Configuring the TPP adaptable driver


You must perform the tasks described in this topic in Venafi Trust Protection Platform (TPP).

Important

Where particular values for TPP object fields are not specified in this topic, you can leave their defaults or set them according to your own needs. If settings given in this topic conflict with your own policies, contact BMC Support for more information.

Policy objects

You must create a Policy folder and set the PowerShell script property to EC for Venafi.

If you have configured AT-TLS on the BMC AMI Enterprise Connector for Venafi gateway, and AT-TLS is configured to require a client certificate, you must create a certificate credential containing the relevant certificate and private key. You must choose this credential in the Secondary Credential field.

Set the port on which the gateway is listening in the Port field.

Important

If you install a new version of the TPP adaptable driver, you must resave the Policy object where the driver is selected. You do not need to change any of the settings, but you must resave the object to update the TPP adaptable driver hash stored in the TPP database.

Device objects

Only one Device object is required per gateway, irrespective of how many certificates are being managed.

TPP requires a Username Credential object to authenticate to devices, but EC for Venafi does not use one. Create a placeholder Username Credential with any user name and password, and note in its Description field that it is a placeholder used by EC for Venafi.

Create the Device object inside the policy folder that you created in the previous section. In the Hostname/Address field, enter either http://gateway or https://gateway, where gateway is the host name or IP address where the gateway is listening. Do not add any trailing slash or port number.

Important

(SPE2507)
To use HTTPS to connect to the gateway, make sure that the following conditions exist:

  • The host name or IP address that you enter here matches a subject alternative name (SAN) of the certificate installed on the gateway, or its subject common name (CN) if the certificate has no SAN extension. Modern TLS clients check the SAN list first and fall back to the CN only when there are no SAN entries, so put the name in the SAN. An IP address must appear as an IP address SAN, not as a DNS name.

    For example, if your gateway is https://ecgateway.example.com, the gateway certificate must carry ecgateway.example.com as a DNS SAN (or as the CN).

    If there is no match, the TPP adaptable driver fails to verify the certificate and returns the following error on any operation:

    The underlying connection was closed:
    Could not establish trust relationship for the SSL/TLS secure channel.
  • The Trusted Root Certification Authorities store of the local computer on each TPP server contains the root certificate of the certificate authority (CA) that issued the gateway certificate. Any intermediate CA certificates must either be sent by the gateway during the TLS handshake or be present in the local computer's Intermediate Certification Authorities store; otherwise the same error is returned even though the root is trusted.

In the Device Credential field, select the place holder credential.
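The following PowerShell script is an added example for checking these conditions before you save the Device object; it is not part of BMC AMI Enterprise Connector for Venafi or of TPP. Run it on each TPP server. It first checks a candidate Hostname/Address value against the format rules above (http or https scheme, host only, no port, no path, no trailing slash). For an https value it then connects to the gateway, compares the host against the SAN entries and CN of the certificate the gateway presents, and builds the certificate chain in the local computer context. The gateway name ecgateway.example.com, the port 8443 (use the value from the Policy object Port field) and the Windows "DNS Name=..., IP Address=..." display format of the SAN extension are assumptions, not from the original page.

```powershell
# Added diagnostic; not BMC or Venafi code. Run on each TPP server.
# Assumptions: gateway name and port below are placeholders; SAN text is parsed
# from the Windows display format produced by X509Extension.Format().

function Test-HostnameAddressFormat {
    # Validates "http://gateway" or "https://gateway": scheme and host only.
    param([Parameter(Mandatory)][string]$Value)
    $problems = @()
    $uri = $null
    if (-not [Uri]::TryCreate($Value, [UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin @('http', 'https')) {
        return [pscustomobject]@{ Value = $Value; Scheme = $null; HostName = $null
                                  Problems = @('Value must start with http:// or https://') }
    }
    if ($Value -match '^https?://(\[[^\]]+\]|[^/:]+):\d+') {
        $problems += 'Remove the port number; it belongs in the Policy object Port field.'
    }
    if ($Value.TrimEnd() -match '/$') { $problems += 'Remove the trailing slash.' }
    if ($uri.AbsolutePath -ne '/' -or $uri.Query -or $uri.Fragment) {
        $problems += 'Remove the path; the field takes scheme and host only.'
    }
    # DnsSafeHost strips the brackets from an IPv6 literal so it can be compared to an IP SAN
    [pscustomobject]@{ Value = $Value; Scheme = $uri.Scheme; HostName = $uri.DnsSafeHost; Problems = $problems }
}

function Test-CertificateNameMatch {
    # $true if $HostName equals a DNS or IP SAN entry, or the subject CN.
    # A wildcard SAN (*.example.com) matches exactly one left-most label, as TLS clients require.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields e.g. "DNS Name=a.example.com, IP Address=10.0.0.5" (assumed Windows format)
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $ip = $null
    $hostIsIp = [System.Net.IPAddress]::TryParse($HostName, [ref]$ip)
    foreach ($n in $names) {
        if ($hostIsIp) {
            $nip = $null
            if ([System.Net.IPAddress]::TryParse($n, [ref]$nip) -and $nip.Equals($ip)) { return $true }
        } elseif ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                $HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.') { return $true }
        } elseif ($n -ieq $HostName) { return $true }
    }
    return $false
}

function Get-GatewayCertificateReport {
    # Fetches the certificate the gateway presents and reports name match and chain trust
    # using the local computer stores, which is what the adaptable driver relies on.
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept anything during the handshake; trust is evaluated explicitly below so the cause is visible.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)   # $true = local machine context
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    $rootTrusted = $store.Certificates.Contains($root)
    $store.Close()

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NameMatchesField   = Test-CertificateNameMatch -Certificate $cert -HostName $HostName
        ChainBuilds        = $built
        ChainStatus        = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        RootInMachineStore = $rootTrusted
    }
}

# Usage: both values are placeholders; use your gateway and the Policy object Port value.
$GatewayField = 'https://ecgateway.example.com'
$GatewayPort  = 8443
$format = Test-HostnameAddressFormat -Value $GatewayField
$format | Format-List
if ($format.Problems.Count -eq 0 -and $format.Scheme -eq 'https') {
    Get-GatewayCertificateReport -HostName $format.HostName -Port $GatewayPort | Format-List
}
```

Read the report as follows: NameMatchesField false means the driver will fail with the "Could not establish trust relationship" error until the gateway certificate is reissued with the name you entered (or you enter a name that is on the certificate); RootInMachineStore false means the issuing CA's root still has to be imported into the local computer's Trusted Root Certification Authorities store on this TPP server; ChainStatus lists any remaining chain problem, such as a missing intermediate CA certificate.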

Workflows

EC for Venafi splits the installation of a certificate into two stages to allow operations to be paused until the certificate owner is ready for a new certificate to be made live. To achieve this, you must create a workflow in TPP and apply it to the application objects.

Task 1: Creating a workflow reason code

For Code, enter an unused value. We recommend using 803, because this corresponds to the TPP workflow stage at which the workflow object created in Task 2 takes control.

For Name, enter EC for Venafi Authorization.

For Description, enter the following text:

ECVENAFIPAUSEBEFORECERTLIVE

Your approval is required to make the new certificate for the
$CN[$Config[$SelfDN$,Owner Object]$]$ application live.

Application information: $Policy[$Config[$SelfDN$,Owner Object]$,Text Field 1]$

Task 2: Creating a workflow object

If you don't already have a defined location in your policy tree where workflow objects are created, we recommend creating the workflow object alongside your device objects.

In the appropriate location, create a Standard Workflow object with the following details:

  • Name—EC for Venafi Pause before certificate activation
  • If Stage is—803
  • If Application or Trust Store is—Adaptable App
  • Inject Commands—No
  • Request Approval—Yes
  • Approval Reason Code—EC for Venafi Authorization

Configure the Request Approval From and Specified Approver(s) fields according to your own requirements and conventions.

Task 3: Assigning the workflow object

Add the workflow object created in the previous step to the Applied Workflows list in one of the policy folders that is a parent of the device object. We recommend that you apply this workflow object in the same policy folder in which the EC for Venafi adaptable application is configured.

Notifications

The workflow that you created causes TPP to pause processing until the certificate owner is ready for the certificate to be made live. You must create a customized TPP notification to tell certificate owners when a new certificate is ready.

Task 1: Creating a notification channel

Create a new SMTP channel. Configure this channel as required for your environment except for the following options:

  • Recipient(s)—$IdentityEmail[$Event.Text1$]$
  • Message Subject—Certificate for application $CN[$Event.Component$]$ is ready to be made live
  • Message Body

    The certificate for the following environment(s) has been loaded but requires your approval
    to be made live:
     
    $Policy[$Event.Component$,"Text Field 1"]$

    To act on this request, visit: https://$If[$Policy[$Event.Component$,Managed By]$, Aperture,
    $ApertureFQDN$/aperture/workflow/$GUID[$Event.Component$]$/approve,
    $WebAdminFQDN$/vedadmin/Default.aspx?w=$ENCODE[URL,$CN[$Event.Text2$]$]$]$

    If you need assistance, contact your Administrator.

    When approving this change, please ensure that you add the change ID in the "Comments"
    section of the approval form.

    This email is being sent to you by $ProductName$ because you are named as an approver for
    this certificate or application: $Event.Component$

Depending on your email configuration, you might also need to use the TPP Windows Administration Console to configure an HTML version of this notification.

Task 2: Creating a notification rule

Create a new notification under Notification Rules with the following settings:

IF Event ID matches Workflow – Ticket Issued

AND Data contains ECVENAFIPAUSEBEFORECERTLIVE

Set the Target Channel to the notification channel that you created previously.
