Configuring Venafi for GUI and Sniffer certificates
Use the Guardium® CLI to configure your Guardium system to connect to Venafi as a Service or TPP instance.
Procedure
- If you are using a Venafi TPP instance, store the Venafi ROOT CA certificate by running the following command on the central manager or stand-alone system: store certificate keystore trusted-venafi console, and paste the Venafi certificate when prompted. Skip this step if you are using Venafi as a Service.
- Store the Venafi connection credentials on your Guardium system by running the CLI command store certificate cms.
- Select 1 to Add Venafi to your Guardium system.
- Enter your Venafi instance type.
- Select GUI or Sniffer as the type of certificate to install.
- Enter the authentication type: access token or username and password.
- For a TPP instance, enter the TPP URL, Venafi token, and the exact zone configuration information that you used when you created your Venafi instance. For Venafi as a Service, enter the zone value and API key. If the information does not match, the connection fails.
Note: vCert prefixes \VED\Policy\ to the zone. When you enter the zone in the Guardium system, specify only the child folders under the root Policy folder.
- Select enroll or pick up for the vcert action.
  - Enroll
    - Use the enroll option to create a new certificate on Venafi and add it to the Guardium keystore.
    - After selecting enroll, if you have custom fields configured on Venafi, add up to nine fields using the name=value format.
    Attention: If custom fields are configured as mandatory on Venafi, the names and values must be provided accurately and in the correct format; otherwise certificate creation fails.
    - After selecting enroll and defining any custom fields, follow the prompts to enter the CN, the name of your organization, organization unit, city, state, country code, and optional SANs. This completes the creation of a new certificate on Venafi.
  - Pick up
    - Use the pick up option to retrieve certificates that were created manually on Venafi and add them to the Guardium keystore. Use this option if you do not want to create new certificates through Guardium.
- When prompted, enter y or n to distribute certificates from the central manager to the managed units, if any. If you enter y, propagate the Venafi certificates across your deployment by completing steps 4 to 6. If you enter n, complete only step 4.
- Import the GUI or Sniffer certificate into the central manager or stand-alone system:
- From the CLI, run the command grdapi venafi_import variant=[gui|sniffer].
- For GUI certificates, you must restart the GUI by running the CLI command restart gui. Sniffer certificates do not require a GUI restart.
- Run the CLI command show certificate [gui|sniffer] to check whether the correct certificate is displayed.
- On the central manager, run the following grdapi commands.
Important: If the root password on the managed unit does not match the root passkey, first reset the root password on the managed unit by running the CLI command support reset-password root.
  - Distribute the Venafi configuration files to some or all of the managed units: grdapi export_config type=venafi host=[all_managed|group:<group-name>|<IP>|<hostname>] force=[true|false]
  - Propagate the Venafi ROOT CA certificate to some or all of the managed units: grdapi export_certificate alias=<alias> host=[all_managed|group:<group-name>|<IP>|<hostname>] force=[true|false]
  Note: This command restarts the GUI on the managed unit. Wait until the GUI has restarted before you proceed to the next step.
  - Install the Venafi GUI or Sniffer certificate on the managed unit: grdapi venafi_import variant=[gui|sniffer] api_target_host=[all|all_managed|group:<group-name>|<IP>|<hostname>]
- For GUI certificates, you must restart the GUI on the managed units by accessing Manage > Central Management > Central Management, selecting the managed units, and clicking Restart Portal. Sniffer certificates do not require a GUI restart.
- On each managed unit, run the CLI command show certificate [gui|sniffer] to check whether the correct certificate is displayed.
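Two of the values typed into the store certificate cms dialog are easy to get wrong and give no feedback beyond a failed connection or a failed enrollment: the zone (which must omit the \VED\Policy\ prefix that vCert adds itself) and the enroll custom fields (name=value, at most nine, mandatory ones present). The following Python pre-flight script, an added example that is not part of the IBM Guardium or Venafi documentation or tooling, validates both before you start the CLI dialog; the permitted field-name characters and the mandatory-field list are assumptions, since the page does not state them, and the sample inputs are constructed.

```python
"""Pre-flight checks for two inputs of the 'store certificate cms' dialog:
the Venafi zone and the enroll custom fields. Added example, not Guardium
or Venafi code. The \\VED\\Policy\\ prefix rule, the nine-field limit and the
name=value format come from the procedure above; the allowed field-name
characters and any mandatory-field list are assumptions."""

import re

VED_POLICY_PREFIX = "VED\\Policy\\"   # root Policy folder that vCert prepends itself
MAX_CUSTOM_FIELDS = 9
_NAME_RE = re.compile(r"^[A-Za-z0-9_ .-]+$")   # assumed: conservative name charset


def normalize_tpp_zone(zone: str) -> str:
    """Return the zone as Guardium expects it: only the child folders under
    \\VED\\Policy, backslash separated, with no leading or trailing separator.
    A pasted full TPP path such as \\VED\\Policy\\Guardium\\GUI is trimmed."""
    z = zone.strip().replace("/", "\\").strip("\\")
    if z.lower().startswith(VED_POLICY_PREFIX.lower()):
        z = z[len(VED_POLICY_PREFIX):].strip("\\")
    if not z or z.lower() == "ved\\policy":
        raise ValueError("zone must name a child folder under \\VED\\Policy")
    return z


def parse_custom_fields(lines, mandatory=()):
    """Parse name=value lines into a dict, enforcing the enroll-step limits.
    `mandatory` (assumed to mirror the Venafi policy) lists field names that
    must be present, because a missing mandatory field fails the enrollment."""
    fields = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"custom field must be name=value: {line!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        if not name or not _NAME_RE.match(name):
            raise ValueError(f"invalid custom field name: {name!r}")
        if not value:
            raise ValueError(f"custom field {name!r} has an empty value")
        if name in fields:
            raise ValueError(f"duplicate custom field: {name!r}")
        fields[name] = value
    if len(fields) > MAX_CUSTOM_FIELDS:
        raise ValueError(
            f"at most {MAX_CUSTOM_FIELDS} custom fields are allowed, got {len(fields)}")
    missing = [m for m in mandatory if m not in fields]
    if missing:
        raise ValueError(f"mandatory custom fields missing: {missing}")
    return fields


def check_enroll_inputs(zone, field_lines, mandatory=()):
    """Collect every problem instead of stopping at the first, so the
    operator can fix all of them before starting the CLI dialog.
    Returns an empty list when both inputs pass."""
    errors = []
    try:
        normalize_tpp_zone(zone)
    except ValueError as exc:
        errors.append(f"zone: {exc}")
    try:
        parse_custom_fields(field_lines, mandatory)
    except ValueError as exc:
        errors.append(f"custom fields: {exc}")
    return errors


if __name__ == "__main__":
    # Constructed sample input, not taken from a real Venafi instance.
    sample_zone = "\\VED\\Policy\\Guardium\\GUI"
    sample_fields = ["Owner=dbsec-team", "ChangeTicket=CHG-0000", "Environment=prod"]
    problems = check_enroll_inputs(sample_zone, sample_fields, mandatory=["Owner"])
    print("zone to enter:", normalize_tpp_zone(sample_zone))
    print("custom fields:", parse_custom_fields(sample_fields))
    print("problems:", problems or "none")
```

Run it with the zone path copied from the TPP policy tree and the custom fields you intend to type; the printed zone is the value to enter at the Guardium prompt, and a non-empty problem list means the dialog would fail at connection or enrollment time.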