Upgrading Venafi Agent from KMIP to REST in 14.2

Applies to:

Venafi Trust Protection Platform 14.2


Venafi Trust Protection Platform 14.2 reintroduce the Certificate Scanning Agent under the new REST Architecture.  In 14.2, all KMIP agents must be upgraded to the REST Agent.  All KMIP Services will be removed in future versions of the Venafi Platform.  This conversion must take place on 14.2


  1. Locate the Agent Update Package inside the "Venafi Trust Protection Platform" that was downloaded from the Venafi FTP Site:
    "Agent\Updater Packages\Director Agent Upgrade"

  2. Copy the "Director Agent Upgrade" file to the "C:\Venafi\Program Files\Venafi\Packages\" folder.
    Note: you may need to replace the default path if you have installed the software into a custom location

  3. Reference the KB "How to: Venafi Updater" ( for steps on how to use Venafi Updater to apply the Agent Updater Package to your Venafi Server that has the KMIP services role and currently has KMIP Venafi Agents reporting to it.

  4. Create and configure dynamic groups and rules for setting up Agents and distributing work.
    • For detailed information on configuring dynamic groups, see the topic in the Product Documentation: "Administration Guide > Preparing Trust Protection Platform for Agent Discovery"
  5. Enable and configure auto update on the KMIP service module by doing the following:
    • Log into the Web Administration Console.
    • From the Platforms tree, click Modules > Base Agent > Client Configuration tab.

      WARNING! Do NOT use an IP address as the KMIP call-home address. If an IP address is specified in the Call home addresses/names box on the Client Configuration tab, you must change it to match the common name (CN) of the Venafi Operational Certificate before you perform the Agent upgrade. If you fail to do so, the agents will be upgraded but they will not be able to connect to the Trust Protection Platform server successfully.
    • In the Agent Module Handlers box, select Enable Auto Update
  6. Configure Agent update rules that will be used to identify KMIP-enabled agents that you want to upgrade:
    • In the Agent Upgrade Rule box, click Add.
    • In the Add KMIP Rule box, enter a name for the new rule.
    • From the Attribute list, choose an attribute to be used to help identify KMIP-enabled Agents (or group of Agents) that you want to upgrade.
    • From the Condition list, select a condition to be used in narrowing the focus of the rule, and then specify specify a value in the Values field for identifying specific servers.

      For example, you might select the Name attribute, the Contains condition, and then type "win" as the Value to discover KMIP-enabled Agents that include win as part of their hostnames.
  7. Click OK, and then click Save.
  8. Do one of the following:
    • Restart the Trust Protection Platform services if you want to execute the rules and perform the upgrade immediately.
    • Wait for each Agent's next scheduled check-in to run.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request