
How to: Perform a hands-free or Unattended Installation or Upgrade of Venafi TPP

Applies To

TPP Versions up to 19.1 currently, and possibly earlier versions.

Overview

Most of the time, we use the various wizards to perform an installation or upgrade. However, in the event there are a large number of TPP servers, it may be worthwhile to automate the process to prevent errors.

The very brief information needed to do this is contained in the docs. However, these only include the core information needed to develop a process. This article discusses more of the details involved.

IMPORTANT NOTE: Currently the MSI installation cannot be run completely hands-free. This is a limitation of the MSI. It can certainly be automated, but some interaction is required to make it run correctly, which is outlined below. This is contrary to the documents, which may indicate it can be run silently.

Contents:

Process Brief / Outline
Step 1 - Create the Answer File
Step 2 - Scripting the Services to Stop (upgrade only)
Step 3 - Configuring the Database
Step 4 - Installing the TPP Software
Addendum: 19.1 Sample XML File
Q/A - Common Questions


Process Brief / Outline

First, you should capture an answer file for the version of the product you are either 1) installing or 2) upgrading TO (not from).

Second, you should find a way to securely deliver your packages.

Third, be aware of passwords and such. There are two things you should be aware of. 1) The XML file has account information in it unencrypted. 2) If you encrypt the XML file, you have to supply a password to decrypt it. Using that password on a command line is fine if no one is looking over your shoulder, but it is in clear text when typed. AND, if you have to SCRIPT that process, well, you'll need to encrypt the command line as well.

Finally, be aware of timing. The first script (the installation) returns control to the command prompt immediately, while the second script (configuration) waits for completion.


Process Step 1: Create The Answer File.

This is mentioned in three places in the docs, one for capture and two for use:

Docs: How to capture (near the bottom)

Docs: Command Line Installation

Docs: Command Line Upgrade

The focus of this discussion is the Answer File, or "answerfile.xml" as the docs call it.

For both the Install methods (first system / adding to an existing system) and for an upgrade, the method of creating an answer file is the same - you have to run through the new installation wizard process, AFTER installing the files using the MSI. This answer file is created by the configuration tool, TppConfiguration.exe, which can only be run after the MSI has installed it.

The XML file is the same for either an upgrade OR a new installation. This may be a source of confusion for those who have seen that the upgrade wizard is much shorter! Though this is true, all components of the answer file must be present or execution will fail. During the upgrade process, those components that are not needed (because the settings are stored locally now) will simply be ignored.

For an upgrade therefore, it is recommended that you plan a faux installation, just to capture this file, OR perhaps do so in test. You will need a database configured for the product, as with any new installation, but you need not actually finish the installation, as there is an option at the end of the TppConfiguration.exe process to JUST create an answer file and stop. However, you must connect to the database to get that far, and it will actually validate the version / configuration of the database.

For a new installation, the process is simpler. Simply capture the file from the first server you install, and let it continue through the process to completion.

Recommended Changes: At the end of the Answer File is a setting to NOT start the services. You may want to modify this. HOWEVER, be aware that not all servers may serve the same process (e.g. some may not be logging servers) and you may in fact want to start the services manually.

No other changes are needed or necessary.
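As an added example (not from the Venafi docs or product), the following PowerShell pre-flight check parses an unencrypted answer file and confirms every top-level section is present before the file is handed to TppConfiguration.exe, since a missing section fails the run even on an upgrade. The element names are those of the 19.1 sample in the addendum; the script name and parameter are assumptions.

```powershell
# Test-TppAnswerFile.ps1 (added example, not Venafi's code).
# Checks a captured, UNENCRYPTED answer file before TppConfiguration.exe uses it.
param(
    [Parameter(Mandatory)] [string] $Path
)

[xml] $doc = Get-Content -Path $Path -Raw
$root = $doc.TppConfiguration
if (-not $root) { throw "$Path is not a TppConfiguration answer file" }

# Every top-level section must be present even for an upgrade: unneeded
# sections are ignored at run time, but a missing one makes execution fail.
$required = 'Components', 'SoftwareEncryption', 'Database',
            'AdminAccount', 'Logging', 'Environment', 'Analytics', 'Server'
$missing = $required | Where-Object { -not $root.SelectSingleNode($_) }
if ($missing) { throw "Answer file is missing section(s): $($missing -join ', ')" }

# Report what this file will install, so the right file is used on servers
# with different roles (e.g. a logging-only server needs its own answer file).
$products = ($root.Components.Products -split '\s+') | Where-Object { $_ }
$features = ($root.Components.Features -split '\s+') | Where-Object { $_ }
Write-Host ("Products:      {0}" -f ($products -join ', '))
Write-Host ("Features:      {0}" -f ($features -join ', '))
Write-Host ("StartServices: {0}" -f $root.Server.StartServices)

# The unencrypted file carries the SQL login and the local admin password in
# clear text; flag that so the file is encrypted at capture time, or at least
# ACL-restricted and deleted from each server after the run.
if ($root.Database.DSN -match 'Password=' -or $root.AdminAccount.Password) {
    Write-Warning 'Answer file contains clear-text credentials; restrict its ACL and remove it after use.'
}
```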


Process Step 2: Scripting the Services to Stop (upgrade only)

It's not possible to do a single script for an entire upgrade. This is because the upgrade currently has 3 distinct processes that must be run on separate systems, in order:

  1. Stop all services on all connected TPP servers.
  2. Upgrade the database (not scriptable)
  3. Upgrade all TPP servers.

To stop the services, you can script this from a single system with the SC command (NET STOP does the same thing on the local machine only). An example:

sc \\TPP-Server1 stop VED
sc \\TPP-Server1 stop VenafiLogServer
sc \\TPP-Server1 stop W3SVC

These commands can be used locally OR remotely to stop the relevant services for the upgrade.


Process Step 3: Configure the Database

Configuring the database is a manual process on both a new installation and on upgrade, and there is no reasonable way to script this. Please refer to the documentation for this step. It need only be done once, and on an upgrade, must be done AFTER all systems have had all services stopped.


Process Step 4: Installing the TPP Software

For the install, you will need to perform the following:

  1. Copy files to the servers for the installation.
    1. How you do this is up to you. There is a myriad of ways to accomplish this.
  2. Run the MSI
    IMPORTANT NOTE: The documentation is broken. This process cannot currently be run completely hands-free, because it spawns a secondary process that fails to complete if run hands-free. The GOOD news is that if you don't run it hidden as indicated in the docs, you can tell when it's done!
    1. The command should look like this:
      msiexec /i VenafiTPPInstallx64.msi /passive
    2. NOTE: This will return control immediately to the command prompt, but you WILL see a progress bar. The good news is that it will also install the support tools, whereas the silent version will not.
      The Bad News is that it will also launch the VCC, which defeats the next step and has to be cancelled and closed. That is, it's not a clean solution.
  3. Run the configuration.
    1. The command will look like this (documented in the above links):
      "C:\Program Files\Venafi\Platform\TppConfiguration.exe" -install:c:\YourXMLName.xml -password:YourXMLPassword -add
      TppConfiguration: Installation of 'c:\19.1.xml' requested
      TppConfiguration: Installation of 'c:\19.1.xml' completed without error
    2. NOTE: This will wait for completion, as shown above.
    3. NOTE: The script shown above includes the -ADD option, since on a new install, the 2nd and succeeding servers will be added to an existing installation. See the following documentation page for how and when to use -ADD:
      Command Line Configuration Switches
    4. NOTE: For an upgrade (as well as the 1st server on a new install) the -ADD switch is NOT necessary.
  4. Ensure all services are started.
    1. The services may have been restarted by the XML file if you set your system to auto-start the services, but remember the Web services as well. The following may be useful:
      sc \\TPP-Server1 start VED
      sc \\TPP-Server1 start VenafiLogServer
      sc \\TPP-Server1 start W3SVC
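Steps 2 through 4 above, wrapped as one per-server PowerShell script (an added example, not Venafi's code): it runs the MSI and waits for it, runs TppConfiguration.exe with the switches documented above, then starts the services and confirms they reach Running. The parameter names and the exit-code handling are assumptions; the VCC launched by the passive MSI still has to be cancelled by hand, as noted in the step above.

```powershell
# Install-TppServer.ps1 (added example, not Venafi's code).
# Run locally on each TPP server AFTER the database step has been done.
# Assumed parameters: MSI path, answer file and its password, and whether
# this server is being added to an existing installation (-add switch).
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [Parameter(Mandatory)] [string] $AnswerFile,
    [string]   $AnswerFilePassword,
    [switch]   $AddToExisting,
    [string[]] $Services = @('VED', 'VenafiLogServer', 'W3SVC')
)
$ErrorActionPreference = 'Stop'

# msiexec returns to the prompt immediately when typed; Start-Process -Wait
# blocks until it exits and exposes the exit code. /passive keeps the
# progress bar (and installs the support tools) but also launches the VCC,
# which the operator still has to cancel when it appears.
$msi = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$MsiPath`" /passive" -Wait -PassThru
if ($msi.ExitCode -eq 3010) { Write-Warning 'MSI requests a reboot before configuration.' }
elseif ($msi.ExitCode -ne 0) { throw "MSI failed with exit code $($msi.ExitCode)" }

# -add only for the 2nd and later servers of a NEW install; never for an
# upgrade or for the 1st server. The password goes on the command line in
# clear text, exactly as the documented command does.
$cfgArgs = @("-install:$AnswerFile")
if ($AnswerFilePassword) { $cfgArgs += "-password:$AnswerFilePassword" }
if ($AddToExisting)      { $cfgArgs += '-add' }

$cfgExe = 'C:\Program Files\Venafi\Platform\TppConfiguration.exe'
$cfg = Start-Process -FilePath $cfgExe -ArgumentList $cfgArgs -Wait -PassThru -NoNewWindow
if ($cfg.ExitCode -ne 0) {
    throw "TppConfiguration.exe exited with code $($cfg.ExitCode); see the file named in <LogPath>."
}

# The captured file has <StartServices>no</StartServices>, so start each
# service explicitly (W3SVC included) and confirm it actually reaches Running.
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed here; skipping"; continue }
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    $svc.Refresh()
    Write-Host "$name is $($svc.Status)"
}
```

For an upgrade, run the Step 2 stop commands against every server and confirm each service reports STOPPED before the database step, then run this script on each server without -AddToExisting.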


Addendum: Sample XML captured from 19.1

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<TppConfiguration CreatedOn="04/18/2019 12:32:53" By="Me" On="WIN-VDDTEDTALKS">
<Components>
<Products>CertificateProduct
MobileProduct
SshProduct
CommonProduct
</Products>
<Features>Acme
BulkProvisioning
CAImport
Certificates
CloudMonitoring
Scep
OBDDiscovery
TrustNetIntegration
Validation
UserCertPreEnrollment
SSH
Aperture
AutoLayout
Client
Discovery
Monitoring
Reporting
WebAdmin
WebSDK
</Features>
</Components>
<SoftwareEncryption>
<Generate />
</SoftwareEncryption>
<Database>
<DSN>Data Source=sql,1433;Initial Catalog="training and install";User ID=sa;Password=MYPASSWORD</DSN>
</Database>
<AdminAccount>
<Username>admin</Username>
<Password>lOCALADMINPASSWORD</Password>
</AdminAccount>
<Logging>
<LogProcessor />
<LogExpiration Days="90" />
</Logging>
<Environment>
<CompanyName>Baird</CompanyName>
<DeploymentType>TEST</DeploymentType>
</Environment>
<Analytics>
<IncludeCompanyName>true</IncludeCompanyName>
</Analytics>
<Server>
<StartServices>no</StartServices>
<LogPath>C:\Program Files\Venafi\Logs\Tpp Configuration Log.txt</LogPath>
</Server>
</TppConfiguration>


Q/A Common Questions

Q: How would we configure new installation automation for servers that will have different components installed? Example: Aperture servers only, User portals only, Logging servers only, etc.

A: A unique answer file will be required for each installation type.

NOTE: On upgrade, a unique answer file is NOT needed. See the following question.


Q: What happens if we have a different configuration on one server vs another during an upgrade?

A: The TPPConfiguration.EXE looks at the local system and knows what to upgrade. As with a normal upgrade for a full installation, it will ignore any information in the answer file that is not needed. This includes for servers with partial vs complete product installations.


Q: How can we ensure passwords are not compromised?

A: When you create the answer file, there is an option to encrypt it with a password. TPPConfiguration.EXE uses this password to decrypt it. The encrypted XML file cannot be opened in Notepad, Word, a browser or other utilities for decryption, and none of them will prompt for the password, so without a dedicated decryption method the information in the XML file is safe even if you have the password.

That said, if you must be even more secure, you can pass the command in an encrypted way using 3rd party tools.


Q: Does it matter what version of the product you are upgrading from, or to?

A: No. The installation process for all versions of TPP (up to 19.1 at the time of this writing) is essentially the same: Install files, Configure the product. The MSI steps (installing the files) and the Configuration steps are always the same.

True, the wizard may look different. But what matters most is what version you're upgrading TO, or the version you're installing. As long as your answer file matches that version, you'll be fine.


Q: Can you use an answer file with the VCC on a manual upgrade?

A: No. There is no prompt for the answer file on upgrade. Then again, it's not necessary. The only prompt you receive is for an account and password to continue. The answer file generated for a full install is "mostly" ignored during the automated version of the upgrade run of the VCC, but for the manual run of the VCC, you will not be able to use it.


Q: The upgrade process doesn't allow you to save, OR enter, an Answer File? How do we script an upgrade?

A: As outlined above, the Answer File you use for an upgrade is actually the SAME as the Answer File you would use for a new installation. You are correct, there is no way to capture the file during the upgrade process. That's why you have to make a dry-run of an actual installation and create the script from there (or steal it from when you upgraded in Test/QA). There's no shortcut to this process.


Q: Can we use an answer file from a previous version during an upgrade?

A: No, we do not support this. The features/options change between versions - maybe not every time, but enough that this is not supported. You can try, but do so at your own risk - it is not supported.
