Venafi Trust Protection Platform 14.2.0
The release of Venafi Trust Protection Platform 14.2 brings significant changes in system and environment requirements as well as changes to platform features and architecture. Please read through this Knowledgebase Article carefully prior to upgrading. For detailed upgrade steps, please refer to the ReadMe.rtf document that was packaged with Venafi Trust Protection Platform 14.2.0.
Please carefully read through the entire list of considerations before upgrading your production environment of Venafi Director to version 14.2.0.
Supported Upgrade Path
To upgrade to Venafi Trust Protection Platform 14.2.0, your current installation must be on at least Director 6.1.4. The installation MSI will not run if you are on Director 6.1.3 or lower.
The following table shows the supported upgrade paths. It outlines which versions of Director can upgrade directly to Director 14.1, and which versions need to be updated to an intermediate version prior to the final upgrade.
Note: It may be possible to successfully upgrade directly to Venafi Trust Protection Platform 14.2.0 from versions not outlined in the table below, but those upgrade paths have not been fully tested.*
* It is NOT possible to upgrade directly from version 6.1.4 to version 14.2 because of the significant changes to the rights and user-preferences subsystems.
(must upgrade to 6.1.4 from earlier versions)
Director 14.1.0 | Venafi Trust Protection
Director 7.0.0 | N/A | Venafi Trust Protection
Director 8.0.3 | Venafi Trust Protection
Director 8.0.3 | N/A | Venafi Trust Protection
Director 11.0 | Venafi Trust Protection
Director 11.0.0 | N/A | Venafi Trust Protection
Director 14.1.0 | N/A | Venafi Trust Protection
Microsoft Certificate Authority Template Credentials (applies only to 14.2.0)
New in Venafi Trust Protection Platform 14.2 is improved security around Microsoft Certificate Authority (MSCA) Template objects in the Venafi Policy Tree. In order to successfully communicate with your Microsoft CA servers, you must specify the credentials used to communicate with the CA on the template itself.
When upgrading to 14.2, you must update all of your MSCA templates to reflect the service credentials Venafi uses. These credentials are no longer requested during installation; they are now configured on the policy tree.
Subject Alternative Name (SAN) Support on Microsoft Certificate Authority
New in Venafi Trust Protection Platform 14.2 is improved security around Auto-Enrollment with a Microsoft Certificate Authority. In order to be capable of supporting Subject Alternative Names (SANs) when enrolling with the Microsoft CA, you must configure templates to require approval for certificate requests. You can do this in one of two ways: for all templates used by the CA, or for individual templates.
To make the change for the whole Certificate Authority:
- Using the Certificate Authority MMC snap-in, right-click on the CA's name and select Properties.
- On the Policy Module tab, click the Properties button.
- Select Set the certificate request status to pending....
To make the change to individual templates:
- Using the Certificate Templates MMC snap-in, right-click on a template to be enrolled by Trust Protection Platform, and then click Properties.
- On the Issuance Requirements tab, select CA Certificate Manager Approval to be required for enrollment.
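The two settings above map to documented Microsoft bit flags: the CA-wide checkbox sets REQDISP_PENDINGFIRST (0x100) in the policy module's RequestDisposition registry value, and the template checkbox sets CT_FLAG_PEND_ALL_REQUESTS (0x2) in the template's msPKI-Enrollment-Flag attribute (MS-CRTD). The following script is an added example, not Venafi's code or documentation: it audits both places before the upgrade so you can see which templates still need manager approval enabled. It assumes it runs on the issuing CA as an administrator with the ActiveDirectory module available, and the template names 'WebServer' and 'VenafiTLS' are placeholders for whatever your Venafi MSCA template objects reference.

```powershell
# Pre-upgrade audit for the SAN-on-MSCA requirement (added example, not Venafi's
# code). Reports whether the issuing CA holds every request for manager approval
# and which templates require "CA certificate manager approval".
# Bit values are documented Microsoft constants.

$REQDISP_PENDINGFIRST      = 0x100  # CA policy module: "Set the certificate request status to pending"
$CT_FLAG_PEND_ALL_REQUESTS = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"

function Get-CAPendingSetting {
    # The active CA's policy module settings live under the CertSvc configuration key.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $policy = "$cfg\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $disp   = (Get-ItemProperty -Path $policy -Name RequestDisposition).RequestDisposition
    New-Object PSObject -Property @{
        CA                 = $caName
        RequestDisposition = ('0x{0:X}' -f $disp)
        PendingFirst       = [bool]($disp -band $REQDISP_PENDINGFIRST)
    }
}

function Get-TemplateApprovalSetting {
    param([string[]]$TemplateName)  # empty = report every template in the forest
    Import-Module ActiveDirectory -ErrorAction Stop
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
            (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKICertificateTemplate"' `
                 -Properties 'msPKI-Enrollment-Flag' |
        Where-Object { (-not $TemplateName) -or ($TemplateName -contains $_.Name) } |
        ForEach-Object {
            $flags = [int]$_.'msPKI-Enrollment-Flag'
            New-Object PSObject -Property @{
                Template        = $_.Name
                EnrollmentFlag  = ('0x{0:X}' -f $flags)
                ManagerApproval = [bool]($flags -band $CT_FLAG_PEND_ALL_REQUESTS)
            }
        }
}

$ca = Get-CAPendingSetting
$ca | Format-List
if ($ca.PendingFirst) {
    'CA-wide pending is on: every template enrolled through this CA is covered.'
} else {
    # Placeholder template names; replace with the ones your MSCA template objects use.
    $todo = Get-TemplateApprovalSetting -TemplateName 'WebServer', 'VenafiTLS' |
            Where-Object { -not $_.ManagerApproval }
    $todo | Format-Table -AutoSize
    if ($todo) {
        'Templates listed above need CA certificate manager approval enabled before TPP 14.2 can enroll SANs through them.'
    }
}
```

Checking the CA-wide setting first mirrors the two options in the text: when the policy module already holds every request, the per-template flag is redundant and the script stops there.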
Network Device Enrollment One-Time Challenge Phrase
Security has been improved surrounding the "One-Time Challenge Phrases" for customers issuing certificates via Network Device Enrollment (SCEP). If you are using One-Time Challenge Phrases (OTCP) in your Network Device Enrollment deployment, you must specify the user/service accounts being used to request OTCPs so that they can be considered authorized users. Accounts that are not added to the list will be denied access to request a valid OTCP.
The configuration is found in the Web Administration Console on Platform Tree => Platform root => Network Device Enrollment tab.
Certificate Scanning Agent
The KMIP Agent available in Director 6.1.x-11.0.0 has undergone major architecture improvements for the Trust Protection Platform 14.2 release. This release introduces the new Client REST agent for certificate scanning. If you currently have the KMIP Certificate agent deployed in production, it will continue to function. We do however recommend that you plan to migrate all KMIP Agents to the new REST Agents.
See the following KB for a documented walk-through on upgrading your agents from KMIP to REST.
Microsoft .NET Framework
Venafi Trust Protection Platform 14.2 requires that .NET Framework 4.5.1 be installed on your Windows Server 2008 R2 machine prior to upgrading.
The online installer can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=40773
If installing Venafi on Windows Server 2012 R2 (newly supported in this release), the ASP.NET Server Role must be added.
IIS Add-on Module
Director 14.1 requires that Microsoft URL Rewrite Module 2.0 for IIS 7 be installed on your Director Servers that have any of the following Director components installed:
- Web Administration Console
- Web SDK
- Client REST
- User Portal
The installer for IIS 7.5 on Windows Server 2008 R2 can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=7435
If installing Venafi on Windows Server 2012 R2, there is not a download available. URL Rewrite must be installed using the Microsoft Web Platform Installer (Web PI). See http://www.iis.net/downloads/microsoft/url-rewrite for details.
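The .NET Framework, ASP.NET role and URL Rewrite requirements above are easy to verify before the maintenance window opens. The script below is an added example, not part of Venafi's installer or documentation; run it in an elevated PowerShell session on every server that will host the Web Administration Console, Web SDK, Client REST or User Portal. It relies on documented Microsoft values: the .NET 4.5.1 installer writes a Release DWORD of 378675 (Windows 8.1 / Server 2012 R2) or 378758 (other operating systems), URL Rewrite registers itself as the IIS global module RewriteModule, and the ASP.NET 4.5 role service is the Web-Asp-Net45 feature on Server 2012 R2. The mapping of Venafi components to these prerequisites is taken from the text above.

```powershell
# Pre-upgrade prerequisite check for a TPP 14.2 web-facing server (added example,
# not Venafi's installer or documentation). Each check returns an object with
# Check/Passed/Detail so the results can be reviewed or exported.

# .NET 4.5.1 = Release 378675 (Win 8.1 / 2012 R2) or 378758 (other OSes);
# anything at or above 378675 is 4.5.1 or later.
$DotNet451MinRelease = 378675

function Test-DotNet451 {
    $key     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($release) { $detail = "Release=$release" } else { $detail = 'v4 Full profile not installed' }
    New-Object PSObject -Property @{
        Check  = '.NET Framework 4.5.1 or later'
        Passed = ($null -ne $release) -and ($release -ge $DotNet451MinRelease)
        Detail = $detail
    }
}

function Test-UrlRewriteModule {
    # URL Rewrite registers itself as a global IIS module named "RewriteModule".
    Import-Module WebAdministration -ErrorAction Stop
    $mod = Get-WebGlobalModule -Name RewriteModule -ErrorAction SilentlyContinue
    if ($mod) { $detail = $mod.Image } else { $detail = 'RewriteModule not registered in IIS' }
    New-Object PSObject -Property @{
        Check  = 'IIS URL Rewrite Module'
        Passed = ($null -ne $mod)
        Detail = $detail
    }
}

function Test-AspNetRole {
    # Only meaningful on Windows Server 2012 R2, where the ASP.NET 4.5 role
    # service must be added by hand.
    Import-Module ServerManager -ErrorAction Stop
    $feature = Get-WindowsFeature -Name Web-Asp-Net45 -ErrorAction SilentlyContinue
    if ($feature) { $detail = "InstallState=$($feature.InstallState)" } else { $detail = 'Web-Asp-Net45 feature not available on this OS' }
    New-Object PSObject -Property @{
        Check  = 'IIS ASP.NET 4.5 role service'
        Passed = ($null -ne $feature) -and $feature.Installed
        Detail = $detail
    }
}

$results = @(Test-DotNet451; Test-UrlRewriteModule)
# Kernel 6.3 = Windows Server 2012 R2; the ASP.NET role check does not apply to 2008 R2.
if ([Environment]::OSVersion.Version -ge [Version]'6.3') { $results += Test-AspNetRole }
$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A non-zero exit code lets the script gate a change-management job: fix the failed prerequisite, rerun, and only then launch the 14.2.0 MSI.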
Supported Browsers
Venafi Trust Protection Platform 14.2 supports Internet Explorer 10 and Firefox 24 ESR. Other versions of Internet Explorer and Firefox, and browsers from other vendors, have not been tested. Unexpected behavior may occur when using any of the Director web consoles from an unsupported browser. Prior to upgrading your production environment to 14.2, make sure your Venafi user base has a supported browser version available to them, or perform your own testing on the other browsers you use. Aperture is not compatible with Internet Explorer 8 and will not function.
See Article: Why we use Internet Explorer 10
VeriSign/Symantec Major Driver Update
The Venafi TrustAuthority VeriSign driver now ONLY uses the VeriSign VICE2 API for certificate enrollment and other operations with the VeriSign MPKI service. This requires an updated admin certificate from Symantec. If you are a VeriSign MPKI customer, Director 14.1 enrollment will NOT function until you get the updated credential. The following Venafi knowledgebase article provides instructions for getting an updated Admin Certificate for VICE2 usage: https://support.venafi.com/entries/25827006
If you are upgrading from Director 8.0.1, 8.0.2, 8.0.3, Director 11.0.0, or Director 14.1, then you have already completed these steps in your environment. They do not need to be repeated.
Venafi Operational Certificate
Venafi Trust Protection Platform 14.2 utilizes the Venafi Operational Certificate that was introduced in Director 14.1. This certificate is used by the product for securing all web traffic, log server traffic, and agent traffic. It is no longer necessary to use the IIS6 or CAPI driver to provision the Director certificate to IIS. Once you renew the Venafi Operational Certificate, it will be utilized the next time the Log Server service is restarted or the IIS Application Pools refresh. As a best practice, delete your current Venafi IIS certificates and their associated device and application objects after the upgrade, so that you don't have duplicates of the same certificate or leave the certificate unnecessarily set to use a provisioning driver. For more information on the Venafi Operational Certificate, including updating it, see the Venafi 14.2 product documentation.
Note: No action required if upgrading to 14.2 from 14.1
For more information on the Venafi Operational Certificate, see https://support.venafi.com/entries/54287116
Venafi Log Server
Venafi Trust Protection Platform 14.2 utilizes the Log Server caching feature that was introduced in Director 14.1. Due to this feature, there is no longer the concept of a Secondary Log Server. On each Venafi Platform server, specify the Hostname/IP address of your one Log Server. All Venafi Platform servers will send their logs to that Log Server. If the Log Server becomes unreachable, each server will begin caching its logs in its own local log server cache. While in cache mode, the caching log service will check regularly whether the connection to the Log Server has been restored. Once it is restored, all Venafi Platform servers will feed their cached logs to the Log Server to be stored in the database for notification rule processing.
For more information on changes to Logging Services, see https://support.venafi.com/entries/53875088
Venafi Aperture Memory Requirements
The new Venafi Aperture console has higher memory (RAM) requirements than the Venafi Web Administrator Console. If you plan to deploy Aperture to a large number of end users, please review the updated hardware requirements in the product documentation titled Install Guide included with Venafi Trust Protection Platform 14.2.
Provisioning Certificates to IIS 7.x and IIS 8
If you are currently using Venafi TrustAuthority's IIS 6 provisioning driver to provision certificates to IIS 7.x or IIS 8, consider migrating to the new CAPI provisioning driver. It utilizes Windows PowerShell 2.0+ and does not require that the IIS 6 backward-compatibility APIs be installed on the IIS servers you are provisioning to.
Upgrade Maintenance Window
If upgrading from Director 6.1.4 through Director 9, please allow extra time during your production maintenance window for the upgrade. When Director 10 was released, additional maintenance tasks were introduced that are performed on each certificate and private key in the database. Upgrade times vary greatly; plan on an additional 15 minutes for every 5,000 certificates in your database when upgrading the first Director server in your environment.