DevOps Engineers Require Access to VA Venafi TLS Certificate Manager #14350

Open
1 of 7 tasks
olivereri opened this issue Jul 13, 2023 · 9 comments
Assignees
Labels
CMS Team CMS Product team that manages both editor exp and devops DevOps CMS team practice area

Comments

@olivereri
Contributor

Description

VA’s PKI uses a self-service TLS certificate management system called Venafi Aperture, which is hosted internally at https://vaww.certmgr.va.gov/Aperture/. Once you gain access, you can create and renew certificates immediately without having to create a SNOW ticket (the old way, soon to be deprecated). You need to go through a one-time process to gain access, which can be completed in as little as 48 hours if you follow the instructions in this document.

Acceptance Criteria

  • CMS Team members requiring access to create and renew certificates are identified.
  • CMS Team members register for Venafi access.
  • Venafi access is tested and confirmed.

Implementation Details

Team

Please check the team(s) that will do this work.

  • CMS Team
  • Public Websites
  • Facilities
  • User support
@olivereri olivereri added the Needs refining Issue status label Jul 13, 2023
@github-actions github-actions bot added the CMS Team CMS Product team that manages both editor exp and devops label Jul 13, 2023
@olivereri olivereri removed the Needs refining Issue status label Jul 19, 2023
@productmike productmike added the DevOps CMS team practice area label Aug 2, 2023
@ndouglas ndouglas mentioned this issue Aug 4, 2023
97 tasks
@BerniXiongA6

FYI: @EWashb will be talking to Clint about this issue to try to get unblocked -- let us know if you have questions in the meantime @ariperez @teeshe

@EWashb
Contributor

EWashb commented Sep 22, 2023

@little-oddball I shared the Confluence docs you gave me with the team for this. They mentioned they need a requestor role to complete the workflow in the doc and the process is only showing installer roles. Can you help get us in the right direction?

@little-oddball

I asked if @flooose can weigh in... he has a lot more hands-on with Venafi than I do.

@little-oddball

> @little-oddball I shared the Confluence docs you gave me with the team for this. They mentioned they need a requestor role to complete the workflow in the doc and the process is only showing installer roles. Can you help get us in the right direction?

Spoke w/ @flooose about some of the investigation he did. He believes that the "requester" role is not mandatory but instead optional. He indicated that he believes when he filled out that form he recalled having some support from @mchelen and is not sure how/what might have been filled in there.

Sorry I don't have more and will see what else I can find but maybe those are enough to get moving.

@EWashb
Contributor

EWashb commented Sep 27, 2023

Thank you @little-oddball. I'll sync up with @mchelen about this. I can also let you know what we find out so we can document it going forward. @BerniXiongA6 please see Clint's comment above.

@EWashb
Contributor

EWashb commented Sep 27, 2023

Also @edmund-dunn please see above comment about the requester role not being mandatory. cc: @ndouglas

@flooose

flooose commented Sep 27, 2023

To be clear, I'm not positive about it being optional, but in lieu of concrete documentation about the roles, I think this could be a good opportunity to see if, and how much, these roles overlap.

In my Venafi profile, I wasn't able to see which role I was assigned to, but I was able to create and renew certificates, which fulfilled my needs. If the "installer" role was also the only thing available for @mchelen when he filled out the request for me, then that means the "installer" role overlaps with the "requestor" role in this regard (most likely, based on the names of these two roles).

@BerniXiongA6

@edmund-dunn will sync with @EWashb when she returns to pick this back up

@BerniXiongA6

@ariperez -- did you wanna finish up this one for Sprint 101? cc: @maortiz-27-80


9 participants