Configuring Venafi for GUI and Sniffer certificates

Use the Guardium® CLI to configure your Guardium system to connect to Venafi as a Service or TPP instance.

Before you begin

Ensure that Venafi as a Service or TPP instance is configured and running.

About this task

Use the following procedure to configure GUI or Sniffer certificates.

Procedure

  1. If you are using a Venafi TPP instance, store the Venafi ROOT CA certificate on the central manager or stand-alone system: run the CLI command store certificate keystore trusted-venafi console and paste the Venafi certificate. Skip this step if you are using Venafi as a Service.
  2. Store the Venafi connection credentials on your Guardium system by running the CLI command store certificate cms.
    1. Select 1 to Add Venafi to your Guardium system.
    2. Enter your Venafi instance type.
    3. Select GUI or Sniffer as the type of certificate to install.
    4. Enter the authentication type: access token or username and password.
    5. For the TPP instance, enter the TPP URL, Venafi token, and the exact zone configuration information that you used when you created your Venafi instance. For Venafi as a Service, enter the zone value and API key. If the information does not match, the connection fails.
      Note: vCert prefixes \VED\Policy\ to the zone. When you enter the zone in the Guardium system, you must specify only the child folders under the root Policy folder.
    6. Follow the prompts to enter CN, name of your organization, organization unit, city, state, country code, and optional SANs.
  3. When prompted, enter y or n to distribute certificates from the central manager to the managed units, if any. If you enter y, propagate the Venafi certificates across your deployment by completing steps 4 to 6. If you enter n, complete only step 4.
  4. Import the GUI or Sniffer certificate into the central manager or stand-alone system:
    1. From the CLI, run the command grdapi venafi_import variant=[gui|sniffer].
    2. For GUI certificates, you must restart the GUI by running the CLI command restart gui. Sniffer certificates do not require a GUI restart.
    3. Run the CLI command show certificate [gui|sniffer] to check whether the correct certificate is displayed.
  5. On the central manager, run the following grdapi commands:
    Important: If the root password on the managed unit does not match the root passkey, you must first reset the root password on the managed unit by running the CLI command support reset-password root.
    1. Distribute the Venafi configuration files to some or all the managed units: grdapi export_config type=venafi host=[all_managed|group:<group-name>|<IP>|<hostname>] force=[true|false]
    2. Propagate the Venafi ROOT CA certificate to some or all the managed units: grdapi export_certificate alias=<alias> host=[all_managed|group:<group-name>|<IP>|<hostname>] force=[true|false]
      Note: This command restarts the GUI on the managed unit. Wait until the GUI restarts before you proceed to the next step.
    3. Install the Venafi GUI or sniffer certificate on the managed unit: grdapi venafi_import variant=[gui|sniffer] api_target_host=[all|all_managed|group:<group-name>|<IP>|<hostname>]
    4. For GUI certificates, you must restart the GUI on the managed units by accessing Manage > Central Management > Central Management, selecting the managed units, and clicking Restart Portal. Sniffer certificates do not require a GUI restart.
  6. On each managed unit, run the CLI command show certificate [gui|sniffer] to check whether the correct certificate is displayed.
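The following POSIX shell script is an added example, not part of the Guardium documentation or product. It checks, on an administrator's workstation before anything is typed into the Guardium CLI, the two values in this procedure that are easy to get wrong: the zone, which must be given without the \VED\Policy\ prefix that vCert adds (see the note in step 2.5), and the host targets and variants accepted by the grdapi commands in steps 4 and 5. The function names and the sample values are this example's own assumptions; the command strings it prints are the ones shown in the procedure above.

```sh
#!/bin/sh
# Added example (not from the Guardium documentation): pre-flight checks for
# values used in the Venafi GUI/Sniffer certificate procedure.
# Function names and sample values below are assumptions for illustration.

# vCert prefixes \VED\Policy\ to the zone on its own, so the Guardium CLI
# expects only the child folders under the root Policy folder. Strip the
# prefix (and a trailing backslash left from copying a folder path) and
# refuse an empty zone, which would make the Venafi connection fail.
venafi_zone_for_guardium() {
    zone=$1
    prefix='\VED\Policy\'
    bs='\'
    case "$zone" in
        "$prefix"*) zone=${zone#"$prefix"} ;;
    esac
    zone=${zone%"$bs"}
    if [ -z "$zone" ]; then
        printf '%s\n' 'zone must name a child folder under \VED\Policy\' >&2
        return 1
    fi
    printf '%s\n' "$zone"
}

# Accept only the target forms the grdapi commands take:
# all (venafi_import only), all_managed, group:<group-name>, an IP address
# or a hostname. Anything empty or containing shell metacharacters is rejected.
guardium_target_ok() {
    target=$1
    allow_all=${2:-no}
    case "$target" in
        all) [ "$allow_all" = yes ] ;;
        all_managed) return 0 ;;
        group:?*) return 0 ;;
        '' | *[!A-Za-z0-9.:_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the step 4.1 / step 5.3 command. With no target the command runs
# locally on the central manager or stand-alone system.
grdapi_venafi_import() {
    variant=$1
    target=$2
    case "$variant" in
        gui|sniffer) ;;
        *) printf '%s\n' "variant must be gui or sniffer, got: $variant" >&2; return 1 ;;
    esac
    if [ -z "$target" ]; then
        printf '%s\n' "grdapi venafi_import variant=$variant"
    elif guardium_target_ok "$target" yes; then
        printf '%s\n' "grdapi venafi_import variant=$variant api_target_host=$target"
    else
        printf '%s\n' "invalid api_target_host: $target" >&2
        return 1
    fi
}

# Build the step 5.1 command. Note that 'all' is not a valid host here.
grdapi_export_venafi_config() {
    target=$1
    force=${2:-false}
    case "$force" in
        true|false) ;;
        *) printf '%s\n' "force must be true or false, got: $force" >&2; return 1 ;;
    esac
    guardium_target_ok "$target" no || {
        printf '%s\n' "invalid host: $target" >&2
        return 1
    }
    printf '%s\n' "grdapi export_config type=venafi host=$target force=$force"
}

# Stand-alone demonstration with constructed sample values.
venafi_zone_for_guardium '\VED\Policy\Guardium\GUI'
grdapi_venafi_import gui
grdapi_venafi_import sniffer all_managed
grdapi_export_venafi_config 'group:prod' true
```

Run it on the workstation from which you administer Guardium; each function prints the normalized value or the exact grdapi command line to paste into the CLI, and returns non-zero with a message on stderr when a value would be rejected or would make the Venafi connection fail.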