Venafi Platform. Architecture 1 Architecture Basic. Professional Services Venafi. All Rights Reserved.

Transcription

1 Venafi Platform Architecture 1 Architecture Basic Professional Services 2018 Venafi. All Rights Reserved.

2 Goals Architecture Basics: An overview of Venafi Platform. Required Infrastructure: Services required for operation. # Servers: Determining number and placement of Venafi Platform Servers. Other Preparation: Other services required - CAs, Accounts, Firewalls, etc. Questions: Discussion for questions or specific use-cases 2018 Venafi. All Rights Reserved. 2

3 Architecture Basics Application Hierarchy Users Automation Endpoints Aperture WebAdmin REST API Agent API Certificate Management Network Discovery Logging Notifications and Reporting Monitoring Validation SSH Management SQL Database Cert Inventory Cert Keys SSH Keys TPP Configuration TPP Agents 2018 Venafi. All Rights Reserved 3

4 Other Processing Modules Overview IIS Applications (UI) SCEP (NDES Emulation) User Enrollment Portal Client Server Agent Processing Modules CA Import Manager Certificate Manager Certificate Pre-Enrollment Discovery Onboard Discovery Manager SSH Manager TrustNet Manager 2018 Venafi. All Rights Reserved. 4

5 Architecture Basics Multiple Servers Users Aperture WebAdmin TPP01 Certificate Management Logging Notifications and Reporting Monitoring Automation Endpoints REST API Agent API Network Discovery Validation Cert Inventory Cert Keys SSH Keys TPP02 TPP Configuration TPP Agents Agent API SQL Database Network Discovery Validation TPP Agents TPP03 SSH Key Management 2018 Venafi. All Rights Reserved. 5

6 Processing Modules Module Best Practice Partitioning General Purpose - Connect to a Microsoft CA and download all issued certificates. CA Import Manager 1 or 2 No - Data is used to populate the Venafi Platform with certificates in the environment to manage Certificate Manager 1 per isolated network segment where enrollment or provisioning occur 2018 Venafi. All Rights Reserved. 6 Yes - Certificate lifecycle Certiticate Pre-Enrollment 1 or 2 No - Used to pre-enroll user certificates by processing identity groups. 1 per isolated network segment, Discovery additional will improve throughput in large segments Yes* (zones) - Performs Network Discovery in an attempt to collect SSL Certificates and SSH Hostkeys Monitor 1 or 2 No - Evaluate objects for expiration and generate events when needed Onboard Discovery Manager 1 or 2 per isolated network segment where appliance discovery is performed Yes - Connect to Appliances to gather an inventory of it's SSL configuration. (Currently only supports F5) Reporting 1 or 2 No - Generates Canned and Custom reports SSH Manager Minimum 1 per network segment where SSH is used devices per processor core for 1/day discovery - SSH Background calculations (statistics, violations) - SSH Rotation engine - SSH Agentless Discovery - SSH Agentless Remediation Yes (required for agentless) TrustNet Manager 1 or 2 No - Communicates with TrustNet to gather data Validation Manager 1 per isolated network segment Yes - Triggers On-board and Network validation Cloud Instance Monitor 1 or 2 Yes - Cleans up Venafi Platform inventory based on cloud inventory Logging (Service) 1 or 2 No - Process the incoming log events queue - Recording events to the Default Log Channel. - Sending notifications based on configured rules

7 IIS Applications Module Best Practice Partitioning General Purpose VEDClient SSL Certificate Management - 1 VEDClient pool per 10,000 Agents checking in for Certificate Provisioning every hour (randomized) and for discovery every day with randomization set to over an hour. N/A Contains API that is used for communication with agents SSH Management - 1 VEDClient pool per 1000 agents checking in for remediation every 15 minutes and for discovery every 1 hour. VEDSCEP 1 per isolated SCEP client network zone N/A Allows SCEP clients to connect and make certificate requests certsrv 1 per SCEP client network zone N/A Emulates Microsoft's Network Device Enrollment Services VEDSDK 1 per isolated network zone where API services are required N/A Provides REST Based API access VEDAdmin Minimum 1 per Venafi Platform Environment N/A Web Administration Console. Target user is the Venafi Platform admin Aperture Minimum 1 per Venafi Platform Environment N/A Web Administration Console. Target user is the Departmental Admin, Certificate Owners and all SSH Operations. WebAdmin functionality is being migrated to this console. VACME Minimum one instance per TPP environment where service is desired N/A Protocol for cert management automation between CAs and subscribers 2018 Venafi. All Rights Reserved. 7

8 Database Design & Disaster Recovery Important! All Venafi Platform servers must connect to the SAME instance of the database. Use of a secondary database for disaster recovery (i.e. logshipping/replication) is allowed when all Venafi Platform instances use a single active database only! 2018 Venafi. All Rights Reserved. 8

9 Database DR & HA Microsoft SQL Server Always On Availability Groups are officially supported as of Venafi Platform version The Always On Availability Groups feature is a high-availability and disaster-recovery solution. Introduced in SQL Server 2012, Always On Availability Groups maximizes the availability of a set of user databases for an enterprise. For more information see: Venafi. All Rights Reserved. 9

10 Load Balancing Web Interfaces It is possible to place the Venafi Platform web-based services behind a load-balancer such as an F5 LTM or Citrix NetScaler. Persistence should be maintained longer than the inactivity session timer in WebAdmin / Aperture (15 minutes). The Venafi Platform does not share sessions between servers. Usually referred to as Session Persistence or Sticky Sessions Load Balancer Considerations Any method of persistence should work, but usually by Client IP works best Venafi. All Rights Reserved. 10

11 System Requirements Venafi Application Server 50K-250K Certificates / Keys: Two (2) Processing Cores 8 GB RAM 5 GB Disk Space 1 Million+ Certificates / Keys: Sixteen (16) Processing Cores 32 GB RAM 5 GB Disk Space Note: Achieving required processing cores and memory can be done horizontally by adding additional servers. This is usually the recommended approach to scaling for certificate estate size Venafi. All Rights Reserved. 11

12 OS & Required Features All Venafi Platform Application Servers: Microsoft Windows Server 2012R2 / 2016 Microsoft.NET Framework and higher Microsoft.NET 3.5 (Not installed by default on Windows 2012R2 / 2016) 2018 Venafi. All Rights Reserved. 12

13 OS & Required Features (Continued) Venafi Platform Application Servers with web interfaces: Internet Information Services (IIS) Server Role Required IIS Application Development Features 2012R2: ASP, ASP.NET 3.5, ASP.NET 4.5, ISAPI Extensions, ISAPI Filters,.NET Extensibility 3.5,.NET Extensibility : ASP, ASP.NET 3.5, ASP.NET 4.6, ISAPI Extensions, ISAPI Filters,.NET Extensibility 3.5,.NET Extensibility 4.6 Microsoft URL Rewrite 2.1 or higher Venafi. All Rights Reserved. 13

14 Database Requirements Supported Databases: Microsoft SQL Server 2012 SP2 through GB of space for every 5,000 certificates, per month of log retention 50K-250K Certificates / Keys: Four (4) Processing Cores 16 GB RAM 1 Million+ Certificates / Keys: Sixteen (16) Processing Cores 64 GB RAM 2018 Venafi. All Rights Reserved. 14

15 Database Access Windows Authentication or SQL authentication to the MSSQL database is supported. All Venafi Platform servers must use the same method of authentication. The roles db_datareader, db_datawriter, and execute rights for the Venafi database are required. Considerations for Windows Authentication: Venafi Platform servers must be joined to an Active Directory domain. Required for services and web application pools to be started and run as the AD service account. The AD service account must be a member of the local Administrators group on all Venafi Platform application servers. Typically the AD service account will be granted interactive login rights, and be used for performing Venafi Platform installation and upgrades. Alternatively, a separate account may be used for this purpose, but will require the same permissions to the database Venafi. All Rights Reserved. 15

16 Required Infrastructure Identity Providers The Venafi Platform supports integration with external Identity Providers. Active Directory (AD) LDAP Requires valid service account with read permissions to the directory. Requires a valid service account with read permissions to the directory. Can leverage trust relationships between domains for authentication. LDAP providers require attribute mapping files be customized for various LDAP vendors. Connections to specific domain controllers are explicitly defined. Simultaneous connections to multiple identity providers is possible Venafi. All Rights Reserved. 16

17 AD Identity Provider Best Practices Single-Forest / Multi-Domain AD implementations Multiple-Forest Implementations Domains within a single forest have an implicit 2- way trust relationship Trust relationship between forests: Leverage AD trust relationship(s) and Implement a single AD Identity provider Implement a single AD Provider targeting the Root Forest Domain No trust relationship between forests: Implement separate AD Identity Providers 2018 Venafi. All Rights Reserved. 17

18 Logging How Event Processing Works TPP Server Log Processor: - Evaluates Message Queue against the Notification Rules - Takes action if there s a match - Writes record to log tables in database LOG info Message Queue Process Logs Notification Rules Send Send to Splunk Write to File TPP Server TPP Server Log Processor Adaptable Log Driver 2018 Venafi. All Rights Reserved. 18

19 Logging Best Practices Log Processing Servers Leverage multiple Venafi Platform servers for log event processing. Ensure all log processors are able to reach intended endpoints. i.e. SMTP, syslog, Splunk, SNMP, etc. Log Retention Log retention within the application is for operational troubleshooting. Usually days Consider using a SEIM or other external system for long-term audit retention Venafi. All Rights Reserved. 19

20 Required Infrastructure SMTP Relay In order to send notifications and reports, it is necessary to specify an SMTP relay server. The relay server must be accessible to all Venafi Platform servers responsible for Log Processing. More info: Venafi. All Rights Reserved. 20

21 Other Infrastructure Hardware Security Modules The Venafi Platform uses a AES256 key to encrypt all sensitive data (private keys, credentials, etc.) written to the database. It is possible to store the AES256 key on an HSM instead of a software-based key stored by Windows DPAPI. Venafi supports SafeNet Luna and Thales based HSMs using a PKCS#11 standard interface. Important: All Venafi Platform servers must maintain connectivity to the HSM(s) at all times. Loss of HSM connection will result in the shutdown of that Venafi Platform engine Venafi. All Rights Reserved. 21

22 Number and Placement of Venafi Platform Servers Primary factors that dictate the number of required Venafi Platform servers: Certificate & Key estate size Use additional Venafi Platform servers to Scale-Out instead of Scale-Up. See System Requirements for server sizing information. Disaster recovery (DR) and high-availability (HA) Usually implement a minimum of 2 servers in a production environment. Placement of one or more Venafi Platform servers in a backup datacenter is common. Separation by Venafi Platform module i.e. Dedicated certificate processing engines with UI only servers. Physical and logical network segmentation = Network Zones Network access for Network Discovery, Validation, and Provisioning may dictate network location requirements for multiple servers Venafi. All Rights Reserved. 22

23 Number and Placement of Venafi Platform Servers Certificate Authority Database Active Directory Certificate Authority SMTP Relay Active Directory Certificate Authority 2018 Venafi. All Rights Reserved. 23

24 Other Preparation Common Firewall Rules Port Source Destination Description TCP 1433 All Venafi Platform Server(s) SQL Database Server MSSQL database access TCP 80, 443 Users logging into Venafi; Server Agents, REST Endpoint 2018 Venafi. All Rights Reserved. 24 Venafi Platform UI Servers All web interfaces utilize URL rewrite to require HTTPS TCP 389, 636 All Venafi Platform Server(s) AD Domain Controllers Authentication & lookup TCP 22 Venafi Platform SSH Manager Server(s) SSH Agentless client hosts TCP 135, TCP 443 Venafi Platform Certificate Processing Server(s) Venafi Platform Certificate Processing Server(s) Microsoft Certificate Authorities External CAs SSH key discovery and management More Info: Most public/external CAs are accessed over HTTPS. May also use a proxy. TCP 25 Venafi Platform Log Processing Server(s) SMTP Relay Used to send notifications and reports UDP 514 Venafi Platform Log Processing Server(s) Syslog Endpoints Used when forwarding log events to syslog TCP 8089 Venafi Platform Log Processing Server(s) Splunk Indexer Used when forwarding log events to Splunk More info:

25 Other Preparation Notes Service Accounts SQL Server database access requires that an account be configured with appropriate permissions: Built-in SQL Account (SQL Authentication) Active Directory Account (Windows Authentication) Active Directory Identity Provider requires a valid account for searching AD No specific permissions required If using Windows Authentication for database, can use the AD Venafi Platform SQL service account Microsoft CA requires an AD account with template read & enroll access, certificate issuance and import processes More info: Venafi. All Rights Reserved. 25

26 Other Preparation Notes Certificate Authorities Review documentation specific to CAs in use Some CAs require specific configuration or accounts be created to access APIs. May require contacting CA specific support or account teams for setup. More info: Venafi. All Rights Reserved. 26

27 Other Preparation Notes - SSH Key Management Agentless SSH key discovery and remediation Supported on: Linux kernel 2.6 AIX 6.1 (or later) Solaris 8 (or later) HP-UX (or later) IBM z/os Requires an SSH User account used to connect to each SSH device Privilege Elevation How will the agentless account elevate privileges? Sudo - Standard sudo Linux protocol for elevating privileges Support for other PAM (privileged access management) tools 2018 Venafi. All Rights Reserved. 27

28 Other Preparation Notes - SSH Key Management Features for Agent Supports key usage monitoring SSH / sudo account is not required (Runs as Service).. No service account needed The Server Agent can provision to the following keystores: PEM GSK JKS JKCS PKCS# Venafi. All Rights Reserved. 28

29 Other Preparation Notes - SSH Key Management Agent-based SSH Key Discovery and Remediation Agent Operating systems supported: Windows 7, Server Red Hat Enterprise Linux (RHEL) 4.5, 5, 6, and 7 SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11 CentOS AIX 5.3 (PPC), AIX 6 (PPC), and AIX 7 (PPC) Solaris 8 (or later) HP-UX 11 (Itanium) Requires CRL Distribution Points (CDPs) are accessible for agent-enabled systems 2018 Venafi. All Rights Reserved. 29

30 Other Preparation Change Controls Plan ahead of the change control approval cycle Required Servers Database requirements Network resources Local Venafi Platform Credentials AD Credentials AD Groups designated for Venafi Platform roles Access to MS CAs and AD Templates Admin & Operations Automated nightly backups Network firewall rules and policies Agentless SSH account SMTP messaging SIEM / syslog account, traffic preparations 2018 Venafi. All Rights Reserved. 30

31 What Do You Remember? 1. What are the two UI s that handle, Certificate Management, Logging, Notifications and Monitoring? Answer: Aperture and WebAdmin 2. All Venafi Platform servers must connect to the same what? Answer: SQL Database 3. Since the Venafi Platform does not share sessions between servers it is important to configure the load balancer to always reconnect to the same Venafi Platform server. What is this called? Answer: Session Persistence or Sticky Sessions 4. What additional components need to be installed when preparing Windows Servers? Answer: Microsoft.NET 3.5 & URL Re-Write Module 5. The SMTP relay servers must have access to the servers for log processing? Answer: Venafi Platform 6. The number and placement of Venafi Platform Servers are dictated by what 4 primary factors? Answer: Certificate and Key size, Disaster recovery and High-Availability, Venafi Platform module separation, Network zones 2018 Venafi. All Rights Reserved. 31

32 2018 Venafi. All Rights Reserved. 32 Discussion and Questions