Creating policies

Policies provide a hierarchical framework for managing configuration and assets within your environment, much like hierarchical directories such as Active Directory. Using policies, you apply policy settings that let you standardize configuration parameters and enforce security requirements throughout your encryption environment.

To create a policy

  1. Log in to Policy Tree.

    IMPORTANT  You must have the Create permission on the Policy object where you want to create the new policy.

  2. Select the Policy tree from the Tree drop-down menu.
  3. In the Policy tree, select the Policy object where you want to create the new policy.
  4. Click Add > Policy.

  5. Define the Policy settings.
  6. Click Save/Apply.

After you create the Policy, you can configure policy settings for the Policy’s subordinate encryption objects. The following table describes the Policy configuration settings.

Field

Description

General


Policy Name

The name of the Policy object.

Description

Description for the Policy object.

Contact

User or Group Identity assigned to the current Policy object. Default system notifications are sent to the contact Identity.

To select the Policy Contact:

Click the Browse button.

The Identity Selector dialog opens.

If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store and return the list of requested users or groups. If you want to display all user or group entries, you can enter the wildcard character (*).

Select a User or Group Identity, and then click Select.

Press Shift+click to select multiple, contiguous users and groups.

Press Ctrl+click to select multiple, discontiguous users and groups.

Exclude from automatic deletion

When checked, the Recycle Bin's deletion tasks will not be run on objects that use this policy.

One feature of the Venafi Recycle Bin helps manage the size of your database by automatically deleting outdated objects, based on the settings you configure. However, where certain objects must be protected from deletion, for example because legal obligations require it, this setting lets you exempt those objects while the Recycle Bin continues to run on objects that do not need the same protection. To learn more about the Recycle Bin, see Venafi Recycle Bin.

Log View


Server

The Log View Server provides the current Policy and its subordinate objects with a reference to your Default SQL Channel object. The Default SQL Channel object is the log store for the events used to populate the Log tab within each object configuration.

When you install Trust Protection Platform, the root Policy is automatically configured with the default Log View Server object.

The Log tab within each object configuration provides a view of all events triggered by the current object. To view events on this tab, you must configure the Log View Database Access credentials in your Default SQL Channel object. For more information, see Updating the SQL Server channel object.

To view the log history for the current Policy object, click the Log tab. For more information, see General configuration options.

Processing Engines

Engines

Allows the administrator to select a specific Trust Protection Platform Server to provide monitoring, provisioning, and validation services for the Policy’s subordinate objects.

This functionality is particularly useful in heavily firewalled environments where you want the local Trust Protection Platform server at each site to manage processing for the local certificates and keys.

IMPORTANT  For the CSR generation setting on the certificate:

When CSR generation is done by the application:

  • Stages 0 through 400 and 800 and higher use this setting from the policy containing the app.
  • Stages 500 through 700 are done by the policy containing the certificate.

When CSR generation is not done by the application:

  • Stages 0 through 700 are done by the policy containing the certificate.
  • Stages 800 and higher use this setting from the policy containing the app.
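The stage rule above decides whose Engines setting applies: the policy containing the certificate or the policy containing the application, each of which may itself inherit the setting from a parent policy. The following is an added example (not Venafi code) that models that resolution; it assumes a simplified inheritance model in which an unset Engines value is taken from the nearest ancestor, and the policy names and engine names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:
    """One node of the Policy tree. engines=None means 'not set here, inherit'."""
    name: str
    parent: Optional["Policy"] = None
    engines: Optional[List[str]] = None   # Processing Engines > Engines

    def effective_engines(self) -> List[str]:
        # Assumed inheritance model: walk up to the nearest ancestor that sets Engines.
        node = self
        while node is not None:
            if node.engines is not None:
                return node.engines
            node = node.parent
        return []            # nothing set anywhere: no engine restriction

def engines_for_stage(stage: int, cert_policy: Policy, app_policy: Policy,
                      csr_by_application: bool) -> Tuple[str, List[str]]:
    """Pick which policy's Engines setting governs a given workflow stage."""
    if stage < 0:
        raise ValueError("stage must be >= 0")
    if csr_by_application:
        # Stages 0-400 and 800+ follow the app's policy; 500-700 the certificate's.
        # (Stages are multiples of 100, so '< 500' and '0 through 400' coincide.)
        use_cert = 500 <= stage <= 700
    else:
        # Stages 0-700 follow the certificate's policy; 800+ the app's.
        use_cert = stage <= 700
    policy = cert_policy if use_cert else app_policy
    return policy.name, policy.effective_engines()

# Constructed sample tree: an HQ engine at the root and a site-local engine for a
# firewalled site, the scenario the Engines setting is designed for.
ROOT = Policy("Policy", engines=["tpp-hq-01"])
SITE_A = Policy("Site A", parent=ROOT, engines=["tpp-siteA-01"])
CERT_POLICY = Policy("Certificates", parent=ROOT)      # inherits from root
APP_POLICY = Policy("Apps", parent=SITE_A)             # inherits from Site A

if __name__ == "__main__":
    for csr_by_app in (True, False):
        for stage in (0, 300, 500, 700, 800, 1100):
            print(csr_by_app, stage,
                  engines_for_stage(stage, CERT_POLICY, APP_POLICY, csr_by_app))
```

Running it shows that with application-side CSR generation the site-local engine handles the early and late stages while the HQ engine handles stages 500 through 700, whereas with platform-side CSR generation the HQ engine handles everything up to stage 700.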
