Applies To
TPP versions up to 19.4 at the time of writing; earlier versions may also work but have not been verified.
Tested and verified on 18.x and 19.x.
Overview / High Level
Most of the time the wizards are used to perform an installation or upgrade. When there are a large number of TPP servers, however, it is worth automating the process to remove the opportunity for error.
The process can be automated so that it needs little or no hands-on work from administrators. This is done by capturing an answer file while the Venafi Configuration Console (VCC) walks through the installation wizard, then replaying that file on each server with TppConfiguration.exe.
In brief, this KB covers capturing that file and then the steps for executing the process automatically.
Contents:
Prerequisites
Step 1 - Create the Answer File
Step 2 - Scripting the Services to Stop (upgrade only)
Step 3 - Configuring the Database
Step 4 - Installing the TPP Software
Addendum: 19.1 Sample XML File
Q/A - Common Questions
Prerequisites:
- At least one fully installed TPP server.
- NOTE: There are two possible installation paths: the first server, and any additional servers added to the TPP "cluster". This document covers the additional servers, since it does not make sense to automate a one-off first install.
- The service account password, and the Local Master Admin account name and password.
- Direct access to the installed TPP server and to each new TPP server.
Process Step 1: Create The Answer File.
Some of the docs that discuss this process are as follows:
Docs: How to capture (near the bottom)
Docs: Command Line Installation
- This process begins by actually performing an installation, running the wizard up to (but not through) its very last step.
- Run the MSI as you normally would.
- When VCC launches, select the option to "Add to existing".
- NOTE: This requires you to supply the HSM configuration and/or the Software Key.
- To obtain the Software Key, go to the already installed TPP server, launch VCC, and export the software key. The export is password protected: you need both the encrypted key AND its password to complete the wizard.
Docs: How to export the software key
- On the last step of the wizard, be sure to:
- Select to save an answer file.
- (Optional, recommended) select NOT to complete the installation. This lets you test the answer file on this same system.
- (Optional) encrypt the answer file with a password. Without this, the file holds the database connection string and the Local Master Admin password in plain text (see the sample at the end of this KB); the software key itself is already encrypted. Treat the file as a secret either way.
NOTE: The XML answer file is the same for an upgrade and for a new installation. This confuses people who have noticed that the upgrade wizard is much shorter. The wizard is shorter, but every section of the answer file must still be present or execution fails; during an upgrade, the sections that are not needed (because those settings are already stored locally) are simply ignored.
NOTE: Not all servers necessarily serve the same purpose (for example, some may not be logging servers). In that case you need to either perform some installations manually, maintain one answer file per server role, or disable the unneeded services/processes afterwards. For the same reason you may want to leave StartServices set to "no" in the answer file and start the services yourself.
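As an added example (not part of the original KB), the following PowerShell pre-flight check parses a captured, unencrypted answer file before it is copied anywhere: it confirms the sections the KB says must be present, lists the products and features so you can tell which server role the file builds, and flags the plaintext credentials the sample file carries (SQL DSN password, Local Master Admin password). The file path is a placeholder; the list of required sections is taken from the sample XML in the addendum.

```powershell
# Added example, not from the Venafi KB. Inspect an unencrypted TPP answer
# file before distributing it. Path is a placeholder.
$AnswerFile = 'C:\Install\19.1.xml'

$raw = Get-Content -Path $AnswerFile -Raw -ErrorAction Stop
try {
    [xml]$doc = $raw
} catch {
    # An answer file saved with the "encrypt" option is not XML; that is expected.
    throw "Not parseable as XML (encrypted file, or damaged): $($_.Exception.Message)"
}

$root = $doc.TppConfiguration
if (-not $root) { throw 'Root element <TppConfiguration> is missing' }
Write-Host "Captured $($root.CreatedOn) by $($root.By) on $($root.On)"

# Sections the wizard writes (from the sample in the KB); execution fails
# if any is absent, even on an upgrade that will ignore most of them.
$required = 'Components', 'SoftwareEncryption', 'Database', 'AdminAccount',
            'Logging', 'Environment', 'Analytics', 'Server'
$missing = $required | Where-Object { -not $root.SelectSingleNode($_) }
if ($missing) { throw "Missing section(s): $($missing -join ', ')" }

# Products and features are whitespace-separated names inside one element.
$products = ($root.Components.Products -split '\s+') | Where-Object { $_ }
$features = ($root.Components.Features -split '\s+') | Where-Object { $_ }
Write-Host "Products: $($products -join ', ')"
Write-Host "Features ($($features.Count)): $($features -join ', ')"
Write-Host "StartServices: $($root.Server.StartServices)"

# Credential hygiene: the DSN connection string and the admin password are
# stored in the clear unless the file was encrypted at capture time.
$findings = @()
if ($root.Database.DSN -match 'Password\s*=')          { $findings += 'SQL password in Database/DSN' }
if ($root.Database.DSN -match 'User ID\s*=\s*sa\b')    { $findings += 'DSN uses the SQL sa login' }
if ($root.AdminAccount.Password)                       { $findings += 'Local Master Admin password in AdminAccount' }
if ($findings) {
    Write-Warning ("Plaintext secrets present: {0}. Encrypt the file at capture, restrict its ACL, and delete it after use." -f ($findings -join '; '))
}

# Show who can read the file today.
(Get-Acl -Path $AnswerFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it against the dry-run answer file on the server where it was captured. If the file was saved encrypted, the script stops at the XML parse, which is the desired state for a file that will be copied to other servers.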
Process Step 2: Scripting the Services to Stop (upgrade only)
A single script cannot run an entire upgrade. The upgrade currently has 3 distinct stages that must be run on separate systems, in order:
- Stop all services on all connected TPP servers.
- Upgrade the database (not scriptable).
- Upgrade all TPP servers.
Stopping the services can be scripted from a single system with sc.exe (NET STOP also works, but only locally). An example, run against each server in turn:
sc \\TPP-Server1 stop VED
sc \\TPP-Server1 stop VenafiLogServer
sc \\TPP-Server1 stop W3SVC
These commands work locally (omit the \\server part) or remotely to stop the services relevant to the upgrade. Note that sc only requests the stop and returns immediately (the state it prints is usually STOP_PENDING); confirm with "sc \\TPP-Server1 query VED" that each service is STOPPED before moving on to the database upgrade. From PowerShell, call sc.exe explicitly, because sc there is an alias for Set-Content.
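The same stage as a PowerShell script, added here as an example rather than taken from the KB: it stops the three services on every server in the cluster, waits for each one to actually reach Stopped, and refuses to hand over to the database upgrade while anything is still running. It assumes PowerShell remoting (WinRM) is enabled on the TPP servers and that the caller is a local administrator there; the server names are placeholders.

```powershell
# Added example, not from the Venafi KB. Stop TPP services cluster-wide and
# verify the Stopped state before the database upgrade. Assumes WinRM is
# enabled; server names are placeholders.
$Servers        = @('TPP-Server1', 'TPP-Server2')
$Services       = @('VED', 'VenafiLogServer', 'W3SVC')   # same order as the KB
$TimeoutMinutes = 5

$results = Invoke-Command -ComputerName $Servers -ArgumentList $Services, $TimeoutMinutes -ScriptBlock {
    param([string[]]$Names, [int]$Minutes)
    $wait = [TimeSpan]::FromMinutes($Minutes)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Role-specific servers may not run every service; report and move on.
            [pscustomobject]@{ Server = $env:COMPUTERNAME; Service = $name; Status = 'NotInstalled' }
            continue
        }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction Stop
            # Block until the Service Control Manager reports Stopped, or throw on timeout.
            $svc.WaitForStatus('Stopped', $wait)
        }
        $svc.Refresh()
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Service = $name; Status = $svc.Status.ToString() }
    }
}

$results | Format-Table Server, Service, Status -AutoSize

# Gate: the database upgrade must not start while any TPP service is up.
$stillRunning = $results | Where-Object { $_.Status -notin 'Stopped', 'NotInstalled' }
if ($stillRunning) {
    $names = ($stillRunning | ForEach-Object { "$($_.Server)\$($_.Service)" }) -join ', '
    throw "Services still running: $names"
}
```

Invoke-Command fans the script block out to all servers in parallel, so the whole cluster is stopped in roughly the time the slowest server takes; a server that is unreachable surfaces as a remoting error rather than silently being skipped.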
Process Step 3: Configure the Database
Configuring the database is a manual process for both a new installation and an upgrade, and there is no reasonable way to script it. Refer to the documentation for this step. It only needs to be done once and, on an upgrade, must be done AFTER all services on all systems have been stopped.
Process Step 4: Installing the TPP Software
For the install, perform the following on each server:
- Copy the installation files to the server.
- How you do this is up to you; there are many ways to accomplish it.
- Run the MSI.
IMPORTANT NOTE: The documented fully hidden (silent) install cannot currently be run completely hands-free, because the MSI spawns a secondary process that fails to complete when run hidden. The workaround is to run the MSI in passive mode instead; as a bonus, you can then see when it has finished. The command looks like this:
msiexec /i VenafiTTPInstallx64.msi /passive
- NOTE: This returns control to the command prompt immediately, but you WILL see a progress bar. It also installs the support tools, which the silent version does not.
- The bad news is that it also launches VCC, which gets in the way of the next step and has to be cancelled and closed. In other words, it is not a fully clean solution.
- Run the configuration.
- The command looks like this (documented in the links above):
"C:\Program Files\Venafi\Platform\TppConfiguration.exe" -install:c:\YourXMLName.xml -password:YourXMLPassword -add
TppConfiguration: Installation of 'c:\19.1.xml' requested
TppConfiguration: Installation of 'c:\19.1.xml' completed without error
- NOTE: Unlike the MSI, this command waits for completion, as the output above shows; the final "completed without error" line is what a script should check for.
- NOTE: The command above includes the -add option because, on a new install, the 2nd and subsequent servers are added to an existing installation. See the following documentation page for how and when to use -add:
Command Line Configuration Switches
- NOTE: For an upgrade (and for the 1st server of a new install) the -add switch is NOT used.
- NOTE: -password places the answer-file password on the command line, where it is visible to anyone who can list processes on that server and may be recorded in shell history or job logs. Keep that window short and clear the history afterwards.
- Ensure all services are started.
- The services may already have been started by the configuration run if the answer file's StartServices setting is "yes", but remember the web services as well. The following may be useful:
sc \\TPP-Server1 start VED
sc \\TPP-Server1 start VenafiLogServer
sc \\TPP-Server1 start W3SVC
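Step 4 end to end for one server, as an added PowerShell example that is not the KB's own script: stage the MSI, run it passively and wait for msiexec itself (not for the VCC it spawns), close that console, replay the answer file and check for the "completed without error" line the KB shows, then start and verify the services. Placeholders and assumptions: the share and staging paths, the answer file name, a TPP_ANSWER_PWD environment variable supplied by whatever runs the job, the VCC window title used to close the console, the MSI name as written in the KB, and the $AddToExisting switch ($false for an upgrade or the first server of a new install, where -add must not be passed).

```powershell
# Added example, not from the Venafi KB. Install and configure ONE new TPP
# server; run locally on that server in an elevated PowerShell session.
$MsiSource     = '\\fileserver\tpp\VenafiTTPInstallx64.msi'   # placeholder share; MSI name as in the KB
$Staging       = 'C:\Install'                                   # placeholder
$AnswerFile    = Join-Path $Staging '19.1.xml'                  # placeholder
$AddToExisting = $true      # $false for an upgrade or for the 1st server of a new install
$TppConfig     = 'C:\Program Files\Venafi\Platform\TppConfiguration.exe'

# The answer-file password comes from the environment so it is never stored in this script.
if (-not $env:TPP_ANSWER_PWD) { throw 'TPP_ANSWER_PWD is not set' }

# 1. Stage the MSI locally so the install does not depend on the share staying up.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
$msi = Join-Path $Staging (Split-Path -Path $MsiSource -Leaf)
Copy-Item -Path $MsiSource -Destination $msi -Force -ErrorAction Stop

# 2. Run the MSI. /passive hands control back at once, so wait on the msiexec
#    process itself. Not Start-Process -Wait: that also waits for descendants,
#    and the VCC the installer launches would hold the script up.
$msiLog = Join-Path $Staging 'tpp-msi.log'
$p = Start-Process -FilePath 'msiexec.exe' -PassThru `
        -ArgumentList "/i `"$msi`" /passive /l*v `"$msiLog`""
$null = $p.Handle          # cache the handle, or ExitCode can read back as null
$p.WaitForExit()
if ($p.ExitCode -notin 0, 3010) {    # 3010 = success, reboot required
    throw "msiexec exited with $($p.ExitCode); see $msiLog"
}

# 3. The KB notes that the passive install leaves VCC open. Close it politely
#    (CloseMainWindow, not Kill). Matching on the window title is an assumption.
Get-Process | Where-Object { $_.MainWindowTitle -like '*Venafi Configuration Console*' } |
    ForEach-Object { $null = $_.CloseMainWindow() }

# 4. Replay the answer file. TppConfiguration.exe blocks until done and prints
#    "completed without error" on success (per the KB); anything else fails.
#    -password is visible in process listings while this runs; keep it short.
if (-not (Test-Path -Path $TppConfig)) { throw "$TppConfig not found after the MSI install" }
$cfgArgs = @("-install:$AnswerFile", "-password:$env:TPP_ANSWER_PWD")
if ($AddToExisting) { $cfgArgs += '-add' }
$output = & $TppConfig @cfgArgs 2>&1
$output | Out-File -FilePath (Join-Path $Staging 'tpp-config.out')
if (-not ($output | Select-String -SimpleMatch 'completed without error')) {
    throw "TppConfiguration did not report success:`n$($output -join "`n")"
}
# The answer file carries the DSN and admin password; it has done its job.
Remove-Item -Path $AnswerFile -Force

# 5. The sample answer file has StartServices=no, so start the services and
#    confirm each reaches Running before putting the server into rotation.
foreach ($name in 'VED', 'VenafiLogServer', 'W3SVC') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed on this server"; continue }
    if ($svc.Status -ne 'Running') { Start-Service -Name $name -ErrorAction Stop }
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    Write-Host "$name : $($svc.Status)"
}
```

The script is deliberately fail-fast: each stage throws rather than letting a later stage run against a half-installed server, and the verbose MSI log plus the saved TppConfiguration output are what you hand to support when a server does not come up.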
Addendum: Sample XML captured from 19.1
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<TppConfiguration CreatedOn="04/18/2019 12:32:53" By="Me" On="WIN-VDDTEDTALKS">
  <Components>
    <Products>CertificateProduct
      MobileProduct
      SshProduct
      CommonProduct
    </Products>
    <Features>Acme
      BulkProvisioning
      CAImport
      Certificates
      CloudMonitoring
      Scep
      OBDDiscovery
      TrustNetIntegration
      Validation
      UserCertPreEnrollment
      SSH
      Aperture
      AutoLayout
      Client
      Discovery
      Monitoring
      Reporting
      WebAdmin
      WebSDK
    </Features>
  </Components>
  <SoftwareEncryption>
    <Generate />
  </SoftwareEncryption>
  <Database>
    <DSN>Data Source=sql,1433;Initial Catalog="training and install";User ID=sa;Password=MYPASSWORD</DSN>
  </Database>
  <AdminAccount>
    <Username>admin</Username>
    <Password>lOCALADMINPASSWORD</Password>
  </AdminAccount>
  <Logging>
    <LogProcessor />
    <LogExpiration Days="90" />
  </Logging>
  <Environment>
    <CompanyName>Baird</CompanyName>
    <DeploymentType>TEST</DeploymentType>
  </Environment>
  <Analytics>
    <IncludeCompanyName>true</IncludeCompanyName>
  </Analytics>
  <Server>
    <StartServices>no</StartServices>
    <LogPath>C:\Program Files\Venafi\Logs\Tpp Configuration Log.txt</LogPath>
  </Server>
</TppConfiguration>
Q/A Common Questions
Q: How would we configure new installation automation for servers that will have different components installed? Example: Aperture servers only, User portals only, Logging servers only, etc.
A: A unique answer file will be required for each installation type.
NOTE: On upgrade, a unique answer file is NOT needed. See the following question.
Q: What happens if we have a different configuration on one server vs another during an upgrade?
A: The TPPConfiguration.EXE looks at the local system and knows what to upgrade. As with a normal upgrade for a full installation, it will ignore any information in the answer file that is not needed. This includes for servers with partial vs complete product installations.
Q: How can we ensure passwords are not compromised?
A: When you create the answer file there is an option to encrypt it with a password, which TppConfiguration.exe uses to decrypt it at run time. An encrypted answer file cannot be opened in Notepad, Word, a browser or other general-purpose utilities, and there is no interactive prompt for the password, so the database connection string and admin credentials inside it are not exposed by simply reading the file. Anyone who holds both the file and its password can still replay it with TppConfiguration.exe, so the password has to be protected as carefully as the file. Always encrypt: an unencrypted answer file contains the SQL password and the Local Master Admin password in plain text (see the sample above). Restrict the file's ACL to the installing account, copy it to each server only for the duration of the install, and delete it afterwards.
If you need to go further, deliver the file and the configuration command over an encrypted channel or through a third-party secrets management or deployment tool rather than a plain file share.
Q: Does it matter what version of the product you are upgrading from, or to?
A: No. The installation process for all versions of TPP (up to 19.1 at the time of this writing) is essentially the same: Install files, Configure the product. The MSI steps (installing the files) and the Configuration steps are always the same.
True, the wizard may look different. But what matters most is what version you're upgrading TO, or the version you're installing. As long as your answer file matches that version, you'll be fine.
Q: Can you use an answer file with the VCC on a manual upgrade?
A: No. The VCC does not prompt for an answer file on upgrade, and none is needed: the only prompt is for an account and password to continue. The answer file generated for a full install is "mostly" ignored during the automated (TppConfiguration.exe) upgrade, and it cannot be used at all in a manual VCC upgrade.
Q: The upgrade process does not allow you to save, OR enter, an answer file. How do we script an upgrade?
A: As outlined above, the answer file used for an upgrade is the SAME as the answer file for a new installation. It is correct that there is no way to capture the file during the upgrade itself; that is why you have to do a dry run of an actual installation of the target version and create the file from there, or reuse the one captured when you upgraded Test/QA. There is no shortcut.
Q: Can we use an answer file from a previous version during an upgrade?
A: No, we do not support this. The features/options change between versions - maybe not every time, but enough that this is not supported. You can try, but do so at your own risk - it is not supported.