Venafi Server Agent Agent Overview

Venafi Server Agent
- Agent Intro
- Agent Architecture
- Agent Grouping
- Agent Prerequisites
- Agent Registration Process

What is Venafi Agent?
- The Venafi Agent is a client/server application that allows you to discover encryption assets on any supported system in your network
- Allows remediation of SSH keys
- Allows provisioning of certificates and keys

Need For Agent
The need for Venafi Agent: server based vs. agent based
- Server based discovery: can only discover certificates and SSH keys that respond to queries on designated IP addresses and ports
- Agent based certificate provisioning: supported keystore types are CAPI, CMS (GSK), JKS, PEM and PKCS#12
- Agent based SSH discovery/remediation: can discover encryption assets located on the file system; can rotate authorized_keys and user keys for SSH

Agent Architecture Overview
- Utilizes client REST APIs over HTTPS
- Written in C
- Memory footprint: approx. 10-30 MB
- Storage footprint: approx. 6 MB + 2 KB per discovered certificate or key + logs
- Includes the following third party software: Apache Portability Runtime, OpenSSL, cURL, libxml, JSON, Perl Compatible Regular Expressions library (PCRE), SQLite, Berkeley DB, Jansson, zlib, TPL

Agent Architecture (diagram)
- SSH: SSH Detection, SSH Remediation
- Certificates: Certificate Discovery, Certificate Provisioning, Certificate Whitelisting
- Agent Platform: Upgrade Mgmt, Database Services, Scheduling, Logging, REST Interface, Authentication & Registration
- Agent Portability Layer
- Legend: TPP 18.1 / Roadmap

Dynamic Groups-based Registration
- Authentication and attributes
- Assignment of work
- Enable authentication and grouping of assets and individuals
- Assignment and delegation to responsible admins

Systems Grouped by System Attribute (diagram)
- Systems (Windows, Linux, AIX) are grouped by system attribute
- Group rules assigned to Groups/Admins based on system attribute(s)

Prerequisite Configuration for Agents

Registration and Rolling Code
Rolling code is how the agent system authenticates to the Venafi Server (flow between Agent System and Venafi Server):
1. Submit registration password
2. Return rolling code
3a/3b. Each side increments to the next rolling code using the hash
4. Send incremented rolling code (subsequent sessions)
5. Verify rolling code match
6. If rolling code is older, generate event
7. If rolling code is newer, allow up to x newer rolling codes
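As an added illustration (not Venafi's code), the model below walks through the rolling-code flow above: the registration password, hash-chained codes advanced on both sides, an exact-match check, an older code raising an event, and tolerance for up to x newer codes. SHA-256 as the hash, the window size of 3 and the server keeping a set of consumed codes are assumptions; the slide does not specify them.

```python
import hashlib
import os
# Assumed (not stated on the page): SHA-256 as the rolling-code hash, and a
# server-side record of consumed codes so that an "older" code is recognised.

def next_code(code: bytes) -> bytes:
    return hashlib.sha256(code).digest()   # steps 3a/3b: hash gives the next code

class VenafiServer:
    def __init__(self, registration_password: str, window: int = 3):
        self.registration_password = registration_password
        self.window = window      # "x": how many newer codes are tolerated (step 7)
        self.expected = None      # the code the next session should present
        self.consumed = set()     # accepted codes, so an "older" one is recognised

    def register(self, password: str) -> bytes:
        # Steps 1/2: check the registration password and hand out the first code
        if password != self.registration_password:
            raise PermissionError("registration password rejected")
        code = os.urandom(32)             # constructed initial rolling code
        self.expected = next_code(code)   # step 3b: server moves to the next code
        return code

    def verify(self, presented: bytes) -> str:
        # Steps 5-7: exact match, older (event), or newer within the window
        if presented in self.consumed:
            return "event:older"          # step 6: an event would be generated
        candidate = self.expected
        for ahead in range(self.window + 1):   # ahead == 0 is the exact match
            if presented == candidate:
                self.consumed.add(candidate)
                self.expected = next_code(candidate)   # resynchronise with the agent
                return "ok" if ahead == 0 else f"ok:resync+{ahead}"
            candidate = next_code(candidate)
        return "rejected"                 # too far ahead, or not from this chain

class AgentSystem:
    def __init__(self, server: VenafiServer, password: str):
        self.code = next_code(server.register(password))   # steps 1, 2 and 3a

    def call_home(self, server: VenafiServer) -> str:
        presented, self.code = self.code, next_code(self.code)   # step 4
        return server.verify(presented)

def simulate() -> list:
    server = VenafiServer("constructed-registration-password", window=3)
    agent = AgentSystem(server, "constructed-registration-password")
    first = agent.code
    results = [agent.call_home(server), server.verify(first)]   # ok, then replay
    for gap in (2, 5):                             # sessions that never reached the server
        for _ in range(gap):
            agent.code = next_code(agent.code)
        results.append(agent.call_home(server))    # 2 is inside the window, 5 is not
    return results
```

simulate() returns the outcomes of a normal session, a replayed (older) code, a gap of two codes and a gap of five codes in that order.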

Server Thumbprint and Server Certificate
Venafi Server Certificate and Agent Certificate Trust Store is how the Venafi Server authenticates to the Agent:
1. Trusted Venafi Operational Certificate is enrolled with a Certificate Authority and installed on the Venafi Server
2. Copy Server Thumbprint
3. Server Thumbprint is set on Agent System
4. Venafi Server Certificate is sent to Agent System during SSL handshake
5. Venafi Server Certificate is validated against known Thumbprint
6. Agent Certificate Trust Store is downloaded to Agent System
7. Agent Certificate Trust Store is used to validate Venafi Server Certificate on all subsequent connections

Lab: Venafi Agent
No lab

Review
1. What is the need for Agent?
2. How does the Agent authenticate to TPP?
3. What protocol does the Agent use?

Preparing Agent deployment
Server side configuration for Agent

Preparing Agent deployment
- Configure Agent Registration
- Create Work
- Create Group
- Assign Connectivity Work
- Assign Device Placement Work

Configure Agent Registration
- Done in Aperture by Admins: Groups & Work > Agent Registration
- Authentication credentials, Thumbprint, Data collection

Registration Password
- Create New credential
- Used by Agents to register

Server Thumbprint
- Thumbprint for Agents to use
- One for VOC in the environment

Recording Variables
- Variables for Agents to gather
- Used for grouping

Configure Work
- Create Work items (Groups & Work > Work)
- Work is assigned through Groups
2018 Venafi. All Rights Reserved.

Configure Work: Device Placement
- Name Work and Select Type
- Some Work types may not apply for Server Agent

Device Placement
- Creates Device object and links Agent to it
- Required for Agent discovery and remediation work

Configure Dynamic Groups
- Add a group (Groups & Work > Groups)
- Dynamic Group Membership Rules
- Assigning Work
- Group purpose will affect available Work items

Membership Criteria

Configure Membership Criteria
- Criteria evaluated against information provided by Agents (note: Environment[DEPT])
- Select Operator; select Condition Value: selector or text field depending on Attribute
- Combine multiple criteria with OR or AND
- What would the following rule do?

Assign Work
- Assign the Work items we want the Agent to execute
- Only specific types of work apply

Work Priority and Assignment
- Almost all work types (e.g., Agent Config, SSH, Upgrade) only apply one work object per type
- Work from the highest priority group will be applied
Scenario: Agent1 matches four groups
- Group1: Agent Config Work1, Cert Config Work1
- Group2: Agent Config Work2, SSH Config Work2
- Group3: SSH Config Work3, Cert Config Work3
- Group4: Upgrade Work4
Agent1 will execute: Agent Config Work1, SSH Config Work2, Cert Config Work1, Upgrade Work4
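An added model (not Venafi's implementation) of the membership criteria and work priority rules above, reproducing the Agent1 scenario: criteria combined with AND or OR are evaluated against the variables the agent recorded, then one work item per type is taken from the highest-priority matching group. The operators, the rule syntax, the attribute values and the numeric priority order (1 highest) are assumptions.

```python
from dataclasses import dataclass

# Constructed model: group names, work items and the Agent1 outcome follow the
# slide; operators, rule syntax and "1 = highest priority" are assumptions.
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
}

@dataclass
class Group:
    name: str
    priority: int           # assumed: 1 is the highest priority
    logic: str              # "AND" or "OR" across the criteria
    criteria: list          # (attribute, operator, value) tuples
    work: dict              # work type -> work item assigned to the group

def is_member(group: Group, attrs: dict) -> bool:
    # Membership criteria are evaluated against the variables the agent recorded
    results = [OPERATORS[op](str(attrs.get(attr, "")), value)
               for attr, op, value in group.criteria]
    return all(results) if group.logic == "AND" else any(results)

def resolve_work(groups: list, attrs: dict) -> dict:
    # One work object per type; the highest-priority matching group wins
    assigned = {}
    for group in sorted((g for g in groups if is_member(g, attrs)),
                        key=lambda g: g.priority):
        for work_type, item in group.work.items():
            assigned.setdefault(work_type, item)
    return assigned

# Constructed attributes for Agent1 and the four groups from the slide, plus a
# fifth, higher-priority group whose criteria Agent1 does not meet.
AGENT1 = {"OS": "Windows", "Environment[DEPT]": "Finance", "Hostname": "fin-web-01"}
GROUPS = [
    Group("Group1", 1, "AND", [("OS", "equals", "Windows")],
          {"Agent Config": "Work1", "Cert Config": "Work1"}),
    Group("Group2", 2, "AND", [("Environment[DEPT]", "equals", "Finance")],
          {"Agent Config": "Work2", "SSH Config": "Work2"}),
    Group("Group3", 3, "OR", [("OS", "equals", "Linux"), ("Hostname", "starts with", "fin-")],
          {"SSH Config": "Work3", "Cert Config": "Work3"}),
    Group("Group4", 4, "AND", [("Hostname", "contains", "web")],
          {"Upgrade": "Work4"}),
    Group("Group5", 0, "AND", [("OS", "equals", "Linux"), ("Hostname", "starts with", "fin-")],
          {"Agent Config": "Work5"}),
]

def agent1_work() -> dict:
    return resolve_work(GROUPS, AGENT1)
```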

Configuration Updating and Cache
- The dynamic group configuration is only read into memory every 10 minutes for performance reasons
- If a change is made to the configuration, you may have to wait up to 10 minutes before the new configuration takes effect
- You can recycle the VEDClient Application Pool (in IIS Manager) to refresh the configuration cache immediately

Lab: Agent Preparation
- Configure Agent Registration settings
- Configure Device Placement

Review
1. How can Agents be grouped?
2. What types of work are there for Agents?
3. Can the Agent be configured to have only base settings?
4. How would you group Agents?

Deploying Agent
Installing Agent

Deploying Server Agent
- Supported Platforms
- Installation
- Server Agent Settings
- Server Agent Logging
- Server Agent Registration

Client side configuration steps (performed by the System Admin)
- Install Agent
- Enter server call home address
- Set registration password
- Set Server Thumbprint
- Start Agent

18.1 Server Agent Supported Platforms
- Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (Intel)
- AIX 5.3, AIX 6, AIX 7 (PPC)
- Solaris 8, Solaris 9, Solaris 10, Solaris 11 (SPARC)
- HP-UX 11 (Itanium)
- Red Hat Enterprise Linux (RHEL) 4.5 (or later), RHEL 5, RHEL 6, RHEL 7
- Community Enterprise Operating System (CentOS) 4.5 (or later), CentOS 5, CentOS 6, CentOS 7
- SUSE Linux Enterprise Server 10, SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12

Server Agent Installation
Windows:
- Install from an Administrative Command Prompt:
    msiexec /i venafi-agent-18.1.0-windows-x64.msi server_url=serverurl registration_password=registrationpassword server_thumbprint=e6983...
- Start the service:
    vagent -k start
  or start the service manually from the Services snap-in
*NIX:
- Important: you must log in as the root user
- cd to the folder with the install bundle
- Copy the installation bundle to a temp directory on the host's file system:
    cp venafi-agent-18.1.0-linux-x64.bundle /tmp
- From the temp directory run the install command:
    ./venafi-agent-18.1.0-linux-x64.bundle --install server_url=serverurl registration_password=registrationpassword server_thumbprint=e6983...

Server Agent Installation: Linux example (screenshots: Install, Start Service)

Server Agent Call Home Certificate Checking
- Agent connects to the Venafi server using HTTPS and checks the revocation status of the Venafi Operational Certificate (VOC) by retrieving a certificate revocation list (CRL)
- Trust chain is stored in:
    Windows: %ProgramFiles%\Venafi\Agent\Data\curl-ca-bundle.crt
    *NIX: /var/opt/venafi/agent/data/curl-ca-bundle.crt

Server Agent Call Home Certificate Checking
To ensure the revocation checking process works correctly, review the following guidelines:
- curl-ca-bundle.crt has to contain the root and intermediate certificates for the VOC
- Only HTTP-based CDPs are supported
- Delta CRLs are supported but not required
- TPP can work as a CDP

Server Agent Logs
Logging for the Agent happens in two places:
- On the Agent device: written to syslog / Application log
- On TPP Server: default SQL Channel

./vagent -l all

Agent registration
- Registration is unique to system + user
- If registration fails, retry at next call home time (daily 2AM by default)
- Rolling code used for authentication after initial registration
- Multiple registrations required if we want SYSTEM and user to run agent (testing or troubleshooting)

After registration
- Registered Agents can be found in Aperture under Groups & Work > Registered Clients
- Note the two registrations from the same Windows system
- Click to view Client Details

Client Details

Lab: Deployment
- Windows Agent Deployment Lab: install Venafi Agent on a Windows Server
- If the class will cover Agent based SSH we will need to do the Linux Agent Deployment Lab

Review
1. What type of CDPs does Venafi Agent support?
2. What happens if no CRL is available?
3. What is the purpose of the curl-ca-bundle.crt file?
4. What is the correct server-url format?

Server Agent Certificate Work
Configuring Agent work and viewing results

Server Agent Certificate Work
- Server Agent Certificate Work Overview
- Configuring Certificate Discovery Work
- Running Server Agent Certificate Discovery
- Viewing Scan Results

Server Agent Certificate Work Overview
- Agent can scan file systems for Certificates
- Agent will find certificates that Network Discovery can't find
- Certificates can be brought under management
- Creates Application and Certificate objects
- Agent can provision CAPI, JKS, PEM, CMS and PKCS#12

Server Agent Certificate Discovery Configuration
- Configure Agent Certificate Discovery Work
- Placement Rules
- Run Agents
- View results

Certificate Discovery Work
- Create Work under Groups & Work > Work
- Enable Certificate Discovery

Server Agent Certificate Discovery Work
- Options: Daily, Weekly, Monthly, Hourly, On Receipt; set Scan Time if applicable
- Randomize Scan Times (needed for VMs)
- Scan Paths: can include subdirectories
- File types to scan: common extensions prepopulated
- CAPI store scanning (Windows only): scan specific list options
- Select Password Credential Objects (created in WebAdmin): passwords used for accessing keystores
- Placement Rules: shared with Network Discovery; select / create Default container
- Under Advanced Options: exclude remote mount points; options to exclude files/paths
- Scan aggressiveness; files to ignore; logging to System or Application log

Assigning Certificate Discovery Work
- Work is assigned to Agents through Groups (Work & Groups > Work)

After work has been configured
- Server Agents will receive work next time the base agent calls home (note the 10 minute configuration reload time)
- Server Agents will scan based on configured scan interval
- After the initial scan and check-in, Server Agent will only submit deltas

Agent Certificate Discovery Results
- View results

Lab: Certificate Discovery Using Agent
Objectives:
- Configure Server Agent Registration
- Configure Certificate Work
- Install Venafi Server Agent
- View results

Review
1. Can the Server Agent be used to discover and provision on the same system?
2. Can the Server Agent discover certificates in the CAPI store?
3. Can the Server Agent provision a certificate to the CAPI store?