Upgrades to Venafi Trust Protection Platform 17.1
Trust Protection Platform 17.1 introduces new functionality integration into CyberArk as a new credential resource, Elliptic Curve Certificate (ECC) support, SUDO agentless certificate installation support, SSH Agentless integration with Privileged Access Management (PAM), a new Adaptable Log Channel, Amazon Web Services instance monitoring, and much more. Click here for a complete list of new features in 17.1. Depending upon the version you are upgrading from, some of the enhancements that have implemented over the last 2 years require action on your part either prior to upgrade or immediately after upgrade. Please read carefully through this Knowledge base article prior to upgrading. Take special attention on the the list of features deprecated as well as features scheduled for deprecation.
For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 17.1.
There is more Information about the Venafi Trust Protection Platform 17.1 life cycle here: https://support.venafi.com/entries/23267241
Oracle Database Server no longer supported
If your Trust Protection Platform database is currently being hosted on Oracle, do NOT attempt to upgrade to 17.1. You must first migrate your production database from Oracle to Microsoft SQL. Contact Venafi Customer Support to coordinate Venafi assistance with the migration.
Change in requirements for Database Service Account permissions
Enhancements made in 15.1, 15.3, 16.2, and 17.1 have changed the permissions required by the Microsoft SQL Service account used to connect to the database. Please refer to the sample grant scripts (ex: sample_grants_16.4_to_17.1.sql) in the "Database Scripts\MSSQL\Updates" folder for sample scripts on how to modify the permissions for your database. Please consult with your DBA prior to changing permissions for the database.
DSA SSH Credentials for Certificate Installations
17.1.3 has a new version of our Maverick library that is used as an SSH Client for Trust Protection Platform to communicate with remote systems. If you want to discover DSA keys:
- In the Control Panel, navigate to the Network Connections, Advanced settings. Disable the setting for Federal Information Processing Support (FIPS) compliance for this network.
- On the Trust Protection Platform server running Discovery, add the following registry key: HKLM\Software\Venafi\Platform\EnableSSHDSS (string key), value: 1.
Note: 17.1.0 and 17.1.1 does not have DSA support in TPP.
License and Usage statistics collected
New in 17.1, high level statistics and license usage can optionally be collected and emailed to Venafi at email@example.com. No sensitive or personally identifiable data, such as IP and email addresses, hostnames, and usernames is being sent. Please make sure the email account used to email other reports has access to email outside recipients.
Please refer to "Usage statistics and Licensing Report FAQ" section in product documentation for benefits and frequently asked questions about this feature.
Aperture Certificate Status Updated
Certificate Inventory Status column is broken into two columns: Risks & Status. Status contains a single life cycle stage like "Renewing" or "Pending My Approval". Risks will contain one or more tags like "Unapproved Issuer" and/or "No Local Dual Control". Certificate Overview Banner has been updated to only show "Status" information, not Risk. If you have custom reports that were reporting on "Status", if you wish for them to continue to report on certificate risk information, you will need to update the report to include the new column.
SSH Client Library Updated
In 17.1, public-key authentication to a device using a DSA key is no longer supported.
Encrypted Connection to Microsoft SQL
TPP now supports the configuration to always require a secure/encrypted connection to the Database. In order to enable this, you will need to open Venafi Control Center on each TPP server and choose "Change Database Password". You will then check "Encrypt all database communications" and click the Verify button. This security feature requires a valid TLS certificate to be installed on your Microsoft SQL Server. You may have to install/replace the certificate on your SQL server prior to enabling this functionality on each TPP server.
Update of Universal C Runtime is now required
Starting in version 16.3, in order to offer SNI (Server Name Indication) support for SSL/TLS validation of certificates, the library we use requires an update of Universal C Runtime in Windows. This update must be installed before you run the 16.4 Trust Protection Platform installer. This is required on both Windows 2008 R2 and Windows 2012 R2.
Download the update specific to your OS at: https://support.microsoft.com/en-us/kb/2999226
TPP 16.4 Requires .NET Framework 4.6.1 to install
Before installing TPP 16.4, make sure the .NET Framework is updated to 4.6.1.
You can download the offline installer for Windows 2008 R2 and Windows 2012 R2 at:
Web Administration console Policy tree performance improvement
In order to accommodate customers with larger deployments, in 16.4 the Policy Tree in the Web Administration console has been refactored to provide significantly faster load times. One behavior difference you will notice is that all nodes of the tree will have a + (plus) sign to allow for the expansion of child nodes. This sign will be displayed for all objects. If a node does not have any child objects, the + sign will disappear after it's clicked. This change was implemented originally in 16.3
Privileged command set change for SSH Agentless
In 16.4 the list of commands that the SSH discovery and remediation engine runs with privileges (“sudo” commands if sudo is being used) has changed. Some commands are no longer required in order to run as a privileged user; some new commands are required instead. Refer to the following article for detailed description on restricting commands for account to use with agentless SSH.
Beginning with version 16.3, the following commands are no longer required to be run as "privileged" and can be removed from /etc/sudoers entry:
- sh –c find *
The following new commands need to be present in /etc/sudoers entry, beginning with 16.3:
For more information, see: https://support.venafi.com/hc/en-us/articles/225511807
Updated SSH Folder Policy Violation settings in Aperture
When configuring SSH folder policy violation settings in Aperture, the functionality has been modified for consistency and clarity. For example, in previous versions, one setting was called “Allow Root Access.” This setting has been renamed “Flag Root Access” so it is clear that items will still be permitted, but they will be flagged with a status tag that allows you to find them easily.
If you are upgrading to version 16.3, your folders will be updated automatically. The underlying behavior won’t change. So, if items were being given status messages in older versions, they will continue to be given status messages in 16.3. The labels are now clearer about what is occurring when these settings are being configured.
Changes to Adaptable CA driver framework
Customers using the Adaptable Certificate Authority driver in 16.2 must update the definition of the Prepare-ForRequest function in your PowerShell scripts. This change makes additional data available to that function so that it can support more use cases.
For details on updating your script, visit: https://support.venafi.com/hc/en-us/articles/227444167
Password complexity requirements are increased and on by default
New in 16.3, complexity requirements have been updated. These changes have been implemented to allow Venafi Trust Protection Platform to meet or exceed industry standards such as SANS, NIST, Microsoft, and PCI-DSS. These changes apply to:
- Downloading certificates that contain private keys from the Web Administration console or Aperture.
- Retrieving certificates that contain private keys from WebSDK
- New Accounts Local to Trust Protection Platform (or when existing accounts change their password)
The updated requirements are:
- At least 12 characters long
- Must contain a combination of at least three out of the following four categories: uppercase alphabetic, lowercase alphabetic, numeric, and special characters
Just as before, Master Admins (or those with appropriate delegated permissions) can turn the complexity off for certificate private key download via policy.
Note: The complexity requirements listed above do not apply to the automated installation of certificates via Provisioning drivers. These are typically governed by password credential objects via permissions and policy.
Longer upgrade window when upgrading from 16.1.x or older
Significant refactoring was done in 16.2. affecting how logs are stored in the database. When the mssql_update_16.1_to_16.2.sql upgrade scripts are executed, the format of the data is modified. For every 30 million rows in the logs, you can expect the script to take approximately an hour (subject to hardware, SQL Server version, server utilization, and other factors).
It is recommended, if possible, to archive or reduce the number of logs stored in the Trust Protection Platform database prior to upgrading to 16.3 from 16.1.x or older.
If you have secondary log tables, read this KB article to learn how to migrate it: https://support.venafi.com/hc/en-us/articles/220761368.
Database log retention must be specified on upgrade
First introduced in 16.2, database log retention can now be configured in the Venafi Control Center wizard during the upgrade and installation process. If this value is left blank when upgrading from 16.1 or older, then your installation will NOT delete any logs and your logs will continue to grow. It is recommended that a value be entered in VCC (example: 365 days) on the first server that is upgraded to 16.4.
Certificate settings are "read-only" during enrollment processing or while In Error
In Trust Protection Platform 15.4, certificate enrollment settings cannot be modified while a certificate is enrolling/processing or is In Error. In order to make changes to the certificate (for example, change the common name of the certificate), users will need to Reset the certificate state in the Web Administration Console.
Security-related changes have been made in 16.1 that now prevent users from altering a certificate signing request (CSR) after it has progressed beyond the start of the renewal process, such as uploading a CSR. As such, any certificates that are waiting for a new CSR to be uploaded prior to upgrading to 16.1 will need to be reset and restarted using the Web Administration Console (after successfully upgrading Trust Protection Platform).
Approving certificate installation (Provisioning) workflows in Aperture
In Trust Protection Platform 15.3, the ability to approve installation workflows in Aperture was added. If you're using a custom SMTP Notification Channel to send emails to approvers, those custom channels will need to be updated. This will ensure that users are directed to the correct URL in Aperture to approve enrollment or certificate installation workflows.
Automatic MD5 conversion for agentless connections to SSH
In 17.1, while making an agentless connection to a device, Trust Protection Platform automatically migrates host keys that use the MD5 hash to a SHA-256 hash. The migration, which is based on the Key Type, occurs while attempting to connect to the host.
How Trust Protection Platform manages agentless connections for provisioning
SSH connectivity for provisioning is based on Web Admin settings. Use the Device Settings page to control agentless provisioning. You should also monitor the log of events for the following general agentless activities.
- If Enforce Host Key is set to 'No' (default) and the presented thumbprint is different than the stored thumbprint, the log event is 40060020,SSH Public Key Fingerprint Changed.
- If Enforce Host Key is set to 'Yes' and the presented key matches the trusted Host Key, the connection is allowed and no special log event is generated.
If the presented key does not match the trusted Host Key, the connection is refused and the log event is 40060004,SSH Connect To Host Failed. For example:
127.0.0.1, 2/22/2017 10:10:04 AM, \VED\Policy\centos-oracle: \VED\Policy\centos-oracle, Error: Error, Translated event: SSH Connection Failed, The SSH library failed to connect to 192.168.3.220 on port 22, with the Connection Result 8: The host key was not accepted.
How Trust Protection Platform manages MD5 to SHA-256 conversions
The conversion to SHA-256, which is automatic, does not require configuration. However, during conversion, the Enforce Host Key settings generate a different set of log event messages. If your SSH servers use the MD5 hash algorithm, you should monitor the log of events to manage the automatic conversion:
- If Enforce Host Key is set to 'Yes' and the Host Key matches but the presented MD5 fingerprint is a change that causes a mismatch to the trusted one, Trust Protection Platform replaces the existing fingerprint with a new one. The log event is 4006001F,SSH Public Key Fingerprint Replaced.
- If Enforce Host Key is set to 'Yes' and both the presented Host Key and MD5 fingerprint are an exact match, the log event is 40060020,SSH Public Key Fingerprint Changed.
- If Enforce Host Key is set to 'No', the log event is 40060020,SSH Public Key Fingerprint Changed.
Agent certificate discovery
Due to changes in version 15.2.0 in the configuration of work that the Venafi Server Agent does during certificate discovery, agents will stop performing certificate discovery until your Device Placement work has been configured and assigned to all applicable agents. Certificate Discovery work also needs to be updated to have certificate placement rules applied. Agents will not start or continue certificate discovery until these two configuration items have been completed in Aperture.
User Portal is now configured in Aperture
The User Portal used to be configured in the Web Administration Console. Starting with 15.4, it is now configured in Aperture using Agent Groups and User Certificate Creation work.
Brocade Application Driver
The Brocade Application Driver used for certificate installations is no longer available in TPP as of 17.1
Verizon SureServer Certificate Authority Driver
The Verizon SureServer Certificate Authority Driver used for certificate enrollments is no longer available in TPP as of 17.1
Oracle DB support
Venafi has deprecated support for Oracle in version 17.1 (Q1, 2017). For more information refer to: https://support.venafi.com/hc/en-us/articles/227567188
Canned CA Trust Report
The canned CA Trust Report found in the Web Administration console has been removed from the product in 17.1.
Web Admin Licensing Status Dashboard
This functionality has been migrated to Aperture and is now visible on the new System Status dashboard as of 17.1
Venafi Support Tool
The Venafi Support Tool was removed in 17.1. It has been replaced by a new utility called the Venafi Support Center.
"VED Client" UI Portal
There is an undocumented and unsupported UI Portal that exists that will be removed from the product in 16.4. This change should not affect any customers.
z/OS CA driver
The z/OS CA driver has been removed from Trust Protection Platform in 16.4. This integration is outdated and the Adaptable CA driver provides a better alternative.
SSH non-recursive discovery
SSH Key Discovery no longer supports performing non-recursive scans. The ability to scan "just this folder" and exclude all subfolders is not available in 16.3
Aperture certificate status “Revocation Approval Required”
The Certificate Status of Revocation Approval Required has been replaced with Pending My Approval in 16.3
Venafi Server Agent has deprecated support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC) in 16.3.0
For 16.3, the Venafi Trust Protection Platform will no longer ship with an agent installer for HP-UX PA-RISC. This does not affect our support for HP-UX on Itanium Processors (HP-UX IA). Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005. We are deprecating support for this specific operating system so that we can realign resources to support newer and more popular enterprise operating systems.
More information on deprecation of PA-RISC: https://support.venafi.com/hc/en-us/articles/218241207
Deprecated: Aperture License dashboard widget and filter
The License dashboard widget and certificate list License filter have been removed from the Aperture console. If this filter was used in a saved Custom Report, the report will be updated to remove this filter. Licensing information can be retrieved using the in-product Licensing Report found in the Web Administration console.
Internet Explorer 8 has not been supported since Venafi Trust Protection Platform 14.1. Core libraries of Aperture were updated for security fixes and performance enhancements which resulted in Aperture's incompatibility with Internet Explorer 8. As of release 16.1, Aperture will not load on IE8. Make plans now in your organization to make sure end users have a modern browser available to them.
Also in 16.1, our supported browsers have been updated to Internet Explorer 11 and Mozilla FireFox ESR 38. The latest version of Google Chrome is still categorized as a compatible browser.
See Article: Why we deprecated Internet Explorer 8
Functionality scheduled for deprecation in future releases:
Comodo "Web Host Reseller" CA Driver
The Comodo Web Host Reseller CA Driver is being removed from TPP in 17.2. This does not affect the Comodo Certificate Manager driver. All current customers are using the Certificate Manage driver and Comodo has recommended this legacy driver be removed from TPP.
IBM GSK Driver Support for GSK version 6.0
Starting in 17.2, the GSK Certificate Installation Driver will no longer support version 6.0. Version 6.0 reached end-of-life in September 2013.
Java Key Store (JKS) Driver Support for Java version 1.4 or 1.5
Starting in 17.2, the Java Key Store (JKS) Certificate Installation Driver will no longer support Java versions 1.4 or 1.5. These version have reached their end-of-life in October 2008 and October 2009 respectively.
Transition DigiCert CA Driver from Enterprise to CertCentral API
In 17.2 (tentatively), the DigiCert CA driver will be migrated from the legacy “Enterprise” API to the current “CertCentral” API. This will require customers to have their accounts migrated. DigiCert has stated they are available to help customers with the migration.
Devices removed from Aperture Folder tree
In 17.2 - devices will be removed from the Aperture Folder tree. Only Folders will be visible. This is being done to enhance performance and usability. Devices will still be accessible to SSH customers in the Inventory => Devices top navigation menu.
Microsoft SQL Server 2008 R2
Effective with release 17.3, support for MS SQL Server 2008 R2 will be discontinued.
This change is necessary to take advantage of newer technologies available in recent versions of SQL Server. In addition, this change will allow Venafi to fully support versions 2012, 2014 and add 2016 as a compatible version.
Microsoft Windows Server 2008 R2
Effective with release 17.3, support for Windows Server 2008 R2 as a supported platform for Trust Protection Platform will be discontinued for the following reasons:
- Microsoft ended mainstream support of Windows Server 2008 R2 on January 13, 2015
- To add support for Windows Server 2016
Network Discovery Jobs in Web Admin
In 17.3, Network Discovery Jobs will be removed from the Web Administration console. Enhanced configuration options for Network Discovery have been available in Aperture since 14.3.
Transition IBM DataPower Driver interface from SSH to XML-RPC
In 17.3 tentatively, the driver will be transitioned from SSH CLI to XML-RPC API. DataPower versions prior to 6.0.2 will no longer be supported or compatible. Versions tentatively being targeted for support are 6.0.2 and 7.5.2
Certificate Authority Report
Canned Certificate Authority report will be removed from Trust Protection Platform in 17.3 release. The distribution of certificate authorities by number of issued certificates is available in Certificate Inventory Report and Certificate Dashboard in Aperture.