TLS Certificates Discovery
TLS (Transport Layer Security) is a cryptographic protocol that uses certificates to provide authentication and encryption between servers, devices, and applications communicating over a network. An everyday use of TLS is securing the connection between a web server and a user's browser. Discovery collects information about the certificates in use and represents each one as a Detail node.
An example of the Detail node modeling:
Supported node types
Software instances
Before you begin: make sure that SSL socket information is available (the listen_ssl_tcp_sockets attribute is populated).
TLS Certificates can be modeled for the following Software Instances:
- Apache Tomcat Application Server
- Oracle GlassFish Server Domain Administration Server
- Oracle GlassFish Server
- Oracle WebLogic Server
- BEA WebLogic Application Server
- HP OpenView Operations Agent
- HP Operations Agent
- IBM WebSphere Application Server
- Red Hat JBoss Application Server
- WildFly
- Apache NiFi
- Cloudera NiFi
- Apache NiFi Registry
- Cloudera NiFi Registry
- Control-M/Server
- Control-M/Agent Listener
Expected attributes: TLS Certificate view / SI node view, plus optional attributes (attribute table not reproduced).
Webserver Software Instances
Before you begin: make sure that the required input is available (prerequisite table not reproduced).
TLS Certificates can be modeled for the following Software Instances:
- Apache Webserver
- IBM HTTP Server
- Oracle HTTP Server
- HP Apache-based Web Server
- HP HP-UX Apache-based Web Server
- Red Hat JBoss Enterprise Web Server
- Apache HTTPD-based Webserver
- JBoss Core Services Apache HTTP Server
- Microsoft IIS Webserver
- Nginx Webserver
Expected attributes: TLS Certificate view / Webserver Software Instance view, plus optional attributes (attribute table not reproduced).
Load balancer services
Before you begin: make sure that the required input is available (prerequisite table not reproduced).
TLS Certificates can be modeled for the following Load Balancer Services:
- F5 Load Balancer Service
- HAProxy Load Balancer Service
Expected attributes: TLS Certificate view / Load Balancer Service view, plus optional attributes (attribute table not reproduced).
Hosts
Windows Hosts
Before you begin: make sure that the required input is available (prerequisite table not reproduced).
Windows Certificates can be modeled for the following Hosts:
- Windows Hosts
Expected attributes: Windows certificate view / Host node view, including the certificate extensions (attribute table not reproduced).
Linux Hosts
Before you begin: make sure that the required input is available (prerequisite table not reproduced).
IPsec Certificates can be modeled for the following Hosts:
- Linux Hosts
Expected attributes: IPsec certificate view / Host node view (attribute table not reproduced).
Management Controllers
Before you begin: make sure that the required input is available (prerequisite table not reproduced).
ManagementController Certificates can be modeled for the following Hosts:
- ADDM versions prior to 22.1: only HP iLO devices are supported (TLS certificates are discovered through the Redfish API).
- ADDM 22.1 and later: any ManagementController device with an HTTPS interface is supported (TLS certificates are discovered with the discovery.getCertificate function).
Expected attributes: TLS Certificate view / ManagementController node view (attribute table not reproduced).
Discovery methods
This section describes the methods Discovery uses to get certificate information. Discovery runs an OpenSSL command against the open SSL socket taken from the listen_ssl_tcp_sockets attribute of the SI or of the Website Software Component. Alternatively, the OpenSSL command can read the certificate from a .pem file whose location is obtained from the configuration file; this approach is used for HAProxy Load Balancer Services.
Commands
If SSL socket information is available for a Software Instance or Load Balancer Service node, the following command is executed:
which openssl > /dev/null 2>&1 && echo | openssl s_client -connect %listen_ssl_tcp_socket% | openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text
If a .pem file path is extracted for an HAProxy Load Balancer Service, the following command is executed to read the certificate file:
which openssl > /dev/null 2>&1 && echo | PRIV_RUNCMD openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in %esc_pem_file%
Note that the second command does not reveal private keys (openssl x509 prints only the certificate, even when the .pem file also contains the key), but it is executed with sudo, so the Discovery user must be granted the command in the sudoers file.
To restrict that grant to the exact certificate-reading command, the following can be added to your sudoers file (the negated entries deny a second argument after the file path and a path starting with "/.."); after editing, confirm the result with sudo -l for the Discovery user:
Cmnd_Alias LSCERT=\
/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /*,\
!/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /* *,\
!/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /..
DiscoveryUser ALL=(root) NOPASSWD: LSCERT
For Windows Hosts, the following PowerShell commands are executed:
1. To get all Windows certificates:
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {'Thumbprint : {0}' -f $_.Thumbprint; 'Subject : {0}' -f $_.Subject; 'NotAfter : {0}' -f $_.NotAfter.ToString('yyyy-MM-dd HH:mm:ss'); 'NotBefore : {0}' -f $_.NotBefore.ToString('yyyy-MM-dd HH:mm:ss'); 'Issuer : {0}' -f $_.Issuer; 'HasPrivateKey : {0}' -f $_.HasPrivateKey; 'SerialNumber : {0}' -f $_.SerialNumber; 'FriendlyName : {0}' -f $_.FriendlyName; 'DnsNameList : {0}' -f ($_.DnsNameList -join ', '); 'SplitSection';}
2. To get the extensions of each certificate:
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {'Thumbprint: {0}' -f $_.Thumbprint; ($_.Extensions | ForEach-Object {'FieldsSplit'; 'Ext Field: {0}' -f $_.Oid.FriendlyName; 'Ext Value: {0}' -f $_.Format(1)}); 'SplitSection';}
To list the IPsec certificates in the NSS database and get the details of each certificate, the following commands are executed:
1. certutil -L -d sql:/etc/ipsec.d
2. certutil -L -d sql:/etc/ipsec.d -n '%cert_name%' -a | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -inform pem -noout -nameopt oneline -subject -serial -startdate -enddate -issuer -fingerprint -sha256 -text
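The commands above all end in the same openssl x509 invocation, and the IPsec step 2 command takes each nickname printed by step 1. As an added illustration (not BMC Discovery code), the following parses constructed samples of both outputs into the attribute names used on the TLS Certificate Detail node, derives common_name, organization and self_signed from the DNs, computes the days left before expiry, and shell-quotes the nickname when building the step 2 pipeline. The sample outputs, hostnames, fingerprint and serial are constructed, not captured from a real target.

```python
"""Consume the output of the Discovery certificate commands and derive the TLS
Certificate Detail attributes.  Added illustration, not BMC Discovery code."""
import re
import shlex
from datetime import datetime, timezone

# Constructed: what `openssl x509 -noout -nameopt oneline -subject -startdate -enddate
# -issuer -fingerprint -sha256 -serial -text` prints (the -text body is abbreviated).
SAMPLE_X509 = """\
subject=CN = app01.example.internal, O = Example Corp, OU = Platform
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 23:59:59 2024 GMT
issuer=CN = Example Root CA, O = Example Corp
sha256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
serial=1A2B3C4D5E6F
Certificate:
            X509v3 Subject Alternative Name:
                DNS:app01.example.internal, DNS:app01, IP Address:10.0.0.15
"""

# Constructed: listing printed by `certutil -L -d sql:/etc/ipsec.d` (step 1).
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn-gw1.example.internal                                     u,u,u
Example Root CA                                              CT,,
"""


def _rdn(name, key):
    """One RDN value (CN, O, OU) from a `-nameopt oneline` DN; escaped commas not handled."""
    m = re.search(r'(?:^|, )%s = ([^,]*)' % re.escape(key), name)
    return m.group(1).strip() if m else None


def _utc(openssl_date):
    """'Dec 31 23:59:59 2024 GMT' -> timezone-aware datetime (openssl prints GMT)."""
    stamp, zone = openssl_date.strip().rsplit(' ', 1)
    if zone != 'GMT':
        raise ValueError('unexpected time zone in %r' % openssl_date)
    return datetime.strptime(stamp, '%b %d %H:%M:%S %Y').replace(tzinfo=timezone.utc)


def parse_x509_output(text):
    """Map openssl x509 output to Detail attribute names; option order is irrelevant."""
    cert = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith('subject='):
            cert['subject'] = line[len('subject='):]
        elif line.startswith('issuer='):
            cert['issuer'] = line[len('issuer='):]
        elif line.startswith('notBefore='):
            cert['start_date'] = _utc(line[len('notBefore='):])
        elif line.startswith('notAfter='):
            cert['expiry_date'] = _utc(line[len('notAfter='):])
        elif line.startswith('serial='):
            cert['serial'] = line[len('serial='):]
        elif line.lower().startswith('sha256 fingerprint='):  # "SHA256" on 1.1.1, "sha256" on 3.x
            cert['sha_256_fingerprint'] = line.split('=', 1)[1]
        elif line.strip() == 'X509v3 Subject Alternative Name:' and i + 1 < len(lines):
            cert['subject_alternative_name'] = [e.strip() for e in lines[i + 1].split(',')]
    missing = [k for k in ('subject', 'issuer', 'start_date', 'expiry_date',
                           'sha_256_fingerprint') if k not in cert]
    if missing:
        raise ValueError('openssl output is missing %s' % ', '.join(missing))
    cert['common_name'] = _rdn(cert['subject'], 'CN')
    cert['organization'] = _rdn(cert['subject'], 'O')
    cert['organization_unit'] = _rdn(cert['subject'], 'OU')
    # Reporting heuristic only: equal subject and issuer DNs mean the certificate
    # claims to be its own issuer; the signature itself is not verified here.
    cert['self_signed'] = cert['subject'] == cert['issuer']
    return cert


def days_until_expiry(cert, now=None):
    """Days left before expiry_date; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert['expiry_date'] - now).days


def certutil_nicknames(listing):
    """Nicknames from the step 1 listing, i.e. the %cert_name% values for step 2.
    A nickname may contain spaces, so split the trust column off from the right."""
    names = []
    for line in listing.splitlines():
        if (not line.strip() or 'Trust Attributes' in line
                or line.lstrip().startswith('SSL,S/MIME')):
            continue
        nickname, _trust = line.rsplit(None, 1)
        names.append(nickname)
    return names


def ipsec_detail_command(nickname, db='sql:/etc/ipsec.d'):
    """Build the step 2 pipeline for one nickname, shell-quoting it so a name
    containing spaces or quotes cannot change the command line."""
    return ('certutil -L -d %s -n %s -a'
            " | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'"
            ' | openssl x509 -inform pem -noout -nameopt oneline -subject -serial'
            ' -startdate -enddate -issuer -fingerprint -sha256 -text'
            % (shlex.quote(db), shlex.quote(nickname)))


if __name__ == '__main__':
    parsed = parse_x509_output(SAMPLE_X509)
    print(parsed['common_name'], parsed['self_signed'], days_until_expiry(parsed))
    for nick in certutil_nicknames(SAMPLE_CERTUTIL):
        print(ipsec_detail_command(nick))
```

Because the parser keys on the option names rather than on line order, it accepts both the socket/.pem command (fingerprint before serial) and the IPsec command (serial before the dates). The self_signed value is only the subject-equals-issuer check; it says nothing about whether the chain validates.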
discovery.getCertificate
TLS Certificate information may also be retrieved with the built-in discovery.getCertificate function, which was introduced in Discovery 12.4 (22.1).
The sha_256_fingerprint and used_ssl_version attributes were introduced in Discovery 23.1.
A Discovered Certificate node stores information about a TLS certificate retrieved from a target. For more information, see discovery.getCertificate and Discovered Certificate node.
Modeling and CMDB sync
The certificate is modeled as a Detail node linked to the related Software Instance, Load Balancer Service, or Host node. The following search returns the certificate Details with their attributes and the name of the owning Software Instance:
search Detail
where
type="TLS Certificate"
show
key,
name,
common_name,
short_name,
start_date,
expiry_date,
sha_256_fingerprint,
issuer,
subject_alternative_name,
organization,
organization_unit,
serial,
subject,
self_signed,
#Detail:Detail:ElementWithDetail:SoftwareInstance.name as "SI Name"
Out of the box, the certificate Detail node is synchronized to the CMDB as a BMC_Document with the DocumentType attribute set to "TLS Certificate" or "Windows Certificate". For more information, see BMC_Document.
An example of the dashboard view: