Venafi Trust Protection Platform version 17.4 introduces significant improvements in stability and performance, as well as several key enhancements.
IMPORTANT! Before upgrading to the new version, carefully review the topic, Important Considerations before Upgrading.
Server Certificate product features
- Symantec Distrust Widget and Filter
On April 17, 2018, Google will release Chrome 66, which begins the process of distrusting certificates issued under Symantec's legacy infrastructure. To help you identify every certificate that Chrome (and potentially other browsers) will stop trusting, Aperture now includes a dashboard micro widget and a certificate inventory filter that make it easy to find and replace the affected certificates before they are distrusted.
- Aperture Certificate Import from Network Address
In the same way that WebAdmin can connect to a server and import its certificate using the Retrieve action button, Aperture can now import certificates directly from servers. Beyond what WebAdmin supports, Aperture's network import also supports Server Name Indication (SNI), so the correct certificate is retrieved from a host that serves several names on one address, and File Transfer Protocol over SSL/TLS (FTPS). This feature makes it easier to bring certificates into the Trust Protection Platform inventory for the first time, or to update existing inventory entries for certificates that were renewed outside of Trust Protection Platform.
- Adaptable CA Framework support for Certificate Authorities that Generate Keys
To support cases where the certificate authority (CA) generates the key pair, the Venafi Adaptable CA framework can now optionally accept a private key returned by the CA and use it in place of the service-generated key and CSR.
- Adaptable Framework Enhanced to Support Second Credential
The frameworks for Adaptable CA, Adaptable Applications, and Adaptable Logging now support a second credential. This is especially helpful when the associated PowerShell script must authenticate to more than one system, for example a third-party API and the Venafi Web SDK.
- Entrust.net Support for Private SSL
The Entrust Private SSL product is now supported by the Venafi Entrust.NET CA driver.
- Custom Label for Private Keys Generated by Gemalto HSMs
You can now specify a custom label in CAPI application object settings for private keys generated by Gemalto hardware security modules (HSMs). This optional setting makes it easier for you to identify which certificates correspond to newly generated keys.
- Improved Usability of Specific End Date functionality
The Specific End Date option supported by the Symantec MPKI, Entrust.net, and DigiCert certificate authority (CA) drivers is easier to use. This enhancement makes a clearer distinction between the validity period of certificates defined by the CA template and a specific expiration date specified by users.
- TrustNet Performance and Efficiency Optimization
The TrustNet service module now requires significantly fewer resources to process large tasks, such as downloading all reputation scores or uploading selected certificates.
- Faster Performance of Manual Validation Scans
Trust Protection Platform now gives validation work a higher priority when running a manually triggered validation scan and after a certificate enrollment or installation completes. Trust Protection Platform servers that are under constant, heavy loads will now perform on-demand validations faster.
SSH product features
- Support for 10 million SSH Keys
Because of significant performance and scalability improvements, Trust Protection Platform has been tested to support management of 10 million SSH keys across 100,000 agentless devices.
- Trusted Servers List
The Device Inventory view now shows the servers that a given client device trusts (based on its known_hosts entries) and lets you navigate to them directly.
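The trusted-servers view above is derived from the client's known_hosts file. The following added example (not Trust Protection Platform code, and not how the product parses the file) shows what such a derivation has to handle: comma-separated host patterns with `*`, `?` and `!` negation, the `[host]:port` form for non-standard ports, `@cert-authority` and `@revoked` markers, and hashed entries of the form `|1|salt|hash`, which reveal no host name and can only be matched against a candidate. The sample known_hosts content and key material are constructed placeholders; the hashed line is generated by the block's own `hash_known_host` helper, which reproduces OpenSSH's HMAC-SHA1 scheme.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class KnownHostEntry:
    """One line of an OpenSSH known_hosts file."""
    hosts: list[str]               # host patterns, or a single "|1|salt|hash" token
    key_type: str
    key_b64: str
    marker: Optional[str] = None   # "cert-authority" or "revoked"
    hashed: bool = False


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Hashed form written by OpenSSH with HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_known_hosts(text: str) -> list[KnownHostEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = None
        if parts[0].startswith("@"):          # optional "@cert-authority" / "@revoked"
            marker = parts[0][1:]
            parts = parts[1:]
        if len(parts) < 3:
            continue                          # malformed: hosts, key type and key are mandatory
        hosts = parts[0].split(",")
        entries.append(KnownHostEntry(hosts, parts[1], parts[2], marker, hosts[0].startswith("|1|")))
    return entries


def _glob_match(pattern: str, hostname: str) -> bool:
    # OpenSSH patterns know only '*' and '?'; everything else, including "[host]:port", is literal
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, hostname) is not None


def _hashed_match(token: str, hostname: str) -> bool:
    fields = token.split("|")                 # ['', '1', salt_b64, digest_b64]
    if len(fields) != 4 or fields[1] != "1":
        return False
    salt, expected = base64.b64decode(fields[2]), base64.b64decode(fields[3])
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def entry_matches(entry: KnownHostEntry, hostname: str) -> bool:
    if entry.hashed:
        return _hashed_match(entry.hosts[0], hostname)
    matched = False
    for pattern in entry.hosts:
        if pattern.startswith("!"):
            if _glob_match(pattern[1:], hostname):
                return False                  # a negated pattern vetoes the whole entry
        elif _glob_match(pattern, hostname):
            matched = True
    return matched


def trust_status(entries: list[KnownHostEntry], hostname: str) -> str:
    """'revoked', 'trusted' (host key pinned), 'trusted-by-ca' (CA entry) or 'unknown'."""
    status = "unknown"
    for entry in entries:
        if not entry_matches(entry, hostname):
            continue
        if entry.marker == "revoked":
            return "revoked"
        if entry.marker == "cert-authority":
            if status == "unknown":
                status = "trusted-by-ca"
        else:
            status = "trusted"
    return status


def trusted_servers(entries: list[KnownHostEntry]) -> list[str]:
    """Host names/patterns the client trusts, as an inventory view would list them.
    Hashed entries carry no recoverable name, so count them separately."""
    names = set()
    for entry in entries:
        if entry.hashed or entry.marker == "revoked":
            continue
        names.update(h for h in entry.hosts if not h.startswith("!"))
    return sorted(names)


def hashed_entry_count(entries: list[KnownHostEntry]) -> int:
    return sum(1 for e in entries if e.hashed)


# Constructed sample file; the key strings are placeholders, not real keys.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "db01.example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey1",
    "[bastion.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderKey2",
    "*.ci.example.com,!buildbox.ci.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey3",
    "@cert-authority *.prod.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey4",
    "@revoked old.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderKey5",
    hash_known_host("git.internal.example.com", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey6",
])

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("trusted servers:", trusted_servers(entries), "plus", hashed_entry_count(entries), "hashed entry")
    for host in ["db01.example.com", "[bastion.example.com]:2222", "runner7.ci.example.com",
                 "buildbox.ci.example.com", "web1.prod.example.com", "old.example.com",
                 "git.internal.example.com", "nothing.example.com"]:
        print("%-30s %s" % (host, trust_status(entries, host)))
```

Two points matter for an inventory built this way: a hashed entry cannot be turned back into a server name, so a device whose known_hosts uses HashKnownHosts will show fewer named trust relationships than it really has, and a `@cert-authority` pattern such as `*.prod.example.com` represents trust in every host the CA signs, not a single pinned server.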
- Pass-through authentication
Formerly known as Custom HTTP Header authentication, Pass-through Authentication has been updated to support more third-party authentication solutions and to improve security. Pass-through authentication can now be used with any authentication provider that asserts the authenticated user's identity in custom HTTP header attributes. Solutions such as Oracle Identity Access Manager, Siteminder, or third-party tools such as Shibboleth Service Provider can be integrated with Trust Protection Platform for both WebAdmin and Aperture.
This enhancement includes updated configuration screens, new documentation, additional configuration checks on each Trust Protection Platform server, and improved logging to help detect misconfiguration.
For more information, see Pass-Through Authentication For SSO Updated In 17.4.
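With header-based single sign-on the platform trusts whatever user name the header carries, so the header must only be honoured when it was set by the authenticating proxy, and a client that can reach the server directly must never be able to supply it. The following added example (not Trust Protection Platform code, and not its configuration model) shows the two halves of that invariant in plain Python: what the proxy must do when forwarding, and what the receiving side must check before accepting the asserted identity. The proxy subnet `10.0.1.0/24`, the header name `X-Remote-User`, the user-name pattern and the request tuples are all constructed assumptions for the example.

```python
import ipaddress
import logging
import re

log = logging.getLogger("passthrough")

# Assumed deployment values: the subnet of the SSO reverse proxy and the header it sets.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
IDENTITY_HEADER = "X-Remote-User"
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,128}")   # assumed local user-name syntax


def proxy_forward(inbound_headers, authenticated_user, header_name=IDENTITY_HEADER):
    """Proxy side: drop every client-supplied copy of the identity header (any case),
    then set it once from the proxy's own authenticated session."""
    cleaned = [(k, v) for k, v in inbound_headers if k.lower() != header_name.lower()]
    cleaned.append((header_name, authenticated_user))
    return cleaned


def resolve_passthrough_user(headers, remote_addr,
                             trusted_proxies=TRUSTED_PROXIES, header_name=IDENTITY_HEADER):
    """Server side: return the asserted user name, or None to treat the request as
    unauthenticated. headers is a list of (name, value) pairs so duplicates stay visible."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        log.warning("pass-through: unparsable remote address %r", remote_addr)
        return None
    values = [v for k, v in headers if k.lower() == header_name.lower()]
    if not any(addr in net for net in trusted_proxies):
        # A direct request carrying the header is the classic misconfiguration: log it loudly.
        if values:
            log.warning("pass-through: %s presented from untrusted address %s; ignored",
                        header_name, addr)
        return None
    if len(values) != 1:
        # Missing header: proxy not configured. Duplicates: possible header smuggling.
        log.warning("pass-through: expected exactly one %s header from %s, got %d",
                    header_name, addr, len(values))
        return None
    user = values[0].strip()
    if not USERNAME_RE.fullmatch(user):
        log.warning("pass-through: rejected malformed user name from %s", addr)
        return None
    return user


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    # Constructed requests: one that bypasses the proxy, one that went through it.
    direct = [("X-Remote-User", "admin"), ("Host", "tpp.example")]
    print("direct from 192.168.5.9 ->", resolve_passthrough_user(direct, "192.168.5.9"))
    via_proxy = proxy_forward(direct, "bob")          # proxy overwrites the spoofed value
    print("via proxy 10.0.1.7    ->", resolve_passthrough_user(via_proxy, "10.0.1.7"))
```

The source-address check is only as strong as the network path: if the Trust Protection Platform servers are reachable on a port or interface that does not pass through the proxy, the address test must be backed by a firewall rule or mutual TLS between proxy and server, which is the kind of per-server configuration check the release notes refer to.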
- Aperture's new About page
Aperture now has an About page. This new page lets users see the Trust Protection Platform engine they're connected to, its version number (including the patch number), and a list of the Aperture user interface plugins that are loaded. Users with administrator privileges can see additional information when accessing the About page, including details related to Schema Version, API Libraries, and Client Third-Party Libraries.
- New dedicated resource pool improves process productivity
Previous versions of Trust Protection Platform used a single pool of 25 worker threads on each server for all processing work, so the lowest-priority (0) tasks could be starved while higher-priority work was pending. To ensure that critical daily tasks, such as validation, monitoring, credential monitoring, and SSH workflow monitoring, continue to make progress, Trust Protection Platform 17.4 adds a worker pool dedicated to processing these priority-0 tasks.