Trust Protection Platform 16.3
Venafi driver updates and enhancements
New! Adaptable Application Driver for agentless certificate provisioning
Introducing a new TrustForce driver that separates the logic for provisioning to a network device from the inner workings of Trust Protection Platform. You can now integrate your favorite network-manageable device with Trust Protection Platform for provisioning certificates and keys.
Assign file ownership and permissions following certificate provisioning
You can now set the owner, group, and permissions of files when they are provisioned by the Apache, GSK, iPlanet, JKS, PEM, and PKCS#12 drivers. This enhancement better protects certificates, keys, and keystores on their hosts and eliminates the need to invoke scripts through a command injection workflow for this purpose.
Download certificates in Java Keystore (JKS) format
Aperture™ and Web Administration Consoles are updated with a new download option. If installing a certificate manually on a server that requires JKS, Venafi Trust Protection Platform can now output the certificate in that format for you.
Install Password Encrypted Private Keys onto F5
A new option has been added to the F5 driver that allows it to password encrypt private keys before they are provisioned to F5 v11.5 and higher. The F5 stores private keys as they were provisioned so the password protection persists when the keys are accessed by administrators using the F5 web management console.
Install certificates onto F5 with SNI-enabled SSL profiles
The F5 driver has been enhanced to account for the SNI-related settings of client SSL profiles. When the driver creates profiles, it can now apply SNI settings and when it discovers or provisions to existing profiles it automatically adjusts the SNI settings to match.
CA drivers updated with certificate transparency option
On the CA Template configuration, you can choose to have sub-domains redacted or to log the complete domain to certificate transparency log servers for the following CA drivers:
- Symantec MPKI
- GeoTrust TrueFlex
- Thawte
For more information about supported drivers, see Venafi Drivers Library.
Increased password complexity requirements
Passwords used to encrypt private keys before they are downloaded and passwords assigned to local user accounts are now subject to the following criteria:
- Password must be at least 12 characters long
- Password must contain characters from at least three (3) of the following categories:
  - Uppercase letters
  - Lowercase letters
  - Numeric characters
  - Special characters
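The two criteria above, written out as an added checker in Python (not Venafi code, and not how the product itself evaluates passwords); it assumes that any character that is not a letter or a digit counts as a special character:

```python
import string

MIN_LENGTH = 12        # "at least 12 characters long"
MIN_CATEGORIES = 3     # "at least three (3) of the following categories"


def categories(password: str) -> set:
    """Return the set of character categories present in the password.

    Assumption: anything that is neither a letter nor a digit is "special".
    """
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")
    return found


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"must be at least {MIN_LENGTH} characters long (got {len(password)})"
        )
    cats = categories(password)
    if len(cats) < MIN_CATEGORIES:
        problems.append(
            f"must use at least {MIN_CATEGORIES} of 4 character categories "
            f"(got {len(cats)}: {sorted(cats)})"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values: long-but-single-category and short-but-diverse both fail.
    for candidate in ["correcthorsebattery", "Tr0ub4dor&3", "CorrectHorse123"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```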
Support stronger password-based encryption algorithms (PBE)
This release of Trust Protection Platform adds support for two stronger password-based encryption algorithms for downloaded PKCS#8 private keys (SHA1/3DES and SHA256/AES256). When a stronger algorithm is locked by policy, downloading private keys in the legacy OpenSSL format is not allowed.
Delete certificates and certificate installations in Aperture
Certificate Managers with delete permissions can now remove retired certificates from the product inventory. When a certificate is deleted, the user is prompted either to delete all associated installations or to associate them with another certificate.
Troubleshoot certificate errors in Aperture
When certificates encounter a processing error or are rejected in an approval workflow, Aperture now shows the detailed error message on the Certificate Inventory List and the Certificate Details page. Once you resolve the issue, you can now "Retry" or "Cancel" the renewal request.
Easier to find required approvals in Aperture
Certificate renewals, revocations of current certificates, and certificate installations that require approval are all easier to find in Aperture with the updated "Pending My Approval" status. Use the filter on the inventory list or the microwidget on the dashboard to be taken to a custom action list showing the current workflows that require your review and decision.
Validation SNI (Server Name Indication) Support
Accuracy of validation results for SSL/TLS Validation is improved because Server Name Indication is now supported.
To learn more, see Server Name Indication (SNI) support for validation.
Improved validation notifications
The Validation section on the certificate's Summary tab identifies the combined result of all validations performed for the certificate (SSL/TLS, installations, and chain, where applicable). The result shows Success only when all validations were successful.
To learn more, see Review validation results.
Automatic Enrollment and Provisioning from the SDK
The Certificates/Request API call allows you to enroll or provision certificates from a single REST API call. For more information, see the Web SDK documentation.
Server Agent
Manage registered client agents from Web SDK
The Client programming interface allows you to manage registered client agents. For more information, see the Web SDK documentation.
Server Agent supports RHEL 7 and CentOS 7
The Server Agent has been updated to support Red Hat Enterprise Linux (RHEL) 7 and Community Enterprise Operating System (CentOS) 7.
Support for Microsoft SQL 2014
Previously listed as "compatible", with this release of Trust Protection Platform, Microsoft SQL 2014 is now listed as "supported."
Read store associations from Secret Store via Web SDK
Developer (SDK) documentation has been updated to provide information on how to read Secret Store attributes, such as revocation status, via the Web SDK.
SSH
SSH network device placement
The new Aperture interface for SSH allows not only network scanning of SSH ports (as in the Web Administration Console), but also automatic placement of discovered SSH devices in the policy tree. Preconfigured placement rules dynamically select the policy folder for each discovered device based on its attributes, such as IP address, host name, and SSH server version. Placement is integrated with TLS Network Discovery, so you can discover and place both using the same network scan.
SSH Agentless discovery improvements
This release contains a number of improvements for SSH Agentless discovery such as a reduced list of commands that are required to run as a privileged user, pre-filtering for keys on the remote server, checking if a key file was changed before downloading it, as well as significant performance improvements.
Because the privileged commands list has changed, configuration changes may be required if you are upgrading from an older version of Trust Protection Platform. Refer to the important upgrade considerations knowledge base article found here:
https://support.venafi.com/hc/en-us/articles/227087507
SSH Key rotation and Operation Performance Improvements
This release contains significant improvements for SSH key rotation and key operation (add, remove, edit key), including handling large keysets (up to 10,000 keys).