PowerShell script reference for Adaptable Workflow
Similar to other Venafi Adaptable solutions, the Adaptable Workflow utilizes a PowerShell script that contains functions you can use to integrate with third-party change management approval systems, or to perform automatic approvals and rejections of requests based on specific criteria.
TIP When creating new PowerShell scripts for use with the Adaptable Workflow (or other Venafi Adaptable solutions), keep in mind that the file name is used to identify your script from within the associated object in Trust Protection Platform. Using logical names can help you and other administrators recognize the purpose and intent of each script.
This section documents all available PowerShell functions for use with the Adaptable Workflow driver. PowerShell scripts are stored in the \Venafi\Scripts\Adaptable
The input parameters and response format for each function is predefined. All functions receive a set of general parameters, whereas those parameters that are specific to the function are only passed to it.
DID YOU KNOW? To prevent vulnerabilities, the PowerShell scripts are stored on the Trust Protection Platform server. While it might have been more convenient to allow downloading the script, storing the scripts on the Trust Protection Platform server prevents potentially harmful scripts from affecting the server. Only privileged users on your Trust Protection Platform server can access scripts.
You must ensure the same version of all your Adaptable Workflow scripts are on all servers in the cluster that have the WebConsole component installed. For this reason, it is wise to include a script version number in the file name, so you can easily check to see that the same version of the script is installed on all servers in the cluster.
NOTE To work effectively with any Venafi adaptable solution, you must have some working knowledge of PowerShell scripting, or you must have equivalent experience with a scripting language similar to PowerShell.
Sample scripts are provided in the \Venafi\Scripts\AdaptableWorkflow\Samples
folder. Only files that are in the main \Venafi\Scripts\AdaptableWorkflow\
folder can be selected in an Adaptable Workflow object in Policy Tree. Files in all sub-folders are ignored.
A sample script is provided in the \Venafi\Scripts\AdaptableSSHCertificateIssuanceFlow\Samples
folder. Only files that are in the main \Venafi\Scripts\AdaptableSSHCertificateIssuanceFlow\
folder can be selected in an Adaptable Flow object in Policy Tree. Files in all sub-folders are ignored.
A sample script is provided in the \Venafi\Scripts\AdaptableSSHManagement\Samples
folder. Only files that are in the main \Venafi\Scripts\AdaptableSSHManagement\
folder can be selected in an Adaptable SSH Key Discovery object in Policy Tree. Files in all sub-folders are ignored.
Data is passed to the functions using hash tables (key-value pairs). Using hash tables enables the addition of new functions in future releases.
BEST PRACTICE When customizing (or creating a new) PowerShell script, keep the following security best practices in mind:
- Avoid hard-coding credentials into your PowerShell scripts.
- Only include code in functions that relate to the task they are designated to perform.
- Scripts should not do anything that could alter the integrity or availability of the local Windows system (the system hosting Trust Protection Platform).
About debug logging
When a user has requested debug logging by checking Enable Debug Logging for Adaptable FlowAdaptable WorkflowAdaptable SSH Key Discovery, the driver sets a global variable called $DEBUG_FILE whenever it executes a PowerShell function. So your PowerShell script should reference the value of the $DEBUG_FILE variable to decide whether or not to log information for troubleshooting purposes. The value the driver assigns to the $DEBUG_FILE variable is a recommended file path name on the Trust Protection Platform server for use when logging events to a file. The file name is designed to be unique to the instance of the Adaptable component so as to avoid conflicts when multiple scripts are running at the same time and writing to the log file. If the recommended file name is used, the resulting log file appears in the <Venafi Home>\Logs
directory by default (e.g. C:\Program Files\Venafi\Logs
).
For information about where Enable Debug Logging is configured for Adaptable FlowAdaptable Workflow, see