Deploy and configure the Windows servers

Here are the high level steps to deploy and configure each Windows server that will become a Venafi server.

1. Review the hardware and operating system requirements for the Windows servers.

   Hardware and operating system requirements for Windows servers

   Hardware Requirements

   Feature	Requirement
   Processor	4 processing cores
   Memory	16 GB RAM
   Disk Space (for the Trust Protection Platform application)	5 GB The Trust Protection Platform application can be installed on a secondary partition.

   Software Requirements

   Feature

   Requirement

   Operating Systems

   Microsoft Windows Server 2022 (server with user interface) is supported (and required if you want to use TLS 1.3). Microsoft Windows Server 2019 (server with user interface) is supported. Microsoft Windows Server 2016 (server with user interface) is supported. Microsoft Windows 2012 Server R2 (server with user interface) is supported for upgrades only. Do not use for new installations. Users on Windows 2012 Server should strongly consider upgrading to a newer version as Windows 2012 Server doesn’t support all Venafi features and all third-party integrations. Trust Protection Platform only supports English Language Installation Media from Microsoft. While it does support region setting configurations to ensure that date and times appear correctly, the Windows servers on which you install Trust Protection Platform must be derived from Windows English installation media.

2. Where applicable, join your Windows server to your Active Directory domain.

   Join Windows servers to Active Directory

   While a connection to Active Directory is not required for base functionality, it is required to use certain features such as Windows integrated authentication.

   Windows integrated authentication is supported in two ways in Trust Protection Platform:

   • Authentication to the database from the Venafi servers.
   • User authentication to the web interface for single sign-on (SSO).

3. Enable web services, if needed.

   Enable web services on required servers

   For each Windows server, decide if it is going to be supporting inbound web services or not. If the server will support web services, then the required windows server role and corresponding components are followed as outlined in the System Requirements guide.

   IIS can start its default web site before the Venafi site on the server, preventing the Venafi site from starting. You should remove the default web site.

   Some examples of web services are the Web Console, Web SDK, supporting connectivity from our agents, as well as some certificate protocols like ACME or SCEP. However, if you are deploying a Venafi server to a segmented network to discovery, validate, and install certificates and ssh keys, plan on leveraging partitioning to ensure that a particular Venafi server communicates with the internet or various network segments, then it is possible to configure those Venafi servers with no web services. In those cases, the IIS role does not need to be installed.

   Venafi Platform server configuration and roles required for servers that support inbound web services

   Feature	Requirement
   Web Server Roles (Venafi web services enabled)	Install the following required Microsoft Internet Information (IIS) web server roles: Common HTTP Features\Static Content Common HTTP Features\Default Document Health and Diagnostics\HTTP Logging Health and Diagnostics\Logging Tools Health and Diagnostics\Request Monitor Health and Diagnostics\Tracing Security\Request Filtering Performance\Static Content Compression
   Windows Server Roles (Web Server\Application Development\.NET Extensibility)	Microsoft Windows 2022 Server ASP.NET 4.8 ISAPI Extensions ISAPI Filters .NET Extensibility 4.8 Microsoft Windows 2019 Server ASP.NET 4.6 ISAPI Extensions ISAPI Filters .NET Extensibility 4.6 Microsoft Windows 2016 ASP.NET 4.5 ISAPI Extensions ISAPI Filters .NET Extensibility 4.5 Microsoft Windows 2012 Server R2 ASP ASP.NET 4.5 ISAPI Extensions ISAPI Filters .NET Extensibility 4.5
   Microsoft runtime libraries	You need to install both the following Visual C++ Runtime libraries: 32-bit version 64-bit version For more information, see the following from Microsoft: Latest supported Visual C++ Redistributable downloads
   Windows service dependencies	The following services should not be disabled: CNG Key Isolation (for elliptic curve key operations)
   IIS 7.5 Add-On	Microsoft URL Rewrite Module 2.1
   .NET Framework (Venafi web services enabled)	.NET Framework 4.8 is required for all OS versions. Download .NET Framework 4.8 fromhttps://dotnet.microsoft.com/download/dotnet-framework/net48.
   Port 80 Binding Requirements	If you are using SCEP (Simple Certificate Enrollment Protocol), you must allow port 80 binding. SCEP will not work without port 80 binding. Additionally, the timestamping service requires port 80. If access to port 80 is blocked, the Time Stamp Service endpoints in CodeSign Protect will not be able to get timestamping data. If you are not using SCEP, and you don't care about access to the Time Stamp Service Endpoints, you can disable access on Port 80.

4. Apply correct permissions for domain service accounts if leveraging Windows integrated authentication.

   Apply correct permissions for domain service accounts

   For Windows Servers joined to the domain, you are likely to leverage Windows Integrated Authentication to authenticate to the Venafi database on your Microsoft SQL Server. You will need two domain services accounts and they need to be given the correct permissions on each Windows Server.

   If you haven't done so yet, create the accounts. Then apply the correct permissions in AD. For specific permissions details, see Windows permissions for database service accounts.

5. If your industry requires, enable FIPS on your Windows server.

   Enable FIPS (only recommended if required by your industry)

   Venafi Trust Protection Platform support Windows servers with Federal Information Processing Standard (FIPS) enabled.

   FIPS Resources

   • Why We’re Not Recommending “FIPS Mode” Anymore (from Microsoft Security Baselines Blog)
   • Microsoft's approach to FIPS validation (from Microsoft Windows documentation)

   IMPORTANT  Because FIPS is not supported for ACMEv2, you cannot have FIPS enabled on any server that is used for ACMEv2.

   How to Enable FIPS on Windows Servers

   1. On each server, open the Local Group Policy Editor by opening the gpedit.msc snap-in.
   2. In the snap-in navigate to Local Group Policy Editor > Computer Configuration > Windows Setting > Security Settings > Local Policies > Security Options.
   3. Find the policy System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
   4. Change the option from Disabled to Enabled.

6. Verify prerequisite software and components are installed.

   Verify prerequisite software and components are installed

   Venafi Professional Services maintains a script you can run on your Venafi servers to verify the appropriate prerequisites have been met for the server, and optionally install and configure any missing components. The accompanying README.txt file provides detailed information about using the script. The script and documentation are available on Venafi's Downloads site.

   If you choose not to run the script, we strongly recommend you look at the Third Party folder contained the Venafi Trust Protection Platformzip for helpful links for finding required common components that must be installed. The URL Rewrite Module only needs to be installed on Venafi servers configured for inbound web services. (See step 3, above.)

   Install HSM client on Venafi server

   Trust Protection Platform is a native 64-bit application. When integrating with HSMs to (1) encrypt private keys, credentials, and other secrets stored in the Venafi database, or (2) for the central generation or storage of private keys, you must install the 64-bit version of the HSM vendor's client software on each Venafi server in your deployment. These settings must be configured identically on all Venafi servers in the deployment. During installation of the Trust Protection Platform software, you will need to provide details on the HSM vendor client library.

   For example:

   Trust Protection Platform requires access to the 64-bit version of Cryptoki DLL.

   For SafeNet Luna SA devices, this is the path to the cryptoki.dll file.

   For Entrust nShield Connect HSM devices, this is the path to the cknfast.dll file.

   After selecting the DLL, click Load Slots. Trust Protection Platform will query the HSM and return the available slots.

   IMPORTANT  Trust Protection Platform requires the path to the DLL file to initialize the connection to the HSM device. This path will be used for all Trust Protection Platform servers in the cluster (connected to the same database). All servers in the cluster must have their DLL file in the same location.