Adaptable Onboard Discovery sample script
You can configure an Adaptable Onboard Discovery job using a PowerShell script as the installation type, rather than using one of the other third-party applications available with Onboard Discovery. You just need to create your script, save it to the correct directory on your Trust Protection Platform server, and set up and configure the associated device object and policy. For more details, see Onboard Discovery prerequisites.
This topic contains a sample script that creates two applications, one Adaptable and one Apache, for two different certificates.
In the following example, the Adaptable application will be SSL/TLS-validated at service.venafi.example:44300 and the Apache application will have SSL/TLS validation disabled.
TIP When creating an Adaptable Onboard Discovery job, you are not prompted to specify the location of your script. You must specify your script in the policy object where the device to be scanned is kept.
This is because the primary goal of Onboard Discovery is to enable turnkey provisioning after certificates are discovered. For Adaptable, that requires a script to be specified by policy for that folder.
After each object is created, the specified attribute values are assigned. If an invalid class is specified, then a Basic application is created and an error event is logged for the onboard discovery job. If a name collision occurs with a Basic application, it is then converted to the specified application class (if valid). If an attribute is not valid for the class, or the value is not a distinguished name (DN) for a DN attribute, then no value is assigned to the application and an error event is logged for the onboard discovery job.
Adaptable Onboard Discovery Sample Script
function Discover-Certificates
{
    Param(
        [Parameter(Mandatory=$true,HelpMessage="General Parameters")]
        [System.Collections.Hashtable]$General
    )

    ### code for retrieving certificates and instance data from remote device goes here ###

    return @{
        Result = "Success";
        Applications = @(
            # Adaptable application, SSL/TLS-validated at service.venafi.example:44300
            @{
                Name = "virtual_server_1 (ssl_profile_1)";
                PEM = "-----BEGIN CERTIFICATE-----MIIEpTCCA42gAwIBAgIJAOw7-----END CERTIFICATE-----";
                ValidationAddress = "service.venafi.example";
                ValidationPort = "44300";
                Attributes = @{
                    "Text Field 1" = "virtual_server_1";
                    "Text Field 2" = "ssl_profile_1";
                    "Option 1" = "1"
                }
            },
            # Apache application, SSL/TLS validation disabled
            @{
                Name = "file_path_name (host_address:port:server_name)";
                ApplicationClass = "Apache";
                PEM = "-----BEGIN CERTIFICATE-----MIIEpTCCA42gAwIBAgIJALjX-----END CERTIFICATE-----";
                Attributes = @{
                    "Certificate File" = "/opt/apache/website.crt";
                    "Private Key File" = "/opt/apache/website.key";
                    "Certificate Chain File" = "/opt/apache/website.chain";
                    "Private Key Password Credential" = "\VED\Policy\Credentials\Private Key Password"
                }
            }
        )
    }
}
For details about the related function, see Discover-Certificates function.
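The checks below are an added example, not part of the product or of the sample script above. Test-DiscoveryResult is a hypothetical helper that inspects the hashtable before it is returned, so that malformed entries are caught in the script instead of surfacing as error events on the onboard discovery job. It assumes that attribute names ending in "Credential" are DN attributes under \VED\, and it infers from the sample that an entry without ValidationAddress and ValidationPort is not SSL/TLS-validated.

```powershell
# Hypothetical pre-flight check for a Discover-Certificates return value (not a product function).
function Test-DiscoveryResult
{
    Param([Parameter(Mandatory=$true)][System.Collections.Hashtable]$Result)
    $findings = @()
    $seen = @{}
    foreach ($app in $Result.Applications) {
        $name = [string]$app.Name
        if ([string]::IsNullOrWhiteSpace($name)) { $findings += "ERROR: entry without a Name"; continue }
        if ($seen.ContainsKey($name)) { $findings += "ERROR: duplicate Name '$name'" }
        $seen[$name] = $true
        # Structure check only: both PEM markers and a base64 body. No trust decision is made here.
        if ([string]$app.PEM -match '^-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----\s*$') {
            try { [void][Convert]::FromBase64String(($Matches['b64'] -replace '\s', '')) }
            catch { $findings += "ERROR: '$name' PEM body is not valid base64" }
        } else { $findings += "ERROR: '$name' PEM is missing or malformed" }
        # Inferred from the sample: an entry without a validation target is not validated.
        if ($app.ContainsKey('ValidationAddress') -or $app.ContainsKey('ValidationPort')) {
            $port = 0
            $isNumber = [int]::TryParse([string]$app.ValidationPort, [ref]$port)
            if (-not $isNumber -or $port -lt 1 -or $port -gt 65535) {
                $findings += "ERROR: '$name' ValidationPort is not in 1-65535"
            }
            if ([string]::IsNullOrWhiteSpace([string]$app.ValidationAddress)) {
                $findings += "ERROR: '$name' has a ValidationPort but no ValidationAddress"
            }
        } else { $findings += "WARN: '$name' has no validation target; SSL/TLS validation is off" }
        # Assumption: attribute names ending in "Credential" take a DN under \VED\.
        foreach ($key in @($app.Attributes.Keys)) {
            if ($key -like '*Credential' -and [string]$app.Attributes[$key] -notlike '\VED\*') {
                $findings += "ERROR: '$name' attribute '$key' is not a DN"
            }
        }
    }
    return $findings
}

# Constructed sample input: placeholder PEM bodies as on this page, one bad port, one non-DN credential.
$sample = @{ Result = "Success"; Applications = @(
    @{ Name = "virtual_server_1 (ssl_profile_1)"; ValidationAddress = "service.venafi.example"; ValidationPort = "44300/tcp";
       PEM = "-----BEGIN CERTIFICATE-----MIIEpTCCA42gAwIBAgIJAOw7-----END CERTIFICATE-----" },
    @{ Name = "file_path_name (host_address:port:server_name)"; ApplicationClass = "Apache";
       PEM = "-----BEGIN CERTIFICATE-----MIIEpTCCA42gAwIBAgIJALjX-----END CERTIFICATE-----";
       Attributes = @{ "Private Key Password Credential" = "Private Key Password" } }
) }
Test-DiscoveryResult -Result $sample
```

Treat the WARN line as a review prompt: an application discovered without a validation address and port will not have its installed certificate checked over SSL/TLS.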
About debug logging
When a user has requested debug logging by checking Enable Debug Logging for <Venafi Home>\Logs directory by default (e.g. C:\Program Files\Venafi\Logs).
For information about where Enable Debug Logging is configured for