have the WebConsole component installed. For this reason, it is wise to include a script version number in the file name, so you can easily check to see that the same version of the script is installed on all servers in the cluster.
NOTE To work effectively with any Venafi adaptable solution, you must have some working knowledge of PowerShell scripting, or you must have equivalent experience with a scripting language similar to PowerShell.
A sample script is provided in the \Venafi\Scripts\AdaptableSSHCertificateIssuanceFlow\Samples
folder. Only files that are in the main \Venafi\Scripts\AdaptableSSHCertificateIssuanceFlow\
folder can be selected in an Adaptable Flow object in Policy Tree. Files in all sub-folders are ignored.
Data is passed to the functions using hash tables (key-value pairs). Using hash tables enables the addition of new functions in future releases.
BEST PRACTICE When customizing (or creating a new) PowerShell script, keep the following security best practices in mind:
- Avoid hard-coding credentials into your PowerShell scripts.
- Only include code in functions that relate to the task they are designated to perform.
- Scripts should not do anything that could alter the integrity or availability of the local Windows system (the system hosting Trust Protection Platform).
About debug logging
When a user has requested debug logging by checking Enable Debug Logging for Adaptable Flow, the driver sets a global variable called $DEBUG_FILE whenever it executes a PowerShell function. So your PowerShell script should reference the value of the $DEBUG_FILE variable to decide whether or not to log information for troubleshooting purposes. The value the driver assigns to the $DEBUG_FILE variable is a recommended file path name on the Trust Protection Platform server for use when logging events to a file. The file name is designed to be unique to the instance of the Adaptable component so as to avoid conflicts when multiple scripts are running at the same time and writing to the log file. If the recommended file name is used, the resulting log file appears in the <Venafi Home>\Logs
directory by default (e.g. C:\Program Files\Venafi\Logs
).
For information about where Enable Debug Logging is configured for Adaptable Flow, see
What's Next?
With this general information on creating a PowerShell script for Adaptable Flow, now you should review the information about hashing for Adaptable Flow. See About hash tables for Adaptable Flow.