Configuring Venafi for GIM certificates

Use the GuardiumĀ® CLI to configure your Guardium system to connect to the Venafi as a Service or TPP instance.

Before you begin

Ensure that Venafi as a Service or TPP instance is configured and running.

About this task

Use the following procedure to configure GIM certificates.

Procedure

  1. From the Guardium UI, access Manage > Module Installation > GIM Global Parameters. Ensure that the global parameter value for gim_auto_certificate_distribution is 1.
  2. If you are using the Venafi TPP instance, store the ROOT CA certificate by running the following command on your Guardium system: store certificate keystore trusted-venafi console and pasting the Venafi certificate. Skip this step if you are using Venafi as a Service.
  3. Store the Venafi connection credentials on your Guardium system by running the CLI command store certificate cms.
    1. Select 1 to Add Venafi to your Guardium system.
    2. Enter your Venafi instance type.
    3. Select GIM client as the type of certificate to install.
    4. Enter the authentication type: access token or username and password.
    5. For the TPP instance, enter the TPP URL, Venafi token, and the exact zone configuration information that you used when you created your Venafi instance. For Venafi as a Service, enter the zone value and API key. If the information does not match, the connection fails.
      Note: vCert prefixes \VED\Policy\ to the zone. When you enter the zone in the Guardium system, you must specify only the child folders under the root Policy folder.
    6. Follow the prompts to enter CN, name of your organization, organization unit, city, state, country code, and optional SANs.
  4. If prompted, enter y or n to distribute certificates from the central manager to the managed units that are GIM servers. If you enter y, propagate the Venafi certificates across your deployment by completing steps to 5 to 11. If you enter n, complete steps 5 to 7.
  5. Stage the GIM clients with the new certificate by running the CLI command store certificate gim client venafi.
    1. Select the GIM client that is registered to your Guardium system.
    2. Run the CLI command show certificate gim client.
    3. Select the GIM client to check whether the correct certificate is displayed. The status of the certificate can display as pending, processing, or deployed. You must wait until the certificate is deployed.
      CAUTION:
      Ensure that all your GIM clients are updated with the new certificate. When a new GIM server certificate is stored, a GIM client without the new certificate loses connection to the GIM server.
  6. After the GIM client certificate is deployed, run the CLI command store certificate cms.
    1. Select 1 to Add Venafi to your Guardium system.
    2. Enter your Venafi instance type.
    3. Select GIM server as the type of certificate to install.
    4. For the TPP instance, enter the TPP URL, Venafi token, and the exact zone configuration information that you used when you created your Venafi instance. For Venafi as a Service, enter the zone value and API key. If the information does not match, the connection fails.
    5. Follow the prompts to enter CN, name of your organization, organization unit, city, state, country code, and optional SANs.
  7. Import a new GIM server certificate by completing the following steps:
    1. From the CLI, run the command grdapi venafi_import variant=gim force=true.
    2. Restart the GUI by running the CLI command restart gui.
    3. Run the CLI command show certificate gim server to check whether the correct certificate is displayed.
      Note: For authentication to succeed, the GIM server and all related GIM clients must have certificates that are signed by the same CA (root and intermediate, if applicable) for both trusted and private certificates.
  8. On the central manager, run the following grdapi commands:
    Important: If the root password on the managed unit doesn't match with the root passkey, you must first reset the root password on the managed unit by running the CLI command support reset-password root.
    1. Distribute the Venafi configuration files to some or all the managed units: grdapi export_config type=venafi host=[all_managed|group:<group-name>|<IP>|<hostname>] force=[true|false]
    2. Propagate the Venafi ROOT CA certificate to some or all the managed units: grdapi export_certificate alias=<alias> host=[all_managed|group:<group-name>|<IP>|<hostname>] force=[true|false]
      Note: This command restarts the GUI on the managed unit. Wait until the GUI restarts before you proceed to the next step.
  9. Stage the GIM clients with the new certificate by running the CLI command store certificate gim client venafi.
    1. Select the GIM client that is registered to your Guardium system.
    2. Run the CLI command show certificate gim client.
    3. Select the GIM client to check whether the correct certificate is displayed. The status of the certificate can display as pending, processing, or deployed. You must wait until the certificate is deployed.
      CAUTION:
      Ensure that all your GIM clients are updated with the new certificate. When a new GIM server certificate is stored, a GIM client without the new certificate loses connection to the GIM server.
  10. Complete the following steps on the central manager:
    1. Import the GIM certificate: grdapi venafi_import variant=gim force=true api_target_host=[all|all_managed|host name|IP].
    2. For GUI certificates, you must restart the GUI on the managed units by accessing Manage > Central Management > Central Management, selecting the managed units, and clicking Restart Portal. Sniffer certificates do not require a GUI restart.
  11. Complete the following steps on each managed unit:
    1. Check whether the GIM server and client are active by running the CLI command show certificate gim client. The status of the certificate must change from deployed to active.
    2. From the Guardium UI, access Manage > Module Installation > GIM Process Monitor and ensure that the connection is active.