Answer File wizard

An answer file is an XML-based file that contains configuration information for your installation of Venafi Platform. It includes the enabled modules, database connection information, and security keys used for the configuration. Using an answer file during installation makes it easy to use the same installation settings across multiple servers in your Venafi Platform cluster. An answer file is also helpful for upgrading your system, if you use a non-traditional upgrade method. For more information about answer files, see Creating and using answer files.

The answer file can be generated in two different ways. If you have installed Venafi Platform, you're probably aware of the ability to create an answer file when you install Trust Protection Platform using the GUI.

You can also generate an answer file from the Venafi Configuration Console once you have installed Venafi Platform on a server. This topic discusses how to create an answer file using the Answer File Wizard in the configuration console.

To generate an answer file using Venafi Configuration Console

  1. Log in to the Venafi Platform Windows server and launch Venafi Configuration Console.
  2. [Optional] If you want to Disable validation of the provided values, check the box.

    Generally, you will want to validate the values as you enter them into the answer file wizard. However, if you are configuring for a server in a different zone (say a production server that you can't access due to the network configuration), you will want to disable validation so the system doesn't provide an error when you enter connection information that can't be verified.

  3. From the root Venafi Configuration node in Venafi Configuration Console, click Run Answer File Wizard in the Actions panel on the right.

  4. Click Next.

  5. [Optional] If you already have an answer file as a template, on the Answer File tab click the Browse button to locate the answer file. If the answer file is encrypted with a password, enter the password, then click Next.

  6. On the Component Selection tab, use the tree to select which components and features you want to enable for the installation.

    IMPORTANT  The installation will not work properly unless you select at least one product (TLS Protect, Client Protect, CodeSign Protect, or SSH Protect). If you are trying to install a UI-only server (WebConsole) you need to select one top-level product, in addition to the UI components in the Common Components list. However, in that case, you can deselect the child components of the top-level product. For example, this is a valid configuration:

    Select the components you want to install, then click Next.

  7. On the Hardware Encryption tab, determine if you want to use hardware encryption.

    Venafi Trust Protection Platform can encrypt data using one or more keys stored in an HSM. For code signing, Venafi Trust Protection Platform can use private keys stored on an HSM to sign code. To enable hardware encryption, check the box, and fill out the requested information.

    NOTE  In the table above, if you chose to disable validation, the Default Key field is a text field, and there is no Create button.

    TIP  If you are installing to an existing database, if hardware encryption is enabled, you will need to enter the PIN to continue, even though no other information appears on the screen.

    NOTE  You must select either one or both encryption types (hardware and/or software encryption).

    IMPORTANT  The keys used to encrypt Trust Protection Platform are critical to the system's functionality. Without the encryption keys, you cannot access the database or stored secrets.

  8. On the Software Encryption tab, determine if you want to use software encryption.

    Venafi Platform can encrypt data using a software encryption key.

    If you are connecting to a new database, you can either provide a key, or have one generated for you.

    If you are connecting to an existing database, you must use the software key used to encrypt that database.

    If you are connecting to an existing database (and you chose to validate the answer file) with software encryption enabled, before you can move to the next tab, the system will verify that the software key matches the existing database's software encryption key.

    TIP  If you are installing with an existing database, if software encryption has not been configured for that database, the options on this screen will be disabled.

    NOTE  You must select either one or both encryption types (hardware and/or software encryption).

    IMPORTANT  The keys used to encrypt Trust Protection Platform are critical to the system's functionality. Without the encryption keys you cannot access the database or stored secrets. Consequently, if you use a software encryption key, it is highly recommended that you back up the key to a secure location. In the event of a system failure, you can restore the key so Trust Protection Platform can access your system data.

  9. On the Database Settings tab, choose either the Settings tab or the Expert tab, and fill out the connection information for your database. If you enter different data into both tabs, the tab you are on when you click Next will determine which settings are applied.

    Before you configure a new database connection, you must have previously created the Trust Protection Platform database and configured both database service accounts.

    For information about the types of database service accounts and permissions they need, see Setting up your Microsoft SQL database server.

    If you are connecting to an existing database and you chose to validate the answer file, before you can move to the next tab, the system will verify that the database connection information is correct.

  10. On the Administrative Account tab, enter information for the local master admin account for Venafi Trust Protection Platform.

    You need to create a local master admin account for Trust Protection Platform. You will use this account to log in to Trust Protection Platform and to perform maintenance and upgrade tasks in the system. The local master admin account has all permissions to every object in Trust Protection Platform.

    Enter the user name and password. Password requirements are show on the screen. The password will be validated locally to verify it meets complexity requirements.

    Verify the password, then click Next.

  11. On the Event Logging tab, determine if you want this server to process log events.

    At least two Venafi servers needs to have event logging enabled. If event logging is configured on two different servers, you can leave this check box cleared.

    Venafi recommends you define a retention period to control growth of the database. Trust Protection Platform will periodically automatically delete logs older than the specified number of days.

    Click Next.

  12. On the Environment tab enter the required information.

    Enter your organization name, and select the deployment type for the server, then click Next.

    Your organization name and deployment type are used in Venafi reports, and may be used in the future in other ways to enhance your product experience.

  13. On the Customer Experience tab, review the information on how data is collected.

    NOTE  Participation in the Customer Experience Improvement Project is required for all customers, enabling Venafi to gather license utilization and product usage telemetry. This does not include any personally-identifiable data. Read more about our data collection policy in the Venafi Data Privacy Policy for Venafi Trust Protection Platform™.

    Click Next.

  14. On the Save Configuration tab, do the following:

    • Determine the location where the configuration progress and errors will be logged. If there is a problem with the configuration of the Venafi database, this file will show you where the error occurred, which will help Venafi Customer Support troubleshoot your issue more quickly and efficiently.
    • Specify whether Venafi Platform services should be started immediately upon completion of configuration.
    • We recommend you save your configuration as an answer file if this configuration is different than an answer file you have previously created. An answer file simplifies the process of upgrading Trust Protection Platform, reinstalling Trust Protection Platform, or installing more than one Trust Protection Platform server, connecting to the same database.

      • If you create an answer file, it is recommended that you encrypt your answer file with a password. An unencrypted answer file is a plain text XML file that contains information like your master admin user name and password, your database connection credentials, your software encryption key, and all other configuration settings.
      • If you are just completing the wizard to create an answer file, select the appropriate option. The wizard will save the answer file and will close when you click the Finish button.
  15. Click Finish.

    Venafi Platform will save the new configuration as an answer file in the specified location. When the answer file has been saved, click Close.