Applies To
All versions of TPP
Symptom
When the binding for port 80 is removed in IIS some components of Venafi stop functioning.
Affected components include:
- Agent check-in (fails to start at all. When running in interactive mode, you literally see no activity)
- WebSDK (Receive 500 error during authentication and you don't get an API key)
- Authentication Server for WebSDK Token Issuance
- SCEP/NDES
Cause
Despite the fact the the clients in these components are not sending any traffic over port 80 to the Venafi TPP server the web.config for the API of these components requires port 80 to be open. There is, however, a modification that can be made to the web.config files for the affected components which will allow the binding to be removed.
NOTE: Removal of this binding MAY stop other unrelated processes. For instance, SCEP clients often only support HTTP. Additionally, if a CRL is actually STORED on the TPP server, then a CRL check may fail, since CRL's are only published for LDAP and HTTP.
Resolution
There are two resolutions to this. The recommended resolution is to leave port 80 bound or add it back in. The other is to follow these steps to allow us to ignore that it's missing as follows:
Edit the following Web.config files:
- <TPPInstallPath>\Venafi\Web\Client\Web.config
- <TPPInstallPath>\Venafi\Web\WebSDK\Web.config
- <TPPInstallPath>\Venafi\Web\VScep\Web.config
- <TPPInstallPath>\Venafi\Web\AuthServer\Web.config
By adding the following clause right after “ <system.serviceModel>” in each file.
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding>
<security mode="Transport" />
</binding>
</webHttpBinding>
</bindings>
</system.serviceModel>
Restart IIS (e.g. IISReset)
Comments