Replacing all Local:Master Admin accounts

Overview

During TPP installation, the local Master Admin account is associated with many Contact and Approver fields as a back stop to ensure default notifications get sent to a user. This article will describe how to locate and change each of these default values via the Venafi REST API.
Locating the Master Admin Contact and Approver values

From the VedAdmin console, navigate to the root Policy -> Support -> Policy Attributes.

This page lists every Class and Attribute that carries the Master Admin as its default value. One strategy for producing a list that can be fed into a script or a tool such as Postman is to copy the text from this page into a spreadsheet, then filter out every Attribute that is not Contact or Approver and delete those rows.
In order to change the default Contact and Approver field for every Class in the system, iterate over this list and insert logic to choose an appropriate User ID. For this example, we will show the API calls to use in order to look up a User and a Security Group and apply these to each Class.
Look up AD User

To look up a user in AD, the API caller must be logged in as a user in the target identity provider.

POST https://venafitpp.company.com/vedsdk/Identity/Browse
X-Venafi-Api-Key: 7cd2319e-5b50-4fe1-a3b6-d40c5fe1d156
{
    "Filter": "Ben",
    "Limit": 1,
    "IdentityType": 1
}

HTTP/1.1 200 OK
{
    "Identities": [
        {
            "FullName": "CN=Ben Rogers,CN=Users,DC=AWS,DC=SE,DC=VENAFI,DC=COM",
            "IsContainer": false,
            "IsGroup": false,
            "Name": "ben.rogers",
            "Prefix": "AD+AWS",
            "Universal": "b2280f0ae080bd45b0dc36bfe42ad5e0"
        }
    ]
}

Once you have looked up the appropriate User ID(s), they must be supplied in the form Prefix:Universal. In this example, the value is AD+AWS:b2280f0ae080bd45b0dc36bfe42ad5e0.

Look up AD Security Group

POST https://venafitpp.company.com/vedsdk/Identity/Browse
X-Venafi-Api-Key: 7cd2319e-5b50-4fe1-a3b6-d40c5fe1d156
{
    "Filter": "Approvers",
    "Limit": 1,
    "IdentityType": 2
}

HTTP/1.1 200 OK
{
    "Identities": [
        {
            "FullName": "CN=Approvers,CN=Users,DC=AWS,DC=SE,DC=VENAFI,DC=COM",
            "IsContainer": false,
            "IsGroup": true,
            "Name": "Approvers",
            "Prefix": "AD+AWS",
            "Universal": "0a49b75c66c86a428098f64b4db2972d"
        }
    ]
}

Once you have looked up the appropriate Group(s), they must be supplied in the form Prefix:Universal. In this example, the value is AD+AWS:0a49b75c66c86a428098f64b4db2972d.
Change Values by Policy

In this example, we set the default Contacts for the Tree Root class to the AD user "Ben Rogers" and the AD security group "Approvers". Locked is left false so that child policies can still override the value.

POST https://tpp.venafi.example/vedsdk/Config/WritePolicy
X-Venafi-Api-Key: 7cd2319e-5b50-4fe1-a3b6-d40c5fe1d156
{
    "ObjectDN": "\\VED\\Policy",
    "Class": "Tree Root",
    "Locked": false,
    "AttributeName": "Contact",
    "Values": [
        "AD+AWS:b2280f0ae080bd45b0dc36bfe42ad5e0",
        "AD+AWS:0a49b75c66c86a428098f64b4db2972d"
    ]
}

HTTP/1.1 200 OK
{
    "Result": 1
}

Summary

Using these three API calls and a structured input file derived from the Policy Attributes page, replacing the default Master Admin with meaningful user IDs and groups is left as an exercise for the reader.
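The following script is an added example, not part of this article or of Venafi's own tooling, that strings the three calls together: it resolves the user and group to Prefix:Universal form, keeps only the Contact and Approver rows from the pasted Policy Attributes list, and writes both identities onto each class at the tree root, checking the Result value from the sample reply above. The host, API key, and the spreadsheet rows are placeholders or constructed values.

```python
import json
import urllib.request

# Constructed sample matching the Identity/Browse reply shown in the article (not a live call).
SAMPLE_BROWSE = {"Identities": [{"FullName": "CN=Ben Rogers,CN=Users,DC=AWS,DC=SE,DC=VENAFI,DC=COM",
                                 "IsContainer": False, "IsGroup": False, "Name": "ben.rogers",
                                 "Prefix": "AD+AWS", "Universal": "b2280f0ae080bd45b0dc36bfe42ad5e0"}]}

def identity_id(browse_response):
    """Turn one Identity/Browse hit into the Prefix:Universal form TPP expects in Contact/Approver values.
    Refuses empty or ambiguous results so a partial name filter cannot silently pick the wrong principal."""
    hits = browse_response.get("Identities", [])
    if len(hits) != 1:
        raise ValueError(f"expected exactly one identity, got {len(hits)}")
    return f"{hits[0]['Prefix']}:{hits[0]['Universal']}"

def contact_rows(policy_attribute_rows):
    """From (Class, Attribute) pairs pasted out of Policy Attributes, keep only Contact and Approver rows."""
    return [(cls, attr) for cls, attr in policy_attribute_rows if attr in ("Contact", "Approver")]

def write_policy_payload(policy_dn, cls, attr, values, locked=False):
    """Build the Config/WritePolicy body; Locked stays False so child policies may still override."""
    return {"ObjectDN": policy_dn, "Class": cls, "Locked": locked,
            "AttributeName": attr, "Values": list(values)}

def tpp_post(base_url, api_key, path, payload):
    """POST a JSON body to /vedsdk/<path> with the X-Venafi-Api-Key header and return the parsed reply."""
    req = urllib.request.Request(f"{base_url}/vedsdk/{path}", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "X-Venafi-Api-Key": api_key}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    base, key = "https://TPP-HOST-PLACEHOLDER", "API-KEY-PLACEHOLDER"  # placeholders, not real values
    # IdentityType 1 = user, 2 = group, as in the article's two Browse calls.
    user = identity_id(tpp_post(base, key, "Identity/Browse", {"Filter": "Ben", "Limit": 1, "IdentityType": 1}))
    group = identity_id(tpp_post(base, key, "Identity/Browse", {"Filter": "Approvers", "Limit": 1, "IdentityType": 2}))
    # Constructed stand-in for the spreadsheet rows; the first row is the article's own case.
    rows = contact_rows([("Tree Root", "Contact"), ("X509 Certificate", "Approver"),
                         ("X509 Certificate", "Management Type")])
    for cls, attr in rows:
        reply = tpp_post(base, key, "Config/WritePolicy",
                         write_policy_payload(r"\VED\Policy", cls, attr, [user, group]))
        if reply.get("Result") != 1:  # 1 is the success Result shown in the article's sample reply
            raise SystemExit(f"WritePolicy failed for {cls}/{attr}: {reply}")
        print(f"set {attr} on {cls} -> {user}, {group}")
```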
