Top Secret

  • 1.  Integrating Venafi Certificate automation with Top Secret

    Posted Dec 15, 2021 07:24 AM
    We use a centralized certificate manager (Venafi).   Venafi automates certificate provisioning to many of our non-mainframe platforms which reduces manual steps and errors.  We would like to look at ways to automate certificate renewals on the mainframe and reduce some of the manual administrator steps such as generating CSR, logging into Venafi, requesting cert, downloading cert, uploading cert to mainframe, importing and keyringing cert in Top Secret.   Has anyone had experience with integrating Venafi certificate automation or the like with the mainframe or Top Secret?


  • 2.  RE: Integrating Venafi Certificate automation with Top Secret

    Broadcom Employee
    Posted Dec 15, 2021 10:38 AM
    Greg,
    As long as Venafi supports the importing and exporting of x509 certificate formats, Top Secret will work with Venafi. If it does, Venafi can generate the certificate and sign it, then export it out to TSS for import. Then when the certificate expires, Venafi can renew it, then export the renewed certificate to Top Secret.
    Regards,
    Joseph Porto - Broadcom Level 1 Support


  • 3.  RE: Integrating Venafi Certificate automation with Top Secret

    Posted Dec 15, 2021 10:53 AM
    Joseph,
    Thanks for your response.  We do manually export and import certificates between Venafi and Top Secret today.  And that is the problem because certificate lifespans have grown shorter due to policy changes while at the same time demand for certificates is increasing.  What we are looking for is a method to automate that process to reduce manual steps and errors.  Example: for a non-mainframe host, Venafi cert manager will send an alert that a certificate requires renewal.  With a click, the administrator can install or schedule the install of the renewed certificate to the target host key store without manually exporting and uploading.  Venafi natively supports a large number of host applications and key stores, although the mainframe is not one of them.  It does, however, support the development of custom application drivers for interfaces such as REST API, which I think is where we may need to look.


  • 4.  RE: Integrating Venafi Certificate automation with Top Secret

    Broadcom Employee
    Posted Dec 15, 2021 01:25 PM
    Greg,
    Currently there is no functionality in TSS to interface with Venafi. Would suggest submitting an idea on Ideation so it can be considered for a future enhancement by the community. If Venafi has some type of exit, a user-written program could be written to submit a batch IKJEFT01 job with TSS commands to replace the expired certificate after Venafi has renewed it.
    Regards,
    Joseph Porto - Broadcom Level 1 Support
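
As an added example (not code from the thread or from Broadcom), this is the kind of IKJEFT01 batch job the last reply describes: it is submitted by the Venafi-side automation after the renewed certificate has been exported to a mainframe dataset, and it swaps the old certificate for the renewed one and reconnects it to the keyring. The ACID, dataset, ring and label names are placeholders, and the TSS command syntax is given as assumed and should be verified against the Top Secret command reference for your release.

```jcl
//TSSRENEW JOB (ACCT),'RENEW VENAFI CERT',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*--------------------------------------------------------------*
//* Added example: replace a renewed certificate in Top Secret.  *
//* Precondition: Venafi has exported the renewed certificate    *
//* (PEM or DER) to HLQ.VENAFI.WEBCERT.RENEWED (placeholder).    *
//* CERTACID, WEBCERT, WEBRING and the label are placeholders.   *
//*--------------------------------------------------------------*
//TSSCMD   EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Optional: validate the dataset contents before touching TSS  */
  TSS CHKCERT DCDSN('HLQ.VENAFI.WEBCERT.RENEWED')
  /* Remove the expiring certificate record from its owning ACID   */
  TSS REM(CERTACID) DIGICERT(WEBCERT)
  /* Add the renewed certificate under the same DIGICERT name      */
  TSS ADD(CERTACID) DIGICERT(WEBCERT) -
      DCDSN('HLQ.VENAFI.WEBCERT.RENEWED') -
      LABLCERT('WEB SERVER CERT') TRUST
  /* Reconnect the renewed certificate to the application keyring  */
  TSS ADD(CERTACID) KEYRING(WEBRING) -
      RINGDATA(CERTACID,WEBCERT) USAGE(PERSONAL)
  /* Confirm the ring now carries the new validity dates           */
  TSS LIST(CERTACID) KEYRING(WEBRING)
/*
```

The SYSTSPRT output is what the submitting program should check for a zero return code and the new certificate dates before marking the renewal complete in Venafi; a non-zero TSS return code should leave the old certificate in place and raise an alert rather than be retried blindly.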