Using TppTool from the command line and script files

TppTool is a command-line utility that lets system administrators (and in some cases schema administrators) perform Venafi Platform actions through the command line or script files. It provides administrators with greater flexibility and automation capabilities when managing the platform, especially when dealing with multiple environments or large-scale deployments.

Using the TppTool command, administrators can:

  • Export and import various components of the Venafi Platform configuration, such as objects, attributes, policies, and permissions. This makes it easier to copy settings between environments, back up and restore specific configurations, and generate reports on the current system setup. Please note that TppTool is available in addition to Schematool.exe, which is still available for backward compatibility.

  • Manage the recycle bin, including restoring accidentally deleted objects, permanently deleting all objects or specific items from the recycle bin, and scheduling automatic purge and deletion tasks. Please note that these tasks can also be performed by using Venafi Configuration Console. See Venafi Recycle Bin. TppTool replaces the TPPRecycleBin.exe command.

  • Interact with and manage the Daily Tasks engine, which controls settings across the platform and determines when they will run. TppTool replaces the TPPDailyTasks.exe command.

  • Users with the Schema Administrator role can export and import Venafi Platform objects using TppTool, as long as they have permissions to the objects.

TppTool syntax

  • The TppTool program is located at: [InstallDir]\Platform\TppTool.exe.

  • To perform specific tasks, type a parameter directly after typing the TppTool command. For instance, TppTool -version. Please note that commands and parameters are not case-sensitive, meaning TppTool -version and TPPTOOL -VERSION are interpreted the same.

  • When running the program with no parameters, you will see the inline help. There, some characters in each parameter name are bolded and some are not. The bolded characters are a short-cut syntax that makes it quicker and easier to type commands. For example, the version parameter is displayed in the inline help as -version with -v in bold, so -v is the short cut.

    This short-cut syntax saves typing at the command line; however, to ensure compatibility with future versions of TppTool, you should use full parameter names when scripting.

    TIP  The hyphen (-) is technically optional, but is recommended for forward compatibility.

  • Command options are additional modifiers that provide further instructions or information to the TppTool command being executed. For example, -cryptpw=<password> provides the password for encrypting and decrypting XML files, and -username=<name> provides a valid username that is allowed to complete the operation. The tool accepts the following operators between an option and its value: = (equals sign), : (colon), and a space. Thus the following examples are all treated the same: -u=venafi, -u:venafi, and -u venafi.

Combining these principles, the following commands are all interpreted the same:

TppTool -startrotation -platform=Venafi1 -connector=hsm1

TPPTOOL.exe startrotation platform Venafi1 connector hsm1

tpptool startrotation -platform:Venafi1 -conn=hsm1
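The following normalizer is an added example written for this page, not Venafi's code. It models the syntax rules stated above (case-insensitive names, optional hyphen, documented short forms, and the =, : and space operators) and shows that the three command lines above reduce to the same canonical form. The PARAMETERS table is copied from the parameter table on this page; accepting any prefix of a full name that is at least as long as its short form is an assumption of this example, since the page documents only the full and short forms themselves.

```python
"""Normalize TppTool command lines according to the syntax rules on this page.

Added example, not Venafi's code. Parameter names are case-insensitive, the
leading hyphen is optional, each parameter may be typed as its documented
short form, and a value follows the name after '=', ':' or a space.
Assumption: any prefix at least as long as the short form is accepted.
"""

# full name -> (documented short form, whether the parameter takes a value)
PARAMETERS = {
    "password": ("pa", True), "username": ("u", True),
    "daily": ("da", False), "notify": ("n", False),
    "cryptpw": ("cr", True),
    "connector": ("conn", True), "disablesw": ("di", False),
    "keyname": ("k", True), "platform": ("pl", True),
    "startrotation": ("startr", False), "stoprotation": ("stopr", False),
    "column": ("col", False), "guid": ("g", True),
    "bin": ("b", False), "contents": ("cont", False), "empty": ("em", False),
    "purge": ("pu", False), "restore": ("r", False), "showtasks": ("showt", False),
    "startdelete": ("startd", False), "startpurge": ("startp", False),
    "stopdelete": ("stopd", False), "stoppurge": ("stopp", False),
    "children": ("ch", False), "class": ("cl", True), "dn": ("dn", True),
    "export": ("ex", True), "subsys": ("su", True), "import": ("i", True),
    "version": ("v", False),
}


def resolve_parameter(token: str) -> str:
    """Map a possibly abbreviated, possibly hyphen-less token to its full name."""
    name = token.lstrip("-").lower()           # hyphen optional, case-insensitive
    matches = [full for full, (short, _) in PARAMETERS.items()
               if full.startswith(name) and len(name) >= len(short)]
    if len(matches) != 1:
        raise ValueError(f"unknown, too short or ambiguous parameter: {token!r}")
    return matches[0]


def normalize(command_line: str) -> dict:
    """Return {full_name: value} (True for flags) for one command line.

    Values keep their case; only names are folded. Values containing spaces
    are not handled, because this splits on whitespace.
    """
    tokens = command_line.split()
    if tokens and tokens[0].lower().startswith("tpptool"):
        tokens = tokens[1:]                    # drop TppTool / TPPTOOL.exe / tpptool
    result = {}
    i = 0
    while i < len(tokens):
        token, value = tokens[i], None
        # '=' or ':' binds the value inside the same token; '=' is checked first
        # so a value such as a Windows path keeps its drive-letter colon
        for op in ("=", ":"):
            if op in token:
                token, value = token.split(op, 1)
                break
        full = resolve_parameter(token)
        takes_value = PARAMETERS[full][1]
        if takes_value and value is None:      # space operator: value is next token
            if i + 1 >= len(tokens):
                raise ValueError(f"parameter {full!r} requires a value")
            value = tokens[i + 1]
            i += 1
        elif not takes_value and value is not None:
            raise ValueError(f"parameter {full!r} takes no value")
        result[full] = value if takes_value else True
        i += 1
    return result


if __name__ == "__main__":
    # the three equivalent command lines from the page
    examples = [
        "TppTool -startrotation -platform=Venafi1 -connector=hsm1",
        "TPPTOOL.exe startrotation platform Venafi1 connector hsm1",
        "tpptool startrotation -platform:Venafi1 -conn=hsm1",
    ]
    forms = [normalize(e) for e in examples]
    print(forms[0])
    print("all equivalent:", all(f == forms[0] for f in forms))
```

Because the short-form rule is a prefix match against a fixed table, a new parameter added in a later TppTool release could make a previously unique abbreviation ambiguous; that is the practical reason behind the page's advice to use full parameter names in scripts.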

TppTool parameters and options


Parameters are grouped by type. Each entry gives the full parameter name, followed by its short form in parentheses, and then its description.

Common options

  • -password=<pass> (-pa=<pass>): Provide a password (prompted if omitted).

    NOTE  The quotation mark " and backslash \ characters are special characters, and if included in the password, you need to include a backslash to escape them. So if the password is pas"sw\ord, you would enter it as pas\"sw\\ord.

  • -username=<name> (-u=<name>): Provide a username.

Daily tasks

  • -daily (-da): Trigger the Daily Tasks action.

  • -notify (-n): If specified, any applicable notifications will be resent when triggering the Daily Tasks action.

Import & export options

  • -cryptpw=<password> (-cr=<password>): Provide the password for encrypting and decrypting XML files. The export will be in cleartext if this is not provided.

Key Rotation

  • -connector=<hsm> (-conn=<hsm>): If specified, the connector the new key should be stored on. If omitted, the connector of the existing system protection key will be used.

  • -disablesw (-di): When rotating from software to hardware, disable the software key after rotation is complete.

  • -keyname=<name> (-k=<name>): The name of the new key. The key must not exist; it will be created on the specified connector during rotation.

  • -platform=<tpp-server> (-pl=<tpp-server>): The name of the Venafi Platform server that should perform the key rotation. If omitted, the first available server is used.

  • -startrotation (-startr): Create a request to rotate the system protection key. Requires -keyname. You can optionally specify -connector and -platform.

  • -stoprotation (-stopr): Abort any outstanding key rotation requests.

Recycle Bin options

  • -column (-col): For -show: Display contents in columns.

  • -guid=<bin-guid> (-g=<bin-guid>): For -purge/-restore: The GUID of the item to purge or restore.

Recycle Bin tasks

  • -bin (-b): Perform the recycle bin action.

  • -contents (-cont): Display the contents of the recycle bin.

  • -empty (-em): Empty the recycle bin.

  • -purge (-pu): Purge a deleted item from the recycle bin.

  • -restore (-r): Restore a deleted item from the recycle bin.

  • -showtasks (-showt): Display information about pending or running recycle bin tasks and actions.

  • -startdelete (-startd): Start the nightly recycle bin automatic deletion action.

  • -startpurge (-startp): Start the nightly recycle bin purge action.

  • -stopdelete (-stopd): Stop the nightly recycle bin automatic deletion action.

  • -stoppurge (-stopp): Stop the nightly recycle bin purge action.

Schema export

  • -children (-ch): Export children of children as well.

  • -class=<c1,c2> (-cl=<c1,c2>): Only export objects of classes in the list (default: all classes).

  • -dn=<dn1,dn2> (no short form): Only export the DNs in the list (default: \VED\Policy).

  • -export=<xmlfile> (-ex=<xmlfile>): Export schema to file <xmlfile>.

  • -subsys=<IOSCAR> (-su=<IOSCAR>): Only export the specified subsystems (default: OS):

      • O - ObjectStore

      • R - Rights

      • I - Identity

      • C - Schema

      • A - OAuth

      • S - SecretStore

    Specify one or more subsystems. For example: -su=ics, -su=o, or -su=oricas.

Schema import

  • -import=<xmlfile> (-i=<xmlfile>): Import schema from file <xmlfile>.

Schema information

  • -version (-v): Display the current schema version.
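The helper below is an added example written for this page, not Venafi's code. It shows two rules from the parameter table in working form: the backslash escaping of " and \ in -password, and the -subsys letter codes (I, O, S, C, A, R, default OS). It also refuses to assemble an export without -cryptpw, because the table says such an export is written in cleartext. The function names, the default program path TppTool.exe and the sample values are this example's own; the page documents the escaping rule for -password only, so it is applied to that parameter alone.

```python
"""Build the argument tokens for a scripted TppTool schema export.

Added example, not Venafi's code. Applies the -password escaping rule and
the -subsys letter codes from this page's parameter table, and insists on
-cryptpw so the exported XML is not written in cleartext.
"""

# letter codes accepted by -subsys, as listed on the page
SUBSYSTEM_CODES = {
    "O": "ObjectStore", "R": "Rights", "I": "Identity",
    "C": "Schema", "A": "OAuth", "S": "SecretStore",
}


def escape_tpptool_password(password: str) -> str:
    """Escape the two characters the page marks as special in -password."""
    # Backslashes first, so the backslash inserted before a quote is not doubled.
    return password.replace("\\", "\\\\").replace('"', '\\"')


def validate_subsystems(codes: str) -> str:
    """Upper-case a -subsys code string, rejecting letters outside IOSCAR."""
    upper = codes.upper()
    if not upper:
        raise ValueError("at least one subsystem code is required")
    unknown = sorted(set(upper) - set(SUBSYSTEM_CODES))
    if unknown:
        raise ValueError("unknown subsystem code(s): " + "".join(unknown))
    return upper


def build_export_args(xml_file, crypt_password, subsystems="OS", dns=None,
                      classes=None, children=False, username=None,
                      password=None, tpptool="TppTool.exe"):
    """Return the token list for an encrypted export.

    Full parameter names are used throughout, as the page recommends for
    scripts. -username/-password are added only when both are given; leaving
    them out lets TppTool prompt for the password instead of keeping it in
    the script. Tokens are returned unquoted; quote them for your shell.
    """
    if not crypt_password:
        raise ValueError("refusing to export without -cryptpw (export would be cleartext)")
    args = [tpptool,
            "-export=" + xml_file,
            "-cryptpw=" + crypt_password,
            "-subsys=" + validate_subsystems(subsystems)]
    if dns:
        args.append("-dn=" + ",".join(dns))
    if classes:
        args.append("-class=" + ",".join(classes))
    if children:
        args.append("-children")
    if username is not None and password is not None:
        args.append("-username=" + username)
        args.append("-password=" + escape_tpptool_password(password))
    return args


if __name__ == "__main__":
    # constructed sample values, not real credentials or paths
    print(" ".join(build_export_args(
        "schema-backup.xml", "export-pass", subsystems="ics",
        dns=["\\VED\\Policy"], children=True)))
    print(escape_tpptool_password('pas"sw\\ord'))   # the page's own example
```

The escaping order matters: doubling backslashes before escaping quotes means the backslash that protects a quote is itself left alone, which is what turns the page's pas"sw\ord into pas\"sw\\ord.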