Installation preparation worksheet

This topic is a worksheet you can print and use to document the information required to successfully perform the base installation of Venafi Trust Protection Platform. This worksheet should be completed before you start the installation process.

Information that you gather here can be referenced during the installation process.

Venafi Platform Servers

Complete the following tables identifying your Venafi server.  It is strongly recommended that a minimum of two Venafi servers be installed. Additional servers may be added at any time to accommodate for specific use-cases. Please refer to the Venafi Platform Architecture webcast at https://ps.venafi.com or speak to Venafi Professional Services for additional information if necessary.

Information for Venafi server #1

Venafi Platform Server #1

FQDN Hostname of VENAFI server

 

Windows Server version

 

Server Specifications (CPU/RAM)

 

 

Information for Venafi server #2

Venafi Platform Server #2

FQDN Hostname of VENAFI server

 

Windows Server version

 

Server Specifications (CPU/RAM)

 

TIP  If you're installing more than two servers, make additional copies of the above tables.

Microsoft SQL Server Database

This section captures necessary information about the Microsoft SQL Database (MSSQL) that the Venafi Platform will utilize.  It may be necessary to work with your organization’s Database Administrator to complete this section.

Venafi Platform Database Preparation Items

MSSQL Database version

 

MSSQL Server FQDN Hostname

 

Database Name

 

SQL Server Instance Name (if applicable)

 

MSSQL Listening Port (TCP 1433 Default)

 

Is this an Always On Availability Group Instance?

 

MSSQL Server requires TLS connection?

 

Server Specifications (CPU/RAM)

 

Available Database Disk Space

 

Authentication Method (Windows or SQL Auth)

 

The database owner account is used only for installation, upgrades, and administrative maintenance.

Database Owner Account Authentication

Database AD account UPN or SQL account name

 

The database owner account has been granted the "DBO" role for the database.

 

For Windows integrated authentication:

Grant both database service accounts "Log On As a Service" permissions on all Venafi servers. For more information, see the Microsoft TechNet article Log on as a service.

Grant the operational database account "Log On As a Batch Job" permissions on all Venafi servers.

Add the operational database account to the local administrators group on all Venafi servers. For more information, see Windows permissions for database service accounts.

 

The operational database account is a limited account used for everyday operations. The database grants are managed automatically.

Operational Database Authentication

Database AD account UPN or SQL account name

 

For Windows integrated authentication:

Grant both database service accounts "Log On As a Service" permissions on all Venafi servers. For more information, see the Microsoft TechNet article Log on as a service.

Grant the operational database account "Log On As a Batch Job" permissions on all Venafi servers.

Add the operational database account to the local administrators group on all Venafi servers. For more information, see Windows permissions for database service accounts.

 

HSM Storage for The Venafi Platform Encryption Key

IMPORTANT  HSM connectors are global configurations. As such, the following requirements must be met before your begin:

  • All Trust Protection Platform servers need to have access to the HSM

  • The HSM client must be installed to the same location on all Trust Protection Platform servers

  • The HSM client must present the same partition label on all Trust Protection Platform servers

  • Ideally the serial number presented for the partition is the same on all servers

Make sure all of these requirements are met before creating an HSM connector.

Once these requirements are met for every Trust Protection Platform server in the cluster, you can then create a connector to the HSM from any server in the cluster. Since HSM connectors are global configurations, each server in the cluster will load the configuration after it is created on one of them.

The HSM protected database encryption key must be accessible to all Windows servers before and after installing Venafi.

HSM Information (If Applicable)

HSM Vendor & Software Version

 

HSM Client Software installed version

 

Cryptoki DLL Path

 

Partition label

 

User Type defined

 

PIN – typically not required

 

Firewall Rules

Verify your firewall rules, prepare change procedures prior to implementing the Venafi Platform. Listed below are some minimum requirements.

From

To

Port

Protocol

Purpose

Venafi Server(s)

MS SQL Server

1433

TCP

Connection to TPP database

Venafi Server(s)

DNS Server(s)

53

UDP

DNS Lookups

Venafi Server(s)

Selected AD Domain Controller(s)

UDP: 88, TCP: 88, 135, 389, 445, 636, 3268, 3269, 49152-65536

TCP/UDP

Required if using Active Directory Identity Provider or Windows Authentication to Database

Venafi Server(s)

LDAP Server(s)

389, 636

TCP

Required if using LDAP Identity Provider

Administrator Workstation(s)

Venafi Server(s)

3389

TCP/UDP

Access to Venafi TPP Server for administration tasks

Users

Venafi TPP UI Server(s)

443

TCP

HTTPS access to the Venafi TPP Server(s) Web UI(s) and REST API

Venafi Server(s)

Entrust nShield HSM(s)

9004

TCP

Required if using Entrust nShield HSM for encryption key

Venafi Server(s)

LunaSA HSM(s)

1792, 22

TCP

Required if using LunaSA HSM for encryption key