The Avi Load Balancer can be set up to integrate with the Venafi Trust Protection Platform™ for automation of SSL and TLS certificate life-cycle management. All certificates will be protected and controlled through TPP. This process is transparent to the Avi Load Balancer Controllers.
Minimum Venafi release is Trust Protection Platform 16.3.
Configuration
The Venafi Trust Protection Platform leverages the Avi Load Balancer REST API for all communications, including creating and updating SSL certificate and keys. No configuration changes are required on Avi Load Balancer. TPP requires a user name, password, and an IP address of the Controller. If the Controller is configured with a floating Controller cluster IP, this address must be used. If no floating IP is configured, the IP address of any Controller can be used.
For help in configuring Trust Protection Platform, contact the Venafi support team. You can get the latest version of the required driver, along with instructions for TPP configuration from the team.
Workflow
When a new application is created or a new SSL/ TLS certificate is required, use the following workflow.
From the Trust Protection Platform, create a new certificate for the Avi Load Balancer. Behind the scenes, the following happens:
TPP sends the API calls necessary to generate a CSR on Avi Load Balancer and import it.
TPP forwards the CSR to the configured certificate authority.
TPP receives the signed certificate and key from the CA.
TPP pushes the certificate and key to Avi Load Balancer, along with any required chain certificates.
From the Avi Load Balancer, create a new application virtual service, attaching the certificate.
Any subsequent updates to the certificate received by the Controller will automatically and transparently be pushed to Service Engines using the certificate.
TPP will learn the mapping of the virtual service name to the certificate. It will automatically handle certificate and chain certificate renewals.
IP Access
As a best practice, you can lock down the Avi Load Balancer administrative UI to known IP addresses. If this has been done, ensure that you include the source IP addresses of the Trust Protection Platform in the allowed-IP list of Avi Load Balancer for administrative access.
Admin Access
TPP can use any administrator account that has write-access to SSL/ TLS certificates for the required tenants. Best practice is to create a new role for SSL administration, with only write access for SSL/ TLS Certificates enabled. Create a new admin account mapped to this role. This limits the exposure of this account, and provides better audit logs.
Onboard discovery
The Onboard Discovery feature automates the process of importing certificates into Trust Protection Platform from network devices where you can monitor, validate, and provision them.
In case of having virtual services setup on Controller with SSL support and a blank setup or outdated configurations on Venafi TPP, onboard discovery job can be used to generate the corresponding certificate and application objects for the virtual services in Venafi TPP with pre-defined parameter values. This makes provisioning possible immediately after the discovery step. The job can be run automatically at regular intervals of time from Venafi TPP.
Provisioning
Provisioning is the process of pushing attached certificate in Avi Load Balancer Adaptable App in Venafi TPP to the corresponding virtual service under corresponding tenant, based on parameters of the Adaptable App. Provisioning is automatically triggered when a certificate is renewed in Venafi TPP.
The following are the two types of provisioning:
Central
In central provisioning, since Venafi completely takes care of generation of certificate, the certificate is already ready while pushing.
New certificates are uploaded to Controller with the naming convention: <Common Name><Valid To as yyMMMdd><Last 4 of Serial>.
Remote
In remote provisioning, CSR is generated by the Avi Load Balancer and imported to Venafi using API calls, which is then used by Venafi to generate certificate.
New certificates are uploaded to the Controller with the naming convention: <Common Name>RGEN<Current Date/Time as yyMMdd-HHmmss>.
When a new application is created or a new SSL/ TLS certificate is required, use the following workflow.
From the Trust Protection Platform, create a new certificate for Avi Load Balancer. Behind the scenes, the following happens:
TPP sends the API calls necessary to generate a CSR on Avi Load Balancer and import it.
TPP forwards the CSR to the configured certificate authority.
TPP receives the signed certificate and key from the CA.
TPP pushes the certificate and key to the Avi Load Balancer, along with any required chain certificate.
From the Avi Load Balancer, create a new application virtual service, attaching the certificate.
Any subsequent updates to the certificate received by the Controller will automatically and transparently be pushed to Service Engines using the certificate.
TPP will learn the mapping of the virtual service name to the certificate. It will automatically handle certificate and chain certificate renewals.