Automatically calling Discovery/Import from Scanafi

You can use the VenafiScanafi command line utility to add network certificates to Trust Protection Platform. In Scanafi Provider mode, Scanafi discovers TLS 1.0, 1.1, 1.2, and 1.3 certificates, and then calls POST Discovery/Import to add them to a policy folder.

To call Discovery/Import automatically from Scanafi

  1. In Trust Protection Platform, create a Scanafi user:

    • To allow Scanafi to authenticate to Trust Protection Platform, create a user identity. Use this identity in the username and password parameters of the JSON input file.
    • On the API Integrations page, grant the caller access to Scanafi. For more information, see Setting up token authentication.

      The Client ID is the Application ID.

    • On the policy folder that will store Scanafi-discovered certificates, grant Write permission and Create permission. Use the folder name as the zone parameter.
    • Recommended but not required. If some of the certificates are already in a different policy folder than the zone folder, grant View permission with Associate permission on the folders that contain those certificates. The extra permissions prevent errors when new devices and applications are associated with them.

    If the Scanafi computer cannot access POST Discovery/Import, you can run Scanafi in Standalone mode instead. For more information, see Manually calling Discovery/Import with Scanafi data.

  2. To prevent SSL/TLS handshake errors, such as error 12045, make sure the Scanafi computer trusts the server certificate that secures the Web SDK URL. For more information, see Customization Support.
  3. Download the latest executable and documentation from the [Venafi Installation folder]\Utilities\Scanafi\Venafi_Scanafi_Update.
  4. Use the latest documentation to customize the sample in this topic.

    JSON Keys

    id
      The Application ID. Specify scanafi.
    inputs
      An array of scan parameters.
    log_level
      (Optional) Specify one: trace, debug, info (default), warning, error, fatal.
    outputs
      The scan source and destination of the Discovery results.
    password
      The Trust Protection Platform password.
    path
      The directory and endpoint JSON file name. Use valid syntax for your operating system. For example:
      • Windows: C:\\Tpp\\Scanafi\\report.json
      • Linux, macOS: //home//user//Scanafi//report.json
    ports
      (Optional) An array of individual ports or port ranges to scan, for example "443", "80", "8080-8089". If this parameter is not specified, Scanafi uses the default port 443. Ports are scanned from the highest port number to the lowest.
    provider
      The scan source and destination of the Discovery results.
    type
      The provider type. Specify tpp.
    threads
      The scan source and destination of the Discovery results.
    url
      The Trust Protection Platform server that will hold the imported certificates.
    username
      The Trust Protection Platform user name.
    zone
      An existing policy folder for certificates.

    For example:

    {
       "zone":"Policy\\CertsfromScanafi",
       "log_level":"info",
       "id":"scanafi",
       "provider":{
          "type":"tpp",
          "config":{
             "url":"https://192.168.2.84",
             "username":"ScanafiUser",
             "password":"myPassw0rd!"
          },
          "inputs":[
             {
                "type":"CIDR",
                "subnet":"192.168.0.1/25",
                "ports":[
                   "443",
                   "80",
                   "8080-8089"
                ]
             }
          ]
       }
    }
  5. Copy the Scanafi executable from the [Venafi Home]\Utilities\Scanafi directory of your Trust Protection Platform server to the Linux, macOS, or Windows computer that will run certificate discovery.
  6. From a command line, navigate to the Scanafi directory.
  7. (Optional) To see additional command-line flags, run scanafi_win_x64 -h.
  8. To confirm certificate placement, check the policy folder that you specified in the zone parameter.
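The JSON input file from step 4 is easy to get subtly wrong, so here is an added Python check (not part of Scanafi or any Venafi tooling) that validates a parsed file against the key table above and expands the ports entries in the scan order the table describes. It assumes the key layout shown in the sample (id, zone, provider.type, provider.config, provider.inputs) and treats a non-https url as a problem, since the Trust Protection Platform credentials travel over that connection.

```python
import ipaddress
import re
from urllib.parse import urlparse

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

def expand_ports(ports):
    """Expand "ports" entries ("443", "8080-8089") into the ports Scanafi will
    try, highest first (the scan priority in the key table); [443] if absent."""
    if not ports:
        return [443]
    found = set()
    for entry in ports:
        m = PORT_RE.match(str(entry).strip())
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {entry!r}")
        found.update(range(lo, hi + 1))
    return sorted(found, reverse=True)

def validate_config(cfg):
    """Return the problems found in a parsed Scanafi provider-mode JSON file;
    an empty list means the structure matches the key table above."""
    problems = []
    if cfg.get("id") != "scanafi":
        problems.append('"id" must be "scanafi"')
    if not cfg.get("zone"):
        problems.append('"zone" must name an existing policy folder')
    provider = cfg.get("provider") or {}
    if provider.get("type") != "tpp":
        problems.append('"provider.type" must be "tpp"')
    conf = provider.get("config") or {}
    for key in ("url", "username", "password"):
        if not conf.get(key):
            problems.append(f'"provider.config.{key}" is required')
    # The TPP credentials are sent over this connection, so insist on https.
    if urlparse(conf.get("url", "")).scheme != "https":
        problems.append('"provider.config.url" must use https')
    inputs = provider.get("inputs") or []
    if not inputs:
        problems.append('"provider.inputs" needs at least one scan target')
    for i, target in enumerate(inputs):
        try:
            if target.get("type") == "CIDR":
                ipaddress.ip_network(target.get("subnet", ""), strict=False)
            expand_ports(target.get("ports"))
        except ValueError as exc:
            problems.append(f"inputs[{i}]: {exc}")
    return problems
```

Run it as `validate_config(json.load(open("scanafi.json")))` before starting Scanafi; a non-empty result lists every key that needs fixing.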