Venafi Trust Protection Platform version 18.4 introduces some significant enhancements across the product line, including scale and performance improvements through the Work Queue enhancements and more.
IMPORTANT! Before upgrading to version 18.4, carefully review the topic "Important Considerations Before Upgrading to Venafi Platform 18.4."
Scale & Performance
- Documented System Requirements Update
Based on scale and performance improvements made during the 2018 release cycle, the documented system requirements for Venafi server and database sizing have been updated to help new and current customers with production deployments.
Click here for updated requirements documentation - Work requests begin processing almost instantly
A new “Work Queue” framework has been introduced in 18.4. In previous versions, even on idle systems, it would take up 60 seconds in the default configuration to begin processing work. Now work requests begin processing almost immediately. - Support for more Venafi servers
To improve performance and scalability, more Venafi servers can be added. In previous versions, adding additional Venafi Servers to run service modules (e.g. Certificate Manager, Validation), depending on the circumstances, could cause slowdowns instead of the expected processing gains. With the new Work Queue framework, the Venafi cluster can take full advantage of each Venafi server in the environment. - Work prioritization based on type of work and how it was requested
Certificate and SSH Keys requested through Aperture, WebAdmin, or WebSDK are given highest prioritization. On busy systems, these types of work requests jump to the front of the line, and special resource reservations are made for them so that they can be acted upon almost instantly, even when the system is under heavy load. Any type of work requested through the UI or WebSDK is given priority over scheduled work. - Handling higher number of scheduled certificate installations
In 18.2 standard approvals were refactored to scale better. In 18.4, the same refactoring was applied to the “Scheduled Approvals” feature often used to schedule the installation of certificates during maintenance windows. Scheduled workflow approvals can now scale to much higher numbers without impacting the usability of the system. In previous versions, when exceeding 1,000 scheduled workflow approvals, the system usability would be negatively impacted. - Increase scalability of Adaptable Workflow scripts
In 18.3 the Adaptable Workflow feature was introduced. One of the use cases for the feature was to allow to integrate with Change Management control systems or Configuration Management Databases (CMDB) for handling approvals. In these types of use cases, Venafi would check on the status of the approval every 60 seconds, which wouldn’t scale to a high number of concurrent approvals taking place. Now, in 18.4, the “Seconds to Pause” parameter can be leveraged in adaptable scripts to let the script decide how frequently the script is executed to check on the approval status in the CMDB. - Simplified Venafi database maintenance
In previous versions of the Venafi Platform, database administrators (DBAs) would frequently get alerted to high fragmentation of database indexes and unique constraint violations within database tables. With the introduction of the new Work Queue framework in 18.4 the occurrence of both alerts should be significantly reduced. - Troubleshooting of Work Processing issues
The new Work Queue framework provides greater visibility into, and logging of, problems that might occur while work is processing. While speed, scalability, and stability were the main design goals of the new framework, supportability and debugging were also important design considerations. Previously, special tools were required for troubleshooting. In 18.4, greatly enhanced log messages give critical insight if a problem occurs.
TLS/SSL Certificate Product
- Distributed discovery of TLS certificates across segmented networks and overlapping IP ranges
The Venafi Platform now ships with Scanafi, a new lightweight and robust utility for discovering TLS server certificates in various parts of your network. You can now discover certificates without deploying additional Venafi servers. Scanafi automatically uploads discovery results to the Venafi Platform using the new POST Discovery/Import REST API method. Scanafi also alleviates challenges with proxy servers and overlapping IP ranges. Regular scanning can be easily achieved using common schedulers (e.g. cron and Windows Task Scheduler). Scanafi is available in Linux, macOS, and Windows versions.
See more in product documentation - Aperture Support for Citrix NetScaler and IBM DataPower installations
Easily install certificates onto Citrix NetScaler and IBM DataPower appliances. These new installation types are now available in Aperture for teams to use. Previously was only available in WebAdmin.
See more on Netscaler and DataPower certificate installation - General Availability of Onboard Discovery for NetScaler and DataPower
Previously only available in BETA, NetScaler and DataPower are now generally available for Onboard Discovery. It has never been easier to import and rotate your NetScaler and DataPower certificates. This turnkey solution is easy to use and configures everything needed for certificate installation. Also supports scheduling.
See more on Netscaler and DataPower onboard discovery - Enhanced renewal capability for DigiCert
When the Venafi Platform renews DigiCert certificates that were created by discovery or import, the certificates can now be renewed so customers get credit for any time remaining on the expiring certificate. #43393 - Option to Opt-Out of Certificate Transparency (CT) logging for DigiCert and Entrust
New option on CA template allows administrators to control whether their OV certificates are published to a Certificate Transparency log. This typically applies to publicly trusted certificates that are only used inside the organization's private network. - Enhanced Key Usage (EKU) selection for Entrust
New option on CA template allows administrators to specify whether their Entrust issued certificates can be used for Server Authentication, Client Authentication, or both.
SSH Product
- Discovery of sshd_config for review in Aperture
Server Agent now discovers the sshd_config files for the SSH server. This allows SSH administrators to be able to review SSH server configurations and centrally spot configuration problems that can pose security or operational issues.
See more in product documentation - Autocomplete for authorized keys path based on sshd_config
When adding an authorized key file, you can choose from an existing location, based on discovered authorized key locations by sshd_config, or you can add a custom location if the location you need was not discovered by the system.
See more in product documentation
Enterprise Mobility Protect Product
- Android devices can download historical certificates on User Portal
If end users need to be able to read older encrypted mail on their mobile devices, the User Portal detects Android devices and shows historical versions of their S/MIME certificates. Each version can be downloaded and installed onto the device. Separating historical certificates into a list is necessary because Android devices can’t open a single certificate file that contains multiple certificates. - Easier to deploy User Agent onto macOS
Installation of the User Agent for macOS now supports installation parameters to configure the User Agent installation. Previously administrators had to modify the macOS agent deployment package to configure the agent to set things like Venafi server URL or registration password. Command line installation parameters allow easier deployment without breaking the digital signature of the deployment packages that Venafi ships.
See more in product documentation - User Agent support for macOS 10.14 Mojave
The 18.4 User Agent officially supports the latest version of macOS, 10.14 Mojave. Although not specifically tested, 18.2 and 18.3 versions of macOS agent are also expected to work on Mojave, but will always be in "Light mode."
REST API (Web SDK)
- POST Discovery/Import
New API method that imports your SSL/TLS server certificates to a zone Name (Policy DN). Designed to work with the Scanafi discovery utility.
See more in product documentation - POST Certificates/Validate
Validation is the best way to confirm that your certificate inventory is always current and accurate. Now, you can automate the validation of one or more certificates through a new API method that initiates SSL/TLS and installation validation. While Aperture only allows you to click “Validate Now” one at a time, this method supports bulk validation processing. - See more in product documentation
- GET ProcessingEngines
Returns a list of all Venafi Servers/Engines
See more in product documentation - GET ProcessingEngines/Engine/{engine guid}
For a given server, the call returns the list of folders that the Venafi Engine has been assigned to process.
See more in product documentation - POST ProcessingEngines/Engine/{engine guid}
Assigns the Venafi Server/Engine to the list of folders provided.
See more in product documentation - GET ProcessingEngines/Folder/{folder guid}
For a given folder, provides a list of engines that are explicitly assigned for processing on that specific folder.
See more in product documentation - PUT ProcessingEngines/Folder/{folder guid}
Allows to assign a list of engines to a specified folder
See more in product documentation - DELETE ProcessingEngines/Folder/{folder guid}
Removes all Venafi Servers/Engines from processing assignments on the given folder
See more in product documentation - DELETE ProcessingEngines/Folder/{folder guid}/{engine guid}
Removes a specific Venafi Server/Engine from processing assignment on a specific folder
See more in product documentation
Server Agent
- Server Agent Sets File Permission on Certificate Keystores
Linux and Unix agents are updated so that they honor file permissions configured for certificate keystore installation. This allows the targeted application that consumes the certificate to have appropriate permissions to the keystore. - Discovery of sshd_config for review in Aperture
Server Agent now discovers the sshd_config filesf or the SSH server. This allows SSH administrators to be able to review SSH server configurations and centrally spot configuration problems that can pose security or operational issues. - Improved Aperture Status for Certificate Installation
When a certificate installation is in a pending status while it waits for it’s assigned agent to check-in, a more detailed and accurate installation status is available so the certificate administration knows what the next steps are.
Platform
- Script the rotation of TPP Database Credentials and HSM Pin
You can now use the CLI to rotate database and HSM credentials without opening the Venafi Configuration Console. This allows scripting of database and HSM pin changes.
See more in product documentation - Adaptable Scripts Change Detection
The Venafi Platform now securely stores the last known good hash of enabled Adaptable PowerShell scripts. If script files change on any Venafi server, the Adaptable driver will not execute it until a Venafi administrator approves the change. This enhances the security posture of the Adaptable Framework so users with administrative access to the Windows servers where Venafi is installed can’t alter scripts without also having administrative access into the Venafi Platform.
See more in product documentation
TrustNet Product
The features in TrustNet will be released after 18.4’s public release date and will be available for some older versions of Venafi Platform as well.
- Trust Protection Platform Event Generation and Logging
Generate Event: Company reputation score change. Will be made available for 18.2 and later. - New dashboard widgets
Trend widgets to capture customer risk and score trends, and to capture certificates discovered by source (Internet scan, customer-initiated scan, Google, Censys, etc.). Dynamic widget to filter by certificate location in public IaaS, PaaS (Aws, Azure, GCP). Will be made available for 18.1 and later.
Driver integration
- HashiCorp Vault integration
A new open source integration between a HashiCorp Vault and a Trust Protection Platform backend. After, HashiCorp issues CA issues certificates, it can automatically forward them to Trust Protection Platform. Available for Windows or Linux. To download, go to https://github.com/Venafi/vault-pki-backend-venafi. - HashiCorp Vault PKI secrets engine
A new open source integration that can import signed certificates to the Venafi Platform. Available for Windows or Linux. To download, go to https://github.com/Venafi/vault-pki-monitor-venafi. - VCert is Open Source
The VCert command line utility and a Go SDK are now available to the open source community. VCert has been designed to simplify integrations with the Venafi Platform including key generation, certificate enrollment, renewal, and To download, go to https://github.com/Venafi/vcert. - Cert-manager demo
A new demo shows how you can integrate the Kubernetes Jetstack Cert manager with Trust Protection Platform is available: https://github.com/Venafi/cert-manager-venafi-demo.
Comments