Creating a certificate workflow

Workflow objects define the parameters required to implement a workflow approval or inject a local command at a specific stage of the certificate lifecycle.

You must have the Create permission on the policy where you want to create the workflow.

To create a Workflow object

  1. From the Platform menu bar, click Policy Tree.
  2. Select the policy for which you want to create the workflow.
  3. Click Add > Workflow.

    The Detail View displays the Workflow's associated settings.

  4. In the Name field, enter a friendly name.
  5. In the Conditions box, enter the qualifying conditions.

    If Stage Is: Enter the condition stage at which the workflow event should be triggered. Stages are listed below.

    If Application or Trust Store is: Triggers the approval only if the certificate is installed on the Application or Trust Store selected from the list. If selected, this condition is in addition to the Stage Code (that is, there is an implied AND operation between the two conditions).

    NOTE  If there are multiple approvals set at the same stage, all approvals will trigger at the same time, and all approvals must be resolved before the workflow can continue. In Aperture, if a user is an approver for multiple workflow tickets at the same stage, approving or rejecting any of the workflow tickets will have the same effect on all workflow tickets assigned to the same object and stage.

  6. In the Actions box, enter the appropriate actions.

    Inject Commands: Under the designated conditions, Trust Protection Platform executes the defined commands on the certificate’s consumer application.

    Trust Protection Platform is able to run local SSH commands against the following applications:

    • Apache
    • F5 LTM Advanced
    • IBM GSK
    • Imperva MX
    • JKS
    • Layer 7 SSG
    • Oracle iPlanet
    • PEM
    • PKCS#12
    • Tealeaf PCA

    Trust Protection Platform is able to run PowerShell commands over WinRM for the CAPI application.

    After Trust Protection Platform executes the command, the application driver logs an Inject Command Success or Inject Command Failure event so you can determine whether the command executed successfully on the target application. The Inject Command Success event returns a value of zero (0) in the event’s Value2 field; an Inject Command Failure event returns a non-zero numeric value in the Value2 field. To be notified automatically of Inject Command Failure events, create a Notification Rule that triggers on a value greater than zero in the event’s Value2 field.

    For more information, see Creating notification rules.

    Request Approval: Check the box to request approval when this workflow condition is triggered.

    Request Approval From: Select the source of the approver.

    • Approver assigned to the object. For certificates, this is defined by the certificate settings in the Policy Tree.
    • Specified approver. Hard-code the approvers to be used. Activates the Specified Approver(s) field where you must enter the identities used for the approval.

      If multiple approvers are added, all listed approvers must approve the workflow item before it will be approved. If any of the approvers rejects the workflow, the item will be rejected.

    • Specify approver via macro. Allows you to enter a macro to dynamically select the workflow approver when the workflow is triggered. For more information on the Trust Protection Platform macro language, see the Venafi Trust Protection Platform Macro Guide. Activates the Approver Macro field where you must enter the macro command.

    Approval Reason Code: Enter the Reason Code that you want to include with the notification sent to the workflow approver. The maximum Approval Reason Code value is 999.

    IMPORTANT  This option is required if you select Request Approval From.

    Approval Reason Codes also accompany customized explanations or instructions for workflow approvers. The drop-down list displays the Reason Codes defined in the Workflow tree. For more information, see Defining reason codes for certificate approvals.

  7. Click Save.

IMPORTANT  When you define a Workflow object that requires approval, you must also select an Approval Reason Code to provide explanations or instructions for the workflow approvers. To learn more, see Defining reason codes for certificate approvals.

For a detailed description of the object settings, see Workflow object settings.
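The trigger and approval rules described in steps 5 and 6, modelled as an added Python example (this is not Trust Protection Platform code, and the class and function names are assumptions): the implied AND between the stage and application conditions, all-must-approve with any-reject-rejects for specified approvers, and one approver's decision applying to every ticket for the same object and stage.

```python
# Added example modelling the workflow semantics described in steps 5 and 6.
# It is not Trust Protection Platform code; all names here are assumptions
# made for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Condition:
    """The Conditions box: 'If Stage Is' plus the optional application filter."""
    stage: int
    application: Optional[str] = None  # 'If Application or Trust Store is'

    def triggers(self, event_stage: int, application: str) -> bool:
        # Both conditions must hold: there is an implied AND between them.
        stage_ok = event_stage == self.stage
        app_ok = self.application is None or self.application == application
        return stage_ok and app_ok

@dataclass
class Ticket:
    """One approval ticket with hard-coded (specified) approvers."""
    obj: str                   # the certificate object the ticket belongs to
    stage: int
    approvers: FrozenSet[str]
    decisions: Dict[str, str] = field(default_factory=dict)  # approver -> decision

    def status(self) -> str:
        # Any rejection rejects the item; otherwise every approver must approve.
        if "reject" in self.decisions.values():
            return "rejected"
        if all(a in self.decisions for a in self.approvers):
            return "approved"
        return "pending"

def record_decision(tickets: List[Ticket], acted: Ticket, approver: str, decision: str) -> None:
    """A decision applies to every ticket for the same object and stage that lists the approver."""
    for t in tickets:
        if t.obj == acted.obj and t.stage == acted.stage and approver in t.approvers:
            t.decisions[approver] = decision

def stage_outcome(tickets: List[Ticket], obj: str, stage: int) -> str:
    """All tickets at a stage must be resolved before the workflow continues.
    This example treats a rejected ticket as rejecting the item at that stage."""
    states = {t.status() for t in tickets if t.obj == obj and t.stage == stage}
    if "rejected" in states:
        return "rejected"
    if "pending" in states:
        return "pending"
    return "approved"
```

The stage numbers and object names used when exercising this model are constructed placeholders, not real Trust Protection Platform stage codes.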