Venafi integration getting started
Prerequisites
- A running Venafi instance.
- Admin access to AQtive Guard.
Venafi setup
You’ll need to create:
- A Venafi Application Integration.
- A Venafi API token with the `certificate:discover` scope.
The following steps explain how to generate these. For more information, refer to the Venafi documentation.
- Log in to Venafi Aperture.
- From the grid icon on the top-right, select Platform.
- From the API menu, select Integrations, then Add, and New.
- In the Add an API integration form on the Overview page, enter an appropriate application name (for example, AQtive Guard) and set the Client ID to `cryptosense-venafi-integration`.
- On the Base access page, set the scope to `certificate:discover`. This is the only scope the integration needs; do not grant a broader one.
- Configure User or team access according to your preferences, granting access to the users that will be creating and using tokens. You can select `local:Everyone` for simplicity, or restrict it to the specific users or team who will operate the integration.
- Retrieve a token from the Venafi API. You can use the Swagger interface at `<your venafi base url>/vedsdk`, or send an API request directly using `curl` or a similar tool. To do so, send a `POST` request to the `/vedauth/authorize/oauth` endpoint with a JSON payload that resembles:

```json
{
  "username": "<your username>",
  "password": "<your password>",
  "client_id": "cryptosense-venafi-integration",
  "scope": "certificate:discover"
}
```

The user initiating the request must have been granted access to the integration (see the User or team access step above). Make sure the `"client_id"` value here matches the Client ID you set in the Add an API integration form.

A complete `curl` command is:

```bash
curl -X POST "<your venafi base url>/vedauth/authorize/oauth" \
  -H "accept: application/json" -H "Content-Type: application/json" \
  -d '{"username": "<your username>", "password": "<your password>", "client_id": "cryptosense-venafi-integration", "scope": "certificate:discover"}'
```

Note that a password written directly into the `-d` argument is recorded in your shell history and is visible in the process list while `curl` runs. For anything beyond a one-off test, put the payload in a file with restricted permissions and pass it with `-d @payload.json` instead.

The JSON response should resemble:

```json
{
  "access_token": "<your access token (base64)>",
  "refresh_token": "<another base64 token you can use to renew the access token>",
  "expires_in": <integer>,
  "expires": <timestamp>,
  "token_type": "Bearer",
  "scope": "certificate:discover",
  "identity": "local:{<some UUID>}",
  "refresh_until": <another timestamp>
}
```

The `access_token` value is required for configuring the integration in AQtive Guard. Treat it as a credential: it is a bearer token, so anyone who obtains it can call the Venafi API with the `certificate:discover` scope until it expires (`expires_in` seconds after issue). The `refresh_token` can be used to obtain a new access token once the first one has expired.
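As an added example (not code from the AQtive Guard product or from the Venafi documentation), the following Python script performs the token request described above and checks the reply before the token is used: it reads the credentials from the environment variables `VENAFI_BASE_URL`, `VENAFI_USERNAME` and `VENAFI_PASSWORD` (names chosen here, not part of the guide) so the password never lands on a command line, rejects a reply whose `token_type` is not `Bearer`, that has no lifetime left, or whose granted scope differs from the requested `certificate:discover`, and returns only the fields the integration needs. It assumes Venafi scope strings separate resources with `;` and actions with `,`; the `post` parameter lets the HTTP call be swapped out for testing.

```python
"""Request a Venafi access token for the AQtive Guard integration and check it.

Added example, not code from the AQtive Guard product or the Venafi docs.
Assumptions: the /vedauth/authorize/oauth endpoint and response fields shown
in the guide; credentials read from the VENAFI_BASE_URL, VENAFI_USERNAME and
VENAFI_PASSWORD environment variables (names chosen here); Venafi scope
strings list resources separated by ';' with comma-separated actions, e.g.
"certificate:discover,manage;configuration:read".
"""
import json
import os
import sys
import urllib.request
from typing import Any, Callable, Dict, Set

CLIENT_ID = "cryptosense-venafi-integration"   # must match the Aperture integration
SCOPE = "certificate:discover"                  # least privilege for discovery

JsonDict = Dict[str, Any]


class TokenError(Exception):
    """Token response is malformed, wrong type, already expired or over-scoped."""


def expand_scope(scope: str) -> Set[str]:
    """Normalise a Venafi scope string into a set of 'resource:action' pairs."""
    pairs: Set[str] = set()
    for part in scope.split(";"):
        part = part.strip()
        if not part:
            continue
        resource, _, actions = part.partition(":")
        for action in actions.split(","):
            if action.strip():
                pairs.add(f"{resource.strip()}:{action.strip()}")
    return pairs


def validate_token_response(body: JsonDict, requested_scope: str = SCOPE) -> JsonDict:
    """Check a token response before trusting or storing it.

    Rejects missing fields, non-Bearer tokens, tokens with no lifetime left and
    tokens granted a scope other than the one requested (an over-scoped token
    would give the integration rights it does not need).  Returns only the
    fields the integration needs.
    """
    for key in ("access_token", "token_type", "scope", "expires_in"):
        if key not in body:
            raise TokenError(f"token response missing {key!r}")
    if str(body["token_type"]).lower() != "bearer":
        raise TokenError(f"unexpected token_type {body['token_type']!r}")
    if int(body["expires_in"]) <= 0:
        raise TokenError("access token is already expired")
    granted, wanted = expand_scope(body["scope"]), expand_scope(requested_scope)
    if granted != wanted:
        raise TokenError(f"scope mismatch: requested {sorted(wanted)}, got {sorted(granted)}")
    return {
        "access_token": body["access_token"],
        "refresh_token": body.get("refresh_token"),
        "expires_in": int(body["expires_in"]),
    }


def _post_json(url: str, payload: JsonDict) -> JsonDict:
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:   # TLS verified by default
        return json.load(resp)


def request_token(base_url: str, username: str, password: str,
                  scope: str = SCOPE, client_id: str = CLIENT_ID,
                  post: Callable[[str, JsonDict], JsonDict] = _post_json) -> JsonDict:
    """Perform the /vedauth/authorize/oauth call from the guide and validate the reply."""
    payload = {"username": username, "password": password,
               "client_id": client_id, "scope": scope}
    body = post(base_url.rstrip("/") + "/vedauth/authorize/oauth", payload)
    return validate_token_response(body, scope)


if __name__ == "__main__":
    # Credentials come from the environment so the password never appears in
    # the shell history or process list, unlike a literal in a curl -d argument.
    try:
        token = request_token(os.environ["VENAFI_BASE_URL"],
                              os.environ["VENAFI_USERNAME"],
                              os.environ["VENAFI_PASSWORD"])
    except (KeyError, TokenError, OSError) as exc:
        sys.exit(f"token request failed: {exc}")
    # The access token is a bearer secret: paste it into AQtive Guard, do not log it.
    print(f"access token (valid for {token['expires_in']} s): {token['access_token']}")
```

Run it with the three environment variables set; the printed access token is what you paste into AQtive Guard. The scope comparison is deliberately an equality check rather than a subset check, so a reply granting `certificate:discover,manage` is rejected even though it would also satisfy the integration, which is the signal that the Aperture integration's Base access is wider than intended.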
AQtive Guard setup
- Log in to the AQtive Guard web interface as an administrator.
- Select Settings from the menu bar, then select Integrations.
- From the integration options, select Venafi, then Configure.
- Enter your Venafi Instance URL (the same base URL used for the token request) and the Access Token obtained above, then select Save.
- (Optional) Select Test Connection to verify that the link is functional.