Upgrades to Venafi Trust Protection Platform 17.2
Trust Protection Platform 17.2 introduces new functionality such as the ability to run TPP as an ACME server, HSM Remote Key Generation for our most popular certificate installation drivers, credential and historical certificate management in Aperture, and a revamped interface for managing groups and work for Server Agents, SSH Agentless, Enterprise Mobility Agent, and the End User Portal. Click here for a complete list of new features in 17.2. Depending upon the version you are upgrading from, some of the enhancements that have been implemented over the last 2 years require action on your part either prior to upgrade or immediately after upgrade. Please read carefully through this Knowledge Base article prior to upgrading. Pay special attention to the list of deprecated features as well as features scheduled for deprecation.
For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 17.2.
More information about the Venafi Trust Protection Platform 17.2 life cycle is available here: https://support.venafi.com/entries/23267241
Update to Groups and Work
There are significant updates to the ways that Server Agents, SSH Discovery/Remediation, User Portal, and Enterprise Mobility Agent are managed in 17.2. You will want to read the following article, which explains what the new features are, why the changes were made, and what you will want to check on or update after you upgrade to 17.2.
Potentially longer upgrade window for migrating logs
Significant refactoring was done in 16.2, affecting how logs are stored in the database. When the mssql_update_16.1_to_16.2.sql upgrade scripts are executed, the format of the data is modified. For every 30 million rows in the logs, you can expect the script to take approximately an hour (subject to hardware, SQL Server version, server utilization, and other factors).
It is recommended, if possible, to archive or reduce the number of logs stored in the Trust Protection Platform database prior to upgrading to 16.3 from 16.1.x or older.
If you have secondary log tables, read this KB article to learn how to migrate them: https://support.venafi.com/hc/en-us/articles/220761368.
SSH Key Internal Storage Migration
When upgrading to 17.2, all SSH keys in the database will be migrated to an updated storage format. When the Venafi Control Center (VCC) is executed, the migration may take longer than usual to complete. In Venafi's internal testing, it processed approximately 5,800 SSH keys per minute, so 100,000 keys may take approximately 20 minutes. Your actual processing rate may vary depending upon the version of SQL Server, database disk speed, CPU/RAM of the SQL Server, and other load on the server at that time. Progress is shown in the Venafi Control Center user interface.
During upgrade, you might see the following message in Trust Protection Platform logs: "SSHManager - Erroneous Key Instance" - "Key at <path> removed from database because it did not have secret store association. You may need to re-discover this key"
This message indicates that you have been impacted by the bug with internal reference #33848. If the same private key was discovered on two devices and the first device was then completely deleted, the key became orphaned and non-operational. The bug has been fixed and the migration script returns the database to a consistent state, but the only way to properly restore those keys is to re-discover them. For agentless discovery, this happens automatically on the next discovery. For agent-based discovery, you will need to flush the agent's SSH key cache and re-discover keys on the corresponding devices if you see this message.
Symantec MPKI Enrollment Mode
In previous versions, certificates renewed with the Symantec MPKI driver supported a per-certificate "enrollment mode" option, which controlled whether your renewal request was treated as a new certificate, a renewed certificate, or a replacement certificate. New in 17.2, this feature has been migrated to settings on the Symantec CA template in Web Admin. Instead of managing the enrollment logic on a certificate-by-certificate basis, the logic is now automatic and configured for all certificates enrolled via that Certificate Authority Template.
See: Configuring the Symantec Managed PKI for SSL CA template (requires authentication)
Oracle Database Server no longer supported
If your Trust Protection Platform database is currently being hosted on Oracle, do NOT attempt to upgrade to 17.2. You must first migrate your production database from Oracle to Microsoft SQL. Contact Venafi Customer Support to coordinate Venafi assistance with the migration.
Change in requirements for Database Service Account permissions
Enhancements made in 15.1, 15.3, 16.2, and 17.1 have changed the permissions required by the Microsoft SQL Service account used to connect to the database. Please refer to the sample grant scripts (ex: sample_grants_16.4_to_17.1.sql) in the "Database Scripts\MSSQL\Updates" folder for sample scripts on how to modify the permissions for your database. Please consult with your DBA prior to changing permissions for the database.
DSA SSH Credentials for SSH Connections
17.2 and 17.1.2 include a new version of the Maverick library that Trust Protection Platform uses as its SSH client to communicate with remote systems. If you want to discover DSA keys or use DSA keys for authentication to remote systems:
- In the Control Panel, navigate to Network Connections, Advanced settings. Disable the setting for Federal Information Processing Standards (FIPS) compliance for this network.
- On the Trust Protection Platform server running Discovery, add the following registry key: HKLM\Software\Venafi\Platform\EnableSSHDSS (string key), value: 1.
License and Usage statistics collected
New in 17.1, high-level statistics and license usage can optionally be collected and emailed to Venafi at email@example.com. No sensitive or personally identifiable data, such as IP and email addresses, hostnames, and usernames, is sent. Please make sure the email account used to send other reports is able to email external recipients.
Please refer to "Usage statistics and Licensing Report FAQ" section in product documentation for benefits and frequently asked questions about this feature.
Aperture Certificate Status Updated
The Certificate Inventory Status column has been split into two columns: Risks and Status. Status contains a single life cycle stage such as "Renewing" or "Pending My Approval". Risks contains one or more tags such as "Unapproved Issuer" and/or "No Local Dual Control". The Certificate Overview banner has been updated to show only "Status" information, not Risks. If you have custom reports that report on "Status" and want them to continue to report certificate risk information, you will need to update the report to include the new Risks column.
Encrypted Connection to Microsoft SQL
TPP can now be configured to always require a secure/encrypted connection to the database. To enable this, open Venafi Control Center on each TPP server and choose "Change Database Password". Then check "Encrypt all database communications" and click the Verify button. This security feature requires a valid TLS certificate to be installed on your Microsoft SQL Server, so you may have to install or replace the certificate on your SQL Server before enabling this functionality on each TPP server.
Update of Universal C Runtime is now required
Starting in version 16.3, in order to offer SNI (Server Name Indication) support for SSL/TLS validation of certificates, the library we use requires an update of Universal C Runtime in Windows. This update must be installed before you run the 16.4 Trust Protection Platform installer. This is required on both Windows 2008 R2 and Windows 2012 R2.
Download the update specific to your OS at: https://support.microsoft.com/en-us/kb/2999226
TPP 16.4 Requires .NET Framework 4.6.1 to install
Before installing TPP 16.4, make sure the .NET Framework is updated to 4.6.1.
You can download the offline installer for Windows 2008 R2 and Windows 2012 R2 at:
Web Administration console Policy tree performance improvement
In order to accommodate customers with larger deployments, in 16.4 the Policy Tree in the Web Administration console has been refactored to provide significantly faster load times. One behavior difference you will notice is that all nodes of the tree will have a + (plus) sign to allow for the expansion of child nodes. This sign will be displayed for all objects. If a node does not have any child objects, the + sign will disappear after it is clicked. This change was originally implemented in 16.3.
Privileged command set change for SSH Agentless
In 16.4 the list of commands that the SSH discovery and remediation engine runs with privileges (“sudo” commands if sudo is being used) has changed. Some commands are no longer required to run as a privileged user; some new commands are required instead. Refer to the following article for a detailed description of restricting the commands available to the account used for agentless SSH.
Beginning with version 16.3, the following commands are no longer required to be run as "privileged" and can be removed from /etc/sudoers entry:
- sh -c find *
The following new commands need to be present in /etc/sudoers entry, beginning with 16.3:
For more information, see: https://support.venafi.com/hc/en-us/articles/225511807
Updated SSH Folder Policy Violation settings in Aperture
When configuring SSH folder policy violation settings in Aperture, the functionality has been modified for consistency and clarity. For example, in previous versions, one setting was called “Allow Root Access.” This setting has been renamed “Flag Root Access” so it is clear that items will still be permitted, but they will be flagged with a status tag that allows you to find them easily.
If you are upgrading to version 16.3, your folders will be updated automatically. The underlying behavior won’t change. So, if items were being given status messages in older versions, they will continue to be given status messages in 16.3. The labels are now clearer about what is occurring when these settings are being configured.
Password complexity requirements are increased and on by default
New in 16.3, complexity requirements have been updated. These changes have been implemented to allow Venafi Trust Protection Platform to meet or exceed industry standards such as SANS, NIST, Microsoft, and PCI-DSS. These changes apply to:
- Downloading certificates that contain private keys from the Web Administration console or Aperture.
- Retrieving certificates that contain private keys from WebSDK
- New Accounts Local to Trust Protection Platform (or when existing accounts change their password)
The updated requirements are:
- At least 12 characters long
- Must contain a combination of at least three out of the following four categories: uppercase alphabetic, lowercase alphabetic, numeric, and special characters
Just as before, Master Admins (or those with appropriate delegated permissions) can turn the complexity off for certificate private key download via policy.
Note: The complexity requirements listed above do not apply to the automated installation of certificates via Provisioning drivers. These are typically governed by password credential objects via permissions and policy.
Database log retention must be specified on upgrade
First introduced in 16.2, database log retention can now be configured in the Venafi Control Center wizard during the upgrade and installation process. If this value is left blank when upgrading from 16.1 or older, then your installation will NOT delete any logs and your logs will continue to grow. It is recommended that a value be entered in VCC (example: 365 days) on the first server that is upgraded to 16.4.
Certificate settings are "read-only" during enrollment processing or while In Error
In Trust Protection Platform 15.4, certificate enrollment settings cannot be modified while a certificate is enrolling/processing or is In Error. In order to make changes to the certificate (for example, change the common name of the certificate), users will need to Reset the certificate state in the Web Administration Console.
Security-related changes have been made in 16.1 that now prevent users from altering a certificate signing request (CSR) after it has progressed beyond the start of the renewal process, such as uploading a CSR. As such, any certificates that are waiting for a new CSR to be uploaded prior to upgrading to 16.1 will need to be reset and restarted using the Web Administration Console (after successfully upgrading Trust Protection Platform).
Automatic MD5 conversion for agentless connections to SSH
In 17.1, while making an agentless connection to a device, Trust Protection Platform automatically migrates host keys that use the MD5 hash to a SHA-256 hash. The migration, which is based on the Key Type, occurs while attempting to connect to the host.
How Trust Protection Platform manages agentless connections for provisioning
SSH connectivity for provisioning is based on Web Admin settings. Use the Device Settings page to control agentless provisioning. You should also monitor the log of events for the following general agentless activities.
- If Enforce Host Key is set to 'No' (the default) and the presented thumbprint is different from the stored thumbprint, the log event is 40060020,SSH Public Key Fingerprint Changed.
- If Enforce Host Key is set to 'Yes' and the presented key matches the trusted Host Key, the connection is allowed and no special log event is generated. If the presented key does not match the trusted Host Key, the connection is refused and the log event is 40060004,SSH Connect To Host Failed. For example:
127.0.0.1, 2/22/2017 10:10:04 AM, \VED\Policy\centos-oracle: \VED\Policy\centos-oracle, Error: Error, Translated event: SSH Connection Failed, The SSH library failed to connect to 192.168.3.220 on port 22, with the Connection Result 8: The host key was not accepted.
How Trust Protection Platform manages MD5 to SHA-256 conversions
The conversion to SHA-256, which is automatic, does not require configuration. However, during conversion, the Enforce Host Key settings generate a different set of log event messages. If your SSH servers use the MD5 hash algorithm, you should monitor the log of events to manage the automatic conversion:
- If Enforce Host Key is set to 'Yes' and the Host Key matches but the presented fingerprint no longer matches the trusted MD5 fingerprint, Trust Protection Platform replaces the existing fingerprint with a new one. The log event is 4006001F,SSH Public Key Fingerprint Replaced.
- If Enforce Host Key is set to 'Yes' and both the presented Host Key and MD5 fingerprint are an exact match, the log event is 40060020,SSH Public Key Fingerprint Changed.
- If Enforce Host Key is set to 'No', the log event is 40060020,SSH Public Key Fingerprint Changed.
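Reviewing these events by hand is impractical once many devices are connected to, so the following Python script is an added example (not part of the Venafi documentation or product) that triages an exported event log for the three host-key event IDs quoted in the two sections above. Its input format, a comma-separated export with the event ID and event name in the fourth and fifth fields, is an assumption made for the example and is not TPP's native log format; the sample lines are constructed.

```python
"""Triage Trust Protection Platform SSH host-key log events.

Added example, not Venafi code. The input line format below is an assumption
for this example (a flattened export), not TPP's native log format.
"""
import re
from collections import defaultdict

# Event IDs quoted in the release notes above.
CONNECT_FAILED = "40060004"        # SSH Connect To Host Failed (host key refused, Enforce Host Key = Yes)
FINGERPRINT_REPLACED = "4006001F"  # SSH Public Key Fingerprint Replaced (expected during MD5 -> SHA-256 conversion)
FINGERPRINT_CHANGED = "40060020"   # SSH Public Key Fingerprint Changed (logged in several situations)

# What an operator should do with each event.
ACTIONS = {
    CONNECT_FAILED: "refused",       # connection blocked: verify the host key out of band before trusting it
    FINGERPRINT_CHANGED: "review",   # confirm the change was expected (re-key or MD5 -> SHA-256 conversion)
    FINGERPRINT_REPLACED: "info",    # automatic conversion; no action unless unexpected
}

# Assumed export format: "<ip>, <timestamp>, <device DN>, <event id>, <event name>, <message>"
LINE_RE = re.compile(
    r"^(?P<ip>[^,]+), (?P<ts>[^,]+), (?P<dn>[^,]+), (?P<event>[0-9A-F]{8}), (?P<name>[^,]+), (?P<msg>.*)$"
)

# Constructed sample export (device names and addresses are made up).
SAMPLE_LOG = [
    r"127.0.0.1, 2/22/2017 10:10:04 AM, \VED\Policy\centos-oracle, 40060004, SSH Connect To Host Failed, The host key was not accepted.",
    r"127.0.0.1, 2/22/2017 10:11:30 AM, \VED\Policy\web-01, 4006001F, SSH Public Key Fingerprint Replaced, MD5 fingerprint replaced with SHA-256.",
    r"127.0.0.1, 2/22/2017 10:12:02 AM, \VED\Policy\web-02, 40060020, SSH Public Key Fingerprint Changed, Presented fingerprint differs from stored fingerprint.",
    r"127.0.0.1, 2/22/2017 10:12:45 AM, \VED\Policy\web-02, 20060001, SSH Connect To Host Succeeded, Connected.",
    "not a log line",
]


def parse_line(line: str):
    """Return the fields of one export line as a dict, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def triage(lines):
    """Group host-key events by device DN; return (findings, unparsed_lines)."""
    findings = defaultdict(list)
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)     # keep, so silent parser drift is visible
            continue
        action = ACTIONS.get(rec["event"])
        if action is None:
            continue                  # not one of the host-key events we care about
        findings[rec["dn"]].append(
            {"ts": rec["ts"], "event": rec["event"], "name": rec["name"],
             "action": action, "msg": rec["msg"]}
        )
    return dict(findings), unparsed


def summary(findings) -> dict:
    """Count findings per action so the 'refused' total can be alerted on."""
    counts = {}
    for items in findings.values():
        for item in items:
            counts[item["action"]] = counts.get(item["action"], 0) + 1
    return counts


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    for dn, items in found.items():
        for item in items:
            print(f"{item['action']:8} {dn}  {item['event']} {item['name']}: {item['msg']}")
    print("summary:", summary(found))
    print("unparsed lines:", len(bad))
```

The classification follows the notes above: a 40060004 with Enforce Host Key set to 'Yes' means the connection was refused, so the device's host key should be verified out of band before the trusted key is updated; 4006001F is the expected replacement during the MD5 to SHA-256 conversion; and 40060020 is logged both when a changed key was accepted (Enforce Host Key 'No') and during conversion with an exact match, so it is flagged for review rather than treated as an error.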
User Portal is now configured in Aperture
The User Portal used to be configured in the Web Administration Console. Starting with 15.4, it is now configured in Aperture using Agent Groups and User Certificate Creation work.
Devices removed from Aperture Folder tree
In 17.2, devices have been removed from the Aperture Folder tree; only folders will be visible. This is being done to enhance performance and usability. Devices will still be accessible to SSH customers in the Inventory => Devices top navigation menu.
Agent Discovery of Root Certificates
In order to increase the performance of Server Agent certificate discovery, in 17.2.0 TPP will no longer store the locations where root and intermediate certificates were found. In previous versions, partial information on where a root certificate was discovered was available in the Support tab.
IBM GSK Driver Support for GSK version 6.0
In 17.2, the GSK Certificate Installation Driver no longer supports version 6.0. Version 6.0 reached end-of-life in September 2013.
Java Key Store (JKS) Driver Support for Java version 1.4 or 1.5
In 17.2, the Java Key Store (JKS) Certificate Installation Driver no longer supports Java versions 1.4 or 1.5. These versions reached their end-of-life in October 2008 and October 2009, respectively.
Brocade Application Driver
The Brocade Application Driver used for certificate installations is no longer available in TPP as of 17.1.
Verizon SureServer Certificate Authority Driver
The Verizon SureServer Certificate Authority Driver used for certificate enrollments is no longer available in TPP as of 17.1.
Oracle DB support
Venafi has deprecated support for Oracle in version 17.1 (Q1, 2017). For more information refer to: https://support.venafi.com/hc/en-us/articles/227567188
Canned CA Trust Report
The canned CA Trust Report found in the Web Administration console has been removed from the product in 17.1.
Web Admin Licensing Status Dashboard
This functionality has been migrated to Aperture and is now visible on the new System Status dashboard as of 17.1.
Venafi Support Tool
The Venafi Support Tool was removed in 17.1. It has been replaced by a new utility called the Venafi Support Center.
"VED Client" UI Portal
An undocumented and unsupported UI portal will be removed from the product in 16.4. This change should not affect any customers.
z/OS CA driver
The z/OS CA driver has been removed from Trust Protection Platform in 16.4. This integration is outdated and the Adaptable CA driver provides a better alternative.
SSH non-recursive discovery
SSH Key Discovery no longer supports performing non-recursive scans. The ability to scan "just this folder" and exclude all subfolders is not available in 16.3.
Aperture certificate status “Revocation Approval Required”
The Certificate Status of Revocation Approval Required has been replaced with Pending My Approval in 16.3.
Venafi Server Agent has deprecated support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC) in 16.3.0
For 16.3, the Venafi Trust Protection Platform will no longer ship with an agent installer for HP-UX PA-RISC. This does not affect our support for HP-UX on Itanium Processors (HP-UX IA). Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005. We are deprecating support for this specific operating system so that we can realign resources to support newer and more popular enterprise operating systems.
More information on deprecation of PA-RISC: https://support.venafi.com/hc/en-us/articles/218241207
Deprecated: Aperture License dashboard widget and filter
The License dashboard widget and certificate list License filter have been removed from the Aperture console. If this filter was used in a saved Custom Report, the report will be updated to remove this filter. Licensing information can be retrieved using the in-product Licensing Report found in the Web Administration console.
Internet Explorer 8 has not been supported since Venafi Trust Protection Platform 14.1. Core libraries of Aperture were updated for security fixes and performance enhancements which resulted in Aperture's incompatibility with Internet Explorer 8. As of release 16.1, Aperture will not load on IE8. Make plans now in your organization to make sure end users have a modern browser available to them.
Also in 17.2, our supported browsers have been updated to Internet Explorer 11 and Mozilla Firefox ESR 52. The latest version of Google Chrome is still categorized as a compatible browser.
See Article: Why we deprecated Internet Explorer 8
Functionality scheduled for deprecation in future releases:
Comodo "Web Host Reseller" CA Driver
The Comodo Web Host Reseller CA Driver is being removed from TPP in 17.4. This does not affect the Comodo Certificate Manager driver. All current customers should be using the Comodo Certificate Manager driver and Comodo has recommended this legacy driver be removed from TPP.
Transition DigiCert CA Driver from Enterprise to CertCentral API
In 17.3 (tentatively), the DigiCert CA driver will be migrated from the legacy “Enterprise” API to the current “CertCentral” API. This will require customers to have their accounts migrated. DigiCert has stated they are available to help customers with the migration.
Microsoft SQL Server 2008 R2
Effective with release 17.3, support for MS SQL Server 2008 R2 will be discontinued.
This change is necessary to take advantage of newer technologies available in recent versions of SQL Server. In addition, it will allow Venafi to fully support SQL Server 2012 and 2014 and add 2016 as a compatible version.
Microsoft Windows Server 2008 R2
Effective with release 17.3, support for Windows Server 2008 R2 as a supported platform for Trust Protection Platform will be discontinued for the following reasons:
- Microsoft ended mainstream support of Windows Server 2008 R2 on January 13, 2015
- To add support for Windows Server 2016
Network Discovery Jobs in Web Admin
In 17.3, Network Discovery Jobs will be removed from the Web Administration console. Enhanced configuration options for Network Discovery have been available in Aperture since 14.3.
Transition IBM DataPower Driver interface from SSH to REST
In 17.3 (tentatively), the driver will be transitioned from SSH CLI to REST API. DataPower versions prior to 7.2 will no longer be supported but should be compatible. Versions being targeted for support are XI52 7.2 and IDG 7.5.
Certificate Authority Report
The canned Certificate Authority report will be removed from Trust Protection Platform in the 17.3 release. The distribution of certificate authorities by number of issued certificates is available in the Certificate Inventory Report and the Certificate Dashboard in Aperture.
Tectia 4.x Authorization File Support
SSH discovery and remediation of Tectia 4.x authorization files will be removed in the 17.4 release. It will still be possible to detect and rotate the actual key files used in conjunction with an authorization file, but not the options within it.
Remove Symmetric Key Manager
The product "Symmetric Key Manager" will be removed as an available product offering in the installer in 18.1. Symmetric key management has not been a focus of our short- or long-term roadmap for many years.
Network Discovery Placement Preview
In 18.1 we plan to remove the feature of "Network Discovery Placement Preview" from Aperture. After that, Network discovery will work more like Agent discovery and Trustnet discovery where items are automatically placed after they are found.