Setting up your Microsoft SQL database server
You should have a database administrator complete the following steps to set up the Trust Protection Platform database on a Microsoft SQL Server.
BEST PRACTICE Venafi recommends using two separate database service accounts for Trust Protection Platform to communicate and manage the database. The database owner account (Also DBO account) This is a service account that Trust Protection Platform uses for installations, upgrades, and administrative maintenance of the database. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions on all Venafi servers. See also operational database account. is used for installing, upgrading, and administrative maintenance. The operational database account (Also limited database account) This is a service account that Trust Protection Platform uses for everyday operations. It can be a domain service account when used with Windows integrated authentication, or a MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions, and also needs to be part of the Local Administrators group, on all Venafi servers. Database grants for this account are automatically managed by the system. See also database owner account. is used for everyday operations. Having separate accounts is in line with the "Least Permissions" security principle, and is a more secure way to configure your system. The database owner account manages the necessary database grants for the operational database account.
You can connect to your database via any of the following:
-
Windows integrated authentication using standard service accounts.
-
Windows integrated authentication using Group Managed Service Accounts (gMSAs).
-
Microsoft SQL native authentication.
Windows integrated authentication is the preferred method for security purposes as it allows for central management of accounts and passwords in Active Directory.
Since Windows integrated authentication is not always possible in some network segments such as DMZs, we support dual authentication, where some Venafi servers use Windows integrated authentication, while other Venafi servers connecting to the same database use MSSQL native authentication. In this scenario, you will need double the number of MSSQL service accounts.
To create the Trust Protection Platform database on a Microsoft SQL Server
-
Verify the database server meets the system requirements of your targeted deployment size of Trust Protection Platform.Locally Hosted MSSQL Requirements
-
Create the Trust Protection Platform database. For information on creating a database see Microsoft's documentation on database creation.
The database name cannot contain any of the following characters:
[ ] ( ) { } \ " ' , $ % * ?
- If you are connecting via Windows integrated authentication (including gMSAs):
Create a database owner service account and the operational database account in Active Directory.
Grant both database service accounts "Log On As a Service" permissions on all Venafi servers. For more information, see the Microsoft TechNet article Log on as a service.
Grant the operational database account "Log On As a Batch Job" permissions on all Venafi servers.
Add the operational database account to the local administrators group on all Venafi servers. For more information, see Windows permissions for database service accounts.
- Create a login for both accounts on the database server. For more information, see Microsoft's documentation on creating logins.
- Grant the database owner account the DBO role to the database. For more information, see Microsoft's documentation on granting database permissions to users and groups.
- If you are connecting to the database with MSSQL native authentication:
Create the database owner account and the operational database account on the MSSQL server. For more information, see Microsoft's documentation on creating a database user.
- Grant the database owner account the DBO role to the database. For more information, see Microsoft's documentation on granting database permissions to users and groups.
- If you are not the person installing Trust Protection Platform on the Venafi servers, provide the credential information to the person who will do the installation.
TIP If you would like information on managing and rotating your database credentials in Trust Protection Platform, see Automatic credential rotation options.
Permissions for enhanced performance and scalability monitoring
In large deployments where you need to closely monitor performance and scalability, you can give the operational database account additional permissions in MSSQL Server. These permissions are optional, and are only recommended if you have a dedicated SQL server for Venafi Platform, because these permissions could give Venafi Platform the ability to query some limited details about other databases on the server.
IMPORTANT Venafi Platform does not collect any information about other databases on the server. However, because it is possible, we don't recommend you make these changes on shared database servers.
Giving the operational database account these permissions will allow Venafi Platform administrators to have readily available performance data on the Venafi Platform database, viewable in the Venafi Statistics MMC snap-in.
Giving enhanced reporting permissions in MSSQL
- Log in to the database server with the database owner account.
- In the Object Explorer, right-click on the database server container, then click Properties.
- In the Page panel, click Permissions.
- In the Logins or roles panel, click the name of the operational database account.
-
In the Explicit tab, click the Grant checkbox for the following permissions:
- View any definition
- View server state
- Click OK.