Applies to: TPP 15.3 and Agent
The Venafi TPP Agent 15.3 is able to provision certificates to end points. Sometimes registration, the work assigned to the agent, or even a misunderstanding of what you are trying to accomplish can make this tricky.
We have put together a helpful list that covers some of the most common issues to check when you are having agent problems.
Here is a check-list to run through when troubleshooting agent certificate provisioning:
- Is the Agent Version 15.3 or higher?
Only Agents that are 15.3 or higher support Certificate Provisioning.
- Is the TPP Version 15.3 or higher?
Only TPP 15.3 or higher supports certificate provisioning.
- Is the keystore being provisioned a PEM or JKS keystore?
In TPP 15.3 through 16.2 – we only support PEM and JKS keystores for provisioning in production (we hope to add new keystores in 16.3)
- Is the agent registered with TPP and trusted?
You should be able to see it in Aperture under Agents =>Agents menu and trust level should be something like “Specific Credential”. It should NOT be missing or show up as “untrusted”.
- Has the Agent checked in recently?
You should be able to see it in Aperture under Agents =>Agents menu and the “Last seen” timestamp should be within the expected time frame (if scheduled to check-in daily, it is a red flag if the last time stamp is from two weeks ago).
- Does the agent belong to an Agent Group?
You should have an agent group created that the agent belongs to. Look up your group and make sure the agent shows up as a member.
- Does this group have “Device Placement” enabled and configured?
In order for Agents to do certificate discovery and installation, TPP must automatically create the device object, or link to an existing device object. Go to the agent details; the pop-up window will show you the full Policy path of the device it is linked to. If you don’t see this, or you see it linked to a device you don’t expect, you have a problem.
- In Web Admin or Aperture, is the “Installation/Provisioning Mode” set to “Agent”?
If TPP Automatically creates the device through Device Placement, the Installation mode will be set to “Agent” – but if TPP automatically links to a device that already existed, you’ll have to set the mode to “Agent” either through policy or explicitly on the device.
- Is the PEM or JKS Application object enabled?
Certificate Installation will not take place on Application objects (Installations) that are disabled.
- Are there any required fields missing?
When creating apps/installations automatically through discovery, required fields can be missing. Ensure that all required fields are present.
- Is the associated certificate management mode set to “Provisioning”?
For an Agent or Agentless installation of a certificate, the management type of the certificate must be set to “Provisioning”. Any other value will not work.
- Did you click the “install” or “push” button on the JKS/PEM Application to start the installation process?
Provisioning certificates may provision automatically after they renew. Outside of renewal, the installation needs to be started manually by clicking “install” in the Aperture Console or “Push” in the Web Administration console.
- Is there an approval workflow configured for stage 800 that hasn’t been approved yet?
As of TPP 15.3 through 16.2, the Agent does not support custom command injection during provisioning, but it does support workflow approval at stage 800. Is there an approval workflow configured? If so, the designated approver will need to review and approve the workflow ticket in Web Admin or Aperture before TPP will assign the certificate installation work to the agent.
- Did Provisioning fail with an error?
Typically, if Certificate Installation fails with an error, you can see the details of the failure in an updated status message in both Web Admin and Aperture. Did you see an error? If so, please review the error message for details as to why it wasn’t successful (for example, the folder for installing the certificate on the target system did not exist).
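The checklist above can be encoded as a triage routine so that the same checks are applied in the same order every time. The following is an added example, not code from Venafi or from this article: it assumes a hypothetical `AgentProvisioningState` record whose field names are this example's own (they are not TPP object attributes or TPP API fields), fills it with constructed sample data, and returns the checklist items that fail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AgentProvisioningState:
    """Hypothetical snapshot of one agent's provisioning setup.

    Field names are assumptions made for this example; they are not
    Venafi TPP object attributes or API fields.
    """
    agent_version: str
    tpp_version: str
    keystore_type: str                 # Application object type, e.g. "PEM" or "JKS"
    trust_level: str                   # as shown under Agents => Agents
    last_seen: datetime                # the "Last seen" timestamp
    checkin_interval: timedelta        # how often the agent is scheduled to check in
    group_name: Optional[str]          # Agent Group membership, None if none
    device_policy_path: Optional[str]  # device linked by Device Placement, None if missing
    installation_mode: str             # "Installation/Provisioning Mode"
    application_enabled: bool
    management_type: str               # certificate management type
    missing_required_fields: List[str] = field(default_factory=list)
    pending_workflow_stage: Optional[int] = None  # 800 while an approval ticket is open
    last_error: Optional[str] = None   # status message from a failed installation


def version_tuple(version: str):
    """'15.3' -> (15, 3) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def triage(state: AgentProvisioningState, now: datetime) -> List[str]:
    """Return the checklist items that fail, in checklist order; empty means all passed."""
    findings = []
    if version_tuple(state.agent_version) < (15, 3):
        findings.append(f"agent {state.agent_version} is older than 15.3; no provisioning support")
    if version_tuple(state.tpp_version) < (15, 3):
        findings.append(f"TPP {state.tpp_version} is older than 15.3; no provisioning support")
    if state.keystore_type.upper() not in ("PEM", "JKS"):
        findings.append(f"keystore {state.keystore_type} is not PEM or JKS; not supported for provisioning")
    if state.trust_level.strip().lower() == "untrusted":
        findings.append("agent is registered but untrusted")
    # Red flag once more than two scheduled check-ins have been missed
    if now - state.last_seen > 2 * state.checkin_interval:
        findings.append(f"agent last seen {now - state.last_seen} ago but checks in every {state.checkin_interval}")
    if not state.group_name:
        findings.append("agent is not a member of any Agent Group")
    if state.device_policy_path is None:
        findings.append("Device Placement did not create or link a device object")
    if state.installation_mode != "Agent":
        findings.append(f"Installation/Provisioning Mode is {state.installation_mode!r}; must be 'Agent'")
    if not state.application_enabled:
        findings.append("PEM/JKS Application object is disabled")
    if state.missing_required_fields:
        findings.append("required fields missing: " + ", ".join(state.missing_required_fields))
    if state.management_type != "Provisioning":
        findings.append(f"management type is {state.management_type!r}; must be 'Provisioning'")
    if state.pending_workflow_stage == 800:
        findings.append("stage 800 workflow ticket is awaiting approval")
    if state.last_error:
        findings.append("last installation failed: " + state.last_error)
    return findings


NOW = datetime(2016, 6, 1, 12, 0)  # constructed reference time for the samples

# Constructed sample states: one that passes every check, one with several problems
HEALTHY = AgentProvisioningState(
    agent_version="15.3", tpp_version="16.2", keystore_type="JKS",
    trust_level="Specific Credential", last_seen=NOW - timedelta(hours=6),
    checkin_interval=timedelta(days=1), group_name="Linux Web Servers",
    device_policy_path="\\VED\\Policy\\Agents\\web01", installation_mode="Agent",
    application_enabled=True, management_type="Provisioning",
)

BROKEN = AgentProvisioningState(
    agent_version="15.2", tpp_version="16.2", keystore_type="PKCS12",
    trust_level="Specific Credential", last_seen=NOW - timedelta(days=14),
    checkin_interval=timedelta(days=1), group_name="Linux Web Servers",
    device_policy_path="\\VED\\Policy\\Agents\\web02", installation_mode="Manual",
    application_enabled=True, management_type="Enrollment",
    pending_workflow_stage=800,
)

if __name__ == "__main__":
    for name, state in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, triage(state, NOW) or ["all checks passed"])
```

The checks are ordered as the checklist is, so the first finding is the one to fix first: a version below 15.3 or an unsupported keystore makes the later checks moot, while a pending stage 800 ticket or a stale "Last seen" explains why correctly configured work never reaches the agent.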
If none of these checks find anything, you may need to set the TPP and Agent logs to debug and look for errors in the TPP Default SQL Channel or the Agent events.sq3 file. If an error is found, please make sure to review the error together with the info/debug events before and after it, so the error has the context of what was being attempted when it occurred.
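For the final log review step, the following added example (not Venafi's code; the real layout of events.sq3 is not described on this page, so the `events` table with `ts`, `severity` and `message` columns is an assumption of this example) loads a constructed set of agent events into an in-memory SQLite database and pulls out each Error event together with the info/debug events immediately before and after it, which is the context the paragraph asks you to review.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample events (not real agent output). The column layout is an
# assumption of this example; the actual events.sq3 schema is not shown on this page.
SAMPLE_EVENTS = [
    ("2016-06-01 09:00:01", "Info",  "Agent check-in started"),
    ("2016-06-01 09:00:02", "Debug", "Received work: install certificate to /etc/pki/web/server.pem"),
    ("2016-06-01 09:00:02", "Debug", "Keystore type: PEM"),
    ("2016-06-01 09:00:03", "Error", "Install failed: directory /etc/pki/web does not exist"),
    ("2016-06-01 09:00:03", "Info",  "Reporting installation status to TPP"),
    ("2016-06-01 09:00:04", "Info",  "Agent check-in complete"),
    ("2016-06-01 10:00:01", "Info",  "Agent check-in started"),
    ("2016-06-01 10:00:02", "Debug", "No work assigned"),
]

Row = Tuple[int, str, str, str]  # (id, ts, severity, message)


def load_events(rows, path=":memory:") -> sqlite3.Connection:
    """Create the event table and insert rows in log order; ids follow insertion order."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events "
        "(id INTEGER PRIMARY KEY, ts TEXT, severity TEXT, message TEXT)"
    )
    conn.executemany("INSERT INTO events (ts, severity, message) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def error_contexts(conn, before=3, after=2) -> List[Tuple[int, List[Row]]]:
    """For each Error event return (error_id, surrounding rows).

    The window is `before` events preceding and `after` events following the
    error, in log order, so the debug/info trail shows what was being attempted.
    """
    error_ids = [r[0] for r in conn.execute(
        "SELECT id FROM events WHERE severity = 'Error' ORDER BY id")]
    contexts = []
    for eid in error_ids:
        rows = conn.execute(
            "SELECT id, ts, severity, message FROM events "
            "WHERE id BETWEEN ? AND ? ORDER BY id",
            (eid - before, eid + after),
        ).fetchall()
        contexts.append((eid, rows))
    return contexts


def format_context(error_id: int, rows: List[Row]) -> str:
    """Render one window with the error line marked so it stands out when read."""
    lines = []
    for rid, ts, severity, message in rows:
        marker = ">>" if rid == error_id else "  "
        lines.append(f"{marker} {ts} [{severity:<5}] {message}")
    return "\n".join(lines)


if __name__ == "__main__":
    conn = load_events(SAMPLE_EVENTS)
    for eid, rows in error_contexts(conn):
        print(format_context(eid, rows))
        print()
```

In the constructed sample the two Debug lines before the Error show that the agent was installing a PEM certificate to /etc/pki/web, which is exactly the detail the article's own example (a missing target folder) needs; the Info lines after it confirm the failure was reported back to TPP, so the status message in Web Admin or Aperture should carry the same text.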