The NSX Advanced Load Balancer can be set up to integrate with the Venafi Trust Protection Platform™ for automation of SSL and TLS certificate life-cycle management.  All certificates will be protected and controlled through TPP.  This process is transparent to the NSX Advanced Load Balancer Controllers.

Note:

Minimum Venafi release is Trust Protection Platform 16.3.

Configuration

 The Venafi Trust Protection Platform leverages the NSX Advanced Load Balancer REST API for all communications, including creating and updating SSL certificate and keys.  No configuration changes are required on NSX Advanced Load Balancer. TPP requires a user name, password, and an IP address of the Controller.  If the Controller is configured with a floating Controller cluster IP, this address must be used.  If no floating IP is configured, the IP address of any Controller can be used.

For help in configuring Trust Protection Platform, contact the Venafi support team. You can get the latest version of the required driver, along with instructions for TPP configuration from the team.

Workflow

When a new application is created or a new SSL/ TLS certificate is required, use the following workflow.

  • From the Trust Protection Platform, create a new certificate for the NSX Advanced Load Balancer. Behind the scenes, the following happens:

    • TPP sends the API calls necessary to generate a CSR on NSX Advanced Load Balancer and import it.

    • TPP forwards the CSR to the configured certificate authority.

    • TPP receives the signed certificate and key from the CA.

    • TPP pushes the certificate and key to NSX Advanced Load Balancer, along with any required chain certificates.

  • From the NSX Advanced Load Balancer, create a new application virtual service, attaching the certificate.

  • Any subsequent updates to the certificate received by the  Controller will automatically and transparently be pushed to Service Engines using the certificate.

  • TPP will learn the mapping of the virtual service name to the certificate.  It will automatically handle certificate and chain certificate renewals.

IP Access

As a best practice, you can lock down the NSX Advanced Load Balancer administrative UI to known IP addresses. If this has been done, ensure that you include the source IP addresses of the Trust Protection Platform in the allowed-IP list of NSX Advanced Load Balancer for administrative access.

Admin Access



TPP can use any administrator account that has write-access to SSL/ TLS certificates for the required tenants.  Best practice is to create a new role for SSL administration, with only write access for SSL/ TLS Certificates enabled.  Create a new admin account mapped to this role.  This limits the exposure of this account, and provides better audit logs.

Onboard discovery

The Onboard Discovery feature automates the process of importing certificates into Trust Protection Platform from network devices where you can monitor, validate, and provision them.

In case of having virtual services setup on Controller with SSL support and a blank setup or outdated configurations on Venafi TPP, onboard discovery job can be used to generate the corresponding certificate and application objects for the virtual services in Venafi TPP with pre-defined parameter values. This makes provisioning possible immediately after the discovery step. The job can be run automatically at regular intervals of time from Venafi TPP.

Provisioning

Provisioning is the process of pushing attached certificate in NSX Advanced Load Balancer Adaptable App in Venafi TPP to the corresponding virtual service under corresponding tenant, based on parameters of the Adaptable App. Provisioning is automatically triggered when a certificate is renewed in Venafi TPP.

The following are the two types of provisioning:

  • Central

    • In central provisioning, since Venafi completely takes care of generation of certificate, the certificate is already ready while pushing.

    • New certificates are uploaded to Controller with the naming convention: <Common Name><Valid To as yyMMMdd><Last 4 of Serial>.

  • Remote

    • In remote provisioning, CSR is generated by the NSX Advanced Load Balancer and imported to Venafi using API calls, which is then used by Venafi to generate certificate.

    • New certificates are uploaded to the Controller with the naming convention: <Common Name>RGEN<Current Date/Time as yyMMdd-HHmmss>.

When a new application is created or a new SSL/ TLS certificate is required, use the following workflow.

  • From the Trust Protection Platform, create a new certificate for NSX Advanced Load Balancer. Behind the scenes, the following happens:

    • TPP sends the API calls necessary to generate a CSR on NSX Advanced Load Balancer and import it.

    • TPP forwards the CSR to the configured certificate authority.

    • TPP receives the signed certificate and key from the CA.

    • TPP pushes the certificate and key to the NSX Advanced Load Balancer, along with any required chain certificate.

  • From the NSX Advanced Load Balancer, create a new application virtual service, attaching the certificate.

  • Any subsequent updates to the certificate received by the Controller will automatically and transparently be pushed to Service Engines using the certificate.

  • TPP will learn the mapping of the virtual service name to the certificate. It will automatically handle certificate and chain certificate renewals.