Workflow object settings
The following table describes the certificate workflow object settings.
Field |
Description |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Conditions |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
If Stage Is |
Applies the workflow actions at the designated stage of the object lifecycle. The default lifecycle stages are as follows. Individual stages may vary per application. For information on certificate lifecycle stages for each application, see Protecting server platforms and keystores. If the private key and CSR are locally generated on the server, stages 0-700 are performed by the default X.509 Certificate Application driver. Stages 0-700 are only performed by the certificate’s consumer Application driver if the private key and CSR are remotely generated on the certificate’s consumer application. NOTE The private key and CSR are remotely generated on the certificate’s consumer applications if the Generate Key/CSR on Application option is enabled in the Certificate object. Certificate Stage Codes
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
If Application or Trust Store Is |
Applies the workflow actions only to certificates installed on a specific type of application. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Actions |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Inject Commands |
Under the designated conditions, Trust Protection Platform executes the defined commands on the certificate’s consumer application. Trust Protection Platform is able to run local SSH commands against the following applications:
Trust Protection Platform is able to run PowerShell commands over WinRM for the CAPI application. After Trust Protection Platform executes the command, the application driver logs an Inject Command Success or Inject Command Failure event so you can determine if the command successfully executed on the target application. The Inject Command Success event returns a value of zero (0) in the event’s Value2 field. An Inject Command Failure event returns a non-zero numeric value in the Value2 field. To provide automatic notification for Inject Command Failure events, you can create a Notification Rule that triggers on a value greater than zero in the event’s Value2 field. For more information, see Creating notification rule objects. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Request Approval From |
Under the designated conditions, Trust Protection Platform submits an approval request to the workflow approver. You can request approvals for certificate renewals or workflow injection commands. The following options allow you to define the workflow approver. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Defines a dynamic approver for the current Workflow object. Depending on which stage of the certificate lifecycle triggers the Workflow, Trust Protection Platform reads the workflow approvers from the certificate’s Certificate object or consumer Application object or from the Certificate or Application tab of the certificate’s parent Policy object. The rules for where Trust Protection Platform reads the workflow approver are as follows:
The private key and CSR are remotely generated on the certificate’s consumer applications if the Generate Key/CSR on Application option is enabled in the Certificate object. For example, if the Workflow object is triggered at stage 100 of the certificate lifecycle and the private key and CSR are centrally generated, Trust Protection Platform reads the approver from the certificate’s associated Certificate object. If the Workflow object is triggered at stage 800 of the certificate lifecycle, Trust Protection Platform reads the approver from the certificate’s consumer Application objects. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Specified Approver |
Defines a static approver for the current Workflow object. To select the workflow approvers:
NOTE If you change the approver for an item that is pending approval, the update may take up to four hours to complete. Changing this setting can adversely affect performance of the system. If you need to change this setting contact Venafi Support. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Specify approver via macro |
Allows you to enter a macro to dynamically select the workflow approver when the workflow is triggered. For more information on the Trust Protection Platform macro language, see the Venafi Trust Protection Platform Macro Guide. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Reason Code you want to include with the notification that is sent to the workflow approver. The maximum Approval Reason Code value is 999. IMPORTANT This option is required if you select Request Approval From. Approval Reason Codes also accompany customized explanations or instructions for workflow approvers. The drop-down list displays the Reason Codes defined in the Workflow tree. For more information, see Defining reason codes for certificate approvals. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
General Tab |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Log |
Provides a view of all events triggered for the current object. An administrator must have a minimum of the Read permission to view this tab. For more information on the Log tab options, see General configuration options. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Permissions |
On the object permissions tab, you select the users or groups you want to have permissions to the current object, then you select which permissions you want the users or groups to have. You can also manage object permissions via parent objects, including folder.If you configure Permissions in a parent object, those permissions are inherited by all subordinate objects. |