Applies To:
Trust Protection Platform (all versions, however 19.x and older only use one SQL account)
Summary:
Before proceeding with any service account password rotation, due diligence is required to ensure you know and have documented which areas of TPP are using which service accounts.
Ideally, you should have a separate account for each of the roles below:
- SQL DBO Account
- SQL Operational Account
- AD Service Account
Additionally, it is important to understand *where* the service account password(s) are stored:
- DBO/Operational (SQL) service account passwords are stored on each TPP engine (updated on each TPP engine individually)
- AD service account passwords are stored in the TPP database (only need to be updated once on any TPP engine and the rest of the engines will recognize the change)
Resolution:
Recommended password rotation process when different service accounts are being used for different roles:
- Stop Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on all TPP engines in the environment
- Stop IIS Service (World Wide Web Publishing Service) on all TPP engines in the environment
- Rotate the password for the DBO/Operational (SQL) account(s) in question
- Launch VCC (Venafi Configuration Console) on *one* of the TPP engines in the environment; it will enter 'Database Recovery Mode' and will allow you to enter the new password(s)
- After resolving the database connectivity issue, you can proceed with rotating the password for the AD account in question and then re-run the AD wizard (Connectors -> AD connector -> Re-run Wizard) to update the service account password
- Enable and Start the Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on the above TPP engine
- Enable and Start the IIS Service (World Wide Web Publishing Service) on the above TPP engine
- Test the above TPP engine to ensure everything is working properly
- Assuming the above TPP engine is working properly you can then move on to updating the database password on *each* of the remaining TPP engines (launching VCC on *each* of the remaining TPP engines in the environment, entering 'Database Recovery Mode' and entering the new password)
- Enable and Start the Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on the above TPP engine(s)
- Enable and Start the IIS Service (World Wide Web Publishing Service) on the above TPP engine(s)
- Test the above TPP engine(s) to ensure everything is working properly
Recommended password rotation process when service accounts are shared across roles:
NOTE: If you are using a single account for all of the above roles, the chances that you will run into issues when rotating the password for this account are very high, and minimizing downtime is unlikely. We advise moving away from this configuration to avoid these issues.
- Stop Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on all TPP engines in the environment
- Disable Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on all TPP engines in the environment
- Stop IIS Service (World Wide Web Publishing Service) on all TPP engines in the environment
- Disable IIS Service (World Wide Web Publishing Service) on all TPP engines in the environment
- Reboot all TPP engines in the environment (this ensures that no other TPP-related applications are running, such as VCC/WinAdmin - this is critical to this process in our experience)
- Rotate the password for the account in question
- If the service account is AD-sourced, then disabling account lock-out for the account in question in AD is advised until rotation is complete (this is also critical to this process in our experience)
- Launch VCC on *one* of the TPP engines in the environment, it will enter 'Database Recovery Mode' and will allow you to enter the new password
- After resolving the database connectivity issue (via 'Database Recovery Mode') VCC will launch. During this process the AD connector will attempt to initialize with the old password; if lock-out is not disabled for the account in question in AD, the account will lock as a result, breaking database connectivity and leaving you in a loop/catch-22 situation that is difficult to resolve
- Assuming the account has not been locked out (by the AD connector attempting to initialize with the old password), you should be able to re-run the AD wizard for the existing AD connector to update its service account password (Connectors -> AD connector -> Re-run Wizard)
- Enable and Start the Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on the above TPP engine
- Enable and Start the IIS Service (World Wide Web Publishing Service) on the above TPP engine
- Test the above TPP engine to ensure everything is working properly
- Assuming the above TPP engine is working properly you can then move on to updating the database password on *each* of the remaining TPP engines (launching VCC on *each* of the remaining TPP engines in the environment, entering 'Database Recovery Mode' and entering the new password)
- Enable and Start the Venafi Services (Venafi Trust Protection Platform and Venafi Log Server) on the above TPP engine(s)
- Enable and Start the IIS Service (World Wide Web Publishing Service) on the above TPP engine(s)
- Test the above TPP engine(s) to ensure everything is working properly
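Both procedures above begin by stopping (and, for the shared-account case, disabling) the same three services on every TPP engine and end by re-enabling them engine by engine, with a test in between. The following PowerShell is an added example, not Venafi tooling, that stages the engines that way and verifies service state before you touch any password; it assumes PowerShell remoting is enabled to each engine, that you have local administrator rights on them, and that $Engines holds your real engine host names (the ones below are placeholders).

```powershell
# Added example (not Venafi's own tooling). Assumes WinRM remoting to each engine and
# local admin rights; $Engines contains placeholder names that you must replace.
$Engines = @('tpp-engine-01.example.local', 'tpp-engine-02.example.local')

# Display names as shown in services.msc; these are the three services the procedure names.
$DisplayNames = @('Venafi Trust Protection Platform',
                  'Venafi Log Server',
                  'World Wide Web Publishing Service')

function Set-TppServiceState {
    param(
        [Parameter(Mandatory)][string[]] $ComputerName,
        [Parameter(Mandatory)][ValidateSet('Stop', 'Start')][string] $Action
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $DisplayNames, $Action -ScriptBlock {
        param($names, $action)
        foreach ($name in $names) {
            $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
            if (-not $svc) { Write-Warning "$env:COMPUTERNAME: service '$name' not found"; continue }
            if ($action -eq 'Stop') {
                # Stop, then disable, so a reboot or an operator cannot restart it mid-rotation
                Stop-Service -Name $svc.Name -Force
                Set-Service  -Name $svc.Name -StartupType Disabled
            } else {
                Set-Service  -Name $svc.Name -StartupType Automatic
                Start-Service -Name $svc.Name
            }
        }
    }
}

function Test-TppServiceState {
    param(
        [Parameter(Mandatory)][string[]] $ComputerName,
        [Parameter(Mandatory)][ValidateSet('Stopped', 'Running')][string] $Expected
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $DisplayNames, $Expected -ScriptBlock {
        param($names, $expected)
        foreach ($name in $names) {
            $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
            [pscustomobject]@{ Engine = $env:COMPUTERNAME; Service = $name
                               Status = $svc.Status; Ok = ($svc.Status -eq $expected) }
        }
    } | Format-Table Engine, Service, Status, Ok -AutoSize
}

# Before rotating: stop and disable on all engines, then confirm every row shows Ok = True.
Set-TppServiceState  -ComputerName $Engines -Action Stop
Test-TppServiceState -ComputerName $Engines -Expected Stopped
# After Database Recovery Mode on one engine: bring only that engine back and test it.
# Set-TppServiceState  -ComputerName $Engines[0] -Action Start
# Test-TppServiceState -ComputerName $Engines[0] -Expected Running
```

Any row with Ok = False in the first check means an engine still has a service running (or missing) and the rotation should not proceed until that is resolved; the reboot step in the shared-account procedure is still required after the stop/disable pass.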
More Info:
If you have additional questions, please feel free to reach out to support@venafi.com for assistance.