Venafi Trust Protection Platform Installation Runbook

PROFESSIONAL SERVICES

February 2017

Venafi.com | 175 E 400 S, Suite 300, Salt Lake City, Utah 84111 USA


Table of Contents

INTRODUCTION
  Prerequisites
    Venafi Prerequisites
DATABASE CREATION / CONFIGURATION
  Create The Database
  Assign Account Permissions
  Run Database Creation Script
  Run Database Grants Script
INSTALL APPLICATION SERVER PREREQUISITES
  Grant Permissions to SQL Service Account
  Required Roles and Features
  Installing Microsoft URL Rewrite
INSTALL TRUST PROTECTION PLATFORM
  Start / Stop Venafi Trust Protection Platform Services
NEXT STEPS


INTRODUCTION

This document has been prepared by Venafi Professional Services as a step-by-step guide to installing Venafi Trust Protection Platform (TPP). It is not intended to encompass all aspects of TPP usage and configuration, but performing the steps outlined in this guide will establish a solid foundation from which to begin managing certificates.

PREREQUISITES

There are several pre-requisite steps that must be completed prior to beginning the installation of TPP. The key requirements for following this installation runbook are included here for convenience. For a complete list of all prerequisites and server sizing requirements, please review the installation requirements within the product documentation: https://docs.venafi.com/Docs/current/TopNav/Content/Install/r-install-SysReq-ALLVenProducts.php

Venafi Prerequisites:

  • Microsoft Windows Server 2012 R2.
  • Microsoft SQL Server 2012
      o Creation of database covered within this document
  • Venafi Trust Protection Platform installation zip file downloaded from https://ftp.venafi.com
  • Latest patches for Venafi Trust Protection Platform (vupkg file) downloaded from https://ftp.venafi.com
  • Microsoft URL Rewrite 2.0 package is downloaded from https://www.iis.net/downloads/microsoft/url-rewrite
  • Required service accounts have been created:
      o Database access account – either SQL or Windows Authentication supported
          - If Windows Authentication, account must be granted local administrator rights on all Venafi TPP servers
      o AD / LDAP account for querying identity provider / authenticating users
          - This account needs only “read” access. A standard account has read access by default.

DATABASE CREATION / CONFIGURATION

Before the Venafi Trust Protection Platform can be installed, the database must be established and permissions granted to the assigned service account.


CREATE THE DATABASE

Create the database using Microsoft SQL Server Management Studio on the MS SQL server:

Figure 1

  • Record the “Database name” as it will be referenced during installation.
  • Venafi makes no recommendation on database recovery model or other database options. Please consult with your Database Administrator (DBA) for specifics in your environment.
  • Guidance for database sizing can be found in the latest version of the Venafi Trust Protection Platform documentation: https://docs.venafi.com/Docs/current/TopNav/Content/Install/r-install-SysReq-ALLVenProducts.php

ASSIGN ACCOUNT PERMISSIONS

Create a new “login” by identifying the AD account to be used, or creating a new SQL authenticated login. Use the “User Mapping” section of the login to grant the roles db_datareader and db_datawriter to the account:


Figure 2

RUN DATABASE CREATION SCRIPT

The database creation script is responsible for creating the necessary table structure within the newly created database for Venafi Trust Protection Platform. The SQL script to be executed is available within the Venafi installation zip file:

<Venafi Trust Protection Platform YY.Q.x.zip>\Database Scripts\MSSQL\CreateDB.sql

Execute the CreateDB.sql script by opening it using Microsoft SQL Server Management Studio:

Figure 3

Select the correct database target and execute the script:


Figure 4

The result of this script will include some warnings, which are expected. The final line will indicate that it has executed successfully, as shown below in Figure 5:

Figure 5


RUN DATABASE GRANTS SCRIPT

In addition to the standard db_datareader and db_datawriter roles, the SQL service account will also need execute permissions on specific objects within the database. To assign these permissions a SQL script has been provided within the installation zip file.

<Venafi Trust Protection Platform YY.Q.x.zip>\Database Scripts\MSSQL\Grants\sample-grants.sql

The grants script should be executed following the same steps as the CreateDB script, after it has been appropriately modified.

IMPORTANT: The sample-grants.sql must be modified to reflect your SQL service account name before it is executed!

Figure 6
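The login, role mapping and grants steps above, scripted in T-SQL as an added example (it is not part of Venafi's runbook and is not the contents of sample-grants.sql). The database name TPP_Example and the account EXAMPLE\svc-tpp-db are placeholder assumptions; the two queries at the end list what the account actually holds, so the result can be compared with the permissions this section describes.

```sql
-- Added example, not Venafi's script. Placeholder names (assumptions):
--   [TPP_Example]         the "Database name" recorded when the database was created
--   [EXAMPLE\svc-tpp-db]  the Windows-authenticated database access account

USE [master];
GO
-- Create the server login only if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\svc-tpp-db')
    CREATE LOGIN [EXAMPLE\svc-tpp-db] FROM WINDOWS;
GO

USE [TPP_Example];
GO
-- Map the login to a database user (the "User Mapping" step in the GUI).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\svc-tpp-db')
    CREATE USER [EXAMPLE\svc-tpp-db] FOR LOGIN [EXAMPLE\svc-tpp-db];
GO
-- The two roles named in "Assign Account Permissions".
ALTER ROLE db_datareader ADD MEMBER [EXAMPLE\svc-tpp-db];
ALTER ROLE db_datawriter ADD MEMBER [EXAMPLE\svc-tpp-db];
GO

-- Check 1: every database role the account is a member of.
-- Compare against the two roles this runbook asks for.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'EXAMPLE\svc-tpp-db'
ORDER BY r.name;

-- Check 2: permissions granted or denied directly to the account.
-- Run after the modified sample-grants.sql: the EXECUTE rows are the
-- object-level grants that script is described as adding. CREATE USER
-- itself contributes a CONNECT row at database level.
SELECT dp.state_desc,
       dp.permission_name,
       dp.class_desc,
       OBJECT_SCHEMA_NAME(dp.major_id) AS obj_schema,  -- NULL for database-level rows
       OBJECT_NAME(dp.major_id)        AS obj_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE p.name = N'EXAMPLE\svc-tpp-db'
ORDER BY dp.class_desc, obj_name;
```

If the first result set lists a role beyond db_datareader and db_datawriter (db_owner, for example), the account holds more than this runbook asks for.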

INSTALL APPLICATION SERVER PREREQUISITES

Application servers that will run Venafi Trust Protection Platform have several prerequisites that must be satisfied prior to installation. This section will walk through the installation of these prerequisites in detail. For a comprehensive list of all the prerequisites necessary, please review the product documentation section: https://docs.venafi.com/Docs/current/TopNav/Content/Install/r-install-SysReq-ALLVenProducts.php


GRANT PERMISSIONS TO SQL SERVICE ACCOUNT

NOTE: This section only applies when using Windows Authentication (and Active Directory account) to access the Venafi Trust Protection Platform Database. If you are not using Windows Authentication, you can skip this section.

The service account configured with permissions to the database in the previous section needs to have local administrator rights on the Venafi Trust Protection Platform servers. Additionally, it will be necessary to “log in interactively” as this user account to perform the software installation.

Figure 7

REQUIRED ROLES AND FEATURES

The following screenshots and instructions will step through the installation of the required server roles and features:

1. In Server Manager click the Add Roles and Features link.

2. Click the Next button shown in Figure 8.


Figure 8

Figure 9

3. Select Role-Based or feature-based installation for the installation type.

4. Click the Next button as shown in Figure 9 above.


Figure 10

5. When prompted for Server Selection, choose the Select a server from the server pool radio button and ensure that both the hostname and IP address are correct for the device that the roles and features should be installed on.

6. Click Next as shown in Figure 10 above.

Figure 11

7. When prompted for Server Roles, select Application Server as shown in Figure 11 above.

8. Move the scroll bar down to display additional services and select Web Server IIS.


9. A display to add the Web Server IIS management tools and management console appears. Select Include management tools (if applicable).

10. Click the Add Features button as shown in Figure 12 below.

Figure 12

11. Click the Next button as shown in Figure 13.

Figure 13

Once the features have been added the server will have both the Application Server as well as the Web Server IIS roles and features selected and ready for configuration and installation. This will prompt a set of selection items under both “Application Server” and “Web Server IIS” for configuration.


12. Select .NET Framework 3.5 Features (to include .NET 2.0 and .NET 3.0) as shown (circled) in Figure 14 below.

Note: .NET Framework 4.5 Features are already installed by default.

13. Once selected, click the Next button to proceed.

Figure 14

The configuration will continue to the Application Server roles and features as shown in Figure 15 below.

Figure 15

Open Role Services under Application Server.


14. Click Next as shown in Figure 15 above.

15. Select Web Server (IIS) Support.

16. This will open a dialog box to add features required for Web Server (IIS) Support. Select Include management tools (if applicable)

17. Click the Add Features button as shown in Figure 16 below.

Figure 16

This will complete the Role Services configuration and drop back to the Web Server Role (IIS) configuration.

18. Click the Next button as shown in Figure 17 below.


Figure 17

The Web Server Roles for IIS configuration screen will appear.

19. Ensure that all the highlighted fields are selected as shown in Figure 18 below. Be sure to include IIS Management Compatibility which is identified as a sub image in Figure 18 below. This will allow for the use of the IIS driver for provisioning.


Figure 18

20. Click the Next button and follow the prompts to complete the installation. There may be a requirement to specify an alternate source path. The system administrator should be able to provide that path if necessary.


Figure 19

21. Click the Install button, as shown in Figure 19 above and wait for the installation to complete.

22. Once the installation has completed successfully, click Close. All the required native roles and features have been installed and configured.

The next component needed for Venafi TPP is the Microsoft URL re-write module 2.0. A link to this software is provided within the Venafi TPP zip package under a “Third Party” directory and has also been included in this document.


INSTALLING MICROSOFT URL REWRITE

Venafi Trust Protection Platform requires the installation of the Microsoft URL Rewrite 2.0 module. It can be downloaded from here: https://www.iis.net/downloads/microsoft/url-rewrite

1. Once downloaded, copy the rewrite_2.0_rtw_x64.msi installation file to the server.

2. Launch the installation by double-clicking it. (URL Rewrite 2.0 must be installed on all TPP servers that are hosting web components)

Figure 20

3. Review the license terms and if you agree, select the “I accept the terms in the License Agreement” checkbox

4. Click the Install button displayed in Figure 20.

Figure 21


5. If prompted by User Account Control, click Yes to continue with the installation.

Figure 22

6. Click Finish once the installation has completed.

INSTALL TRUST PROTECTION PLATFORM

Remotely log in to the host where the Venafi TPP will be installed with an account that has been granted local administrative privileges.

IMPORTANT: If using Windows Authentication for connection to the database, you must log in as, and execute the steps in this section, as the SQL Service Account!

1. Open a command prompt using Run as administrator by right-clicking on the Command Prompt shortcut.

2. Navigate to the directory location of the extracted TPP software and execute the following command, as shown below in Figure 23: “msiexec -i VenafiTPPInstallx64.msi”


Figure 23

3. Click the Next button on the installation title screen.

4. Review the license agreement, select the “I accept the terms in the License Agreement” checkbox and click next.

5. Update the installation location if desired and click next.

Figure 24

6. Click the Next button.


Figure 25

7. Click the Install button. This installs the binaries for Venafi TPP; configuration and setup will occur once this step has been completed.

Figure 26

8. Once the installation is completed, the Venafi Trust Protection Platform Configuration Wizard will automatically launch:


Figure 27

9. Click the Next button shown in Figure 27 above.

10. Select all options on the Select Products screen. (It is common to simply choose all products, but at a minimum “Server Certificate Manager” and “Mobile Certificate Manager” must be enabled for proper SSL/TLS certificate management):

Figure 28


11. Select all of the TPP components under the Component Selection and click next:

Figure 29

12. Click the I accept the terms in the License Agreement radio button and click Next.

Figure 30

13. Select the two checkboxes to help Support troubleshoot issues.

14. Leave the “Shared Key” checkbox blank on the “Shared Encryption Key” screen, unless you are performing the install for an additional server.


IMPORTANT: If you are installing an ‘additional’ server to this TPP database instance you MUST choose “Use Shared Key” and paste in the key exported from the first server installed! Failure to do this may result in data loss!

Figure 31

15. Enable log event processing on this system. (Ideally multiple TPP engines should be configured as “Log Processing” engines for redundancy and efficiency):

Figure 32

16. Change the log expiration value to 90 days as highlighted above and click next.


17. Enter the database connection information required to connect to the MS SQL database:

Figure 33

IMPORTANT NOTES WHEN USING WINDOWS AUTHENTICATION

Be sure to type the password in correctly; it is not validated on this step, and if entered incorrectly will result in errors later in the installation!

Enter the username in UPN format (i.e. [email protected]). Failure to provide this will cause errors configuring the Windows services and IIS application pools!

18. Once all the database configuration fields have been populated click Verify to test the connection to the SQL database.

19. When verification is successful, proceed by clicking next.


20. Specify the desired username and password to be used to establish the first administrative user. This account will be used for installation, configuration, and upgrades.

Figure 34

21. Choose to Start Trust Protection Platform services manually, and click finish:

Figure 35


22. Click the Finish button and allow the Venafi TPP to complete the configuration tasks.

Once all the configuration tasks have completed a prompt indicating the Configuration complete will appear.

Figure 36

This concludes a single instance/installation of the Trust Protection Platform. The platform is configured, IIS is set up using a Venafi self-signed certificate for HTTPS (matching the FQDN of the host), and both the Venafi Log Server and Venafi Trust Protection Platform are installed, but the services have not been started.

START / STOP VENAFI TRUST PROTECTION PLATFORM SERVICES

The following section describes the services necessary to run TPP.

1. From the Start tab on the Windows 2012 R2 server, right-click and select Run.

2. Within the open window, type the command services.msc and click OK.

3. The Services window appears. There are two services which need to be started for TPP. Both services are listed below along with their starting and stopping order. They are the Venafi Log Server and the Venafi Trust Protection Platform as seen below in Figure 37:

Figure 37


NEXT STEPS

Now that the base installation of Venafi Trust Protection Platform is complete, there are many post-installation and best-practice configuration tasks to be completed. These tasks are covered in detail during the Implementation 1 webinar.

Please visit https://webinars.ps.venafi.com to see available times and to register.

If you have questions about this document, or about “what’s next”, you may also contact your assigned Venafi Professional Services architect.
