Info: Important considerations before upgrading to Venafi Trust Protection Platform 15.1

Applies to:

Venafi Trust Protection Platform 15.1.0

Summary:

The release of Venafi Trust Protection Platform 15.1.0 brings significant changes in system and environment requirements.  Please read through this Knowledgebase Article carefully prior to upgrading. For detailed upgrade steps, please refer to the ReadMe.rtf document that was packaged with Venafi Trust Protection Platform 15.1.0.

Please carefully read through the entire list of considerations before upgrading your production environment of Venafi Trust Protection Platform to version 15.1.0.

More Information on Venafi Trust Protection Platform 15.1 Life Cycle: https://support.venafi.com/entries/23267241

More Info:

Supported Upgrade Path

To upgrade to Venafi Trust Protection Platform 15.1.0, your current installation must be on Director 8.0.3 or later.

The following table shows the supported upgrade paths. It outlines which versions of Venafi can upgrade directly to Venafi Trust Protection Platform 15.1.0, and which versions need to be updated to an intermediate version prior to the final upgrade.

Warning: It may be possible to upgrade directly to Venafi Trust Protection Platform 15.1.0 from versions not listed in the table below, but those upgrade paths have not been fully tested.

Note: If your environment currently has deprecated KMIP agents, your upgrade path will be different. See the section KMIP Deprecation.

| Current Version                                        | Intermediate Upgrade Step | Final Version                           |
|--------------------------------------------------------|---------------------------|-----------------------------------------|
| Director 8.0.0, Director 8.0.1, Director 8.0.2         | Director 8.0.3            | Venafi Trust Protection Platform 15.1.0 |
| Director 8.0.3                                         | N/A                       | Venafi Trust Protection Platform 15.1.0 |
| Director 9.0.x, Director 10.0.x, Director 11.0.x       | Director 14.1.2           | Venafi Trust Protection Platform 15.1.0 |
| Director 14.1.2                                        | N/A                       | Venafi Trust Protection Platform 15.1.0 |
| Trust Protection Platform 14.2.11                      | N/A                       | Venafi Trust Protection Platform 15.1.0 |
| Trust Protection Platform 14.3.7                       | N/A                       | Venafi Trust Protection Platform 15.1.0 |
| Trust Protection Platform 14.4.4                       | N/A                       | Venafi Trust Protection Platform 15.1.0 |

Important Note for SSH Customers

Due to the amount of rearchitecting of the SSH product between 14.4 and 15.1, direct/automatic upgrades are not supported.  Customers using the SSH product in production environments should contact Venafi Professional Services (see https://www.venafi.com/contact/) for assistance with upgrades.  If you are using the SSH product in a sandbox or development environment, it is recommended not to upgrade but instead to install with a clean/new database.

Change in Hardware Requirements

Version 15.1 of the Venafi Platform brings large architecture changes in both the core platform and the user interfaces for increased performance and scalability.  In 15.1, the product is able to support 1,000,000 certificates and 1,000,000 keys.  Increasing the number of keys and certificates that the platform and user interfaces support required a change in hardware requirements for both the Venafi Platform servers and the database servers, because processing was optimized so that more calculations are done at the database level. Please carefully review the new Venafi Server and Database Server requirements before upgrading to 15.1.

15.1 System Requirements: https://support.venafi.com/entries/88170977

Required Version of Oracle Server and Oracle Client

Oracle 10g is no longer supported as an Oracle Server version.  The minimum required Oracle Server version is Oracle 11g Release 2 (11.2.0.4).  The minimum required Oracle Client is ODAC 12c Release 3 (12.1.0.2.1).

15.1 System Requirements: https://support.venafi.com/entries/88170977

Change in Requirements for Database Service Account Permissions

Many permissions and other calculations have been moved from the Platform Server to the database server.  Because of this change, the database service account that the Venafi Platform uses now requires "Execute" permissions in addition to DataReader and DataWriter.  Please see the following two attached example scripts for assigning the correct permissions to the database service account.
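
One way to check and assign the permissions described above on Microsoft SQL Server, shown as an added example. It is not one of the attached vendor scripts, and the account name is a placeholder to replace with your own database service account.

```sql
-- Added example for Microsoft SQL Server (not the vendor's attached scripts).
-- Run inside the Trust Protection Platform database as a database owner.
-- Assumption: N'DOMAIN\svc-venafi' is a placeholder for your service account.
DECLARE @account sysname = N'DOMAIN\svc-venafi';
DECLARE @has_execute int;
DECLARE @grant nvarchar(400);

-- Stop early if the account has no user in this database.
IF DATABASE_PRINCIPAL_ID(@account) IS NULL
BEGIN
    RAISERROR(N'%s is not a user in this database.', 16, 1, @account);
    RETURN;
END;

-- Effective EXECUTE permission, evaluated as the account itself so that
-- permissions inherited through role membership are counted.
EXECUTE AS USER = @account;
SET @has_execute = HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'EXECUTE');
REVERT;

-- Report the current state before changing anything.
-- is_db_owner = 1 means the account holds more than the article requires.
SELECT @account                                  AS service_account,
       IS_ROLEMEMBER(N'db_datareader', @account) AS has_datareader,
       IS_ROLEMEMBER(N'db_datawriter', @account) AS has_datawriter,
       @has_execute                              AS has_execute,
       IS_ROLEMEMBER(N'db_owner', @account)      AS is_db_owner;

-- Add only what is missing: DataReader, DataWriter, and Execute.
IF IS_ROLEMEMBER(N'db_datareader', @account) = 0
    EXEC sp_addrolemember @rolename = N'db_datareader', @membername = @account;
IF IS_ROLEMEMBER(N'db_datawriter', @account) = 0
    EXEC sp_addrolemember @rolename = N'db_datawriter', @membername = @account;
IF @has_execute = 0
BEGIN
    -- QUOTENAME brackets the account name so it is safe in dynamic SQL.
    SET @grant = N'GRANT EXECUTE TO ' + QUOTENAME(@account) + N';';
    EXEC sp_executesql @grant;
END;
```

Granting the two fixed roles plus EXECUTE keeps the account narrower than db_owner while still meeting the requirement stated above.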

 

Browser Cache for Aperture and End User Portal

It's possible that users may need to click the "Refresh" button in their browser when visiting Aperture or the End User Portal for the first time after the Venafi Trust Protection Platform is upgraded to 15.1.  Clicking the "Refresh" button will tell the browser to ignore the cache and request new content for the login screen.

For more information on this issue, see: https://support.venafi.com/entries/91202208

IIS5 Deprecation

IIS5 has been deprecated in Venafi Trust Protection Platform 14.3.  Any IIS5 Application objects will be converted to "Basic" Application objects.  If your organization has Windows 2000 servers hosting web sites on IIS5, it is urgently suggested that you upgrade to a secure version of the Windows Server operating system that is supported by both Microsoft and Venafi.
Note: Microsoft Windows Server 2000 extended support ended on July 13, 2010 (end of life).

Microsoft Certificate Authority Template Credentials

Trust Protection Platform 14.2 improved the security around Microsoft Certificate Authority (MSCA) templates.  In order to successfully communicate with your Microsoft CA servers, you must specify the credentials used to communicate with the CA on the template itself.

When upgrading to 15.1 from 14.1 or earlier, you must update all of your MSCA templates to reflect the service credentials Venafi uses.  These credentials are no longer required during installation/upgrades and are now configured on the policy tree in the Web Administration Console.

Subject Alternative Name (SAN) Support on Microsoft Certificate Authority

Venafi Trust Protection Platform 14.2 introduced improved security around auto-enrollment with a Microsoft Certificate Authority.  To support Subject Alternative Names (SANs) when enrolling with the Microsoft CA, you must configure templates to require approval for certificate requests. You can do this in one of two ways: for all templates used by the CA, or for individual templates.

When upgrading to 15.1 from 14.1 or earlier, the following changes will need to be completed for the whole Microsoft Certificate Authority:

  1. Using the Certificate Authority MMC snap-in, right-click on the CA's name and select Properties.
  2. On the Policy Module tab, click the Properties button.
  3. Select Set the certificate request status to pending....

 To make the change to individual templates:

  1. Using the Certificate Templates MMC snap-in, right-click on a template to be enrolled by Trust Protection Platform, and then click Properties.

  2. On the Issuance Requirements tab, select CA Certificate Manager Approval to be required for enrollment.

Network Device Enrollment One-Time Challenge Phrase

Version 14.2 improved the security surrounding "One-Time Challenge Phrases" for customers issuing certificates via Network Device Enrollment (SCEP).  When upgrading to 15.1 from 14.1 or earlier, if you are using One-Time Challenge Phrases (OTCP) in your Network Device Enrollment deployment, you must specify the user/service accounts being used to request OTCPs so that they can be considered authorized users.  Accounts that are not added to the list will be denied access to request a valid OTCP.

The configuration is found in the Web Administration Console on Platform Tree => Platform root => Network Device Enrollment tab.

Microsoft .NET Framework 

Starting with Trust Protection Platform 14.2, the .NET requirement was increased to require that .NET Framework 4.5.1 be installed on your Windows Server 2008 R2 machine prior to upgrading.  When upgrading to 15.1 from 14.1 or earlier, make sure you have the required version installed.

The online installer can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=40773

If your Venafi Trust Protection Platform Server is on Windows Server 2012, you must have the Microsoft .NET Framework 3.5 installed on the server. It may not be installed on Server 2012 R2 by default. Additionally, you must install the ASP.NET 4.5 role to your Web Server under the Application Development section.

 

IIS Add-on Module

Starting with Director 14.1 there is a requirement that Microsoft URL Rewrite Module 2.0 for IIS 7 be installed on your Venafi Trust Protection Platform servers that have any of the following Venafi platform components installed:

  • Aperture
  • Web Administration Console
  • Web SDK
  • Client REST
  • End User Portal

The installer for IIS 7.5 on Windows Server 2008 R2 can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=7435

If installing Venafi on Windows Server 2012 R2, there is not a download available.  URL Rewrite must be installed using the Microsoft Web Platform Installer (Web PI).  See http://www.iis.net/downloads/microsoft/url-rewrite for details.

Supported Browser

Venafi Trust Protection Platform 15.1 supports Internet Explorer 10 and Firefox 24 ESR and is compatible with the latest version of Google Chrome.  Unexpected behavior may occur when using any of the Venafi web consoles with an unsupported browser. Prior to upgrading your production environment to 15.1, make sure your Venafi user base has a supported or compatible browser version available to them, or perform your own testing on the other browsers you use. Aperture is not supported with Internet Explorer 8 and will not fully function.

See Article: Why we deprecated Internet Explorer 8

Venafi Operational Certificate

Venafi Trust Protection Platform 15.1 utilizes the Venafi Operational Certificate that was introduced in Director 14.1.  This certificate is used by the product for securing all web traffic, log server traffic, and agent traffic. It is no longer necessary to use the IIS6 or CAPI driver to provision the Venafi platform certificate to IIS.  Once you renew the Venafi Operational Certificate it will be utilized the next time the Log Server service is restarted or IIS Application Pools refresh.  For best practice, you will want to delete your current Venafi IIS certificates and associated device & application objects after the upgrade so that you don't have duplicates of the same certificate or unnecessarily have the certificate set to use a provisioning driver.  For more information on the Venafi Operational Certificate, including updating it, see the Venafi 15.1 product documentation.

Note: No action is required if upgrading to 15.1 from 14.3/14.2/14.1.

For more information on the Venafi Operational Certificate, see https://support.venafi.com/entries/54287116

Venafi Log Server

Venafi Trust Protection Platform 15.1 utilizes the Log Server caching feature that was introduced in Director 14.1.  Due to this new feature, there is no longer the concept of a Secondary Log Server.  On each Venafi Platform server, specify the hostname/IP address of your one Log Server. All Venafi Platform servers will send their logs to that Log Server.  If the Log Server becomes unreachable, each server will begin caching its logs to its own log server cache.  While in cache mode, the caching log service will check regularly whether the connection to the Log Server has been restored.  Once restored, all Venafi Platform servers will feed their cached logs to the Log Server to be stored in the database for notification rule processing.

For more information on changes to Logging Services, see https://support.venafi.com/entries/53875088

 

KMIP Deprecation

Starting in 14.3, the KMIP module has been completely removed.  If you have Venafi Agents that are using KMIP (e.g., Agent 3.2 or 3.3), DO NOT UPGRADE to Venafi Trust Protection Platform 15.1.  The ability to upgrade agents from KMIP to REST is only available in 14.2. Stay on 14.2 and completely migrate your Venafi Agents to the 14.2 REST agent before upgrading to Venafi Trust Protection Platform 15.1.

For more information on how to upgrade from KMIP to REST agent in 14.2, see https://support.venafi.com/entries/76467147
