Applies to:
All Versions
Summary:
Validation allows us to ensure that the public certificate we have stored in our database is, in fact, still available on the device/application we are monitoring. There are two ways to turn off validation for your certificates and/or drivers.
- At the server level, using the platform tree.
- At the object level in the policy tree.
Definition:
Network Validations merely connect to the configured IP address and port, whereas On-Board Validations attach to the server in question via SSH, authenticate, and browse its file system to procure and validate the certificate. The Validation Manager runs Network Validations of SSH Server Key, Certificate, and Application objects. It also performs On-Board Validations of Application objects.
More info:
This article addresses On-Board and Network Validations of your certificates.
1: Network Validation:
Network Validation requires network access to the server where the certificate is installed. During the Network Validation process, TPP sends an SSL request to the server. If the server responds to the SSL request, TPP retrieves the certificate’s serial number and compares it to the certificate TPP has archived for the corresponding Certificate object.
If you enable Network Validation on a Certificate object and select the Use Certificate Common Name option, TPP does a DNS lookup of the certificate’s common name. It then validates the certificate at every IP address returned from the DNS lookup.
Network Validation is available for Application and Certificate objects. If you enable Network Validation on an Application object, TPP validates the certificate associated with that Application object.
2: On-Board Validation:
On-Board Validation can be enabled only on Application objects. During On-Board Validation, TPP uses the information defined in the Application object to authenticate with the server and locate the installed certificate. It then compares the installed certificate's serial number to the certificate TPP Certificate Manager has archived for the application's corresponding Certificate object. On-Board Validation is performed using the application's supported management protocol.
The purpose of On-Board Validation is to determine if the Application object configuration is correct and to verify that the correct certificate is installed on the server. If TPP can authenticate with the server, it knows the Application object’s credentials are correct. If it can locate the certificate, it knows the Application object’s certificate configuration is correct. Finally, when it retrieves the certificate serial number, TPP can determine if the correct certificate is installed.
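As an added example that is not part of this article or of TPP's own code, the following Python sketch reproduces in miniature the two checks described above: the network path opens a TLS session to every address a name resolves to (the "Use Certificate Common Name" behaviour) and reads the serial number of the presented certificate, and the on-board path reads a certificate file in PEM or DER form, as an authenticated session on the server would, then both compare that serial against the archived value. The sample DER bytes, the archived serial, the host name app.example.test and the 192.0.2.x addresses are constructed placeholders; the small DER walker only extracts the serial number and is not a full X.509 parser.

```python
import socket
import ssl

# Constructed sample: a DER fragment shaped like the start of an X.509 Certificate
#   Certificate SEQUENCE { tbsCertificate SEQUENCE { [0] version(2), serialNumber 0x01A2B3, ... } }
# Only the leading elements are present; it is NOT a real certificate, just enough for the parser.
SAMPLE_DER = bytes.fromhex("300C300AA003020102020301A2B3")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()
ARCHIVED_SERIAL = "01:A2:B3"   # constructed: the serial the archived Certificate object would hold


def normalize_serial(serial: str) -> str:
    """Canonical form of a serial number so values shown by different tools compare equal.
    Accepts 'AB:CD:EF', 'abcdef', '0xABCDEF', with or without leading zeros."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"


def serial_matches(observed: str, expected: str) -> bool:
    """The core validation decision: does the installed serial equal the archived one?"""
    return normalize_serial(observed) == normalize_serial(expected)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_der(der: bytes) -> str:
    """Return the serialNumber of a DER-encoded certificate as normalized hex.
    Walks Certificate -> tbsCertificate -> [version] -> serialNumber (RFC 5280 layout)."""
    tag, tbs_pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, pos, _ = _read_tlv(der, tbs_pos)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (tbsCertificate)")
    tag, vstart, vend = _read_tlv(der, pos)
    if tag == 0xA0:                        # optional EXPLICIT [0] version precedes the serial
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return normalize_serial(der[vstart:vend].hex())


def serial_from_cert_bytes(data: bytes) -> str:
    """On-board style read: accept PEM or DER as found in the application's certificate file."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = ssl.PEM_cert_to_DER_cert(data.decode())
    return serial_from_der(data)


def fetch_der(ip: str, port: int, server_hostname: str, timeout: float = 5.0) -> bytes:
    """Network path: open a TLS session to ip:port (SNI = server_hostname) and return the leaf cert.
    Chain verification is off because the goal is to observe what is presented, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert(binary_form=True)


def resolve_all(name: str):
    """Every address behind a name, mirroring the 'Use Certificate Common Name' lookup."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def network_validate(common_name: str, port: int, expected_serial: str,
                     resolver=resolve_all, fetch=fetch_der):
    """Validate at every address the name resolves to; returns {ip: True/False}.
    resolver and fetch are injectable so the logic can be exercised without a live server."""
    results = {}
    for ip in resolver(common_name):
        try:
            der = fetch(ip, port, common_name)
            results[ip] = serial_matches(serial_from_der(der), expected_serial)
        except (OSError, ValueError, IndexError):
            results[ip] = False            # unreachable, handshake failed, or unparsable certificate
    return results


if __name__ == "__main__":
    # Offline demonstration with constructed addresses (RFC 5737 range) instead of a real host.
    fake_resolver = lambda name: ["192.0.2.10", "192.0.2.11"]
    fake_fetch = lambda ip, port, sni: SAMPLE_DER if ip == "192.0.2.10" else bytes.fromhex("300C300AA00302010202030000FF")
    print(network_validate("app.example.test", 443, ARCHIVED_SERIAL, fake_resolver, fake_fetch))
```

Running the file directly exercises the logic against the constructed sample; calling network_validate with a real name and the default resolver and fetch performs the live TLS check. As with TPP's Network Validation, the check answers only "is the expected certificate installed at every address?", not "is the chain trusted?", which is why fetch_der disables verification, and a mismatch on one address (a stale node behind a load balancer, for example) is reported per IP rather than hidden behind a single pass/fail.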
Configuring Validation:
To configure validation for Application objects (On-Board Validation):
- Log in to the TPP web console.
- Rights: You must have the View and Write rights to the Application object.
- Select the Policy tree from the drop-down menu.
- In the Policy tree, expand the parent Device object, then select the Application object.
- Click the Validation tab.
- Configure the Application object Validation settings, then click Apply/Save.
Disabling via policy:
To disable On-Board Validation and/or Network Validation, follow these steps.
Using the Policy Tree:
- Navigate to a policy object.
- Select the Applications tab.
- Select the application you want to turn validation off for.
- Under the Validation title, choose one of these options:
  - To disable only On-Board Validation, choose "Disable" under the File Settings title.
  - To disable only Network Validation, choose "Disable Network Validation".
  - To disable both, choose both.
To configure validation for Certificate objects (Network Validation):
- Log in to the TPP web console.
- Tip: You must have the View and Write rights to the Certificate object.
- Select the Policy tree from the Tree drop-down menu.
- In the Policy tree, expand the parent Policy, Device, or Application object, then select the Certificate object.
- Click the Validation tab.
- Configure the Certificate object Validation settings, then click Apply/Save.
NOTE: To turn off Network Validation, select the "Do not validate" option under Network Settings.
Frequently asked questions:
1: To disable Validation at the server level:
- Log in to the Venafi Configuration Console (versions 23.3 and higher).
- TIP: You must have the View and Write rights to the Validation Manager module.
- Select Product.
- Find Validation.
- Select the Disable radio button, then click Apply.
By default, Validation scans occur daily according to the daily task schedule configured on the TPP server object in the Platforms tree; however, you can manually run a Validation scan at any time by clicking the Validate Now option in the Application and Certificate objects.