Creating an Adaptable Flow
Adaptable Flows allow you to customize the issuance of SSH Certificates. After you have updated the required PowerShell scripts on the Venafi server, you're ready to get to work creating your flow.
To create and configure a new Adaptable Flow object
- From the SSH Protect menu, click Configuration > Policy Tree, then open the Certificate Authority tree.
- Expand the SSH > Flows folder.
- Click Add > SSH Certificate Issuance Flow.
- Give the Flow a name and a description.
- Click Save.
  A new flow will be created with several nodes.
- Right-click on the new flow you created, then click Add > Adaptable Action.
- Enter the values on the Adaptable Action page.

| Section | Field | Description |
| --- | --- | --- |
| General | Name | The name of this adaptable action. |
| General | Description | Enter a description for this flow configuration. |
| General | Skip this Action | Used to temporarily skip this action (helpful for debugging). |
| Action | PowerShell Script | Select the PowerShell script that you want to run with this flow. You can only see scripts that are located in the \Venafi\Scripts\AdaptableSSHCertificateIssuanceFlow\ folder, but not any of its sub-folders. |
| Action | Position | Select from a list of positions, indicating when in the process the adaptable script will be run. |
| Action | Allow Script to Modify Certificate Requests | When checked, this PowerShell script will be able to modify certificate requests, using macros. |
| Action | Validate Certificate Requests Prior to Issuance | When checked, after the PowerShell script has run, the resulting certificate requests will be validated against the restrictions defined in the SSH certificate issuance template. |
| Action | Enable Debug Logging | (Optional) If you want to enhance troubleshooting capabilities of your Adaptable Flow, select the Enable Debug Logging check box. For information about how enabling this option works with the PowerShell script, see the Adaptable Flow PowerShell script reference. |
| Action | Script Execution Timeout (seconds) | Set the amount of time, in seconds, the server should wait for the script to process before it aborts. |
| Script Parameters | Service Address | Identifies the endpoint (URL, host, port, etc.) of the calling Adaptable Flow object. |
| Script Parameters | Username Credential | Use to select the primary credential (username and password combination) to pass to the script. NOTE: If you're connecting to the Venafi Web SDK, leave both credential fields empty since you'll be specifying a credential in the WebSDK OAuth Token Configuration settings. |
| Script Parameters | Certificate Credential | |
| Script Parameters | Secondary Credential | Use to select a secondary credential to pass to the script, for example, to authenticate to the remote system. |
| Conditions | If Stage is | Applies the workflow actions at the designated stage of the object lifecycle. For more details on certificate workflow stage codes, see Workflow object settings. |
| WebSDK OAuth Token Configuration | | NOTE: If your application doesn't connect to the Web SDK, leave all of these fields blank. |
| WebSDK OAuth Token Configuration | OAuth Token Application ID | Enter the application ID of the API application integration you should have created previously, as described in Adaptable Log Channel prerequisites. |
| WebSDK OAuth Token Configuration | OAuth Token Credential | Select the username credential of the service account that has been granted access to the Client ID of the API Application. See Adaptable Log Channel prerequisites. In this context, the username credential identifies the user (identity) for whom the token is being requested. It also verifies whether you have the required permissions within your organization to enable the script to authenticate as the selected user. This security measure prevents users from impersonating another user. |
| WebSDK OAuth Token Configuration | OAuth Token Scope | (Optional) Enter one or more of the scopes assigned to your API application. For example, Certificates: Manage. Leave this field blank if you want to include all defined scopes. To learn more about scopes and restrictions, see Scopes for token. |

NOTE If you have specified custom fields in the PowerShell script, they will also be visible on this screen. Custom fields support macros that will be evaluated and the results will be passed to the PowerShell script. For example, the $SelfDN$ macro will resolve to the DN of the certificate or application being processed for approval. For more information on Macros, see Macro overview. For more information on Configuration Macros, see Configuration macros.
- Click Save.
What's Next?
You can create as many adaptable actions as needed for a single SSH certificate issuance flow, so if you need more, repeat these steps, starting with step 6.
Once you have the adaptable actions you need, you are done configuring the Adaptable Flow for SSH Certificate issuance feature. You can now use this Flow when creating or modifying an SSH certificate issuance template. See Working with issuance templates.