Venafi Trust Protection Platform 14.3.0
The release of Venafi Trust Protection Platform 14.3.0 brings significant changes in system and environment requirements as well as changes to platform features and architecture. Please read through this Knowledgebase Article carefully prior to upgrading. For detailed upgrade steps, please refer to the ReadMe.rtf document that was packaged with Venafi Trust Protection Platform 14.3.0.
Please carefully read through the entire list of considerations before upgrading your production environment of Venafi Trust Protection Platform to version 14.3.0.
Supported Upgrade Path
To upgrade to Venafi Trust Protection Platform 14.3.0, your current installation must be on Director 8.0.3 or later.
The following table shows the supported upgrade paths. It outlines which versions of Venafi can upgrade directly to Venafi Trust Protection Platform 14.3.0, and which versions need to be updated to an intermediate version prior to the final upgrade.
Warning: It may be possible to upgrade directly to Venafi Trust Protection Platform 14.3.0 from versions not listed in the table below, but those upgrade paths have not been fully tested.
Note: If your environment has KMIP agents, your upgrade path will be different. See KMIP Deprecation below.
| Director 8.0.3 | Venafi Trust Protection |
| Director 8.0.3 | N/A | Venafi Trust Protection |
| Director 11.0 | Venafi Trust Protection |
| Director 11.0.x | N/A | Venafi Trust Protection |
| Director 14.1.x | N/A | Venafi Trust Protection |
| Venafi Trust Protection | N/A | Venafi Trust Protection |
KMIP Deprecation
Starting in 14.3, the KMIP module has been completely removed. If you have Venafi Agents that are using KMIP (e.g. Agent 3.2 or 3.3), DO NOT UPGRADE TO Venafi Trust Protection Platform 14.3. The ability to upgrade agents from KMIP to REST is only available in 14.2.
Stay on 14.2 and completely migrate your Venafi Agents to the 14.2 REST agent before upgrading to Venafi Trust Protection Platform 14.3.
For more information on how to upgrade from KMIP to REST agent in 14.2, see https://support.venafi.com/entries/76467147
Agent Registration Password
Customers currently deploying Venafi Agents 14.1 or 14.2 will need to update their deployment strategy when moving to the 14.3 agent. Agents 14.1 and 14.2 used either the "enrollment-password" or the "enrollment-secret" attribute to initially authenticate and register with the Venafi Trust Protection Platform. These attributes have been deprecated and replaced with a new "registration-password" attribute. This new attribute must be used when rolling out the Venafi 14.3 Agent.
IIS5 has been deprecated. Any IIS5 Application objects will be converted to "Basic" Application objects. If your organization has Windows 2000 servers hosting web sites on IIS5, it is urgently suggested that you upgrade to a secure version of the Windows Server operating system that is supported by both Microsoft and Venafi.
Note: Microsoft Windows Server 2000 extended support ended on July 13, 2010 (end of life).
Microsoft Certificate Authority Template Credentials
Originally introduced in Trust Protection Platform 14.2, the security around Microsoft Certificate Authority (MSCA) Templates has been improved. In order to successfully communicate with your Microsoft CA servers, you must specify the credentials used to communicate with the CA on the template itself.
When upgrading to 14.3 from 14.1 or earlier, you must update all of your MSCA templates to reflect the service credentials Venafi uses. These credentials are no longer required during installation/upgrades and are now configured on the policy tree in the Web Administration Console.
Subject Alternative Name (SAN) Support on Microsoft Certificate Authority
Venafi Trust Protection Platform 14.2 introduced improved security around Auto-Enrollment with a Microsoft Certificate Authority. In order to support Subject Alternative Names (SANs) when enrolling with the Microsoft CA, you must configure templates to require approval for certificate requests. You can do this in one of two ways: for all templates used by the CA, or for individual templates.
When upgrading to 14.3 from 14.1 or earlier, the following changes will need to be completed for the whole Microsoft Certificate Authority:
- Using the Certificate Authority MMC snap-in, right-click on the CA's name and select Properties.
- On the Policy Module tab, click the Properties button.
- Select "Set the certificate request status to pending...".
To make the change to individual templates:
- Using the Certificate Templates MMC snap-in, right-click on a template to be enrolled by Trust Protection Platform, and then click Properties.
- On the Issuance Requirements tab, select CA Certificate Manager Approval to be required for enrollment.
Network Device Enrollment One-Time Challenge Phrase
Originally introduced in 14.2, the security surrounding "One-Time Challenge Phrases" has been improved for customers issuing certificates via Network Device Enrollment (SCEP). When upgrading to 14.3 from 14.1 or earlier, if you are using One-Time Challenge Phrases (OTCPs) in your Network Device Enrollment deployment, you must specify the user/service accounts that request OTCPs so that they are considered authorized users. Accounts that are not added to the list will be denied access to request a valid OTCP.
The configuration is found in the Web Administration Console on Platform Tree => Platform root => Network Device Enrollment tab.
Microsoft .NET Framework
Starting with Trust Protection Platform 14.2, the .NET requirement was increased to require that .NET Framework 4.5.1 be installed on your Windows Server 2008 R2 machine prior to upgrading. When upgrading to 14.3 from 14.1 or earlier, make sure you have the required version installed.
The online installer can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=40773
If your Venafi Trust Protection Platform Server is on Windows Server 2012, you must have the Microsoft .NET Framework 3.5 installed on the server. It may not be installed on Server 2012 R2 by default. Additionally, you must install the ASP.NET 4.5 role to your Web Server under the Application Development section.
IIS Add-on Module
Starting with Director 14.1 there is a requirement that Microsoft URL Rewrite Module 2.0 for IIS 7 be installed on your Venafi Trust Protection Platform servers that have any of the following Venafi platform components installed:
- Web Administration Console
- Web SDK
- Client REST
- End User Portal
The installer for IIS 7.5 on Windows Server 2008 R2 can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=7435
If installing Venafi on Windows Server 2012 R2, there is not a download available. URL Rewrite must be installed using the Microsoft Web Platform Installer (Web PI). See http://www.iis.net/downloads/microsoft/url-rewrite for details.
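As an added pre-upgrade check (example code, not part of this article or Venafi's own tooling), the following PowerShell script verifies the .NET Framework and IIS URL Rewrite prerequisites described above on the server to be upgraded. It assumes an elevated session, the Microsoft-documented .NET "Release" registry values for 4.5.1, and (an assumption) that URL Rewrite installs rewrite.dll under the inetsrv directory.

```powershell
# Pre-upgrade prerequisite report for a Venafi Trust Protection Platform 14.3 server.
# Added example; run in an elevated PowerShell session on the platform server.

function Report($Name, $Ok) {
    '{0,-26} {1}' -f $Name, $(if ($Ok) { 'OK' } else { 'MISSING' })
}

# 1. .NET Framework 4.5.1 or later (required since 14.2).
#    Release values per Microsoft: 378675 = 4.5.1 on Server 2012 R2,
#    378758 = 4.5.1 on other OS versions; later releases are higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
Report '.NET Framework 4.5.1+' ($null -ne $ndp -and $ndp.Release -ge 378675)

# 2. On Windows Server 2012 / 2012 R2, .NET 3.5 and the ASP.NET 4.5 role are required.
#    Get-WmiObject is used so the script also runs on the PowerShell 2.0 that
#    ships with Server 2008 R2, where this branch is simply skipped.
$os = (Get-WmiObject Win32_OperatingSystem).Caption
if ($os -match 'Server 2012') {
    Import-Module ServerManager -ErrorAction SilentlyContinue
    foreach ($feature in 'NET-Framework-Core', 'Web-Asp-Net45') {
        $installed = (Get-WindowsFeature -Name $feature).Installed
        Report "Feature $feature" ([bool]$installed)
    }
}

# 3. IIS URL Rewrite Module (needed for Web Administration Console, Web SDK,
#    Client REST and End User Portal). Assumption: the module places rewrite.dll
#    in the IIS inetsrv directory when installed.
$rewriteDll = Join-Path $env:windir 'System32\inetsrv\rewrite.dll'
Report 'IIS URL Rewrite Module' (Test-Path $rewriteDll)

# Remediation for the Server 2012 roles, once the report has been reviewed:
#   Install-WindowsFeature NET-Framework-Core, Web-Asp-Net45
```

URL Rewrite itself has no Server Manager feature and must still be installed from the Microsoft download or Web Platform Installer linked above.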
Venafi Trust Protection Platform 14.3 supports Internet Explorer 10 and Firefox 24 ESR and is compatible with the latest version of Google Chrome. Unexpected behavior may occur when using any of the Venafi web consoles from an unsupported browser. Prior to upgrading your production environment to 14.3, make sure your Venafi user base has a supported or compatible browser version available to them, or perform your own testing on other browsers you use. Aperture is not supported with Internet Explorer 8 and will not fully function.
See Article: Why we deprecated Internet Explorer 8
Venafi Operational Certificate
Venafi Trust Protection Platform 14.3 utilizes the Venafi Operational Certificate that was introduced in Director 14.1. This certificate is used by the product for securing all web traffic, log server traffic, and agent traffic. It is no longer necessary to use the IIS6 or CAPI driver to provision the Director certificate to IIS. Once you renew the Venafi Operational Certificate it will be utilized the next time the Log Server service is restarted or IIS Application Pools refresh. For best practice, you will want to delete your current Venafi IIS certificates and associated device & application objects after the upgrade so that you don't have duplicates of the same certificate or unnecessarily have the certificate set to use a provisioning driver. For more information on the Venafi Operational Certificate, including updating it, see the Venafi 14.3 product documentation.
Note: No action required if upgrading to 14.3 from 14.2/14.1
For more information on the Venafi Operational Certificate, see https://support.venafi.com/entries/54287116
Venafi Log Server
Venafi Trust Protection Platform 14.3 utilizes the Log Server caching feature that was introduced in Director 14.1. Due to this feature, there is no longer the concept of a Secondary Log Server. On each Venafi Platform server, specify the hostname/IP address of your one Log Server. All Venafi Platform servers will send their logs to that Log Server. If the Log Server becomes unreachable, each server will begin caching its logs in its own log server cache. While in cache mode, the caching log service will check regularly whether the connection to the Log Server has been restored. Once restored, all Venafi Platform servers will feed their cached logs to the Log Server to be stored in the database for notification rule processing.
For more information on changes to Logging Services, see https://support.venafi.com/entries/53875088
The new Venafi Aperture console has higher memory (RAM) requirements than the Venafi Web Administrator Console. If you plan to deploy Aperture to a large number of end users, please review the updated hardware requirements in the product documentation titled Install Guide included with Venafi Trust Protection Platform 14.3.