Configuring TPP certificate administration (SPE2501)

This topic describes how to configure BMC AMI Enterprise Connector for Venafi to create certificate objects on Venafi Trust Protection Platform (TPP). For more information, see Certificate administration in the "Key features" topic.

The procedures described here must be performed in conjunction with a TPP Master Admin.

Configure the TPP REST API

BMC AMI Enterprise Connector for Venafi uses a REST API to communicate with TPP. Before you can create certificate objects on TPP, your TPP Master Admin must register an API integration with the following details:

{
  "id": "ecvenaficertrequest",
  "name": "EC Venafi Certificate Administration UI",
  "vendor": "BMC Software, Inc",
  "description": "EC Venafi Certificate Administration UI",
  "scope": "certificate:manage"
}


Important

The TPP Master Admin must also create a TPP user that has access to the integration.

Obtain and store an authentication token

The TPP REST API uses API tokens to authenticate users connecting to the application. After the TPP REST API is integrated, your TPP Master Admin must get a token for the previously created TPP user that has access to the integration.

To obtain an API token

  1. Locate the Utilities folder in the EC for Venafi installation directory.
    Inside Utilities is a folder called ECVenafi SPEyymm\GetAuthToken that contains the getauthtoken.exe utility.
    The ECVenafi SPEyymm folder is specific to your SPE level. For example, if you installed EC for Venafi version 2.3 SPE2501, the folder is named ECVenafi SPE2501.
  2. Have the TPP Master Admin run the utility using the following syntax:

    getauthtoken <tpp hostname> <user> <password>

    Important

    EC for Venafi does not automatically renew API tokens once they expire. If a token expires, EC for Venafi cannot create certificate objects through the TPP REST API.

    We recommend that the TPP Master Admin modify the value of the expires parameter after the API token is generated so that it will last for a significant amount of time, for example one year.
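Because EC for Venafi does not renew an expired token, it is worth checking the token response the TPP Master Admin hands over before it is stored, and re-checking its remaining lifetime on a schedule. The following script is an added example, not part of the BMC AMI Enterprise Connector for Venafi product or of the getauthtoken utility. It assumes the token response is JSON carrying `access_token`, `scope` and `expires` fields and that `expires` is a Unix epoch timestamp in seconds; the sample response and its values are constructed.

```python
"""Sanity-check a TPP API token response before storing it in EC for Venafi.

Added example (not BMC's or Venafi's code). Assumptions not stated on the page:
the token response is JSON with ``access_token``, ``scope`` and ``expires``
fields, and ``expires`` is a Unix epoch timestamp in seconds.
"""

import json
from datetime import datetime, timedelta, timezone

# Scope registered for the API integration on this page.
REQUIRED_SCOPE = "certificate:manage"

# Constructed sample of a token response; the values are placeholders.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "EXAMPLE-ACCESS-TOKEN-PLACEHOLDER",
    "expires": 1767225600,  # 2026-01-01T00:00:00Z (constructed)
    "scope": "certificate:manage",
    "token_type": "Bearer",
})


def utc_date(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC datetime for a given calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_token_response(token_json: str) -> dict:
    """Parse the response and check the fields the connector depends on."""
    data = json.loads(token_json)
    problems = []
    if not data.get("access_token"):
        problems.append("access_token missing: nothing to paste into the Secret field")
    if data.get("scope") != REQUIRED_SCOPE:
        problems.append(f"scope is {data.get('scope')!r}, expected {REQUIRED_SCOPE!r}")
    if not isinstance(data.get("expires"), int):
        problems.append("expires missing or not an epoch integer (assumed format)")
    return {"data": data, "problems": problems}


def check_token(token_json: str, now: datetime, warn_days: int = 30) -> dict:
    """Return ok/days_left/problems for a token response as seen at ``now``.

    A token that is expired, or that expires within ``warn_days``, is flagged
    so a replacement can be generated and stored before certificate object
    creation stops working.
    """
    parsed = parse_token_response(token_json)
    data, problems = parsed["data"], list(parsed["problems"])
    days_left = None
    if isinstance(data.get("expires"), int):
        expiry = datetime.fromtimestamp(data["expires"], tz=timezone.utc)
        days_left = (expiry - now) / timedelta(days=1)
        if days_left <= 0:
            problems.append("token has expired; EC for Venafi cannot create "
                            "certificate objects until a new token is stored")
        elif days_left < warn_days:
            problems.append(f"token expires in {days_left:.0f} days; "
                            "generate and store a new token")
    return {"ok": not problems, "days_left": days_left, "problems": problems}


if __name__ == "__main__":
    result = check_token(SAMPLE_TOKEN_RESPONSE, datetime.now(timezone.utc))
    print(json.dumps(result, indent=2))
```

Run it against the response file the TPP Master Admin produces (read the file instead of `SAMPLE_TOKEN_RESPONSE`) and schedule the same check against the stored expiry date so that a token nearing the end of its life is noticed before certificate requests start failing.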

To store an API token in EC for Venafi

  1. Log on to the EC for Venafi UI.
  2. Navigate to Manage > Encrypt and store Venafi API Token.
  3. In the Secret field, paste in the value from the API token's access_token parameter and click Submit.

The token is encrypted and stored in the directory that you specified as the Repository in the TPPServer statement.

Create and configure folders in TPP

The TPP Master Admin must create a Device folder and a Certificate folder in the TPP Policy Tree to receive certificates and certificate object requests from EC for Venafi. The user for which the API token was issued must have write permissions for these folders and the objects within.

The Certificate folder must have the following attributes:

  • Management type—Provisioning
  • CSR Generation—Service Generated CSR
  • CA Template—Specify as required

You may configure other fields as required, including the Subject DN fields.

Important

  • You must specify a CA template for the Certificate folder. Users cannot select the template from EC for Venafi.
  • Users can create certificate objects by using different CAs only if you create Certificate folders for each CA and include a CertificateFolderName value for each folder.
