Onboard Discovery prerequisites
Before running an onboard discovery, review the following:
- Make sure that the devices to be analyzed are compatible with the software platform versions and that any platform-specific prerequisites are met.
- Make certain that all devices are configured with a device credential, which is used by Trust Protection Platform to authenticate with each device.
IMPORTANT For a discovery job to complete successfully, the correct HostName/IP and device credentials must be set on the devices to be scanned. Not doing so results in a device scan failure and a corresponding error is logged in the Onboard Discovery object log.
General permissions (Required)
Venafi Trust Protection Platform requires a sufficient level of permissions to export certificates and read certificate-related details from the device configuration. The specific permission requirements, and the mechanism used to grant them, vary by the platform to be scanned.
Connectivity requirements are the same as they are for provisioning using the HTTPS connection method (for F5, NetScaler, and DataPower).
Specific requirements
Locate the installation type you plan to use with Onboard Discovery in the sections below and carefully review its requirements before creating your new job.
Adaptable
Similar to the Adaptable Application used for provisioning, the Adaptable application type requires that you first create a PowerShell script that implements the Discover-Certificates function and save it in the <Venafi_Home>\Scripts\AdaptableApp directory of the Trust Protection Platform server.
After creating and saving your script to the correct directory, you must assign it by policy to the folder containing the device objects to be scanned by selecting it from the policy's PowerShell Script list (policy > Applications > Adaptable sub-tab). For more information, see Assigning the PowerShell script to a policy.
NOTE Adaptable imports certificates but does not import keys.
For more information about the Discover-Certificates function, see Discover-Certificates function. For more information about the Adaptable Framework and PowerShell scripting, see PowerShell script reference for Adaptable Application.
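The following is an added example, not a Venafi-supplied script, of what a minimal Discover-Certificates function in such a script can look like. The $General parameter, its HostAddress/UserName/UserPass keys, and the Result/Applications return shape are assumed from the Adaptable framework convention and should be confirmed against the PowerShell script reference; the example also assumes the scanned device is a Windows host reachable over WinRM.

```powershell
# Added example (not Venafi's own code): a minimal Discover-Certificates function for an
# Adaptable Application script. The $General hashtable keys and the Result/Applications
# return shape are assumptions based on the Adaptable framework convention.
# Save under <Venafi_Home>\Scripts\AdaptableApp\ and assign the script by policy.

function Discover-Certificates
{
    Param(
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]$General   # connection details supplied by the platform
    )

    $hostName = $General.HostAddress             # HostName/IP configured on the device object
    $secure   = ConvertTo-SecureString $General.UserPass -AsPlainText -Force
    $cred     = New-Object System.Management.Automation.PSCredential ($General.UserName, $secure)

    # Assumption for this example: the device is a Windows host whose server certificates
    # live in the LocalMachine\My store. Only certificates that have a private key (i.e.
    # are actually installed for use) and are not yet expired are reported.
    $found = Invoke-Command -ComputerName $hostName -Credential $cred -ScriptBlock {
        Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
            ForEach-Object {
                @{
                    Thumbprint = $_.Thumbprint
                    # X509ContentType::Cert exports the public certificate only; the private
                    # key never leaves the device, matching "imports certificates but not keys"
                    Der        = $_.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
                }
            }
    }

    $applications = @()
    foreach ($c in $found) {
        # Wrap the DER bytes in PEM armor so the platform can parse the certificate
        $b64 = [Convert]::ToBase64String($c.Der, [Base64FormattingOptions]::InsertLineBreaks)
        $pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

        $applications += @{
            Name              = "cert-$($c.Thumbprint)"   # one application object per installation found
            PEM               = $pem
            ValidationAddress = $hostName
            ValidationPort    = 443                       # assumed: the certificates serve HTTPS
        }
    }

    return @{ Result = "Success"; Applications = $applications }
}
```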
Amazon Web Services (AWS)
If you're using Amazon Web Services (AWS) as your installation type, do the following before you create your onboard discovery job:
- Review AWS permission requirements.
- Create an Amazon credential. When configuring your onboard discovery job, you'll need to select your Amazon credential.
- Create a policy folder where discovered AWS certificates and installations can be placed. See Creating policies.
Microsoft Azure Key Vault
If you're using Microsoft Azure Key Vault as your installation type, do the following before you create your onboard discovery job:
- Review Azure permission requirements.
- Create a certificate credential. When configuring your onboard discovery job, you'll need to select a certificate credential.
- Create a policy folder where discovered Azure Key Vault certificates can be placed. See Creating policies.
CAPI
Use this application type to discover Internet Information Services (IIS) bindings only (available websites and their corresponding certificates). All other certificates in CAPI are excluded.
Each binding that is discovered is represented in Trust Protection Platform by a new CAPI application object and an associated certificate.
For prerequisite information, refer to the Venafi CAPI driver topic, CAPI driver prerequisite configuration.
Citrix NetScaler
Onboard Discovery interfaces with Citrix NetScaler devices using their Nitro API, which is supported by Citrix NetScaler 10.5 (or higher).
For prerequisite information, refer to the Venafi NetScaler driver topic, NetScaler prerequisite configuration.
F5 LTM Advanced
Onboard Discovery interfaces with F5 LTM Advanced devices using their iControl REST API, which is fully supported by version 11.5 (or higher) of the F5 Networks product.
F5 LTM Advanced Permissions: At minimum, the user account used by Trust Protection Platform to access your F5 device must have the Administrator role, which can be assigned to a local user or to a Remote Role Group for a non-local user. The Administrator role is required because it is the least privilege that permits interfacing with the iControl REST API.
DataPower
Onboard Discovery interfaces with DataPower devices running version 7.2 (or higher), because those are the versions that provide a REST API.
For prerequisite information, refer to the Venafi DataPower driver topic, IBM WebSphere DataPower prerequisite configuration.