Venafi Trust Protection Platform (TPP) 16.2.0
Trust Protection Platform 16.2.0 introduces new functionality such as enhanced Custom Reporting and a new Adaptable Certificate Authority Driver. In addition, we have addressed a number of issues and refactored areas of the product in order to improve stability and performance. Please carefully read through this Knowledgebase Article prior to upgrading.
For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 16.2.0.
More information about the Venafi Trust Protection Platform 16.2.0 life cycle is available here: https://support.venafi.com/entries/23267241
Supported Upgrade Path
In order to upgrade to Venafi Trust Protection Platform 16.2.0, your current installation must be on Trust Protection Platform 14.2.13 or later. In general, it is recommended that you install the latest patch for your current version of TPP prior to updating to a new major or minor version.
Customers hosting TPP Database on Oracle
Customers hosting the Trust Protection Platform database on Oracle must contact Venafi Customer Support to request the 16.1 to 16.2 database upgrade scripts. They are NOT included in the "Venafi Trust Protection Platform 16.2.0.zip" file, usually available on https://ftp.venafi.com.
Please send an email to firstname.lastname@example.org requesting access to the scripts and a Venafi representative will reach out to you to assist with the request.
Longer upgrade window for 16.2.0
Significant refactoring has been done regarding how logs are stored in the database. When the 16.2.0 upgrade scripts are executed, the format of the existing log data is converted in place. For every 30 million rows in the log table, you can expect the script to take approximately one hour (subject to hardware, SQL Server version, server utilization, and other factors). Running the upgrade against a restored copy of the production database beforehand gives the most reliable estimate for your environment.
It is recommended, if possible, to archive or reduce the number of logs stored in the TPP database prior to upgrading to 16.2.0.
If you have a secondary log server, read this KB article to learn how to migrate it: https://support.venafi.com/hc/en-us/articles/220761368.
Database Log Retention must be specified on upgrade
Database log retention can now be configured in the Venafi Control Center wizard during the upgrade and installation configuration. If this value is left blank, then your installation will NOT delete any logs and your logs will continue to grow. It is recommended that a value be entered in VCC (example: 365 days) on the first TPP server that is upgraded to 16.2.0.
Server Agent Upgrades to 16.2
One of the files changed in the 16.2 version of the Venafi Server Agent is the "vagent" file. When using the built-in Agent upgrade mechanism in TPP, this file is replaced on disk, but the new version is not used until the next time the agent restarts (stop/start of the service or reboot of the system).
Internet Explorer 8 has not been supported since Venafi Trust Protection Platform 14.1.0. Core Libraries of Aperture were updated for security fixes and performance enhancements which resulted in Aperture's incompatibility with Internet Explorer 8. Beginning with 16.1.0, Aperture will not load on IE8. Make plans now in your organization to make sure end users have a modern browser available to them.
Also in 16.1, our supported browsers were updated to Internet Explorer 11 and Mozilla Firefox ESR 38. The latest version of Google Chrome is still categorized as a compatible browser.
See Article: Why we deprecated Internet Explorer 8
Deprecated: Aperture License Dashboard Widget and Filter
The License Dashboard Widget and the Certificate list License Filter have been removed from the product. If this filter was used in a saved Custom Report, the report will be updated to remove this filter. Licensing information can be retrieved using the in-product Licensing Report found in the Web Administration Console.
Certificate Settings Read-only during Enrollment Processing or while In Error
Starting with Trust Protection Platform 15.4.0, certificate enrollment settings cannot be modified while a certificate is enrolling/processing or is In Error. In order to make changes to the certificate (ex: change the common name of the certificate), users will need to Reset the certificate state in the Web Administration Console.
Further security-related changes have been made in 16.1 that now prevent users from altering a certificate signing request (CSR) after it has progressed beyond the start of the renewal process, such as uploading a CSR. As such, any certificates that are waiting for a new CSR to be uploaded prior to upgrading to 16.1 will need to be reset and restarted using the Web Administration Console (after successfully upgrading Trust Protection Platform).
Password Complexity Requirement on by default
Starting with Trust Protection Platform 15.4.0, downloading certificates that contain private keys from the Web Administration Console or Aperture requires a password that meets a complexity requirement. This requirement can be turned off by administrators via policy, but it is on by default and will be a change for most end users.
Change in Requirements for Database Service Account Permissions
Enhancements made in 15.1.0, 15.3.0, and 16.2.0 have changed the permissions required by the service account used to connect to the database. Due to changes to permissions calculations, log delivery, and log performance refactoring, the database service account that the Venafi Platform uses now requires "Execute" permissions on specific stored procedures in addition to "Receive" permissions on specific message queues. This is in addition to the DataReader and DataWriter roles that have traditionally been required. Please see the included example scripts for assigning the correct permissions to the database service account; grant only what those scripts list rather than a broader role such as db_owner.
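The following T-SQL is an added illustration of the shape of such a grant on SQL Server; it is not the script shipped in the 16.2.0 package, which you should use as-is. The login name, database name, stored procedure names and Service Broker queue name are placeholders: substitute the identifiers from the Venafi-supplied scripts. The block grants the two roles, EXECUTE on named procedures and RECEIVE on a named queue, then verifies the account's effective permissions and audits everything granted to it.

```sql
-- Added example, not Venafi's shipped script. All object names are placeholders:
--   [CORP\svc_venafi]                                 the login the Venafi Platform services run as
--   dbo.usp_ExamplePermissionCalc, dbo.usp_ExampleLogInsert   stand-ins for the stored procedures
--   dbo.ExampleLogDeliveryQueue                       stand-in for the Service Broker queue
-- Run in the Trust Protection Platform database as a member of db_owner (or sysadmin).
USE [VenafiTPP];   -- placeholder database name
GO

-- 1. Database user mapped to the service account login (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\svc_venafi')
    CREATE USER [CORP\svc_venafi] FOR LOGIN [CORP\svc_venafi];
GO

-- 2. The roles that have always been required.
--    (On SQL Server 2008 R2 use EXEC sp_addrolemember 'db_datareader', 'CORP\svc_venafi' instead.)
ALTER ROLE db_datareader ADD MEMBER [CORP\svc_venafi];
ALTER ROLE db_datawriter ADD MEMBER [CORP\svc_venafi];
GO

-- 3. EXECUTE on specific stored procedures only. GRANT EXECUTE ON SCHEMA::dbo would also
--    work, but it hands the account every procedure in the schema, present and future.
GRANT EXECUTE ON OBJECT::dbo.usp_ExamplePermissionCalc TO [CORP\svc_venafi];
GRANT EXECUTE ON OBJECT::dbo.usp_ExampleLogInsert      TO [CORP\svc_venafi];
GO

-- 4. RECEIVE on the specific Service Broker queue. RECEIVE is a queue-level permission;
--    the service account does not need CONTROL or ALTER on the queue.
GRANT RECEIVE ON OBJECT::dbo.ExampleLogDeliveryQueue TO [CORP\svc_venafi];
GO

-- 5. Verify: impersonate the service account and list its effective permissions on each object.
--    Expect EXECUTE for the procedure and RECEIVE for the queue (plus VIEW DEFINITION if inherited).
EXECUTE AS USER = N'CORP\svc_venafi';
SELECT 'dbo.usp_ExamplePermissionCalc' AS object_name, permission_name
  FROM fn_my_permissions('dbo.usp_ExamplePermissionCalc', 'OBJECT')
UNION ALL
SELECT 'dbo.ExampleLogDeliveryQueue', permission_name
  FROM fn_my_permissions('dbo.ExampleLogDeliveryQueue', 'OBJECT');
REVERT;
GO

-- 6. Audit (run as an administrator): every explicit object-level grant held by the account.
--    Anything beyond EXECUTE/RECEIVE on the expected objects should be questioned before go-live.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
  FROM sys.database_permissions AS pe
  JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
 WHERE pr.name = N'CORP\svc_venafi' AND pe.class_desc = 'OBJECT_OR_COLUMN';
GO
```

Step 5 fails with an error rather than returning rows if the user was not created, which is a useful smoke test on its own. The Oracle equivalents (package-level GRANT EXECUTE, no Service Broker queues) differ and are supplied by Venafi Customer Support with the Oracle upgrade scripts, as noted above.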
Approving Certificate Installation (Provisioning) Workflows in Aperture
In Trust Protection Platform 15.3.0, the ability to approve installation workflows in Aperture was added. If you're using a custom SMTP Notification Channel to send emails to approvers, those custom channels will need to be updated. This will ensure that users are taken to the correct URL in Aperture to approve Enrollment or Certificate Installation workflows.
Important Note for SSH Customers
Due to re-architecting of the SSH product between 14.4 and 15.1, direct or automatic upgrades are not supported from 14.x.x to 16.1.0. For customers using the SSH Product in production environments, please contact Venafi Professional Services (see https://www.venafi.com/contact/) for assistance with upgrades. If you are using the SSH product in a sandbox or development environment, we recommend that you do not upgrade but instead install with a clean/new database. SSH Customers using 15.1.x, 15.2.x, or 15.3.x can follow normal upgrade steps to upgrade to 16.1.0.
Agent Certificate Discovery
Due to changes in version 15.2.0 in the configuration of work that the Venafi Server Agent does during certificate discovery, agents will stop performing certificate discovery until your Device Placement work has been configured and assigned to all applicable agents. Certificate Discovery work also needs to be updated to have certificate placement rules applied. Agents will not start or continue certificate discovery until these two configuration items have been completed in Aperture.
Change in Hardware Requirements
Version 15.1.0 of the Venafi Platform brought large architecture changes in both the core platform and the User Interfaces for increased performance and scalability. As of 15.1.0, the product can support 1,000,000 certificates and 1,000,000 keys. Increasing the number of keys and certificates the platform and user interfaces support required a change in hardware requirements for the Venafi Platform servers and for the database servers, because processing was optimized so that more calculations are done at the database level. Please carefully review the new Venafi Server and Database Server requirements before upgrading to 16.2.0.
16.2.0 System Requirements: https://support.venafi.com/entries/88170977
User Portal now configured in Aperture
The User Portal used to be configured in the Web Administration Console. Starting with 15.4.0, it is now configured in Aperture using Agent Groups and User Certificate Creation work.
Required Version of Oracle Server and Oracle Client
Oracle 10g is no longer supported as an Oracle Server version. The minimum required Oracle Server version is Oracle 11g Release 2, and the minimum required Oracle Client is ODAC 12c Release 3; the exact build numbers are listed on the System Requirements page linked below.
16.2.0 System Requirements: https://support.venafi.com/entries/88170977
Note: If using Oracle, please contact Customer Support for the 16.2.0 Oracle Upgrade Scripts.
Server Agent deprecating support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC) in 16.3
For 16.3, the Venafi Trust Protection Platform will no longer ship with an agent installer for HP-UX PA-RISC. This does not affect our support for HP-UX on Itanium Processors (HP-UX IP). Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005. We are deprecating support for this specific operating system so that we can realign resources to support newer and more popular enterprise operating systems.
More information on deprecation of PA-RISC: https://support.venafi.com/hc/en-us/articles/218241207