Venafi Server Agent Agent Overview
Venafi Server Agent
- Agent Intro
- Agent Architecture
- Agent Grouping
- Agent Prerequisites
- Agent Registration Process
What is Venafi Agent?
The Venafi Agent is a client/server application that allows you to discover encryption assets on any supported system in your network.
- Allows remediation of SSH keys
- Allows provisioning of certificates and keys
Need For Agent
The need for Venafi Agent: server based vs. agent based
- Server based discovery: can only discover certificates and SSH keys that respond to queries on designated IP addresses and ports
- Agent based certificate provisioning: supported keystore types are CAPI, CMS (GSK), JKS, PEM and PKCS#12
- Agent based SSH discovery/remediation: can discover encryption assets located on the file system; can rotate authorized_keys and user keys for SSH
Agent Architecture Overview
- Utilizes client REST APIs over HTTPS
- Written in C
- Memory footprint: approx. 10-30 MB
- Storage footprint: approx. 6 MB + 2 KB per discovered certificate or key, plus logs
- Includes the following third-party software: Apache Portable Runtime, OpenSSL, cURL, libxml, JSON, Perl Compatible Regular Expressions library, SQLite, Berkeley DB, Jansson, zlib, TPL
Agent Architecture
Components in the architecture diagram: SSH (SSH detection, SSH remediation); Certificates (certificate discovery, certificate provisioning, certificate whitelisting); Upgrade Mgmt; Database Services; Scheduling; Logging; REST Interface; Authentication & Registration; Agent Platform; Agent Portability Layer
(Diagram legend: TPP 18.1 vs. Roadmap)
Dynamic Groups-based Registration
- Authentication and attributes
- Assignment of work
- Enable authentication and grouping of assets and individuals
- Assignment and delegation to responsible admins
Systems Grouped by System Attribute
Group rules are assigned to Groups/Admins based on system attribute(s); the diagram shows systems grouped as Windows, Linux and AIX.
Prerequisite Configuration for Agents
Registration and Rolling Code
Rolling code is how the agent system authenticates to the Venafi Server.
1. Agent System: submit registration password
2. Venafi Server: return rolling code
3a. Agent System: increment to next rolling code using hash
3b. Venafi Server: increment to next rolling code using hash
4. Agent System: send incremented rolling code (subsequent sessions)
5. Venafi Server: verify rolling code match
6. Venafi Server: if rolling code is older, generate event
7. Venafi Server: if rolling code is newer, allow up to x newer rolling codes
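The rolling-code exchange above as an added simulation of both sides (not Venafi's code). The deck names neither the hash nor the tolerance x, so SHA-256 and a window of 3 are assumed; client ids and passwords are constructed.

```python
import hashlib
import hmac
import secrets

def next_code(code: bytes) -> bytes:
    # Steps 3a/3b. Assumption: the deck does not name the hash; SHA-256 stands in.
    return hashlib.sha256(code).digest()

class VenafiServerSim:
    """Server side of the exchange (constructed simulation, not Venafi's code)."""
    def __init__(self, registration_password: str, window: int = 3):
        self._reg_pw = registration_password.encode()
        self._window = window      # the "up to x newer rolling codes" tolerance
        self._expected = {}        # client id -> rolling code expected next
        self._accepted = set()     # codes already used, to recognise replays
        self.events = []           # step 6: events raised for stale codes

    def register(self, client_id: str, password: str) -> bytes:
        # Steps 1-2: check the registration password, hand out a fresh rolling code.
        if not hmac.compare_digest(password.encode(), self._reg_pw):
            raise PermissionError("registration password rejected")
        code = secrets.token_bytes(32)
        self._expected[client_id] = next_code(code)   # step 3b
        return code

    def authenticate(self, client_id: str, presented: bytes) -> bool:
        # Steps 5-7: accept the expected code, or one up to `window` steps ahead
        # (the agent may have advanced during sessions the server never saw).
        candidate = self._expected.get(client_id)
        if candidate is None:
            return False
        for _ in range(self._window + 1):
            if hmac.compare_digest(candidate, presented):
                self._accepted.add(presented)
                self._expected[client_id] = next_code(candidate)
                return True
            candidate = next_code(candidate)
        kind = "replayed older" if presented in self._accepted else "unknown"
        self.events.append(f"{client_id}: {kind} rolling code rejected")
        return False

class AgentSim:
    """Agent side: registers once, then presents the next code on every call home."""
    def __init__(self, client_id: str, server: VenafiServerSim, password: str):
        self.client_id, self.server = client_id, server
        self.code = server.register(client_id, password)            # steps 1-2

    def call_home(self) -> bool:
        self.code = next_code(self.code)                             # step 3a
        return self.server.authenticate(self.client_id, self.code)  # step 4
```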
Server Thumbprint and Server Certificate
Venafi Server Certificate and Agent Certificate Trust Store is how the Venafi Server authenticates to the Agent.
1. Trusted Venafi Operational Certificate is enrolled with a Certificate Authority and installed on the Venafi Server
2. Copy Server Thumbprint
3. Server Thumbprint is set on the Agent System
4. Venafi Server Certificate is sent to the Agent System during the SSL handshake
5. Venafi Server Certificate is validated against the known Thumbprint
6. Agent Certificate Trust Store is downloaded to the Agent System
7. Agent Certificate Trust Store is used to validate the Venafi Server Certificate on all subsequent connections
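Steps 3 to 5 above as an added example (not the agent's own code): on the first connection no trust store exists yet, so the presented server certificate is accepted only if its thumbprint matches the one set on the agent. Host, port and pinned value are placeholders, and inferring the hash from the thumbprint length is an assumption (the deck shows only a truncated value).

```python
import hashlib
import hmac
import socket
import ssl

def normalize_thumbprint(text: str) -> str:
    # Accept the thumbprint however it was copied (colons, spaces, upper case).
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")

def thumbprint_of(der_cert: bytes, algo: str) -> str:
    # A certificate thumbprint is the hash of the DER-encoded certificate.
    return hashlib.new(algo, der_cert).hexdigest()

def thumbprint_matches(der_cert: bytes, pinned: str) -> bool:
    # Pick the algorithm from the pinned length (40 hex = SHA-1, 64 hex = SHA-256)
    # and compare in constant time; anything else is rejected, never "close enough".
    pinned = normalize_thumbprint(pinned)
    algo = {40: "sha1", 64: "sha256"}.get(len(pinned))
    if algo is None:
        return False
    return hmac.compare_digest(thumbprint_of(der_cert, algo), pinned)

def first_call_home(host: str, port: int, pinned: str) -> bytes:
    # Steps 4-5: no trust store has been downloaded yet, so chain validation is
    # off and the server certificate is accepted only if its thumbprint matches.
    # Returns the DER certificate so the caller can go on to fetch the trust store.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # replaced by the pin check below
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not der or not thumbprint_matches(der, pinned):
                raise ssl.SSLCertVerificationError("server thumbprint mismatch")
            return der
```

Once the trust store (step 6) is on the agent, later connections should load it with a normal verifying context instead of this pin check.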
Lab: Venafi Agent No lab
Review 1. What is the need for Agent? 2. How does the Agent authenticate to TPP? 3. What protocol does the Agent use?
Preparing Agent deployment Server side configuration for Agent
Preparing Agent deployment
- Configure Agent Registration
- Create Work
- Create Group
- Assign Connectivity Work
- Assign Device Placement Work
Configure Agent Registration
Done in Aperture by Admins: Groups & Work > Agent Registration
Settings:
- Authentication credentials
- Thumbprint
- Data collection
Registration Password: create a new credential; used by Agents to register.
Server Thumbprint: thumbprint for Agents to use; one for the VOC in the environment.
Recording Variables: variables for Agents to gather; used for grouping.
Configure Work Create Work items (Groups & Work > Work) Work is assigned through Groups 2018 Venafi. All Rights Reserved. 21
Configure Work: Device Placement
Name the Work and select the Type. Some Work types may not apply for Server Agent.
Device Placement
Creates a Device object and links the Agent to it. Required for Agent discovery and remediation work.
Configure Dynamic Groups
Add a group (Groups & Work > Groups)
- Dynamic Group Membership Rules
- Assigning Work
Group purpose will affect available Work items.
Membership Criteria
Configure Membership Criteria
Criteria are evaluated against information provided by Agents. Note the Environment[DEPT] attribute.
- Select Operator
- Select Condition Value (selector or text field depending on the Attribute)
Combine multiple criteria with OR or AND. What would the following rule do?
Assign Work
Assign the Work items we want the Agent to execute. Only specific types of work apply.
Work Priority and Assignment
Almost all work types (e.g., Agent Config, SSH, Upgrade) only apply one work object per type. Work from the highest priority group will be applied.
Scenario: Agent1 matches four groups (Group1 has the highest priority):
- Group1: Agent Config Work1, Cert Config Work1
- Group2: Agent Config Work2, SSH Config Work2
- Group3: SSH Config Work3, Cert Config Work3
- Group4: Upgrade Work4
Agent1 will execute: Agent Config Work1, SSH Config Work2, Cert Config Work1, Upgrade Work4
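The scenario above as an added worked example (not TPP's code): resolve which work object wins per type and report the shadowed ones, which is what you want when an agent is not running the work you expected. Group and work names are those from the slide, in the stated priority order.

```python
# Constructed data for the deck's scenario: the groups Agent1 matched, listed in
# priority order (Group1 highest), each mapping a work type to a work object.
SCENARIO_GROUPS = [
    ("Group1", {"Agent Config": "Agent Config Work1", "Cert Config": "Cert Config Work1"}),
    ("Group2", {"Agent Config": "Agent Config Work2", "SSH Config": "SSH Config Work2"}),
    ("Group3", {"SSH Config": "SSH Config Work3", "Cert Config": "Cert Config Work3"}),
    ("Group4", {"Upgrade": "Upgrade Work4"}),
]

# Work types that apply only one work object per agent ("almost all" per the deck).
SINGLE_INSTANCE_TYPES = {"Agent Config", "SSH Config", "Cert Config", "Upgrade"}

def resolve_work(matched_groups, single_instance=SINGLE_INSTANCE_TYPES):
    """Return (effective, shadowed). For each single-instance work type the work
    object from the highest-priority matched group wins; lower-priority work of
    the same type is listed as shadowed together with the group that beat it.
    Any other type is collected as a list, since several objects may apply."""
    effective = {}      # work type -> winning work object (or list for multi types)
    winner_group = {}   # work type -> group that supplied the winner
    shadowed = []       # (group, work object, shadowed-by group)
    for group, work in matched_groups:            # highest priority first
        for wtype, wobj in work.items():
            if wtype not in single_instance:
                effective.setdefault(wtype, []).append(wobj)
                continue
            if wtype in effective:
                shadowed.append((group, wobj, winner_group[wtype]))
                continue
            effective[wtype] = wobj
            winner_group[wtype] = group
    return effective, shadowed
```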
Configuration Updating and Cache
- The dynamic group configuration is only read into memory every 10 minutes for performance reasons
- If a change is made to the configuration, you may have to wait up to 10 minutes before the new configuration takes effect
- You can recycle the VEDClient Application Pool (in IIS Manager) to refresh the configuration cache immediately
Lab: Agent Preparation
- Configure Agent Registration settings
- Configure Device Placement
Review
1. How can Agents be grouped?
2. What type of work is there for Agents?
3. Can an Agent be configured to only have base settings?
4. How would you group Agents?
Deploying Agent Installing Agent
Deploying Server Agent
- Supported Platforms
- Installation
- Server Agent Settings
- Server Agent Logging
- Server Agent Registration
Client side configuration steps (System Admin):
1. Install Agent
2. Enter server call home address
3. Set registration password
4. Set Server Thumbprint
5. Start Agent
18.1 Server Agent Supported Platforms
- Windows: Windows 7, Windows Server 2008, Windows Server 2008 (R2), Windows Server 2012, Windows Server 2012 (R2), Windows Server 2016 (Intel)
- AIX 5.3, AIX 6, AIX 7 (PPC)
- Solaris 8, 9, 10, 11 (SPARC)
- HP-UX 11 (Itanium)
- Red Hat Enterprise Linux (RHEL) 4.5 (or later), RHEL 5, RHEL 6, RHEL 7
- Community Enterprise Operating System (CentOS) 4.5 (or later), CentOS 5, CentOS 6, CentOS 7
- SUSE Linux Enterprise Server 10, 11, 12
Server Agent Installation
Windows:
  Install from an Administrative Command Prompt:
    msiexec /i venafi-agent-18.1.0-windows-x64.msi server_url=serverurl registration_password=registrationpassword server_thumbprint=e6983...
  Start the service:
    vagent -k start
  or start the service manually from the Services snap-in.
*NIX:
  Important: you must log in as the root user.
  cd to the folder with the install bundle.
  Copy the installation bundle to a temp directory on the host's file system:
    cp venafi-agent-18.1.0-linux-x64.bundle /tmp
  From the temp directory, run the install command:
    ./venafi-agent-18.1.0-linux-x64.bundle --install server_url=serverurl registration_password=registrationpassword server_thumbprint=e6983...
Server Agent Installation, Linux example (screenshots on the slide): Install; Start Service.
Server Agent Call Home Certificate Checking
The Agent connects to the Venafi server using HTTPS and checks the revocation status of the Venafi Operational Certificate (VOC) by retrieving a certificate revocation list (CRL).
The trust chain is stored in:
- Windows: %ProgramFiles%\Venafi\Agent\Data\curl-ca-bundle.crt
- *NIX: /var/opt/venafi/agent/data/curl-ca-bundle.crt
To ensure the revocation checking process works correctly, review the following guidelines:
- curl-ca-bundle.crt has to contain the root and intermediate certificates for the VOC
- Only HTTP-based CDPs are supported
- Delta CRLs are supported but not required
- TPP can work as a CDP
Server Agent Logs
Logging for the Agent happens in two places:
- On the Agent device: written to syslog / Application log
- On the TPP Server: default SQL channel
./vagent -l all
Agent registration
- Registration is unique to system + user
- If registration fails, retry at the next call home time (daily 2AM by default)
- Rolling code is used for authentication after initial registration
- Multiple registrations are required if we want SYSTEM and a user to run the agent (testing or troubleshooting)
After registration
Registered Agents can be found in Aperture under Groups & Work > Registered Clients. Note the two registrations from the same Windows system. Click to view Client Details.
Client Details
Lab: Deployment
- Windows Agent Deployment Lab: install Venafi Agent on a Windows Server
- If the class will cover Agent based SSH, we will need to do the Linux Agent Deployment Lab
Review
1. What type of CDPs does Venafi Agent support?
2. What happens if no CRL is available?
3. What is the purpose of the curl-ca-bundle.crt file?
4. What is the correct server-url format?
Server Agent Certificate Work Configuring Agent work and viewing results
Server Agent Certificate Work
- Server Agent Certificate Work Overview
- Configuring Certificate Discovery Work
- Running Server Agent Certificate Discovery
- Viewing Scan Results
Server Agent Certificate Work Overview
- Agent can scan file systems for certificates
- Agent will find certificates that Network Discovery can't find
- Certificates can be brought under management
- Creates Application and Certificate objects
- Agent can provision CAPI, JKS, PEM, CMS and PKCS#12
Server Agent Certificate Discovery Configuration
1. Configure Agent Certificate Discovery Work
2. Placement Rules
3. Run Agents
4. View results
Certificate Discovery Work
Create Work under Groups & Work > Work and enable Certificate Discovery.
Server Agent Certificate Discovery Work settings:
- Schedule options: daily, weekly, monthly, hourly or on receipt; set the scan time if applicable
- Randomize scan times (needed for VMs)
- Scan paths (can include subdirectories)
- File types to scan (common extensions prepopulated)
- CAPI store scanning (Windows only): scan specific list options
- Select Password Credential objects (created in WebAdmin): passwords used for accessing keystores
- Placement Rules (shared with Network Discovery): select / create the default container
- Under Advanced Options: exclude remote mount points; options to exclude files/paths
- Scan aggressiveness; files to ignore; logging to System or Application log
Assigning Certificate Discovery Work
Work is assigned to Agents through Groups (Work & Groups > Work).
After work has been configured
- Server Agents will receive work the next time the base agent calls home (note the 10 minute configuration reload time)
- Server Agents will scan based on the configured scan interval
- After the initial scan and check-in, the Server Agent will only submit deltas
Agent Certificate Discovery Results View results
Lab: Certificate Discovery Using Agent
Objectives:
- Configure Server Agent Registration
- Configure Certificate Work
- Install Venafi Server Agent
- View results
Review
1. Can the Server Agent be used to discover and provision on the same system?
2. Can the Server Agent discover certificates in the CAPI store?
3. Can the Server Agent provision a certificate to the CAPI store?