Getting Started with Vendor Application Connection


1.0 Introduction

This article helps you to get started with the Venafi vendor application integration in Fortanix Key Insight.

It also describes:

  • How to sign up and log in to Fortanix Key Insight.

  • How to set up the Venafi connection (Software-as-a-Service (SaaS) and On-premises) to scan certificates.

  • How to manage the vendor application connections on Fortanix Key Insight.

2.0 Terminology References

Refer to Venafi Connection Concepts for the Venafi connection concepts and supported features.

3.0 Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.

3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to Fortanix Armor – Getting Started.

3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.

4.0 Configure a Venafi (SaaS) Connection

After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a Venafi (SaaS) connection to scan your cryptographic materials.

NOTE

After onboarding the Venafi (SaaS) connection,

  • You can switch the region at any time using the region switcher drop-down located in the top navigation bar of the connection user interface (UI). When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

  • A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

4.1 Prerequisites

Before setting up a Venafi (SaaS) connection in Fortanix Key Insight, ensure that the Venafi platform is correctly set up and that the necessary access, permissions, and API integration are in place.

4.1.1 Set Up Venafi Identity and Permissions

Perform the following steps to set up Venafi identity and permissions:

  1. Log in to the Venafi platform.

  2. Set up the service account for Fortanix Key Insight integration by creating an identity with WebSDK access enabled.

    NOTE

    Use the Venafi Username and Password created in this step when configuring the Venafi (SaaS or On-premises) connection in Fortanix Key Insight.

  3. Perform the following steps to assign permissions to the service account created in Step 2:

    1. Navigate to Policy Tree.

    2. Select the Root Policy Object.

    3. Click General, and then select Permissions.

    4. Grant the following permissions to the selected service account:

      • View

      • Read

    5. Click Save.

Figure 1: Set Up Venafi User and Permissions

4.1.2 Create Venafi API Integration

Perform the following steps to create an API Integration in Venafi for Fortanix Key Insight:

  1. Log in to the Venafi platform.

  2. Create a new API Integration. For detailed steps, refer to the Venafi documentation.

    While creating the API Integration, ensure Access Token Authentication is configured with the following settings:

    • Token Refresh is enabled (this is enabled by default).

    • Username and Password is selected under Allowed Authentication Methods.

    For detailed steps on Access Token authentication, refer to Setting up access token authentication.

  3. In the User or team access section of the API Integration, add the service account created in Section 4.1.1: Set Up Venafi Identity and Permissions to run this integration.

    1. Search for the service account and select it.

    2. Click Add.

    For detailed steps, refer to the Venafi documentation on assigning service accounts to an API Integration.

  4. Create the API Integration for Fortanix Key Insight by importing the following JSON configuration:

    {
      "id": "fortanix",
      "name": "Fortanix",
      "vendor": "",
      "description": "Fortanix KeyInsight",
      "scope": "certificate:discover,manage;configuration:manage"
    }
    

    NOTE

    The value of the id field (for example, fortanix) is used as the Client ID when configuring the Venafi (SaaS or On-premises) connection in Fortanix Key Insight.

4.1.3 Confirm Venafi Access Details

Before proceeding, ensure you have the Venafi access details readily available: the Venafi URL, username, password, and client ID (the id of the API Integration created in Section 4.1.2).

NOTE

Contact your Venafi administrator if you need help confirming the required access details.

Using these credentials, Fortanix Key Insight makes an API call to Venafi to obtain an access token with the required scopes (certificate:discover,manage;configuration:manage). These scopes authorize Fortanix Key Insight to scan and analyze certificates managed by Venafi.
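As an added check (example code, not Fortanix or Venafi code) for the API Integration JSON in Section 4.1.2 and the access-token call described above: it parses the Venafi scope string, reports which required scopes are missing and which granted scopes exceed what Key Insight needs, and builds the token request. The token endpoint path (/vedauth/authorize/oauth), the request body fields and the response fields are assumptions about the Venafi TPP WebSDK and are not stated on this page.

```python
from __future__ import annotations
import json
import urllib.request

# Scope string taken from the page's API Integration JSON (Section 4.1.2).
REQUIRED_SCOPE = "certificate:discover,manage;configuration:manage"


def parse_scope(scope: str) -> dict[str, set[str]]:
    """Parse a Venafi-style scope string ('res:act,act;res:act') into
    {resource: {actions}}. Empty parts are ignored; a resource listed
    without ':' maps to an empty action set."""
    parsed: dict[str, set[str]] = {}
    for part in scope.split(";"):
        part = part.strip()
        if not part:
            continue
        resource, _, actions = part.partition(":")
        acts = {a.strip() for a in actions.split(",") if a.strip()}
        parsed.setdefault(resource.strip(), set()).update(acts)
    return parsed


def missing_scopes(granted: str, required: str = REQUIRED_SCOPE) -> dict[str, set[str]]:
    """Actions the granted scope lacks, per resource (empty dict = sufficient)."""
    g, r = parse_scope(granted), parse_scope(required)
    gaps = {res: acts - g.get(res, set()) for res, acts in r.items()}
    return {res: acts for res, acts in gaps.items() if acts}


def excess_scopes(granted: str, required: str = REQUIRED_SCOPE) -> dict[str, set[str]]:
    """Actions granted beyond what is required: a least-privilege check to run
    on the API Integration's scope before onboarding the connection."""
    g, r = parse_scope(granted), parse_scope(required)
    extra = {res: acts - r.get(res, set()) for res, acts in g.items()}
    return {res: acts for res, acts in extra.items() if acts}


def build_token_request(venafi_url: str, username: str, password: str,
                        client_id: str, scope: str = REQUIRED_SCOPE) -> urllib.request.Request:
    """Build the access-token request described in Section 4.1.3.
    ASSUMPTION: the Venafi TPP WebSDK token endpoint is
    POST <venafi_url>/vedauth/authorize/oauth with a JSON body; the page does
    not name the endpoint, so verify it against your Venafi version."""
    body = json.dumps({"client_id": client_id, "username": username,
                       "password": password, "scope": scope}).encode()
    return urllib.request.Request(
        venafi_url.rstrip("/") + "/vedauth/authorize/oauth", data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def check_token_response(resp: dict) -> tuple[bool, dict[str, set[str]]]:
    """Given the decoded JSON token response (assumed to carry 'access_token'
    and 'scope'), report whether the granted scope covers REQUIRED_SCOPE."""
    if not resp.get("access_token"):
        return False, parse_scope(REQUIRED_SCOPE)
    gaps = missing_scopes(resp.get("scope", ""))
    return (not gaps), gaps


if __name__ == "__main__":
    # Constructed sample response, not captured from a real Venafi instance.
    sample = {"access_token": "<token>", "scope": "certificate:discover;configuration:manage"}
    print(check_token_response(sample))  # (False, {'certificate': {'manage'}})
```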

4.1.4 IP Whitelisting Requirements

To enable secure and reliable communication between Fortanix Key Insight and your Venafi environment, certain network connections may need to be allowed.

If your Venafi deployment enforces IP-based access controls, you may need to whitelist the following Fortanix Key Insight IP addresses:

  • 149.14.69.36/32

  • 149.14.123.28/32

  • 184.104.204.100/32

NOTE

IP whitelisting is not mandatory. It is required only if your Venafi environment restricts inbound API access based on source IP addresses.

4.2 Venafi Authentication Methods

Venafi supports the following authentication mechanisms to control how users and applications authenticate and obtain access to Venafi resources:

  • Secret-based authentication: An authentication method in which an application securely stores Venafi (SaaS) connection secrets (Venafi URL, username, password, and client identifier) and uses them to authenticate with Venafi and obtain an access token. This access token is then used to authorize subsequent Venafi API requests.

4.3 Select Connection Type

Perform the following steps to select the Venafi (SaaS) connection type:

  1. After you create and select the Fortanix Armor account, you are redirected to the Fortanix Armor Available Solutions page.

    1. Ensure that the appropriate Region is selected. The selected region determines where your data is processed and ensures that all subsequent steps, such as configuring connections and viewing scanned data in the user interface (UI), are displayed correctly for that region.

      For more information on configuring regions, refer to Fortanix Armor – Solutions.

  2. Click GO TO KEY INSIGHT.


    Figure 2: Access Fortanix Key Insight Solution

  3. On the Let's Set Up Your New Connection page, select the Vendor Applications option. The Venafi (SaaS) vendor application is selected by default.

  4. Click NEXT.

Figure 3: Access Venafi Connections

4.4 Set Up Authentication

Venafi supports secret-based authentication to control how users and applications obtain credentials to access Venafi certificates.

For definitions of the Venafi authentication methods, refer to Section 4.2: Venafi Authentication Methods.

4.4.1 Secret-Based Authentication

Perform the following steps to add secret-based Venafi authentication:

  1. In the Set Up Authentication form,

    1. Enter the Venafi URL.

    2. Enter the Username.

    3. Enter the Password.

    4. Enter the Client ID.

    NOTE

    To obtain the Venafi credentials (Venafi URL, username, password, and client ID), contact your Venafi (CyberArk) administrator.

  2. Click NEXT.

Figure 4: Configure Secret-based Authentication

4.5 Set Up Connections

In the Set Up Connections form, enter the following details:

  1. Enter a Venafi Connection Name. For example, Venafi connection.

  2. Click NEXT.

Figure 5: Configure a Venafi Connection

4.6 Add Fortanix Key Insight Policy

The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Additionally, you can:

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 6: Fortanix Key Insight Policy

Click FINISH to complete the Venafi (SaaS) connection onboarding. After the connection is onboarded, you can access its Overview page and view the discovered certificates.

For more information about the Venafi connection (SaaS and On-premises) overview and related UI components, refer to the Venafi Connection-User Interface Components guide.

5.0 Configure a Venafi (On-premises) Connection

After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a Venafi (On-Premises) connection to scan your cryptographic materials.

NOTE

After onboarding the Venafi (On-premises) connection,

  • You can switch the region at any time using the region switcher drop-down located in the top navigation bar of the connection user interface (UI). When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

  • A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

5.1 Prerequisites

Before configuring a Venafi (On-premises) connection in Fortanix Key Insight, ensure that the required Venafi identity, permissions, API integration, and Fortanix On-premises Scanner prerequisites are ready.

5.1.1 Set Up Venafi Identity and Permissions

Perform the steps described in Section 4.1.1: Set Up Venafi Identity and Permissions.

5.1.2 Create Venafi API Integration

Perform the steps described in Section 4.1.2: Create Venafi API Integration to create an API Integration in Venafi for Fortanix Key Insight.

5.1.3 Fortanix On-premises Scanner Requirements

In addition to the Venafi platform configuration, Venafi (On-premises) connections require the Fortanix On-premises Scanner.

For Fortanix On-premises Scanner prerequisites, refer to Getting Started with On-premises Connection.

5.2 Select Connection Type

Perform the following steps to select the Venafi (On-premises) connection type:

  1. After you create and select the Fortanix Armor account, you are redirected to the Fortanix Armor Available Solutions page.

    1. Ensure that the appropriate Region is selected. The selected region determines where your data is processed and ensures that all subsequent steps, such as configuring connections and viewing scanned data in the user interface (UI), are displayed correctly for that region.

      For more information on configuring regions, refer to Fortanix Armor – Solutions.

  2. Click GO TO KEY INSIGHT.


    Figure 7: Access Fortanix Key Insight Solution

  3. On the Let's Set Up Your New Connection page, select the Vendor Applications option.

  4. Select Venafi (On-Premises) vendor application.

  5. Click NEXT.

Figure 8: Access Venafi on-premises Connections

5.3 Add Vendor (On-premises) Connection

In the Add Venafi Connection (On-Premises) form, enter the following details:

  1. Enter a Venafi Connection Name. For example, Venafi on-premises connection.

  2. Click Fortanix on-premises scanner package to download the Fortanix On-premises Scanner for a Venafi on-premises connection.

    1. After downloading the package, install it depending on your operating system (Linux or Windows).

    2. After installing the package, configure the Venafi on-premises connection using the configuration file.

      For information on Venafi On-premises connection configuration file parameters, refer to On-premises Scanner Configuration File.

    3. After configuration, execute the Fortanix On-premises Scanner package depending on your operating system (Linux or Windows).

  3. After the scanner installation and configuration, enable the I have downloaded and installed the Scanner package check box. This scanner enables Fortanix Key Insight to access and manage certificates from your Venafi on-premises environment.

  4. Click NEXT.

Figure 9: Configure a Venafi on-premises Connection

5.4 Add Fortanix Key Insight Policy

The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Additionally, you can:

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 10: Fortanix Key Insight Policy

Perform the following steps:

  1. Click ADD SCANNER & GENERATE API KEY.

  2. In the API Key Details dialog box, click COPY API KEY to copy the API key value and to complete the Venafi (On-premises) connection onboarding.

    After the connection is onboarded, you can access its Overview page and view the discovered certificates.

    For more information about the Venafi connection (SaaS and On-premises) overview and related UI components, refer to the Venafi Connection-User Interface Components guide.

NOTE

The API Key value is used to authenticate both the Fortanix On-premises Scanner and Fortanix Key Insight.

6.0 Manage Vendor Applications

The Connections page allows you to manage cloud, on-premises, external key source, and vendor application connections added to Fortanix Key Insight.

The VENDOR APPLICATIONS tab on the Connections page shows all the vendor application connections configured for the selected Fortanix Key Insight account.

Figure 11: Manage vendor application connections

You can perform the following on the Connections page:

  • Use the Search field to find a specific connection by entering its Name.

  • Click a connection to navigate to its corresponding Overview page.

  • Identify the vendor type from the value in the VENDOR column. For example, Venafi (SaaS).

  • Click ADD VENDOR APPLICATION to add a new vendor application connection.

NOTE

When adding or editing a vendor application,

  • On the Key Insight Policy page,

    • You can select any policy you have configured in the Policy Center instead of the default policy.

    • You can add a new user defined policy using ADD POLICY.

    • You can copy and modify any policy.

    • You can edit a user-defined policy.

      For more information on managing (add, duplicate and modify, edit, and delete) the cryptographic policies, refer to Cryptographic Policy Management.

    If you change or update the policy while adding or editing a connection, you must rescan the connection to apply the new policy.

  • For each vendor application connection, you can perform the following:

    • Edit

    • Delete

    • Rescan

    • View Details (Available only for Venafi on-premises connections).

    NOTE

    Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations.

6.1 Edit the Vendor Application

Use this feature to update the vendor application connection details when required.

Perform the following steps to edit the vendor application connection:

  1. Click on the required connection.

  2. Select Edit.

  3. On the Vendor Application Connections page, update the required details in each step, if required.

  4. Click SAVE to update the details.

6.2 Delete the Vendor Application

Use this feature to remove a vendor application connection and its associated information.

Perform the following steps to delete the vendor application connection:

  1. Click on the required connection.

  2. Select Delete.

  3. In the Delete dialog box, read the details and enter the scanner name in the text box.

  4. Click CONFIRM.

Warning

Deleting the vendor application connection is irreversible.

After deletion, the vendor application will no longer appear in the list on the Connections page.

6.3 Rescan the Vendor Application

Use this feature to retrieve the latest resources available for the vendor application.

Perform the following steps to rescan a vendor application connection:

  1. Click on the required connection.

  2. Select Rescan.

    NOTE

    The Rescan option is enabled only when Venafi On-premises connection status is Connected.

  3. Click START SCANNING to restart the scan. If the scan is successful, it will update the LAST SCANNED column with the latest scan date and time.

6.4 View the Vendor Application Details

This feature is available only for vendor application on-premises connections.

Perform the following steps to view the connection details:

  1. Click on the required Venafi on-premises connection.

  2. Select View Details.

  3. On the Venafi On-premises connection details page,

    • Click DOWNLOAD PACKAGE to download the package again if you have changed machines, or if your current package has errors or was not installed correctly.

    • Click → Delete to remove the Venafi (On-premises) connection.

    • Click → Edit to update the name of the connection, if required.

    Also, you can view the following sections:

    • Scanner Details: This section provides details about the scanner's connection status, connection ID, last scan, periodic polling interval, and the date and time it was created.

    • Access Type: This section offers details about the API key.

      Perform the following to manage the API keys:

      1. Click MANAGE API KEY to manage the generated API key(s).  

      2. In the Manage API Key dialog box, read the details.

        NOTE

        You can generate a maximum of two API keys for configuring the connection between Fortanix DSM (On-premises) and Fortanix Key Insight.

      3. Click GENERATE ANOTHER API KEY to generate a second key if one already exists.

      4. For each API Key, you can perform the following:

        • Click COPY to copy the API key value.

        • Click DELETE to remove the generated API key.

        WARNING

        Deleting an API key may revoke access for the Venafi On-premises connection, potentially disrupting its functionality. This action is irreversible.

    Figure 12: View Venafi (on-premises) key details

7.0 Delete Fortanix Key Insight Account

Deleting a Fortanix Key Insight (KI) account is the same as deleting a Fortanix Armor account, since Fortanix Key Insight is part of the Fortanix Armor platform.

For more information on deleting the Fortanix Key Insight (Fortanix Armor) account, refer to Fortanix Armor - Getting Started.