Upgrades to Venafi Trust Protection Platform 17.3
Trust Protection Platform 17.3 introduces new functionality such as Approval Workflows for SSH Key Management, support for DigiCert's CertCentral platform, a modernized DataPower certificate installation driver, and the BETA release of DataPower onboard discovery for turnkey discovery and installation of DataPower certificates. There are also new features to make certificate management easier in Aperture, as well as several new REST API methods that make custom integrations easier than before. See the release notes for a complete list of new features in 17.3. Depending on the version you are upgrading from, some of the enhancements made to Trust Protection Platform over the last two years require action on your part, either prior to the upgrade or immediately after it. Please read this article carefully before upgrading, and pay special attention to the list of deprecated features and the list of features scheduled for deprecation.
For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 17.3.
More information about the Venafi Trust Protection Platform 17.3 life cycle is available here: https://support.venafi.com/entries/23267241
DigiCert CA Platform Support
The DigiCert integration driver was updated to support CertCentral. It no longer supports the legacy Enterprise platform. If you are currently using the Enterprise platform, please coordinate with DigiCert to migrate to the new CertCentral platform prior to upgrading to 17.3.
DataPower integration support
The DataPower integration driver was updated to use the REST management interface available on newer versions of DataPower. If you are using older versions that only offer the legacy SSH command line interface (CLI), consider upgrading so that you can take advantage of the new functionality in the integration. Legacy versions using the SSH CLI are expected to continue to work but are no longer actively tested.
Venafi License Report
Starting in 17.3, the Venafi License Report is automatically sent to Venafi.
Click here for more details: https://support.venafi.com/hc/en-us/articles/115001377272
Update to Groups and Work
There are significant updates in 17.2 to the way Server Agents, SSH Discovery/Remediation, the User Portal, and the Enterprise Mobility Agent are managed. Read the related article that explains what the new features are, why the changes were made, and what you will want to check on or update after you upgrade to 17.2.
Potentially longer upgrade window for migrating Logs
Significant refactoring was done in 16.2, affecting how logs are stored in the database. When the mssql_update_16.1_to_16.2.sql upgrade script is executed, the format of the log data is modified. For every 30 million rows in the logs, expect the script to take approximately an hour (subject to hardware, SQL Server version, server utilization, and other factors).
If possible, archive or reduce the number of logs stored in the Trust Protection Platform database before upgrading from 16.1.x or older.
If you have secondary log tables, read this KB article to learn how to migrate them: https://support.venafi.com/hc/en-us/articles/220761368.
SSH Key internal storage migration
When upgrading from 17.1 or lower, all SSH keys in the database are migrated to an updated storage format, so Venafi Control Center (VCC) may take longer than usual to complete. In Venafi's internal testing it processed approximately 5,800 SSH keys per minute, so 100,000 keys take roughly 20 minutes. Your actual rate will vary with the version of SQL Server, database disk speed, CPU and RAM of the SQL Server, and other load on the server at the time. Progress is shown in the Venafi Control Center user interface.
During the upgrade you might see the following message in the Trust Protection Platform logs: "SSHManager - Erroneous Key Instance" - "Key at <path> removed from database because it did not have secret store association. You may need to re-discover this key"
This message indicates that you were affected by the bug with internal reference #33848: if the same private key was discovered on two devices and the first device was then completely deleted, the key was left in an orphaned, non-operational state. The bug has been fixed and the migration script returns the database to a consistent state, but the only way to properly restore those keys is to re-discover them. For agentless devices this happens automatically on the next discovery. For agent-managed devices, flush the agent's SSH key cache and re-discover keys on the corresponding devices if you see this message.
Symantec MPKI enrollment mode
In previous versions, certificates renewed with the Symantec MPKI driver supported a per-certificate "enrollment mode" option that controlled whether a renewal request was treated as a new certificate, a renewed certificate, or a replacement certificate. As of 17.2, this setting has moved to the Symantec CA template in Web Admin. Instead of managing the enrollment logic certificate by certificate, the logic is now automatic and configured once for all certificates enrolled through that Certificate Authority Template.
See: Configuring the Symantec Managed PKI for SSL CA template (requires authentication)
Oracle Database Server no longer supported
If your Trust Protection Platform database is currently being hosted on Oracle, do NOT attempt to upgrade to 17.2. You must first migrate your production database from Oracle to Microsoft SQL. Contact Venafi Customer Support to coordinate Venafi assistance with the migration.
Change in requirements for Database Service Account permissions
Enhancements made in 15.1, 15.3, 16.2, and 17.1 have changed the permissions required by the Microsoft SQL Service account used to connect to the database. Please refer to the sample grant scripts (ex: sample_grants_16.4_to_17.1.sql) in the "Database Scripts\MSSQL\Updates" folder for sample scripts on how to modify the permissions for your database. Please consult with your DBA prior to changing permissions for the database.
DSA SSH credentials for SSH connections
17.2 and 17.1.2 include a new version of the Maverick library that Trust Protection Platform uses as its SSH client to communicate with remote systems. With this version, DSA (ssh-dss) keys are not handled unless you enable them explicitly. If you need to discover DSA keys or use DSA keys to authenticate to remote systems:
- In the Control Panel, navigate to Network Connections, Advanced settings, and disable the Federal Information Processing Standards (FIPS) compliance setting for this network.
- On the Trust Protection Platform server running Discovery, add the following registry value: HKLM\Software\Venafi\Platform\EnableSSHDSS (string value), data: 1.
Note that ssh-dss keys are limited to 1024 bits and signed with SHA-1, and OpenSSH has disabled them by default since version 7.0. Treat this as a temporary concession for legacy hosts: re-key those hosts where possible and restore the FIPS setting once they no longer need DSA.
License and Usage statistics collected
New in 17.1, high-level statistics and license usage can optionally be collected and emailed to Venafi at email@example.com. No sensitive or personally identifiable data, such as IP and email addresses, hostnames, and usernames, is sent. Make sure the email account used to send other reports is allowed to send mail to external recipients.
Please refer to "Usage statistics and Licensing Report FAQ" section in product documentation for benefits and frequently asked questions about this feature.
Aperture Certificate Status updated
The Certificate Inventory Status column is divided into two columns: Risks and Status. Status contains a single life cycle stage such as "Renewing" or "Pending My Approval". Risks contains one or more tags such as "Unapproved Issuer" and/or "No Local Dual Control". The Certificate Overview banner has been updated to show only Status information, not Risks. If you have custom reports that report on "Status" and want them to continue to include certificate risk information, update them to include the new Risks column.
Encrypted connection to Microsoft SQL
TPP now supports requiring an encrypted connection to the database at all times. To enable this, open Venafi Control Center on each TPP server, choose "Change Database Password", check "Encrypt all database communications", and click Verify. This feature requires a valid TLS certificate to be installed on your Microsoft SQL Server, so you may have to install or replace the certificate on the SQL server before enabling it on each TPP server. Unless the connection is configured to trust any server certificate, the certificate must chain to a CA the TPP servers trust and its subject must match the name the TPP servers use to reach the SQL Server. After enabling the setting, you can confirm that a session is actually encrypted by checking the encrypt_option column of sys.dm_exec_connections on the SQL Server.
Update of Universal C Runtime is now required
Starting in version 16.3, to offer SNI (Server Name Indication) support for SSL/TLS validation of certificates, the library used requires an update to the Universal C Runtime in Windows. This update must be installed before you run the Trust Protection Platform installer (16.3 or later), on both Windows Server 2008 R2 and Windows Server 2012 R2.
Download the update specific to your OS at: https://support.microsoft.com/en-us/kb/2999226
Trust Protection Platform 16.4 Requires .NET Framework 4.6.1 to install
Before installing TPP 16.4, make sure the .NET Framework is updated to 4.6.1.
You can download the offline installer for Windows 2008 R2 and Windows 2012 R2 at:
Web Administration console Policy tree performance improvement
To accommodate customers with larger deployments, the Policy Tree in the Web Administration console was refactored (originally in 16.3, and further in 16.4) to provide significantly faster load times. One behavior difference you will notice is that every node of the tree shows a + (plus) sign to allow expansion of child nodes, whether or not it has children. If a node has no child objects, the + sign disappears after it is clicked.
Privileged command set change for SSH Agentless
In 16.4 the list of commands that the SSH discovery and remediation engine runs with privileges ("sudo" commands if sudo is being used) has changed. Some commands no longer need to run as a privileged user, and some new commands are required instead. Refer to the article linked below for a detailed description of how to restrict the commands available to the account used for agentless SSH.
Beginning with version 16.3, the following commands no longer need to run as "privileged" and can be removed from the /etc/sudoers entry:
- sh -c find *
The following new commands need to be present in the /etc/sudoers entry, beginning with 16.3:
For more information, see: https://support.venafi.com/hc/en-us/articles/225511807
Updated SSH folder policy violation settings in Aperture
When configuring SSH folder policy violation settings in Aperture, the functionality has been modified for consistency and clarity. For example, in previous versions, one setting was called “Allow Root Access.” This setting has been renamed “Flag Root Access” so it is clear that items will still be permitted, but they will be flagged with a status tag that allows you to find them easily.
If you are upgrading to version 16.3 or later, your folders are updated automatically. The underlying behavior does not change: items that received status messages in older versions continue to receive them. The labels are now clearer about what occurs when these settings are configured.
Password complexity requirements are increased and "on" by default
New in 16.3, password complexity requirements have been updated so that Venafi Trust Protection Platform meets or exceeds industry guidance from SANS, NIST, Microsoft, and PCI DSS. These changes apply to:
- Downloading certificates that contain private keys from the Web Administration console or Aperture.
- Retrieving certificates that contain private keys from WebSDK
- New Accounts Local to Trust Protection Platform (or when existing accounts change their password)
The updated requirements are:
- At least 12 characters long
- Must contain a combination of at least three out of the following four categories: uppercase alphabetic, lowercase alphabetic, numeric, and special characters
Just as before, Master Admins (or those with appropriate delegated permissions) can turn the complexity off for certificate private key download via policy.
Note: The complexity requirements listed above do not apply to the automated installation of certificates via Provisioning drivers. These are typically governed by password credential objects via permissions and policy.
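An added example, not Venafi's implementation, that applies the two rules above to candidate passwords and reports every violation at once. Treating any character that is not a letter or a digit (punctuation, space, non-ASCII symbols) as "special" is this example's assumption; the article does not define the category.

```python
"""Password complexity check matching the 16.3+ rule described above.

Added example, not Venafi's implementation.  Assumption: any character
that is not a letter or a digit (punctuation, space, non-ASCII symbols)
counts as 'special'.
"""
MIN_LENGTH = 12
CATEGORIES_REQUIRED = 3  # out of: upper, lower, digit, special


def categories_present(password):
    """Return the set of character categories used in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")  # assumption: everything else is 'special'
    return found


def check_password(password):
    """Return the list of rule violations; an empty list means it passes.

    Both rules are evaluated so the caller can show every failure at once
    instead of making the user fix them one by one."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    used = categories_present(password)
    if len(used) < CATEGORIES_REQUIRED:
        problems.append("uses %d of 4 character categories, need %d"
                        % (len(used), CATEGORIES_REQUIRED))
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xyz", "Tr0ub4dor&3", "alllowercase1234"):
        print(repr(candidate), check_password(candidate) or "OK")
```

The length rule is checked on code points, not bytes; if you enforce the same rule elsewhere (for example in a front end that counts UTF-16 units), make sure both sides agree on what a "character" is.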
Database log retention must be specified on upgrade
First introduced in 16.2, database log retention can now be configured in the Venafi Control Center wizard during upgrade and installation. If this value is left blank when upgrading from 16.1 or older, your installation will NOT delete any logs and the log tables will continue to grow. Enter a value in VCC (for example, 365 days) on the first server that you upgrade.
Automatic MD5 conversion for agentless connections to SSH
In 17.1, while making an agentless connection to a device, Trust Protection Platform automatically migrates the stored host key fingerprint from an MD5 hash to a SHA-256 hash. The migration, which is based on the key type, occurs while attempting to connect to the host.
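As an added example, not code from Venafi or from this article: the following Python computes both fingerprint formats for one OpenSSH public key, so that a SHA-256 fingerprint recorded after the conversion can be checked against an MD5 fingerprint kept in an older record or known_hosts entry. The fingerprint formats are OpenSSH's own; the key blob parsing, the fingerprint_matches helper, and the sample ssh-ed25519 key (synthetic bytes, not a real key pair) are assumptions of this example.

```python
"""Compute OpenSSH MD5 and SHA-256 fingerprints for the same public key.

Added example, not Venafi code.  Useful for checking that a SHA-256
fingerprint recorded after the automatic conversion belongs to the same
host key as an MD5 fingerprint from an older record.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length + data."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line):
    """Return the raw key blob from a '<type> <base64> [comment]' line
    (the layout of authorized_keys and unhashed known_hosts entries)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with the key type as an SSH string; it must match the
    # text field, otherwise the line has been mangled or tampered with.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match %r" % key_type)
    return blob


def md5_fingerprint(blob):
    """Legacy OpenSSH format: 16 colon-separated lowercase hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Format used by OpenSSH 6.8 and later: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(blob, stored):
    """Compare a presented key blob with a stored fingerprint in either
    format.  An optional 'MD5:' prefix, as printed by 'ssh-keygen -E md5',
    is accepted.  Helper defined by this example, not by TPP."""
    if stored.startswith("SHA256:"):
        return sha256_fingerprint(blob) == stored
    value = stored.lower()
    if value.startswith("md5:"):
        value = value[4:]
    return md5_fingerprint(blob) == value


# Constructed sample: an ssh-ed25519 public key whose 32-byte key value is
# synthetic (0x00..0x1f), encoded the way OpenSSH writes it.  Not a real key.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " example-host"


def sample_fingerprints():
    """Return (md5, sha256) fingerprints of the constructed sample key."""
    blob = parse_public_key(SAMPLE_KEY_LINE)
    return md5_fingerprint(blob), sha256_fingerprint(blob)


if __name__ == "__main__":
    md5_fp, sha_fp = sample_fingerprints()
    print("MD5:   ", md5_fp)
    print("SHA256:", sha_fp)
```

Both fingerprints are hashes of the same base64-decoded key blob, which is why an MD5 record and a SHA-256 record can be reconciled from the public key alone, without contacting the host.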
How Trust Protection Platform manages agentless connections for provisioning
SSH connectivity for provisioning is based on Web Admin settings. Use the Device Settings page to control agentless provisioning. You should also monitor the log of events for the following general agentless activities.
- If Enforce Host Key is set to 'No' (default) and the presented thumbprint is different than the stored thumbprint, the log event is 40060020,SSH Public Key Fingerprint Changed.
- If Enforce Host Key is set to 'Yes' and the presented key matches the trusted Host Key, the connection is allowed and no special log event is generated.
- If Enforce Host Key is set to 'Yes' and the presented key does not match the trusted Host Key, the connection is refused and the log event is 40060004,SSH Connect To Host Failed. For example:
127.0.0.1, 2/22/2017 10:10:04 AM, \VED\Policy\centos-oracle: \VED\Policy\centos-oracle, Error: Error, Translated event: SSH Connection Failed, The SSH library failed to connect to 192.168.3.220 on port 22, with the Connection Result 8: The host key was not accepted.
How Trust Protection Platform manages MD5 to SHA-256 conversions
The conversion to SHA-256, which is automatic, does not require configuration. However, during conversion, the Enforce Host Key settings generate a different set of log event messages. If your SSH servers use the MD5 hash algorithm, you should monitor the log of events to manage the automatic conversion:
- If Enforce Host Key is set to 'Yes', the Host Key matches, but the presented MD5 fingerprint differs from the trusted one (a mismatch caused only by the change of hash algorithm), Trust Protection Platform replaces the stored fingerprint with the new one. The log event is 4006001F,SSH Public Key Fingerprint Replaced.
- If Enforce Host Key is set to 'Yes' and both the presented Host Key and MD5 fingerprint are an exact match, the log event is 40060020,SSH Public Key Fingerprint Changed.
- If Enforce Host Key is set to 'No', the log event is 40060020,SSH Public Key Fingerprint Changed.
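Added example (not part of the article or of Trust Protection Platform): a small triage routine that applies the rules in the two lists above to exported log events, separating the benign conversion events from the ones that need a human to confirm the host was really re-keyed. It assumes a constructed line layout of "event ID, timestamp, device, message", which is not TPP's native log format; the event IDs and their meanings are those listed above, and the sample lines are constructed.

```python
"""Triage of agentless SSH host-key events from Trust Protection Platform logs.

Added example, not Venafi code.  The line layout is constructed for this
example ('<event ID>, <timestamp>, <device>, <message>'); only the event IDs
and their meanings come from the article.
"""
import re

FINGERPRINT_REPLACED = "4006001F"  # SSH Public Key Fingerprint Replaced
FINGERPRINT_CHANGED = "40060020"   # SSH Public Key Fingerprint Changed
CONNECT_FAILED = "40060004"        # SSH Connect To Host Failed

LINE_RE = re.compile(
    r"^(?P<id>[0-9A-Fa-f]{8}),\s*(?P<when>[^,]+),\s*(?P<device>[^,]+),\s*(?P<msg>.*)$"
)


def triage(event_id, enforce_host_key):
    """Classify one event as 'ok', 'review', 'investigate' or 'ignore'
    according to the Enforce Host Key setting in force on the device."""
    event_id = event_id.upper()
    if event_id == FINGERPRINT_REPLACED:
        # Host key matched the trusted one; only the stored MD5 fingerprint
        # was rewritten as SHA-256.  Expected during the conversion.
        return "ok"
    if event_id == FINGERPRINT_CHANGED:
        if enforce_host_key:
            # With enforcement on this is logged for an exact match during
            # conversion, so nothing changed on the host.
            return "ok"
        # With enforcement off the presented key differed from the stored one
        # and the connection went ahead anyway: confirm the host was really
        # re-keyed, because a man-in-the-middle produces the same event.
        return "review"
    if event_id == CONNECT_FAILED:
        # Enforcement refused a host whose key did not match the trusted one.
        return "investigate"
    return "ignore"


def parse_line(line):
    """Split one log line into its fields; raise on lines of another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    return m.groupdict()


def summarize(lines, enforce_host_key):
    """Group (device, event ID) pairs by triage verdict."""
    result = {}
    for line in lines:
        ev = parse_line(line)
        verdict = triage(ev["id"], enforce_host_key)
        result.setdefault(verdict, []).append((ev["device"], ev["id"].upper()))
    return result


# Constructed sample lines (not real log output); the last message mirrors the
# connection-failed wording quoted above.
SAMPLE_LOG = [
    r"4006001F, 2/22/2017 10:09:51 AM, \VED\Policy\web-01, Fingerprint for 192.168.3.210 replaced",
    r"40060020, 2/22/2017 10:09:58 AM, \VED\Policy\web-02, Fingerprint for 192.168.3.211 changed",
    r"40060004, 2/22/2017 10:10:04 AM, \VED\Policy\centos-oracle, The SSH library failed to connect to 192.168.3.220 on port 22, with the Connection Result 8: The host key was not accepted.",
]


if __name__ == "__main__":
    for enforce in (True, False):
        print("Enforce Host Key =", "Yes" if enforce else "No")
        for verdict, items in sorted(summarize(SAMPLE_LOG, enforce).items()):
            for device, event_id in items:
                print("  %-11s %s %s" % (verdict, event_id, device))
```

The same event ID (40060020) is benign under one setting and suspicious under the other, which is why the triage takes the device's Enforce Host Key value as an input rather than keying on the ID alone.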
Deprecated functionality: see the dedicated KB article on deprecated functionality.
Functionality scheduled for deprecation in future releases: see the dedicated KB article on features scheduled for deprecation.