Applies To:
Venafi Trust Protection 15.2.0 and Venafi Server Agent 15.2.0
Summary:
Customers currently using the Venafi Server Agent should carefully read this Knowledgebase article to understand changes in behavior for Certificate and SSH functions on the Venafi Server Agent prior to upgrading to Venafi Trust Protection Platform 15.2.0
More Info:
Device Placement Work
New in Venafi Trust Protection Platform 15.2.0 is Device Placement Work. This work needs to be configured for SSH and Certificate Discovery to function. It tells the Venafi Platform where to create the devices within Venafi Inventory that will contain the configuration information for each device that your Venafi Server Agent is installed on. SSH and Certificate Discovery will not continue unless a device within Venafi Inventory has already been created to represent the system your Venafi Server Agent is installed on.
Certificate Discovery
In addition to Device Placement needing to be configured and assigned to all Venafi Server Agents, existing Certificate Discovery work needs to be updated for new configuration requirements for Venafi Trust Protection Platform 15.2.0. The primary item that needs to be configured is where to place new certificates directly within Venafi Inventory once discovered. Important Note: once you upgrade your Venafi Platform to 15.2.0 and upgrade your Device Placement and Certificate Discovery work, new certificates that the Venafi Server Agents discover will place only newly discovered certificates into Venafi Inventory. In order to place certificates that were discovered on older versions of Venafi Trust Protection Platform, all agents need to be upgraded to version 15.2.0 which will trigger the agents to disregard existing agent discovery cache and resend all discovery results to the Venafi Platform for placement.
Server Agent Check-in
Due to how Venafi Trust Protection Platform randomly performs assigned work, your Venafi Server agent may not receive assigned SSH and/or Certificate Discovery work on first check-in. Even Device Placement (and Certificate Discovery) is configured correctly, the SSH Discovery or Certificate Discovery work may not be received by the agent until the second check-in. This is because the device that represents the system must already be created within Venafi Inventory prior to the Server Agent receiving the assigned discovery work.
Root Certificate Discovery
Root certificates discovered by the Venafi Server Agent will automatically be placed in the Roots Tree within the Web Administration Console. Venafi Trust Protection Platform 15.2 - Smart Config (the process of automatically creating configuration of certificates, devices, and applications through different discovery methods) does not support showing the relationship of where Root Certificates were discovered. This functionality is planned to be implemented in future versions of the Venafi Platform.
Discovery Changes in Certificates
In previous versions of Venafi Trust Protection Platform, when the Venafi Server Agent discovered on subsequent scans that a known cert is no longer present on a system, it would remove the result from the Discovery Results in the Web Administration Console. In version 15.2.0 of the Venafi Platform, there is no current functionality to inform users when agents learn that the instance of the certificate is no longer on a system. This functionality is planned to be added in future versions of the Venafi Platform.
Known Issue:
- Agent Registration Password - In 15.2.0 there is a known defect where Agent Registration Passwords configured in Aperture from previous versions do not get displayed properly in Aperture after upgrading. The cause of this bug is because the format that references to Registration Passwords has changed in 15.2 (previously stored as a Distinguished Name and now stored as a GUID). Agents will continue to check-in normally. However, it is advised that after upgrading customers go into Aperture and reselect the credentials that were selected in previous versions so they can show up in Aperture and the references can be updated to a GUID. (Venafi Internal Bug #20056)
Comments