VSP16. Venafi Security Professional 16 Course 04 April 2016


VSP16 Prerequisites
- Course intended for: IT Professionals who interact with Digital Certificates
- Also appropriate for: Enterprise Security Officers, Public Key Infrastructure (PKI) Administrators

VSP16 Prerequisites
- Terms & acronyms you should be familiar with: Digital Certificate, Revocation, CSR, Certificate Authority, SSL/TLS, DNS, IP Address, Database, SMTP, HTML

VSP16 Outline (4 Hour Course)
- Module 1: Introduction to Aperture & Enrolling a Certificate
- Module 2: Policy & Workflow
- Module 3: Lost & Found, Revocation, and Validation
- Module 4: User Portal
- Module 5: Intro to Web Admin & Certificate Objects
- Module 6: Devices, Applications, & Provisioning

Module 1: Introduction to Aperture & Enrolling a Certificate

Venafi Trust Protection Platform
- Venafi Trust Protection Platform (Venafi Platform) is the security platform for all Venafi products
- Aperture is a certificate security portal designed for IT Professionals who use certificates

Before Venafi
- Certificates were managed in spreadsheets or home-grown solutions
- No way to enforce corporate security standards on certificates
- Private keys were mishandled
- Corporate security compromised by regular outages due to certificate expiration
- No central control over encryption assets

After Venafi
- One secure location to manage & protect all keys and certificates
- System policies and rights allow corporate security enforcement
- Private keys and certificates can be automatically installed on target systems
- RENEWAL of certificates and ROTATION of keys is automated

Venafi Browser Support

Meet Alice Smith
- Works in the Venafi Utah datacenter facility
- Member of the Application Team
- Responsible for IIS, Apache, and in-house applications that utilize Microsoft key stores and a Java KeyStore (JKS)

Alice Needs a Certificate
- Alice is bringing a new HR system into production
- To make sure data transmissions are encrypted and employees know it is a trusted site, she needs a certificate for the web application

Alice Logs into Aperture
- URL is https://[server]/aperture/ (e.g. vspopenenrollment.lab.venafi.com/aperture/)
- Typically login with enterprise credentials

Aperture Dashboard
- This is Alice's first time logging into Aperture; the initial page is called the Dashboard

Certificate Inventory
- The Certificate Inventory is where all certificates that a user has been granted permission to view are stored
- Alice doesn't have any certificates

Create New Certificate
- Alice needs a new certificate. She chooses Create New Certificate in the Certificate Inventory

Choose Certificate Location
- Alice needs to select a location that is appropriate for the type of certificate she is creating
- A location is a digital folder that is created by your Venafi administration team

Search Certificate Location
- If Alice had been given a large number of locations to choose from, she can search from the dropdown menu for the proper location

Nickname, Description, & Contacts

Tooltips

Certificate Signing Request
- Alice can have Venafi TrustAuthority generate the private key and CSR

Certificate Signing Request
- Alice can generate her own CSR and upload it to Venafi
- Venafi will check the CSR to make sure values meet corporate security requirements and standards, such as certificate key length

Additional Certificate Fields
- Add additional DNS SANs to the certificate
- Specify who needs to approve this certificate prior to issuance
- Reuse Private Key
- Automatic Renewal
- Choose Certificate Authority & Template

Successful Submission Confirmation
- After clicking Submit, Alice will receive a confirmation that her request has been successfully submitted for processing

Certificate Overview and Status
- As soon as Alice clicks Close on the submission confirmation window, she will be taken directly to the certificate in Aperture

Email Confirmation
- Alice will also receive an email confirmation that enrollment of her certificate has begun

Email Notification
- Alice receives an email notification to inform her that her certificate is ready to be downloaded
- The link in the email takes her directly to her certificate in Aperture

Certificate Details

Show All Properties

Certificate Download
- File types available for certificate download:

Renewal Details
- Allows you to review the values that will be used when the certificate is next renewed

Edit Renewal Details
- Allows you to make changes to the renewal details

Edit Renewal Details
- Same wizard as when the certificate was originally requested

Renew Now
- Review settings prior to renewal

Module 1 Competencies
- Understand the common acronyms
- Be able to log into Aperture
- Find and view your certificates

Module 1 Review
- What web browser(s) are supported?
- What is a certificate nickname?
- How does Venafi improve security of digital keys and certificates?
- Does Venafi force you to upload a CSR to request a certificate?
- What file formats are available when downloading a certificate?

Module 2: Policies & Workflow (Locked, Suggested & Approvals)

Policies
- Your Venafi Administrator can set policies in place that lock or suggest values for specific fields
- These policy values can be system-wide or location-specific

Locked Policies
- When your Venafi Administrator sets a locked policy for a specific field, that value is always used for new certificate renewals
- Fields that cannot be changed due to policy locks are removed from view during the Create New Certificate wizard

Suggested Policies
- When your Venafi Administrator sets a suggested policy for a specific field, that field will show up in Aperture with the default value that was set in policy
- Fields with suggested policy values can be changed if needed in Aperture

No Policy
- If there is no suggested or locked policy, fields will be blank when new certificates are created

Alice Needs a New Certificate
- Alice is working on the new Venafi Threat Center website
- Alice needs an SSL certificate that is publicly trusted for customers visiting the site

Choosing the Appropriate Location

Locked Policy Takes Effect
- Only the Common Name field is displayed on the Certificate Signing Request page
- All other fields are hidden because they have been preconfigured by your Venafi Administrator via locked policy

CA Vendor Specific Fields

Meet Susan Johnson
- Manages Venafi's Utah datacenter
- Applications, Authentication, Infrastructure, & Operations all report to Susan
- Susan approves all certificate enrollments and revocations for the Utah datacenter

Notification for Needed Approval
- Susan receives an email each time her approval is needed
- Clicking on the link takes her directly to the certificate for review and processing

Approver Certificate Details

Review & Approve
- Values with a lock icon are forced by policy
- Susan can specify an optional comment and Reject or APPROVE the certificate

Additional Info about Workflows
- When multiple individuals or a group is specified for a single approval, anyone specified can approve or reject
- Certificates may require multiple levels of approval by various entities (manager, Venafi Administrator, Finance)
- If an approver rejects a workflow, the certificate is placed in an error state for review

Dashboard
- With a large certificate inventory, the Dashboard Widgets give you quick access to vital information about your certificates

Module 2 Lab: Requesting and Approving Certificates
- Be able to request a certificate
- Approve necessary workflows
- Review out-of-the-box notifications generated

Module 2 Review
- What effect do locked policy values have on Aperture?
- What effect do suggested policy values have on Aperture?
- Are policy settings location-specific or system-wide?
- How is someone notified that a certificate is pending their approval?

Module 3: More Aperture Features (Lost & Found, Validation, & More)

Meet Frank Walton
- Works on the Infrastructure team in the Utah datacenter
- Primarily responsible for Load-Balancers, Firewalls, Routers, and Switches

Frank Is Looking for Certificates
- Frank is responsible for approximately 70 different certificates on devices that he manages
- Frank wants all of his certificates protected by Venafi. He wants to make sure he is notified when any of his certificates nears expiration
- He currently only sees 16 certificates under his name in Aperture

Lost & Found
- Frank looks in the Certificate Inventory and uses the quick filter to search for Lost & Found, which contains a list of unclaimed certificates that the Venafi Administrator has discovered
- Frank can search for certificates that are his and move them to locations that he manages

Filtering an Aperture List
- Frank doesn't want to scroll through all the certificates, so he utilizes the search feature in Aperture to narrow the results
- On the left side of the certificate inventory, Frank can apply various filters to search for specific certificates by expanding any of the five categorized search containers

Filtering an Aperture List

Take Ownership

Review Renewal Details

Take Ownership Confirmation
- After the certificate has been successfully claimed, Frank will receive a confirmation

SSL/TLS Validation
- Network Validation confirms that the correct certificate is working and being used on the application and network

SSL/TLS Validation
- How SSL/TLS Validation works:
  1. Venafi contacts the server hosting the SSL certificate, pretending to be a web browser
  2. Venafi receives the certificate from the server
  3. Venafi compares the certificate in its secure database with the certificate presented by the server
  4. Validation is successful when the certificates are a match

Enable Network Validation
- Your Venafi Administrator may disable SSL/TLS Validation by default to prevent an abundance of Validation Failure email notifications

Daily Network Validation
- SSL/TLS Validation is automatically performed daily, by default at midnight
- Can also be triggered manually by clicking Validate Now

Failed Validation
- If Validation fails, an email notification is sent to certificate contacts
- The certificate is put in Urgent status to fix validation settings or fix the server
- If network validation isn't possible, it should be disabled on the certificate
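The validation loop described on these slides, as an added example in Python that is not part of the course material or of Venafi's product code. It handshakes with the server the way a browser would, takes the certificate the server actually presents, and compares its SHA-256 thumbprint with the thumbprint of the certificate held in the inventory; a mismatch or an unreachable server moves the record to Urgent and lists the contacts to email, while a record whose network validation has been disabled is skipped instead of generating failure noise. The CertificateRecord type, the status labels, the thumbprint algorithm and the function names are assumptions made for this example; the empty stored DER in the usage at the bottom is a placeholder for the real certificate bytes.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertificateRecord:
    """Minimal stand-in for an inventory certificate object (constructed for this example)."""
    common_name: str
    host: str
    port: int
    stored_der: bytes                 # DER bytes of the certificate held in the secure database
    contacts: List[str]               # who receives the Validation Failure email
    network_validation: bool = True   # admins may disable validation (see 'Enable Network Validation')
    status: str = "OK"


def thumbprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, upper-case hex with colon separators."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Handshake like a browser would (TLS with SNI) and return the leaf certificate as DER.
    Chain verification is switched off deliberately: the point is to see what the server
    actually presents, so a wrong or self-signed certificate is returned, not raised on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def validate(record: CertificateRecord, presented_der: Optional[bytes]) -> dict:
    """Compare the presented certificate with the stored one and update the record's status.
    Returns the new status, both thumbprints and the contacts that should be emailed."""
    notify: List[str] = []
    presented_tp: Optional[str] = None
    if not record.network_validation:
        record.status = "Validation Disabled"      # assumed label for the disabled case
    elif presented_der is None:
        record.status = "Urgent"                   # no certificate could be retrieved at all
        notify = list(record.contacts)
    elif thumbprint(presented_der) == thumbprint(record.stored_der):
        record.status = "OK"
        presented_tp = thumbprint(presented_der)
    else:
        record.status = "Urgent"                   # a different certificate is being served
        presented_tp = thumbprint(presented_der)
        notify = list(record.contacts)
    return {
        "common_name": record.common_name,
        "status": record.status,
        "expected": thumbprint(record.stored_der),
        "presented": presented_tp,
        "notify": notify,
    }


def validate_over_network(record: CertificateRecord) -> dict:
    """Daily-job entry point: fetch the live certificate, then validate. Connection and
    handshake failures are treated as 'nothing presented' rather than as crashes."""
    if not record.network_validation:
        return validate(record, None)
    try:
        presented = fetch_presented_cert(record.host, record.port)
    except (OSError, ssl.SSLError):
        presented = None
    return validate(record, presented)


if __name__ == "__main__":
    # Live usage: replace the empty stored_der placeholder with the DER of the expected certificate.
    rec = CertificateRecord("www.example.com", "www.example.com", 443,
                            stored_der=b"", contacts=["alice@example.com"])
    print(validate_over_network(rec))
```

validate() is the comparison the daily run and Validate Now would both perform; validate_over_network() only adds the network fetch, so the status logic can be exercised offline with constructed bytes before it is pointed at a real host.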

Revocation
- When we revoke a certificate, we send a request to the issuing Certificate Authority asking that it no longer vouch for the validity of the certificate
- When web browsers see a certificate, they will check the Certificate Authority's revocation list. If the certificate is on the list, the certificate will be considered invalid

Why Revoke?
- For the same reason we disable unnecessary ID badges that grant access to a secure building, we must also revoke digital certificates that are no longer needed
- Someone with a valid certificate and private key can gain unauthorized access to enterprise resources

How to Revoke
- When viewing the Details page for a certificate, click the Revoke button in the Expiration section

How to Revoke
1. Select a reason
2. Provide a comment
3. Click Revoke
4. Page banner will reflect status

Custom Fields
- Admins can configure custom fields to gather specific information when certificates are requested

Module 3 Lab: Validation & Revocation
- Request a new certificate and revoke it

Module 3 Review
- What are Lost certificates?
- What is Network Validation?
- When does Network Validation occur?
- What happens if Network Validation fails?
- Why is it important to revoke certificates not in use?

Module 4: User Portal (End User Certificate Request Portal)

User Portal Introduction
- Venafi has introduced a new End User Self-Enrollment Portal as part of the TrustAuthority Mobile product
- Built for company employees to request and install user certificates

Features
- Secure
- Easy to Use
- Supports User Certificates
- Supports automatic certificate installation on iOS 7 and Android 4.4 and IE10 or greater
- Supports multiple layers of approval
- On IE 10, the Private Key and CSR can be generated in the user's browser

Certificate Selection
- Alice is shown certificates that she has been given rights to request
- Note: Your Venafi Administrator has control over all messages on the portal. Your portal will probably be different than the example in the slides

Certificate Selection
- Alice needs a certificate for her iPad to authenticate to the company Wi-Fi

Confirmation
- Alice receives a confirmation of the successful submission request
- The company identity management team will review the request and approve

Certificate Ready Email
- After the request is approved, Alice receives an email with instructions and a secure link to download the certificate

Login on iPad
- Alice opens the email on her iPad and logs in with her corporate credentials

Download on iPad
- Alice reads the instructions and clicks Download
- Note: This page also tells Alice how many times she is allowed to download the certificate (default value is 3 times)

Choose Password
- Alice must choose a secure password to protect the certificate while it is being downloaded

Confirm Password
- iOS will detect that a certificate is being downloaded and prompt Alice for the password she just chose to begin the certificate install

Certificate Install Success
- iOS will show that the certificate was installed successfully

Certificate Details
- Clicking on the certificate will show the certificate details

User Portal
- Closing the certificate screen in iOS will return Alice to the portal page

Module 4 Lab: User Certificates
- Enroll Authentication and Email certificates using the End User Portal

Module 4 Review
- What is the functional purpose of the User Portal?
- What three features of the User Portal did we discuss?
- On what types of devices or applications can the User Portal automate the installation of the certificate?

Module 5: Web Administration Console (Advanced Certificate Features)

Web Administration Console
- Central administration console for Venafi Trust Protection Platform
- Advanced features in TrustForce for SSL for keeping certificates secure
- Known as Web Admin
- Same rights and login credentials apply to Web Admin and Aperture

Advanced Certificate Features
- Automatically install certificates on supported applications and appliances
- Check revocation status of certificates
- Track multiple instances of single certificates (one-to-many)
- Access archived certificates
- Fix errors in certificate processing
- View logs
- File & keystore validation (Onboard Validation)
- Upload certificate from file
- Import certificate from web server

Web Admin Overview

Types of Objects in Web Admin
- Policy Object
- Certificate Objects
- Device Objects
- Application Objects
- Credential Objects

Certificate Types in Web Admin
- Server Certificate
- User Certificate
- Client Device Certificate
- The Web Administration Console has three types of certificate objects. The main differences are:
  - User certificates cannot be validated or automatically provisioned
  - User and client device certificates are licensed differently than server certificates

Certificate Type Examples

Certificate Summary Status
- Status Icon & Message: the status icon and associated message describe the current condition of the certificate
  - There is no processing or error. Status message says OK.
  - The certificate is being processed. The status message and stage state the current condition.
  - There is a problem and the certificate is not functioning. The status message provides a description of the problem.

Certificate Summary Top Half

Fixing Processing Errors
- Restart clears the error, resets the certificate processing stage to zero and starts processing again from the beginning
- Retry clears the error & retries the last failed operation in processing
- Reset clears the error and brings the certificate out of a processing state
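A small model of those three operator actions, added here as an example rather than taken from Venafi's implementation. It walks a certificate through the processing stages named on the Module 6 "Renewing and Provisioning" slides, lets one stage (posting the CSR to the CA) fail, and then shows what differs between Retry, which clears the error and re-runs from the failed operation onward, Restart, which goes back to stage zero (so the key pair is generated a second time), and Reset, which clears the error and leaves the processing state without running anything. The CertificateProcessing class, the flaky_ca stand-in for a CA that rejects the first submission, and simulate() are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Stage names follow the Module 6 "Renewing and Provisioning" slide sequence.
STAGES: List[str] = [
    "Queued for Renewal",
    "Processing Started",
    "Preparing the Certificate for Processing",
    "Check Application for Key Store",
    "Create & Configure Key Store",
    "Create Private & Public Key Pair",
    "Create Certificate Signing Request",
    "Post CSR to Certificate Authority",
    "Certificate Authority Approval",
    "Retrieve Certificate from CA",
    "Automated Installation of Certificate",
    "Verify Application Configuration",
    "Configure Application",
    "Application Restart",
    "Application Processing Completed",
    "Validation Initiated",
    "Validation Successful",
]

Handlers = Dict[str, Callable[[], None]]


@dataclass
class CertificateProcessing:
    """Hypothetical model of a certificate object's processing state (not Venafi's code)."""
    stage: int = 0                      # index into STAGES of the next operation to run
    processing: bool = False
    error: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def run(self, handlers: Handlers) -> Optional[str]:
        """Execute stages in order. A handler that raises puts the certificate in an error
        state at that stage; nothing after it runs until an operator picks Restart/Retry/Reset."""
        self.processing = True
        while self.stage < len(STAGES):
            name = STAGES[self.stage]
            try:
                handlers.get(name, lambda: None)()   # stages without a handler are no-ops here
            except Exception as exc:                 # any driver or CA failure lands here
                self.error = f"{name}: {exc}"
                self.log.append(f"ERROR stage {self.stage} {name}: {exc}")
                return self.error
            self.log.append(f"OK stage {self.stage} {name}")
            self.stage += 1
        self.processing = False
        return None

    def restart(self, handlers: Handlers) -> Optional[str]:
        """Restart: clear the error, set the stage back to zero, process from the beginning."""
        self.error = None
        self.stage = 0
        return self.run(handlers)

    def retry(self, handlers: Handlers) -> Optional[str]:
        """Retry: clear the error and re-run the operation that failed (stage index is kept)."""
        self.error = None
        return self.run(handlers)

    def reset(self) -> None:
        """Reset: clear the error and leave the processing state without running anything."""
        self.error = None
        self.processing = False


def flaky_ca(fail_times: int) -> Callable[[], None]:
    """Constructed stand-in for a CA that rejects the first `fail_times` submissions."""
    calls = {"n": 0}

    def post_csr() -> None:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise RuntimeError("CA unreachable")
    return post_csr


def simulate(action: str) -> dict:
    """Run a renewal where the CA fails once, apply `action` ('retry', 'restart' or 'reset'),
    and report how often the key pair was generated and where processing ended up."""
    keygen_calls = {"n": 0}

    def generate_key_pair() -> None:
        keygen_calls["n"] += 1

    handlers: Handlers = {
        "Create Private & Public Key Pair": generate_key_pair,
        "Post CSR to Certificate Authority": flaky_ca(1),
    }
    cert = CertificateProcessing()
    first_error = cert.run(handlers)
    if action == "retry":
        cert.retry(handlers)
    elif action == "restart":
        cert.restart(handlers)
    elif action == "reset":
        cert.reset()
    return {
        "first_error": first_error,
        "keygen_calls": keygen_calls["n"],
        "final_stage": cert.stage,
        "processing": cert.processing,
        "error": cert.error,
    }


if __name__ == "__main__":
    for action in ("retry", "restart", "reset"):
        print(action, simulate(action))
```

The count of key-pair generations is the practical difference between the first two actions: a Restart produces a new private key and a new CSR, a Retry keeps the ones already made and only repeats the CA submission, which matters when the CA has already seen the first CSR.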

Certificate Summary Bottom Half

Certificate Settings Top Half

Certificate Settings Bottom Half

Associations

Compliance

History

Network Validation

Logging

Logging Options

Module 5 Lab: Enrolling a Certificate in Web Admin
- Get familiar with the Web Administration Console
- Create, Approve, & Download a certificate in Web Admin

Module 5 Review
- What are the three types of certificates?
- How does TrustAuthority treat these certificate types differently?
- What are the differences between Restart, Retry, Reset?
- What information does the Compliance Tab show?
- What host address is used for network validation?
- What is the default port for network validation?

Module 6: Venafi TrustForce SSL (Automated Installation of Certificates)

Provisioning
- At the TrustForce licensing level (formerly called Provisioning), Venafi provides the greatest level of security and protection for enterprise certificates
- TrustForce SSL can automatically install the certificate on the target application and configure it for use
- No manual handling of certificate or private key
- Requires Management type to be set to Provisioning
- Requires an association (link) between the certificate object and the application object

Credential Objects
- Credential objects allow administrators to:
  - Let Trust Protection Platform users utilize credentials in a controlled way without having direct access to the credentials themselves
  - Limit the rights of who can use the credentials
  - Update credentials more easily when they need to be rotated (e.g. update the password on the credential object when a password expires, instead of at each location where the credential is used)

Types of Credential Objects
- Password (password only)
- Private Key
- Username (username & password)
- Certificate
- Generic (used for Entrust Security Manager CA)

Devices
- All device objects have the same fields available
- Are stored on the policy tree
- Are containers for application objects
- Have connection settings and other values that are applicable to multiple application types

Device Settings
- Hostname is a required field
- Device credential allows for specifying the credential once for multiple applications
- Some application drivers require a temp directory to be specified for provisioning

Application Objects
- Application objects are always placed under device objects
- Multiple application objects can exist under one device object
- Provide specific configuration information to provision and validate certificates

General Application Settings

PEM Driver

CAPI Driver

Basic Application Object
- Generic placeholder for application objects
- Used when you don't know the application type or the application type isn't supported by TrustForce for SSL
- Basic application objects can be converted to other types

Onboard Validation
- Only configured on application objects for provisioning certificates
- Uses the application's supported management protocol
- Connects to the application, physically locates the certificate file and compares serial number and thumbprint
- On-Board Validation results can be seen on the associated certificate object's Summary tab or the application object's Validation tab

Onboard Validation

Renewing and Provisioning (processing stages, in order)
1. Queued for Renewal
2. Processing Started
3. Preparing the Certificate for Processing
4. Check Application for Key Store
5. Create & Configure Key Store
6. Create Private & Public Key Pair
7. Create Certificate Signing Request
8. Post CSR to Certificate Authority
9. Certificate Authority Approval
10. Retrieve Certificate from CA
11. Automated Installation of Certificate
12. Verify Application Configuration
13. Configure Application
14. Application Restart
15. Application Processing Completed
16. Validation Initiated
17. Validation Successful

Module 6 Lab: Provisioning
- Create a Device and Application object
- Provision a certificate to IIS using the CAPI driver

Module 6 Review
- At what stage do we upload a CSR to the Certificate Authority?
- At what stage do we download the certificate from the Certificate Authority?
- At what stage do we install the certificate on the application?
- What type of application objects require a device object?

Module 7: VSP16 Course Review

Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. 2014 Venafi Proprietary and Confidential.