Venafi Platform Architecture 1: Architecture Basics (Professional Services, Venafi)
Venafi Platform Architecture 1: Architecture Basics. Professional Services. 2018 Venafi. All Rights Reserved.

Goals
1. Architecture Basics: an overview of the Venafi Platform.
2. Required Infrastructure: services required for operation.
3. Number of Servers: determining the number and placement of Venafi Platform servers.
4. Other Preparation: other services required (CAs, accounts, firewalls, etc.).
5. Questions: discussion of questions or specific use-cases.

Architecture Basics: Application Hierarchy (diagram)
Users and automation endpoints connect through the interfaces: Aperture, WebAdmin, REST API, Agent API.
Platform services: Certificate Management, Network Discovery, Logging, Notifications and Reporting, Monitoring, Validation, SSH Management.
SQL Database: Cert Inventory, Cert Keys, SSH Keys, TPP Configuration, TPP Agents.

Processing Modules Overview (diagram)
IIS applications (UI): SCEP (NDES emulation), User Enrollment Portal, Client Server Agent.
Processing modules: CA Import Manager, Certificate Manager, Certificate Pre-Enrollment, Discovery, Onboard Discovery Manager, SSH Manager, TrustNet Manager, and other processing modules.

Architecture Basics: Multiple Servers (diagram)
Three Venafi Platform servers (TPP01, TPP02, TPP03) share one SQL Database (Cert Inventory, Cert Keys, SSH Keys, TPP Configuration, TPP Agents). Users reach Aperture and WebAdmin on a server running Certificate Management, Logging, Notifications and Reporting, and Monitoring; automation endpoints reach the REST API and Agent API on servers running Network Discovery, Validation and TPP Agents; a further server runs SSH Key Management.

Processing Modules (columns: Module / Best Practice / Partitioning / General Purpose)
- CA Import Manager. Best practice: 1 or 2. Partitioning: No. Purpose: connects to a Microsoft CA and downloads all issued certificates; the data is used to populate the Venafi Platform with the certificates in the environment to manage.
- Certificate Manager. Best practice: 1 per isolated network segment where enrollment or provisioning occur. Partitioning: Yes. Purpose: certificate lifecycle.
- Certificate Pre-Enrollment. Best practice: 1 or 2. Partitioning: No. Purpose: pre-enrolls user certificates by processing identity groups.
- Discovery. Best practice: 1 per isolated network segment; additional instances improve throughput in large segments. Partitioning: Yes* (zones). Purpose: performs Network Discovery in an attempt to collect SSL certificates and SSH host keys.
- Monitor. Best practice: 1 or 2. Partitioning: No. Purpose: evaluates objects for expiration and generates events when needed.
- Onboard Discovery Manager. Best practice: 1 or 2 per isolated network segment where appliance discovery is performed. Partitioning: Yes. Purpose: connects to appliances to gather an inventory of their SSL configuration (currently only supports F5).
- Reporting. Best practice: 1 or 2. Partitioning: No. Purpose: generates canned and custom reports.
- SSH Manager. Best practice: minimum 1 per network segment where SSH is used; 2000 devices per processor core for once-per-day discovery. Partitioning: Yes (required for agentless). Purpose: SSH background calculations (statistics, violations), SSH rotation engine, SSH agentless discovery, SSH agentless remediation.
- TrustNet Manager. Best practice: 1 or 2. Partitioning: No. Purpose: communicates with TrustNet to gather data.
- Validation Manager. Best practice: 1 per isolated network segment. Partitioning: Yes. Purpose: triggers on-board and network validation.
- Cloud Instance Monitor. Best practice: 1 or 2. Partitioning: Yes. Purpose: cleans up Venafi Platform inventory based on cloud inventory.
- Logging (Service). Best practice: 1 or 2. Partitioning: No. Purpose: processes the incoming log events queue, records events to the Default Log Channel, and sends notifications based on configured rules.

IIS Applications (columns: Module / Best Practice / Partitioning / General Purpose)
- VEDClient. Best practice: for SSL certificate management, 1 VEDClient pool per 10,000 agents checking in for certificate provisioning every hour (randomized) and for discovery every day with randomization set to over an hour; for SSH management, 1 VEDClient pool per 1,000 agents checking in for remediation every 15 minutes and for discovery every hour. Partitioning: N/A. Purpose: contains the API used for communication with agents.
- VEDSCEP. Best practice: 1 per isolated SCEP client network zone. Partitioning: N/A. Purpose: allows SCEP clients to connect and make certificate requests.
- certsrv. Best practice: 1 per SCEP client network zone. Partitioning: N/A. Purpose: emulates Microsoft's Network Device Enrollment Services.
- VEDSDK. Best practice: 1 per isolated network zone where API services are required. Partitioning: N/A. Purpose: provides REST-based API access.
- VEDAdmin. Best practice: minimum 1 per Venafi Platform environment. Partitioning: N/A. Purpose: web administration console; the target user is the Venafi Platform admin.
- Aperture. Best practice: minimum 1 per Venafi Platform environment. Partitioning: N/A. Purpose: web administration console; the target users are departmental admins, certificate owners and all SSH operations. WebAdmin functionality is being migrated to this console.
- VACME. Best practice: minimum one instance per TPP environment where the service is desired. Partitioning: N/A. Purpose: protocol for certificate management automation between CAs and subscribers.

Database Design & Disaster Recovery
Important! All Venafi Platform servers must connect to the SAME instance of the database. Use of a secondary database for disaster recovery (i.e. log shipping/replication) is allowed only when all Venafi Platform instances use a single active database.

Database DR & HA
Microsoft SQL Server Always On Availability Groups are officially supported as of Venafi Platform version 17.1. The Always On Availability Groups feature is a high-availability and disaster-recovery solution. Introduced in SQL Server 2012, Always On Availability Groups maximizes the availability of a set of user databases for an enterprise. For more information see: https://msdn.microsoft.com/en-us/library/hh510230(v=sql.120).aspx

Load Balancing Web Interfaces
It is possible to place the Venafi Platform web-based services behind a load balancer such as an F5 LTM or Citrix NetScaler.
Load balancer considerations:
- The Venafi Platform does not share sessions between servers, so persistence (usually referred to as Session Persistence or Sticky Sessions) is required.
- Persistence should be maintained longer than the inactivity session timer in WebAdmin / Aperture (15 minutes).
- Any method of persistence should work, but persistence by client IP usually works best.

System Requirements: Venafi Application Server
- 50K-250K certificates / keys: two (2) processing cores, 8 GB RAM, 5 GB disk space.
- 1 million+ certificates / keys: sixteen (16) processing cores, 32 GB RAM, 5 GB disk space.
Note: the required processing cores and memory can be achieved horizontally by adding servers. This is usually the recommended approach to scaling for certificate estate size.
https://docs.venafi.com/docs/current/topnav/content/install/r-install-sysreq-allvenproducts.php

OS & Required Features
All Venafi Platform application servers:
- Microsoft Windows Server 2012 R2 / 2016
- Microsoft .NET Framework 4.6.1 or higher: http://www.microsoft.com/en-us/download/details.aspx?id=40779
- Microsoft .NET 3.5 (not installed by default on Windows 2012 R2 / 2016)

OS & Required Features (continued)
Venafi Platform application servers with web interfaces:
- Internet Information Services (IIS) server role
- Required IIS Application Development features, 2012 R2: ASP, ASP.NET 3.5, ASP.NET 4.5, ISAPI Extensions, ISAPI Filters, .NET Extensibility 3.5, .NET Extensibility 4.5
- Required IIS Application Development features, 2016: ASP, ASP.NET 3.5, ASP.NET 4.6, ISAPI Extensions, ISAPI Filters, .NET Extensibility 3.5, .NET Extensibility 4.6
- Microsoft URL Rewrite 2.1 or higher: https://www.iis.net/downloads/microsoft/url-rewrite#additionaldownloads
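The two OS slides above can be turned into a repeatable build step. The following script is an added example, not Venafi's own installer: it installs the listed Windows features and then checks the .NET 4.6.1 and URL Rewrite prerequisites; the install-media path is an assumption.

```powershell
# Added example (not Venafi's script): install and verify the prerequisites for a
# Venafi Platform server that hosts web interfaces (Windows Server 2012 R2 / 2016).
# Assumption: the Windows install media is mounted at D:\ (needed for .NET 3.5,
# which has no payload on a default install).
#Requires -RunAsAdministrator
param([string]$InstallMedia = 'D:\sources\sxs')   # assumption: media sxs folder

Import-Module ServerManager

# .NET 3.5 (NET-Framework-Core) is not installed by default; point the installer
# at the media's sxs folder.
Install-WindowsFeature -Name NET-Framework-Core -Source $InstallMedia

# IIS role plus the Application Development features from the slide. The feature
# names are the same on 2012 R2 and 2016; Web-Asp-Net45 / Web-Net-Ext45 install
# ASP.NET 4.5 on 2012 R2 and ASP.NET 4.6 on 2016.
$iisFeatures = @(
    'Web-Server',
    'Web-ASP',            # ASP
    'Web-Asp-Net',        # ASP.NET 3.5
    'Web-Asp-Net45',      # ASP.NET 4.5 / 4.6
    'Web-ISAPI-Ext',      # ISAPI Extensions
    'Web-ISAPI-Filter',   # ISAPI Filters
    'Web-Net-Ext',        # .NET Extensibility 3.5
    'Web-Net-Ext45'       # .NET Extensibility 4.5 / 4.6
)
Install-WindowsFeature -Name $iisFeatures -IncludeManagementTools

# Verification: report anything that is still not installed.
$missing = Get-WindowsFeature -Name (@('NET-Framework-Core') + $iisFeatures) |
    Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ('Features not installed: ' + ($missing.Name -join ', '))
}

# .NET Framework 4.6.1 or higher: Release value 394254 is the minimum for 4.6.1.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 394254) {
    Write-Warning ".NET Framework 4.6.1 or higher is required (Release=$release)."
}

# URL Rewrite is a separate download; once installed it registers as the global
# IIS module 'RewriteModule'.
Import-Module WebAdministration
if (-not (Get-WebGlobalModule -Name RewriteModule)) {
    Write-Warning 'Microsoft URL Rewrite 2.1 or higher is not installed (see iis.net download).'
}
```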

Database Requirements
Supported databases: Microsoft SQL Server 2012 SP2 through 2016.
Disk: 1 GB of space for every 5,000 certificates, per month of log retention.
- 50K-250K certificates / keys: four (4) processing cores, 16 GB RAM.
- 1 million+ certificates / keys: sixteen (16) processing cores, 64 GB RAM.

Database Access
Windows Authentication or SQL authentication to the MSSQL database is supported. All Venafi Platform servers must use the same method of authentication. The roles db_datareader and db_datawriter, and execute rights on the Venafi database, are required.
Considerations for Windows Authentication:
- Venafi Platform servers must be joined to an Active Directory domain. This is required for the services and web application pools to be started and run as the AD service account.
- The AD service account must be a member of the local Administrators group on all Venafi Platform application servers.
- Typically the AD service account is granted interactive login rights and is used for performing Venafi Platform installation and upgrades. Alternatively, a separate account may be used for this purpose, but it will require the same permissions to the database.
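Granting exactly the rights listed above (db_datareader, db_datawriter, EXECUTE) and nothing more is worth scripting, since every Venafi Platform server shares this login. The script below is an added example, not Venafi's own tooling; it assumes Windows Authentication, the SqlServer PowerShell module, and the instance, database and account names given as parameters.

```powershell
# Added example (not Venafi's script): grant the Venafi service account the
# database rights from the slide and verify it holds no more than that.
# Assumptions: Windows Authentication, SqlServer module installed, and the
# placeholder names below.
param(
    [string]$SqlInstance    = 'sql01.corp.example',   # assumption
    [string]$Database       = 'Venafi',               # assumption: TPP database name
    [string]$ServiceAccount = 'CORP\svc-venafi'       # assumption: AD service account
)
Import-Module SqlServer

# Create the Windows login and database user if needed, then add the two fixed
# roles and EXECUTE (stored procedures) that the platform requires.
$grant = @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ServiceAccount')
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
ALTER ROLE db_datareader ADD MEMBER [$ServiceAccount];
ALTER ROLE db_datawriter ADD MEMBER [$ServiceAccount];
GRANT EXECUTE TO [$ServiceAccount];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grant

# Verify: list the database roles the account holds and flag anything beyond
# the two required ones (for example db_owner left over from a quick install).
$check = @"
USE [$Database];
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$ServiceAccount';
"@
$roles    = @((Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $check).role_name)
$required = @('db_datareader', 'db_datawriter')

$extra = $roles | Where-Object { $_ -notin $required }
if ($extra) {
    Write-Warning ("Account holds roles beyond those required: " + ($extra -join ', '))
}
$missing = $required | Where-Object { $_ -notin $roles }
if ($missing) {
    Write-Warning ("Required role(s) missing: " + ($missing -join ', '))
}
```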

Required Infrastructure: Identity Providers
The Venafi Platform supports integration with external identity providers.
Active Directory (AD):
- Requires a valid service account with read permissions to the directory.
- Can leverage trust relationships between domains for authentication.
LDAP:
- Requires a valid service account with read permissions to the directory.
- LDAP providers require attribute mapping files to be customized for the various LDAP vendors: https://support.venafi.com/hc/en-us/community/posts/207969917-error-unable-to-determine-ldap-vendor
Connections to specific domain controllers are explicitly defined. Simultaneous connections to multiple identity providers are possible.

AD Identity Provider Best Practices
Single-forest / multi-domain AD implementations:
- Domains within a single forest have an implicit two-way trust relationship.
- Implement a single AD identity provider targeting the root forest domain.
Multiple-forest implementations:
- Trust relationship between forests: leverage the AD trust relationship(s) and implement a single AD identity provider.
- No trust relationship between forests: implement separate AD identity providers.

Logging: How Event Processing Works (diagram)
Each TPP Server writes LOG info to the Message Queue. The TPP Server Log Processor:
- Evaluates the Message Queue against the Notification Rules
- Takes action if there is a match (Send Email, Send to Splunk, Write to File, Adaptable Log Driver)
- Writes the record to the log tables in the database

Logging Best Practices
Log processing servers:
- Leverage multiple Venafi Platform servers for log event processing.
- Ensure all log processors are able to reach the intended endpoints, i.e. SMTP, syslog, Splunk, SNMP, etc.
Log retention:
- Log retention within the application is for operational troubleshooting, usually 90-120 days.
- Consider using a SIEM or other external system for long-term audit retention.

Required Infrastructure: SMTP Relay
In order to send e-mail notifications and reports, it is necessary to specify an SMTP relay server. The relay server must be accessible to all Venafi Platform servers responsible for log processing. More info: https://docs.venafi.com/docs/current/topnav/content/logging/c-logging-smtpchannelconfig-tpp.php

Other Infrastructure: Hardware Security Modules
The Venafi Platform uses an AES-256 key to encrypt all sensitive data (private keys, credentials, etc.) written to the database. It is possible to store the AES-256 key on an HSM instead of as a software-based key protected by Windows DPAPI. Venafi supports SafeNet Luna and Thales based HSMs using the PKCS#11 standard interface.
Important: all Venafi Platform servers must maintain connectivity to the HSM(s) at all times. Loss of the HSM connection will result in the shutdown of that Venafi Platform engine.

Number and Placement of Venafi Platform Servers
Primary factors that dictate the number of required Venafi Platform servers:
- Certificate and key estate size: use additional Venafi Platform servers to scale out instead of scaling up. See System Requirements for server sizing information.
- Disaster recovery (DR) and high availability (HA): usually implement a minimum of 2 servers in a production environment. Placement of one or more Venafi Platform servers in a backup datacenter is common.
- Separation by Venafi Platform module, i.e. dedicated certificate processing engines with UI-only servers.
- Physical and logical network segmentation (network zones): network access for Network Discovery, Validation and Provisioning may dictate network location requirements for multiple servers.

Number and Placement of Venafi Platform Servers (diagram): example placement showing the Database, an SMTP Relay, Active Directory (two instances) and Certificate Authorities (three instances) relative to the Venafi Platform servers.

Other Preparation: Common Firewall Rules (columns: Port / Source / Destination / Description)
- TCP 1433. Source: all Venafi Platform server(s). Destination: SQL Database server. MSSQL database access.
- TCP 80, 443. Source: users logging into Venafi, Server Agents, REST endpoints. Destination: Venafi Platform UI servers. All web interfaces utilize URL rewrite to require HTTPS.
- TCP 389, 636. Source: all Venafi Platform server(s). Destination: AD domain controllers. Authentication and lookup.
- TCP 22. Source: Venafi Platform SSH Manager server(s). Destination: SSH agentless client hosts. SSH key discovery and management.
- TCP 135, 49152-65536. Source: Venafi Platform certificate processing server(s). Destination: Microsoft Certificate Authorities. More info: https://msdn.microsoft.com/en-us/library/cc875824.aspx
- TCP 443. Source: Venafi Platform certificate processing server(s). Destination: external CAs. Most public/external CAs are accessed over HTTPS; a proxy may also be used.
- TCP 25. Source: Venafi Platform log processing server(s). Destination: SMTP relay. Used to send notifications and reports.
- UDP 514. Source: Venafi Platform log processing server(s). Destination: syslog endpoints. Used when forwarding log events to syslog.
- TCP 8089. Source: Venafi Platform log processing server(s). Destination: Splunk indexer. Used when forwarding log events to Splunk.
More info: https://docs.venafi.com/docs/current/topnav/content/install/r_install_ports_configuring_tpp.php
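Before the change-control window closes, the outbound rows of this table can be verified from each Venafi Platform server according to the roles it holds. The script below is an added example rather than anything from the Venafi deck; the destination host names are assumptions for an illustrative environment.

```powershell
# Added example (not from the Venafi deck): probe the outbound TCP rules in the
# table above from a Venafi Platform server, filtered by the roles it holds.
# Host names are assumptions; replace them with your environment's values.
param(
    [ValidateSet('All', 'SSHManager', 'CertProcessing', 'LogProcessing')]
    [string[]]$Roles = @('All')     # 'All' = this server holds every role
)

$targets = @{                       # assumed destinations
    SqlServer     = 'sql01.corp.example'
    DomainCtrls   = @('dc01.corp.example', 'dc02.corp.example')
    SshHosts      = @('linux01.corp.example')
    MicrosoftCAs  = @('ca01.corp.example')
    ExternalCAs   = @('api.external-ca.example')
    SmtpRelay     = 'smtp.corp.example'
    SplunkIndexer = 'splunk.corp.example'
}

# One entry per outbound row of the slide. Not probed here: UDP 514 (syslog),
# because Test-NetConnection only tests TCP; the Microsoft CA dynamic RPC range
# (49152-65536), where only the endpoint mapper (135) is checked; and the inbound
# 80/443 row, which must be tested from a client or agent host.
$rules = @(
    @{ Role = 'All';            Dest = $targets.SqlServer;     Ports = @(1433);     Why = 'MSSQL database access' }
    @{ Role = 'All';            Dest = $targets.DomainCtrls;   Ports = @(389, 636); Why = 'AD authentication & lookup' }
    @{ Role = 'SSHManager';     Dest = $targets.SshHosts;      Ports = @(22);       Why = 'Agentless SSH discovery/remediation' }
    @{ Role = 'CertProcessing'; Dest = $targets.MicrosoftCAs;  Ports = @(135);      Why = 'Microsoft CA (RPC endpoint mapper)' }
    @{ Role = 'CertProcessing'; Dest = $targets.ExternalCAs;   Ports = @(443);      Why = 'External CA over HTTPS' }
    @{ Role = 'LogProcessing';  Dest = $targets.SmtpRelay;     Ports = @(25);       Why = 'SMTP relay for notifications/reports' }
    @{ Role = 'LogProcessing';  Dest = $targets.SplunkIndexer; Ports = @(8089);     Why = 'Splunk indexer' }
)

$results = foreach ($rule in $rules) {
    # Rows marked 'All' apply to every server; others only when the role is held.
    $applies = ($rule.Role -eq 'All') -or ($Roles -contains 'All') -or ($Roles -contains $rule.Role)
    if (-not $applies) { continue }
    foreach ($dest in @($rule.Dest)) {
        foreach ($port in $rule.Ports) {
            $probe = Test-NetConnection -ComputerName $dest -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Role        = $rule.Role
                Destination = $dest
                Port        = $port
                Open        = [bool]$probe.TcpTestSucceeded
                Purpose     = $rule.Why
            }
        }
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required path(s) not reachable; raise or revisit the firewall change requests." -f $blocked.Count)
}
```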

Other Preparation Notes: Service Accounts
- SQL Server database access requires that an account be configured with appropriate permissions: a built-in SQL account (SQL Authentication) or an Active Directory account (Windows Authentication).
- The Active Directory identity provider requires a valid account for searching AD. No specific permissions are required. If using Windows Authentication for the database, the AD Venafi Platform SQL service account can be used.
- A Microsoft CA requires an AD account with template read and enroll access for the certificate issuance and import processes. More info: https://docs.venafi.com/docs/current/topnav/content/drivers/cco-microsoftcertservices-catemplate-tpp.php

Other Preparation Notes: Certificate Authorities
- Review the documentation specific to the CAs in use.
- Some CAs require specific configuration or accounts to be created to access their APIs.
- Setup may require contacting CA-specific support or account teams.
More info: https://docs.venafi.com/docs/current/topnav/content/drivers/cco-catemplates-managing.php

Other Preparation Notes - SSH Key Management: Agentless SSH key discovery and remediation
Supported on: Linux kernel 2.6; AIX 6.1 (or later); Solaris 8 (or later); HP-UX 11.11 (or later); IBM z/OS.
Requires an SSH user account used to connect to each SSH device.
Privilege elevation: how will the agentless account elevate privileges?
- sudo: the standard sudo Linux mechanism for elevating privileges.
- Support for other PAM (privileged access management) tools.

Other Preparation Notes - SSH Key Management: Features for Agent
- Supports key usage monitoring.
- An SSH / sudo account is not required (runs as a service); no service account needed.
- The Server Agent can provision to the following keystores: PEM, GSK, JKS, JKCS, PKCS#12.

Other Preparation Notes - SSH Key Management: Agent-based SSH key discovery and remediation
Agent operating systems supported: Windows 7, Server 2012-2016; Red Hat Enterprise Linux (RHEL) 4.5, 5, 6, and 7; SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11; CentOS 4.5-7; AIX 5.3 (PPC), AIX 6 (PPC), and AIX 7 (PPC); Solaris 8 (or later); HP-UX 11 (Itanium).
Requires that CRL Distribution Points (CDPs) be accessible from agent-enabled systems.

Other Preparation: Change Controls
Plan ahead of the change control approval cycle:
- Required servers
- Database requirements
- Network resources
- Local Venafi Platform credentials
- AD credentials
- AD groups designated for Venafi Platform roles
- Access to MS CAs and AD templates
- Admin and operations
- Automated nightly backups
- Network firewall rules and policies
- Agentless SSH account
- SMTP messaging
- SIEM / syslog account and traffic preparations

What Do You Remember?
1. What are the two UIs that handle Certificate Management, Logging, Notifications and Monitoring? Answer: Aperture and WebAdmin
2. All Venafi Platform servers must connect to the same what? Answer: SQL Database
3. Since the Venafi Platform does not share sessions between servers, it is important to configure the load balancer to always reconnect to the same Venafi Platform server. What is this called? Answer: Session Persistence or Sticky Sessions
4. What additional components need to be installed when preparing Windows Servers? Answer: Microsoft .NET 3.5 & URL Re-Write Module
5. The SMTP relay servers must have access to the servers for log processing? Answer: Venafi Platform
6. The number and placement of Venafi Platform Servers are dictated by what 4 primary factors? Answer: Certificate and Key size, Disaster recovery and High-Availability, Venafi Platform module separation, Network zones

Discussion and Questions