Applies to:
Upgrades to Venafi Trust Protection Platform 16.4
Summary:
Trust Protection Platform 16.4 introduces new functionality for managing certificates in Aperture, F5 provisioning driver enhancements, and new security-related features in the SSH product. Depending on the version you are upgrading from, some of the enhancements implemented over the last two years require action on your part either before the upgrade or immediately after it. Please read this Knowledge Base article carefully before upgrading.
For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 16.4.
More information about the Venafi Trust Protection Platform 16.4 life cycle is available here: https://support.venafi.com/entries/23267241
More Information:
Update of Universal C Runtime is now required
Starting in version 16.3, the library used to provide SNI (Server Name Indication) support during SSL/TLS certificate validation requires an update to the Universal C Runtime in Windows. This update must be installed before you run the 16.4 Trust Protection Platform installer. It is required on both Windows Server 2008 R2 and Windows Server 2012 R2.
Download the update specific to your OS at: https://support.microsoft.com/en-us/kb/2999226
TPP 16.4 Requires .NET Framework 4.6.1 to install
Before installing TPP 16.4, make sure the .NET Framework is updated to 4.6.1.
You can download the offline installer for Windows 2008 R2 and Windows 2012 R2 at:
https://www.microsoft.com/en-us/download/details.aspx?id=49982
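The following pre-flight check is an added example, not Venafi's code or part of the 16.4 installer. It tests both prerequisites above on a server before you launch the installer. Two details are assumptions not stated in this article: the KB2999226 update places ucrtbase.dll in System32, and Microsoft's documented "Release" registry value for .NET Framework 4.6.1 is 394254 (Windows 10 November Update) or 394271 (all other operating systems), so any value of 394254 or higher indicates 4.6.1 or later. Run it in an elevated Windows PowerShell 3.0 or later session.

```powershell
# Added example (not Venafi's code): pre-flight check for the TPP 16.4 installer
# prerequisites described in this article. Assumptions: KB2999226 leaves
# ucrtbase.dll in System32, and a .NET "Release" value >= 394254 means 4.6.1+.

function Test-Tpp164Prerequisites {
    [CmdletBinding()]
    param()

    # --- Universal C Runtime (KB2999226) ---
    # Check the DLL as well as the hotfix record: a later cumulative update can
    # supersede KB2999226 so that Get-HotFix no longer lists it.
    $ucrtDll    = Join-Path $env:SystemRoot 'System32\ucrtbase.dll'
    $ucrtHotfix = Get-HotFix -Id 'KB2999226' -ErrorAction SilentlyContinue
    $ucrtFound  = Test-Path -Path $ucrtDll
    if ($ucrtFound) {
        $ucrtDetail = 'ucrtbase.dll ' + (Get-Item -Path $ucrtDll).VersionInfo.FileVersion
    } else {
        $ucrtDetail = 'ucrtbase.dll not present in System32'
    }
    $ucrt = [pscustomobject]@{
        Check  = 'Universal C Runtime (KB2999226)'
        Passed = [bool]($ucrtFound -or $ucrtHotfix)
        Detail = $ucrtDetail
    }

    # --- .NET Framework 4.6.1 or later ---
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) {
        $netDetail = '.NET Framework 4.x "Full" registry key not found'
    } else {
        $netDetail = "Release=$release"
    }
    $dotnet = [pscustomobject]@{
        Check  = '.NET Framework 4.6.1 or later'
        Passed = ($null -ne $release) -and ($release -ge 394254)
        Detail = $netDetail
    }

    return @($ucrt, $dotnet)
}

$report = Test-Tpp164Prerequisites
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning ('Missing prerequisite(s): ' + (($failed | ForEach-Object { $_.Check }) -join '; ') +
                   '. Install them before running the Trust Protection Platform 16.4 installer.')
    exit 1
}
```

Run the script on every Trust Protection Platform server in the deployment, not only the first one you upgrade; the installer checks its own host only.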
Web Administration console Policy tree performance improvement
To accommodate customers with larger deployments, in 16.4 the Policy Tree in the Web Administration console has been refactored to provide significantly faster load times. One behavioral difference you will notice is that every node of the tree shows a + (plus) sign to allow expansion of child nodes, whether or not it has any. If a node has no child objects, the + sign disappears after it is clicked. This change was originally implemented in 16.3.
Privileged command set change for SSH Agentless
In 16.4 the list of commands that the SSH discovery and remediation engine runs with privileges ("sudo" commands if sudo is being used) has changed. Some commands no longer need to run as a privileged user, and some new commands are required instead. Refer to the article linked below for a detailed description of how to restrict the commands available to the account used for agentless SSH.
Beginning with version 16.3, the following commands are no longer required to be run as "privileged" and can be removed from /etc/sudoers entry:
- find
- sh -c find *
- host
- hostname
- touch
The following new commands need to be present in /etc/sudoers entry, beginning with 16.3:
- grep
- sha256sum
For more information, see: https://support.venafi.com/hc/en-us/articles/225511807
Updated SSH Folder Policy Violation settings in Aperture
When configuring SSH folder policy violation settings in Aperture, the functionality has been modified for consistency and clarity. For example, in previous versions, one setting was called “Allow Root Access.” This setting has been renamed “Flag Root Access” so it is clear that items will still be permitted, but they will be flagged with a status tag that allows you to find them easily.
If you are upgrading to version 16.3 or later, your folders will be updated automatically. The underlying behavior does not change: if items were being given status messages in older versions, they will continue to be given status messages after the upgrade. The labels are now clearer about what is occurring when these settings are configured.
Changes to Adaptable CA driver framework
Customers who use the Adaptable Certificate Authority driver in 16.2 must update the definition of the Prepare-ForRequest function in their PowerShell scripts. This change makes additional data available to that function so that it can support more use cases.
For details on updating your script, visit: https://support.venafi.com/hc/en-us/articles/227444167
Password complexity requirements are increased and on by default
Beginning in 16.3, password complexity requirements have been updated so that Venafi Trust Protection Platform meets or exceeds industry standards such as SANS, NIST, Microsoft, and PCI-DSS. These changes apply to:
- Downloading certificates that contain private keys from the Web Administration console or Aperture.
- Retrieving certificates that contain private keys from WebSDK
- New Accounts Local to Trust Protection Platform (or when existing accounts change their password)
The updated requirements are:
- At least 12 characters long
- Must contain a combination of at least three out of the following four categories: uppercase alphabetic, lowercase alphabetic, numeric, and special characters
Just as before, Master Admins (or those with appropriate delegated permissions) can turn the complexity off for certificate private key download via policy.
Note: The complexity requirements listed above do not apply to the automated installation of certificates via Provisioning drivers. These are typically governed by password credential objects via permissions and policy.
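The function below is an added example, not Venafi's code, that applies the rule stated above (at least 12 characters, at least three of the four categories) to a candidate password before it is used for a private-key download in the Web Administration console or Aperture, a WebSDK certificate retrieval, or a new local account. The category patterns are an assumption: the article does not define "special characters", so any character that is not a letter or digit is counted as one. The sample values at the bottom are constructed, not real credentials.

```powershell
# Added example (not Venafi's code): local check of the 16.3+ password complexity
# rule described above. Assumption: "special" means any non-alphanumeric character.
# -cmatch is required; PowerShell's -match is case-insensitive and would let
# [A-Z] match lowercase letters, silently over-counting categories.

function Test-TppPasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Password,
        [int]$MinimumLength = 12,
        [int]$RequiredCategories = 3
    )

    $patterns = [ordered]@{
        Uppercase = '[A-Z]'
        Lowercase = '[a-z]'
        Numeric   = '[0-9]'
        Special   = '[^A-Za-z0-9]'
    }

    $present = @()
    $missing = @()
    foreach ($name in $patterns.Keys) {
        if ($Password -cmatch $patterns[$name]) { $present += $name } else { $missing += $name }
    }

    $lengthOk     = $Password.Length -ge $MinimumLength
    $categoriesOk = $present.Count -ge $RequiredCategories

    [pscustomobject]@{
        Passed            = ($lengthOk -and $categoriesOk)
        Length            = $Password.Length
        LengthOk          = $lengthOk
        CategoriesPresent = ($present -join ', ')
        CategoriesMissing = ($missing -join ', ')
    }
}

# Constructed sample values (not real credentials), one per outcome:
@(
    'Tr0ub4dor&3',               # all four categories but only 11 characters: fails on length
    'correcthorsebatterystaple', # 25 characters but a single category: fails on categories
    'WinterIsComing2016',        # 18 characters, upper + lower + digit: passes
    'upgrade-to-16.4-now!'       # 20 characters, lower + digit + special: passes
) | ForEach-Object { Test-TppPasswordComplexity -Password $_ } | Format-Table -AutoSize
```

In automation, take the value from a PSCredential or SecureString rather than a string literal, and treat this check as a convenience only: the server enforces the policy, and as noted above a Master Admin may have turned complexity off for private-key downloads on a given policy.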
Customers hosting the Trust Protection Platform database on Oracle
Customers hosting the Trust Protection Platform database on Oracle must contact Venafi Customer Support to request the "16.1 to 16.2", "16.2 to 16.3", and "16.3 to 16.4" database upgrade scripts. They are NOT included in the Venafi Trust Protection Platform 16.4.0.zip file, usually available on https://ftp.venafi.com.
Please send an email to support@venafi.com requesting access to the scripts and a Venafi representative will reach out to you to assist with the request.
Note: See below for the section of Functionality Scheduled for Deprecation in Future Releases for information on the deprecation of Oracle support.
Longer upgrade window when upgrading from 16.1.x or older
Significant refactoring was done in 16.2, affecting how logs are stored in the database. When the mssql_update_16.1_to_16.2.sql upgrade script is executed, the format of the log data is modified. For every 30 million rows in the logs, you can expect the script to take approximately an hour (subject to hardware, SQL Server version, server utilization, and other factors).
It is recommended, if possible, to archive or reduce the number of logs stored in the Trust Protection Platform database prior to upgrading from 16.1.x or older.
If you have secondary log tables, read this KB article to learn how to migrate them: https://support.venafi.com/hc/en-us/articles/220761368.
Database log retention must be specified on upgrade
First introduced in 16.2, database log retention can now be configured in the Venafi Control Center (VCC) wizard during the upgrade and installation process. If this value is left blank when upgrading from 16.1 or older, your installation will NOT delete any logs and your logs will continue to grow. It is recommended that a value be entered in VCC (for example, 365 days) on the first server that is upgraded to 16.4.
Certificate settings are "read-only" during enrollment processing or while In Error
As of Trust Protection Platform 15.4, certificate enrollment settings cannot be modified while a certificate is enrolling/processing or is In Error. To make changes to the certificate (for example, to change its common name), users need to Reset the certificate state in the Web Administration Console.
Security-related changes made in 16.1 prevent users from altering a certificate signing request (CSR) after it has progressed beyond the start of the renewal process (for example, once a CSR has been uploaded). As a result, any certificates that were waiting for a new CSR to be uploaded before the upgrade will need to be reset and restarted in the Web Administration Console after Trust Protection Platform has been upgraded successfully.
Change in requirements for Database Service Account permissions
Enhancements made in 15.1, 15.3, and 16.2 have changed the permissions required by the service account used to connect to the database. Because of changes to permissions, calculations, log delivery, and log performance refactoring, the database service account that the Venafi Platform uses now requires Execute permission on specific stored procedures and Receive permission on specific message queues, in addition to the DataReader and DataWriter roles that have traditionally been required. Please see the included example scripts for assigning the correct permissions to the database service account.
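The script below is an added example, not Venafi's code and not one of the example scripts shipped with the release. It reports what the database service account can actually do, so that after running the shipped grant script you can confirm that the db_datareader and db_datawriter roles, EXECUTE on stored procedures, and RECEIVE on queues are all in place. It assumes the SqlServer (or older SQLPS) module that provides Invoke-Sqlcmd is installed, that you connect with Windows authentication and can read the catalog views, and that the "message queues" referred to above are SQL Server Service Broker queues, which is where the RECEIVE permission applies. The instance, database, and account names at the bottom are placeholders. Because the article does not name the procedures or queues, the script reports whatever is granted rather than checking for specific objects.

```powershell
# Added example (not Venafi's code): report the database service account's role
# memberships and explicit EXECUTE/RECEIVE grants. Assumes Invoke-Sqlcmd
# (SqlServer or SQLPS module) and Windows authentication. Names are placeholders.

function Get-TppDbServiceAccountPermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ServerInstance,
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][string]$Principal   # database user name of the service account
    )

    # Database role memberships for the account (expect db_datareader and db_datawriter).
    $roleQuery = @'
SELECT r.name AS RoleName
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE m.name = N'$(Principal)';
'@

    # Explicit object-level grants. class = 1 is OBJECT_OR_COLUMN; stored procedures
    # appear in sys.objects as SQL_STORED_PROCEDURE and Service Broker queues as SERVICE_QUEUE.
    $grantQuery = @'
SELECT p.permission_name AS Permission,
       p.state_desc      AS State,
       o.type_desc       AS ObjectType,
       SCHEMA_NAME(o.schema_id) + '.' + o.name AS ObjectName
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS g ON p.grantee_principal_id = g.principal_id
JOIN sys.objects              AS o ON p.class = 1 AND p.major_id = o.object_id
WHERE g.name = N'$(Principal)'
  AND p.permission_name IN ('EXECUTE', 'RECEIVE')
ORDER BY p.permission_name, ObjectName;
'@

    # sqlcmd variable substitution is textual, so a principal name containing a
    # quote would alter the query; reject it instead of passing it through.
    if ($Principal -match "'") { throw 'Principal name must not contain a single quote.' }
    $vars = @("Principal=$Principal")

    $roles  = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $roleQuery  -Variable $vars)
    $grants = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $grantQuery -Variable $vars)

    [pscustomobject]@{
        Principal     = $Principal
        Roles         = @($roles  | ForEach-Object { $_.RoleName })
        ExecuteGrants = @($grants | Where-Object { $_.Permission -eq 'EXECUTE' -and $_.State -like 'GRANT*' } | ForEach-Object { $_.ObjectName })
        ReceiveGrants = @($grants | Where-Object { $_.Permission -eq 'RECEIVE' -and $_.State -like 'GRANT*' } | ForEach-Object { $_.ObjectName })
    }
}

# Placeholder names; replace with your own instance, database, and service account.
$perms = Get-TppDbServiceAccountPermissions -ServerInstance 'SQL01\TPP' -Database 'TPP' -Principal 'svc_tpp'

$missingRoles = @('db_datareader', 'db_datawriter') | Where-Object { $perms.Roles -notcontains $_ }
if ($missingRoles)                    { Write-Warning ('Missing role(s): ' + ($missingRoles -join ', ')) }
if ($perms.ExecuteGrants.Count -eq 0) { Write-Warning 'No EXECUTE grants on stored procedures found for this account.' }
if ($perms.ReceiveGrants.Count -eq 0) { Write-Warning 'No RECEIVE grants on Service Broker queues found for this account.' }
$perms | Format-List
```

Compare the reported ExecuteGrants and ReceiveGrants against the objects named in the shipped grant script; an account that was given db_owner to "make it work" will show the roles but none of the explicit grants, which is a sign that the least-privilege script was never applied.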
Approving certificate installation (Provisioning) workflows in Aperture
In Trust Protection Platform 15.3, the ability to approve installation workflows in Aperture was added. If you're using a custom SMTP Notification Channel to send emails to approvers, those custom channels will need to be updated. This will ensure that users are directed to the correct URL in Aperture to approve enrollment or certificate installation workflows.
For detailed steps on updating your custom notifications, see: https://support.venafi.com/entries/96342568
Agent certificate discovery
Because of changes made in version 15.2.0 to how the work performed by the Venafi Server Agent during certificate discovery is configured, agents will stop performing certificate discovery until Device Placement work has been configured and assigned to all applicable agents. Certificate Discovery work also needs to be updated to have certificate placement rules applied. Agents will not start or continue certificate discovery until both of these configuration items have been completed in Aperture.
Click here for more information about changes to Server Agent in 15.2: https://support.venafi.com/entries/94449178
User Portal is now configured in Aperture
The User Portal used to be configured in the Web Administration Console. Starting with 15.4, it is configured in Aperture using Agent Groups and User Certificate Creation work.
Deprecated Functionality:
z/OS CA driver
The z/OS CA driver has been removed from Trust Protection Platform. This integration is outdated and the Adaptable CA driver provides a better alternative.
SSH non-recursive discovery
SSH Key Discovery no longer supports performing non-recursive scans. The ability to scan "just this folder" and exclude all subfolders is not available.
Aperture certificate status “Revocation Approval Required”
The Certificate Status of Revocation Approval Required has been replaced with Pending My Approval.
Venafi Server Agent has deprecated support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC) in 16.3.0
Beginning with 16.3, Venafi Trust Protection Platform no longer ships with an agent installer for HP-UX PA-RISC. This does not affect support for HP-UX on Itanium processors (HP-UX IA). Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005. Venafi is deprecating support for this specific platform in order to realign resources toward newer and more widely used enterprise operating systems.
More information on deprecation of PA-RISC: https://support.venafi.com/hc/en-us/articles/218241207
Deprecated: Aperture License dashboard widget and filter
The License dashboard widget and certificate list License filter have been removed from the Aperture console. If this filter was used in a saved Custom Report, the report will be updated to remove this filter. Licensing information can be retrieved using the in-product Licensing Report found in the Web Administration console.
Supported browsers
Internet Explorer 8 has not been supported since Venafi Trust Protection Platform 14.1. Core libraries of Aperture were updated for security fixes and performance enhancements which resulted in Aperture's incompatibility with Internet Explorer 8. As of release 16.1, Aperture will not load on IE8. Make plans now in your organization to make sure end users have a modern browser available to them.
Also in 16.1, the supported browsers were updated to Internet Explorer 11 and Mozilla Firefox ESR 38. The latest version of Google Chrome is still categorized as a compatible browser.
See Article: Why we deprecated Internet Explorer 8
Functionality scheduled for deprecation in future releases:
Oracle DB support
While Trust Protection Platform 16.4 supports both Oracle and Microsoft SQL as database platforms, Venafi intends to deprecate support for Oracle in version 17.1 (Q1, 2017). Because of this scheduled deprecation, new customers are encouraged to deploy Trust Protection Platform using Microsoft SQL.
For more information refer to: https://support.venafi.com/hc/en-us/articles/227567188
Microsoft SQL Server 2008 R2
Effective with release 17.3, support for MS SQL Server 2008 R2 will be discontinued.
This change is necessary to take advantage of newer technologies available in recent versions of SQL Server. In addition, this change will allow Venafi to fully support versions 2012, 2014 and add 2016 as a compatible version.
See: https://support.venafi.com/hc/en-us/articles/227561987
Microsoft Windows Server 2008 R2
Effective with release 17.3, support for Windows Server 2008 R2 as a supported platform for Trust Protection Platform will be discontinued for the following reasons:
- Microsoft ended mainstream support of Windows Server 2008 R2 on January 13, 2015
- To add support for Windows Server 2016
See: https://support.venafi.com/hc/en-us/articles/227629368
"VED Client" UI Portal
An undocumented and unsupported UI Portal ("VED Client") will be removed from the product in 16.4. This change should not affect any customers.