Venafi Trust Protection Platform 17.1 brings an exhaustive list of exciting new features to help you solve your most important business problems related to securing and protecting Keys and Certificates within your organization today.
Server Certificate Product Features
- CyberArk Credential Integration
Leverage passwords stored in CyberArk safes for provisioning certificates to devices that make use of username credentials. Eliminates the need to keep credentials in TPP up-to-date as they are changed in accordance with security best practices. Link to CyberArk and allow CyberArk to manage the credential.
- Support for Elliptic Curve Certificates (ECC)
Migrating to ECC certificates? TPP now has support for generating ECC private keys and CSRs and enrollment/renewal with Venafi-supported CAs that offer that support through their APIs.
- SUDO Agentless Certificate Installation
Apache, PEM, GSK, iPlanet, JKS, PEM, and PKCS#12 installation types have been updated support SUDO when installing and validating certificates with SSH.
- Updated Citrix NetScaler Certificate Installation Driver
NetScaler Driver has been updated to transition from the SSH CLI to the new Nitro API. Along with this comes support for binding certificates to Services and Service Groups, certificates used in SNI configurations, and provisioning of password encrypted private keys.
- Citrix NetScaler Onboard Discovery (BETA)
Provide TPP with the IP Address and Credentials to your NetScaler appliances and let TPP do the rest. This feature will discover the certificates and associated configuration on your Netscalers for a true turnkey experience to rotate certificates. Request a BETA license
- Schedule Certificate Installations in Aperture
When approving workflows for installing certificates, the installation can be scheduled for a specified window in the future. Makes it easier to install certificates during maintenance windows. Feature introduced in Web Admin in 14.4 - now available in Aperture.
- Improved Installation Type filter in Aperture
Installation Type Filter is now more accessible and makes it easier to find certificates that are configured with installations. Also makes it easy to find certificates that are not configured for installations.
- Improved Aperture Status Column
Certificate Inventory Status column is broken into two columns: Risks & Status. Status contains a single life cycle stage like "Renewing" or "Pending My Approval". Risks will contain one or more tags like "Unapproved Issuer" and/or "No Local Dual Control". Certificate Overview Banner has been updated to only show "Status" information, not Risk.
- Add New Certificate Installations in Aperture
Whether you want to track additional locations for nightly validation or you want to configure the automatic installation of a certificate, you can now easily add new installations to your certificate in Aperture using the "Add Installation" action. It is also much easier to select the correct Installation Type with a new Installation selector that features improved friendly names and descriptions of the installation drivers available in Aperture.
- Improved Installation Configuration
Aperture has been improved so that configuring certificates for automatic installation is easier. Fields are hidden when not needed. Installation Interface is hidden unless a Server Agent is installed on the device. Port, Device, and Installation Credentials are hidden when configured to use an Agent. Installation Credential and Port are hidden by default in "Advanced Connection Settings". Display the last person who clicked "Install" for certificate and when it was performed. Show the folder that the device is stored in.
- Add Credentials for Certificate Installations
When configuring a certificate for installation, add new connection and keystore credentials on-the-fly into the TPP inventory.
- View previous versions of certificates
In Aperture, view the details of previous versions of a certificate for each time it was renewed. More features coming to this area in 17.2
- VCert Utility Enhancements
Minor enhancements made to VCert Utility to make it easier to use for DevOps use cases.
- Enhance Security For Private Key Re-Use
The Policy "Allow Private Key Re-Use (User Provided CSR)" has been relabeled to "Allow Users to Import Duplicate Certificates and Reuse Private Keys" in Aperture. When set to "No" (default setting), it will prevent duplicate certificates from being imported by file, retrieved in web admin, or discovered via "Instant Discovery". It will prevent two different certificate items in inventory from referencing the same certificate. Like before, it will also continue to prevent uploading of User Provided CSRs that are signed with a private key that has been previously used.
- Last Renewed/Installed
In Aperture, it is easy to filter, view, report on who last clicked "Renew Now" for a certificate. When Approving a workflow for Renewal, Installation, or Revocation, the approver sees on the approval screen who initiated the action.
- CAPI Certificate Installation Driver Update
CAPI Driver has been updated so that "Set-ExecutionPolicy" prerequisite is no longer required when binding a certificate to IIS
SSH Product Features
- Agentless integration with Privileged Access Management (PAM)
Enter a customized PAM command and credential to integrate with centralized PAM solutions, like PowerBroker.
- Device Connection Policy
Use policy to configure all (or groups of) devices in a standardized way to connect to SSH Servers for agentless management.
- On Demand Scans
Easily select one or more devices to perform on-demand scans of systems.
- Improved Device details interface
Easier to see what clients are authorized on a given device.
- Adaptable Log Channel
The Adaptable Framework has been extended to the log system. Trigger custom PowerShell scripts based on any event in TPP. Write scripts to edit data, push data, or pull data. This log channel opens up vast possibilities for improving custom business logic within TPP.
- Amazon Web Services (AWS) Instance Monitoring
Provide your AWS credentials and TPP will automatically keep your inventory up to date when EC2 instances are terminated. Automatically disable/delete installations. Also can automatically revoke and move certificates when the systems the certificates were being used on are terminated.
- Microsoft SQL Server AlwaysOn Availability Group Support
TPP now supports the use of High Availability Groups within Microsoft SQL. TPP can now point to an Availability Group listener for connectivity to the database. The availability group listeners will always present the Primary SQL server in the Availability Group.
- Encrypted Connection to Microsoft SQL
TPP now supports the configuration to always require a secure/encrypted connection to the DB.
- Usage Report
New automatic report that collects high level information of how the product is used so that administrators and Venafi can focus on improving the features your organization uses the most.
- Aperture System Status Dashboard
See your system status at a glance. See important details like the number Venafi servers, what patch version those servers are on. Gain visibility into what components are installed on each server and if venafi services are up or down. Same information is available via new WebSDK API.
- Aperture License Widgets
On the new System Status Dashboard, you can easily see the license consumption for your organization.
- New User/Group Entitlements View
In Aperture, visit the new "Identity" section under Inventory. You'll be able to easily see what permissions a user or group have been given anywhere in TPP. Feature only available to Master Administrators.
- Effective Permissions and Permission Troubleshooting
When viewing the permissions for any item in Aperture, you'll be able to see the inherited permissions for higher folders in the folder structure. Also able to analyze permissions to see where they are set and what identity they are applied to. For example, compare the permissions for two users on a certificate when one person has a working set of permissions and the other person is missing functionality.
- Venafi Support Center (VSC)
A new support utility that is packaged with TPP that will make more information available where troubleshooting or debugging is required. Typically used when working with Venafi Customer Support.
- Microsoft SQL Server 2016 Compatible
Venafi Trust Protection Platform now considers Microsoft SQL Server 2016 as a compatible database version to host the TPP database.
- Disaster Recovery
A new section of the documentation has been added to discuss recommended options for implementing a Disaster Recovery plan for your organization.
- Support for Windows 2016
The Venafi Server Agent is now officially supported on Microsoft Windows Server 2016
- Collect information from Cloud & Virtual Platforms
When the agent is installed on a VM running on VmWare, Amazon Web Services, or Azure, the agent collects the Virtual Machine ID and reports it to TPP. On Amazon Web Services, the Region is collected as well. This data is available through WebSDk, Aperture, and Custom Reports.
- Improved WebSDK
Optionally delete the linked device from inventory when you use the WebSDK to delete the Agent/Client record in TPP. New API to view all Agent/Client details.
- Improved Certificate Discovery
Server Agent now discovers and places the Alias/Label for PKCS12 and IBM (CMS) Keystores.