Creating an Apache application object
To enable Trust Protection Platform to manage PEM files installed on Apache and Windows servers, you must configure the Apache application object. This object provides the information Trust Protection Platform needs to monitor, enroll, or provision PEM files on its associated Apache or Windows servers, and can even provision the end-entity, chain and—as of Trust Protection Platform version 18.3— private key to a single file (rather than two or three separate files).
Before beginning this procedure, make sure that you review the topic, Apache prerequisite configuration.
BEST PRACTICE Consider managing object settings using a policy. For more information, see
DID YOU KNOW? When you add an installation to a certificate, you'll have the option of defining (and editing) this object during that process, which means that you don't have to log in to Policy Tree as the following procedure describes. And because the settings are the same, you can use this topic for information about each setting.
For more information, see Creating a certificate installation.
To create and configure an Apache application object
-
From the TLS Protect menu bar, click Policy tree.
- In the Policy tree, select the device object to which you want to add the new application object, and then click Add > Application, and then select Apache.
-
When the new application object page appears, then under Status, clear the Processing Disabled checkbox.
When checked, this option disables provisioning of the certificates installed on the current application. This means that Trust Protection Platform does not attempt to install, renew, process, or validate certificates on the application.
-
(Optional) In the Device Certificate box, click to select and associate a certificate with the new application.
NOTE If you don't have a certificate ready, you can do this later or you can do it on the certificate's Association tab.
To associate a certificate with the current application, you must have write permissions to the application object and either write or associate permissions to the certificate object.
For detailed information on associating a certificate with an application, see Associating a certificate with an application object.
-
Under General, do the following:
- In the Application Name field, type a name for the new application.
-
(Optional) In the Description field, type a description for the purpose of the application.
A strong description can help to provide context for other administrators who might need to manage the new application.
-
In the Contacts field, select user or group identities you want assigned to this application object (or choose the Use policy value to configure contacts using a policy).
Default system notifications are sent to the contact identities. The default contact is the master administrator.
TIP If the Identity Selector dialog is not populated when it first opens, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store, then return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).
Press Shift+click to select multiple, contiguous users and groups. Press Ctrl+click to select multiple, discontiguous users and groups.
-
In the Approvers field, select user or group Identities you want to assign to approve workflows (certificate approval or injection command) for the new application.
The default approver is the master administrator. For more information on defining workflow objects, see Implementing certificate workflow management.
-
(Conditional) If your application (or certificate) object is affected by a defined workflow and you want users to use a console other than Policy Tree, click Managed By and select which administration console to use as part of the workflow.
You only need to configure this if you are using workflows and expect users to perform a task using a particular administration console. The default setting is Policy Tree.
For more information, see Specify folders and certificates to be managed by TLS Protect .
-
Under Application Information, do the following:
-
Click next to Application Credential to browse for the credential object that you want to use to authenticate with the application.
DID YOU KNOW? Credential objects store the credentials Trust Protection Platform uses to authenticate with devices, applications, and CAs. The stored credential might be a user name or private key credential; some drivers—such as F5, which is not SSH-based—can only use the user name credential for authentication.
NOTE The user account you select must have Read and Write access to the Temporary, Private Key, and Certificate directories.
For more information, see Working with system credentials.
DID YOU KNOW? The Connection Method is the protocol that Trust Protection Platform uses to connect to the server and manage the certificates installed on that server. In an application object's settings, this field is typically read-only.
-
(Optional) In the Port field, type the port that Trust Protection Platform should use to communicate with the server where the application is installed.
Trust Protection Platform uses the SSH protocol to communicate with the application server installed on Linux or Windows. The default SSH port assignment is port 22.
-
-
Under Remote Generation Settings, click the Private Key Location list and select where you want remotely generated key pairs to be created and select one of the following options:
TIP The Thales SafeNet Luna SA HSM and Entrust nShield HSM settings are not visible if you have not activated Venafi Advanced Key Protect. For more information, see Enabling Venafi Advanced Key Protect.
-
Device: Key pairs are generated on the device.
This is the default setting.
-
Thales SafeNet Luna SA HSM: Key pairs are generated on a Thales SafeNet Luna SA HSM.
When you select this option, do the following:
-
In the Client Tools Path field, type the directory path where the sautil command from the OpenSSL Toolkit that is located on the device.
The default path is /usr/safenet/lunaclient/bin.
- (Required) In the Partition Password Credential field, select a password credential that represents the PIN for the HSM partition where the private key is stored.
-
-
nCipher nShield HSM: Key pairs are generated on an Entrust nShield HSM.
When you select this option, do the following:
-
In the Client Tools Path field, type the directory path where the generatekey utility and other nShield Core Tools are installed on the device.
The default path is /opt/nfast/bin.
-
In the Protection Type field, select the appropriate level of protection:
- Operator Card Set. Choosing this protection type applies and enables the following:
- OCS Identifier is the label assigned to the operator card set when it was created
OCS Password Credential links to a password credential that has the passphrase assigned to the operator card when the OCS was created.
If the operator card was created without a passphrase the OCS Password Credential control should be left unassigned.
IMPORTANT Only operator card sets with a quorum of 1 are supported (1-of-N) and the operator card must be inserted into the HSM's card reader slot prior to any interaction by Trust Protection Platform with the device. An operator card may be left permanently inserted into the slot; or you can configure a workflow to pause processing until someone has acknowledged reinsertion of the card.
- Module: This is the lowest protection level. It requires that your device has been properly configured to use the HSM for key generation.
-
Softcard: This is the next highest level of protection. This is a kind of password that is stored on your HSM.
If you selected Softcard as the Protection Type, then in the Softcard Identifier field, enter your softcard's 40-character hash.
This option requires that the device is properly configured to use the HSM for key generation and that a softcard has been previously generated using the HSM, and that the requester knows the passphrase for that softcard.
NOTE If you set Reuse Private Key for Service Generated CSRs to Yes on a certificate's policy, the protection type is ignored because it cannot be changed for an existing private key. If you need to change the protection type, you must set Reuse Private Key for Service Generated CSRs to No.
For more information, see Configuring HSM-based remote key generation and Setting policy on a folder.
-
Private Key Alias: Displays the HSM key alias value for this key using the Private Key Label Apache object attribute (to save the data).
While this read-only field is visible on every Apache application object but is enabled for the Entrust nShield HSM option only.
The private key alias is created by combining the time-stamp (YYMMDDhhmmss) and file name of the key (without the file extension). For example, 190316142039_MyPrivateKey.
- Operator Card Set. Choosing this protection type applies and enables the following:
-
-
-
Refer to the following table to complete the remaining settings:
Field Policy Description Apache Settings
The following are server-specific certificate settings. They are referenced only when you associate a certificate with the current Apache application object.
Private Key File
The path and filename on the Apache application server where Trust Protection Platform installs the private key.
This setting must match the Apache application’s private key file configuration. For more information, refer to your Apache documentation.
Private Key Credential
The credential required to access the private key file for certificate renewal.
To select a private key password credential
-
Click to open the Credential Selector dialog.
-
Select the credential required to access the private key file for certificate renewal, and then click Select.
For more information, see Working with system credentials.
Trust Protection Platform does not include the private key password on the command line when performing key management operations. Instead, it provides the password when prompted.
Certificate File
The path and filename on the Apache application server where Trust Protection Platform installs the certificate.
This setting must match the Apache application’s certificate file configuration. For more information, refer to your Apache documentation.
DID YOU KNOW? If you want to provision the end-entity, chain and private key to a single file (rather than two or three separate files), then specify the same path and filename for the Certificate File and Certificate Chain File settings, and/or Private Key File settings on the application object.
Certificate Chain File
The path and filename on the Apache application server where Trust Protection Platform writes root certificates.
This setting must match the Apache application’s certificate chain file configuration. For more information, refer to your Apache documentation.
Overwrite Existing Chain
Overwrites the existing certificate chain file when Trust Protection Platform installs a new certificate and private key.
-
- (Optional) Under File Ownership and Permissions, select Yes on the Set Owner and Permissions after Provisioning Files drop-down—if you want to set specific permissions and ownership on files after they have been provisioned by Trust Protection Platform—and then do the following:
In the Owner field, type the user account name of the user who should have access to the provisioned files.
BEST PRACTICE Who you assign as owners and approvers of your certificates is an important part of your PKI strategy. This is especially true because employees continue to pose the greatest threat to securing trust. Typically, this is because many employees fail to follow security best practices.
- From the Owner Permissions list, select the level of permissions you want to grant to the owner (Read, or Read and Write).
In the Group field, type the group name to which the owner belongs.
- From the Group Permissions list, select the level of permissions you want to grant to that group (None, Read, or Read and Write).
- When you are finished, click Save.
For additional HSM configuration information, see Managing applications using HSM-protected keys and Venafi Advanced Key Protect and Configuring HSM-based remote key generation.
What's next?
After you've created an application object, here are other things you can do to manage the new application:
-
On the application's Settings sub-tab:
-
Click to push a certificate to its associated application.
For more information, see Pushing a certificate and private key to an application .
- Click Reset to stop processing the application and reset the status and stage.
- Click to reattempt installation of the certificate to its associated application, .
-
Click Validate Now to validate the applications associated certificate.
Validation requests are placed into a queue. When your validation runs, the application and its associated certificate are scanned according to the settings configured in the application object’s Validation tab.
For more information, see About certificate and application validation.
-
-
On the application object's Validation tab, you can configure validation settings for the application object.
-
On an object's General tab:
-
Click the Log sub-tab to view any events that are triggered by the template object.
-
Click the Permissions sub-tab to configure the users or groups to whom you want to grant permissions to the new object. For more information, see Permissions overview.
-