Additional upgrade considerations

The following items, while not common, are important to consider because due to the changes in installation and upgrade introduced in 20.1, some of your configuration processes post-upgrade may change.

• If you have custom SQL log channels the way to create and maintain those database tables remains the same. It is not automated with the database owner account (Also DBO account) This is a service account that Trust Protection Platform uses for installations, upgrades, and administrative maintenance of the database. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions on all Venafi servers. See also operational database account.. The use of manual scripts is still required. For details, see Creating a custom SQL log channel.

  This is important to consider because while we've eliminated manual database updates for standard upgrades, they are still required for custom SQL log channels.

• If you are using Windows integrated authentication: WinAdmin and the Venafi Support Tool run under the account of the user logged in when the tool is launched. If that account does not have operational database account privileges, these tools cannot authenticate to the database. You have the option to grant a Windows domain account the necessary permissions to launch these tools. To grant these permissions:

  1. From an elevated command prompt browse to the Venafi\Platform directory

     If you installed Trust Protection Platform in the default location, you would browser to the following location:

     C:\Program Files\Venafi\Platform

     How to open an elevated command prompt

     1. From the Start menu, search for CMD.
     2. In the search results, right-click on Command Prompt, and choose Run as administrator.

  2. Run the configuration utility (TPPConfiguration.exe) with the -dbgrant:<user> switch.

     TppConfiguration.exe -dbgrant:john.adams@ad.example.com

     For additional information about the configuration utility and switches, see Command line configuration switches.

  This is important to consider for three reasons. First, even though additional grants for users launching Venafi tools has always been required, how the grants are given has changed. Second, starting with 20.1 it is only the WinAdmin and Venafi Support Tools that require these grants. Finally, the Venafi Updater and SchemaTool.exe have been updated to impersonate the operational database account.