TLS Certificates Discovery


Important
Starting with TKU May 2025, certificates are modeled as a Certificate node instead of Details nodes. All the attributes remain unchanged from earlier TKU versions.

Transport Layer Security (TLS) is a cryptographic protocol that uses certificates to authenticate and encrypt communication between servers, devices, and applications over a network. An everyday use of TLS is securing the connection between a web server and a user's browser. BMC Helix Discovery collects information about the certificates in use and represents them as Certificate nodes.

The following figure shows an example of the Certificate node modeling:

CertWebsite.png

Supported node types

Software instances

Prerequisites

To be able to model SoftwareInstances, ensure that the Secure Socket Layer (SSL) socket information is available. To confirm this, verify that the listen_ssl_tcp_sockets attribute is populated.

TLS Certificates can be modeled for the following SoftwareInstances:

  • Apache NiFi
  • Apache NiFi Registry
  • Apache Tomcat Application Server
  • BEA WebLogic Application Server
  • Cloudera NiFi
  • Cloudera NiFi Registry
  • Control-M/Agent Listener
  • Control-M/Server
  • HP OpenView Operations Agent
  • HP Operations Agent
  • IBM Sterling B2B Integrator
  • IBM WebSphere Application Server
  • Oracle GlassFish Server
  • Oracle GlassFish Server Domain Administration Server
  • Oracle WebLogic Server
  • Red Hat JBoss Application Server
  • Software AG webMethods Integration Server
  • WildFly

The following table shows the attributes and visualization of the SoftwareInstance node (columns: Attributes, TLS certificate view, SI node view):

Expected attributes:

  • common_name
  • expiry_date
  • issuer
  • key
  • name
  • organization
  • organization_unit
  • self_signed
  • serial
  • sha_256_fingerprint
  • short_name
  • start_date
  • subject
  • subject_alternative_name
  • type = "TLS Certificate"

Optional attributes:

  • authority_key_id
  • ca
  • public_key_algorithm
  • public_key_size
  • signature_algorithm
  • subject_key_id

CertSI1.png

CertSI.png

Webserver Software Instances

Prerequisites

To be able to model Webserver SoftwareInstances, ensure the following:

  • A Website Software Component is modeled for the SI.
  • The Secure Socket Layer (SSL) socket information is available. To confirm this, verify that the listen_ssl_tcp_sockets attribute is populated.

TLS Certificates can be modeled for the following Webserver Software Instances:

  • Apache Webserver
  • Apache HTTPD-based Webserver
  • IBM HTTP Server
  • JBoss Core Services Apache HTTP Server
  • Microsoft IIS Webserver
  • Nginx Webserver
  • Oracle HTTP Server
  • HP Apache-based Web Server
  • HP HP-UX Apache-based Web Server
  • Red Hat JBoss Enterprise Web Server

The following table shows the attributes and visualization of the Webserver SoftwareInstance node (columns: Attributes, TLS certificate view, Webserver SoftwareInstance view):

Expected attributes:

  • expiry_date
  • common_name
  • issuer
  • key
  • name
  • organization
  • organization_unit
  • self_signed
  • serial
  • sha_256_fingerprint
  • short_name
  • start_date
  • subject
  • subject_alternative_name
  • type = "TLS Certificate"

Optional attributes:

  • authority_key_id
  • ca
  • public_key_algorithm
  • public_key_size
  • signature_algorithm
  • subject_key_id

CertWebsite.png

CertWebsite1.png

LoadBalancer services

Prerequisites

To be able to model LoadBalancer (LB) services, ensure the following:

  1. For F5 LB, SNMP credentials are enabled. For more information, see TLS Certificate Discovery for F5.
  2. For HAProxy LB, SSL socket information or the .pem file location is obtained for each LB Service.

TLS Certificates can be modeled for the following LoadBalancer services:

  • Citrix NetScaler Load Balancer Service
  • F5 Load Balancer Service
  • HAProxy Load Balancer Service

The following table shows the attributes and visualization of the LoadBalancer Service node (columns: Attributes, TLS certificate view, LoadBalancer service view):

Expected attributes:

  • common_name
  • expiry_date
  • issuer
  • key
  • name
  • organization
  • organization_unit
  • self_signed
  • serial
  • sha_256_fingerprint
  • short_name
  • start_date
  • subject
  • subject_alternative_name
  • type = "TLS Certificate"

Optional attributes:

  • authority_key_id
  • ca
  • public_key_algorithm
  • public_key_size
  • signature_algorithm
  • subject_key_id

CertLB1.png

CertLB.png

Hosts

Windows hosts

Prerequisites

To be able to model Windows hosts, ensure the following:

  1. Windows-like operating system.
  2. The host must be accessible to BMC Discovery; the approach is therefore not applicable to Autonomous Digital Enterprise (ADE) or API-discovered host nodes.
  3. The approach is valid only for certificates located in the \LocalMachine\My store. These are Local Machine certificates, which you can find as follows:
     • In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates.
     • In certmgr.msc, navigate to the Personal folder of the Local Computer.

Windows Certificates can be modeled for Windows hosts.

The following table shows the attributes and visualization of the Host node (columns: Attributes, Windows certificate view, Host node view):

Expected attributes:

  • common_name
  • expiry_date
  • friendly_name
  • has_private_key = True/False
  • issuer
  • key
  • name
  • organization
  • organization_unit
  • self_signed
  • serial
  • short_name
  • start_date
  • subject
  • subject_alternative_names
  • thumbprint
  • type = "Windows Certificate"

Extensions:

  • application_policies
  • certificate_template_information
  • key_usage
  • subject_key_id

CertHost1.png

certHost.png

Linux hosts

Prerequisites

To be able to model Linux hosts, ensure the following:

  • Linux-based operating system.
  • The host must be accessible to BMC Discovery; the approach is therefore not applicable to Autonomous Digital Enterprise (ADE) or API-discovered host nodes.
  • The approach is valid only for IPsec certificates.

IPsec Certificates can be modeled for Linux hosts.

The following table shows the expected attributes and visualization of the Host node (columns: Expected attributes, IPsec certificate view, Host node view):

Expected attributes:

  • authority_key_id
  • ca
  • common_name
  • expiry_date
  • fingerprint
  • issuer
  • key
  • name
  • organization
  • organization_unit
  • public_key_algorithm
  • public_key_size
  • serial
  • sha_256_fingerprint
  • short_name
  • signature_algorithm
  • start_date
  • subject
  • subject_alternative_names
  • subject_key_id
  • type = "IPsec Certificate"

DetailNode.png

Host.png

ManagementControllers

Prerequisites

  • HP iLO Web API credentials are enabled.
  • SNMP credentials for Dell iDRAC are enabled.

ManagementController certificates can be modeled for the following hosts:

  • (BMC Discovery versions earlier than 22.1) Only HP iLO devices are supported (TLS certificates are discovered by using the Redfish API).
  • (BMC Discovery versions including and later than 22.1) Any ManagementController device with an HTTPS interface is supported (TLS certificates are discovered by using the getCertificate function).

The following table shows the expected attributes and visualization of the ManagementController node (columns: Expected attributes, TLS certificate view, ManagementController node view):

Expected attributes:

  • common_name
  • expiry_date
  • fingerprint
  • key
  • issuer
  • name
  • organization
  • organization_unit
  • serial
  • short_name
  • start_date
  • subject
  • type = "TLS Certificate"

Screenshot 2022-12-01 at 15.18.29.png

Screenshot 2022-12-01 at 15.20.09.png

Extended certificates discovery

Starting with TKU May 2025, you can run the extended TLS certificates discovery pattern, which relies on discovered listening connections instead of the discovered software. The pattern iterates over a list of ports from the extended TLS discovery configuration and attempts to get a TLS certificate if associated listening TLS sockets are present. By design, the pattern tries not to extract TLS certificates for TLS sockets that are already related to SoftwareInstances or websites. The extended certificates discovery is used to retrieve a certificate when the standard TLS discovery fails for SoftwareInstances or is not supported. All created certificates are linked directly to the related host.

Extended TLS discovery is enabled by default. You can configure the list of TLS ports in the pattern configuration SSLDiscovery.Extended.TLSConfig by changing the default_tls_ports parameter. To disable extended TLS discovery, in the SSLDiscovery.Extended.TLSConfig pattern configuration, set enabled to False.

Discovery methods

Commands

  • An OpenSSL command, if SSL socket information can be taken from the listen_ssl_tcp_sockets attribute of the SI or of the Website Software Component, for the SoftwareInstance or the LoadBalancer Service node:

which openssl > /dev/null 2>&1 && echo | openssl s_client -connect %listen_ssl_tcp_socket% | openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text

  • An OpenSSL command, if the .pem file path value is extracted for the HAProxy LoadBalancer Service:

which openssl > /dev/null 2>&1 && echo | PRIV_RUNCMD openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in %esc_pem_file%

Important
This command does not reveal keys and is executed with sudo. Ensure that Discovery users are included in the sudoers file.

To prevent any unwanted insecure execution of the .pem file command, add the following code to your sudoers file:

Cmnd_Alias LSCERT=\
/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /*,\
!/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /* *,\
!/usr/bin/openssl x509 -inform pem -noout -nameopt oneline -subject -startdate -enddate -issuer -fingerprint -sha256 -serial -text -in /..

DiscoveryUser ALL=(root) NOPASSWD: LSCERT
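As an added example (not BMC's code or part of the original page), the following Python parser maps the output of the OpenSSL commands above to the TLS Certificate attributes listed on this page and computes the remaining validity. The sample output is constructed, and deriving self_signed by comparing subject and issuer is an assumption about how that attribute is produced.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the OpenSSL command's output (not captured from a real host).
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = Example Corp, OU = Web Team, CN = www.example.test
notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Jan  1 00:00:00 2026 GMT
issuer=C = US, O = Example Corp, OU = Web Team, CN = www.example.test
sha256 Fingerprint=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
serial=0A1B2C3D4E5F
            X509v3 Subject Alternative Name:
                DNS:www.example.test, DNS:example.test
"""
def parse_dn(dn):
    """Split a -nameopt oneline DN into a dict (assumes no RDN value contains ', ')."""
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in dn.split(", ") if "=" in p)}

def parse_date(value):
    """'Jan  1 00:00:00 2025 GMT' -> aware UTC datetime (strptime tolerates the double space)."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_openssl_x509(text):
    """Map the command output to the TLS Certificate attributes listed on this page."""
    raw, san, lines = {}, [], text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(subject|issuer|notBefore|notAfter|serial)=(.*)$", line)
        if m:
            raw[m.group(1)] = m.group(2).strip()
        elif line.lower().startswith("sha256 fingerprint="):
            raw["sha256"] = line.split("=", 1)[1].strip()
        elif "Subject Alternative Name" in line and i + 1 < len(lines):
            # In the -text section the SAN entries follow on the next line.
            san = [s.strip() for s in lines[i + 1].split(",") if s.strip()]
    subj = parse_dn(raw["subject"])
    return {
        "common_name": subj.get("CN"), "organization": subj.get("O"),
        "organization_unit": subj.get("OU"), "subject": raw["subject"],
        "issuer": raw["issuer"], "serial": raw["serial"],
        "sha_256_fingerprint": raw["sha256"], "subject_alternative_name": san,
        "start_date": parse_date(raw["notBefore"]), "expiry_date": parse_date(raw["notAfter"]),
        # Assumption: self_signed is derived by comparing subject and issuer.
        "self_signed": raw["subject"] == raw["issuer"], "type": "TLS Certificate",
    }

def days_until_expiry(cert, now=None):
    """Days left before the modeled certificate expires (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (cert["expiry_date"] - now).days
```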

To obtain certificate information for Windows hosts, BMC Discovery runs the following PowerShell commands:

  1. To get all Windows certificates:

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {'Thumbprint : {0}' -f $_.Thumbprint; 'Subject : {0}' -f $_.Subject; 'NotAfter : {0}' -f $_.NotAfter.ToString('yyyy-MM-dd HH:mm:ss'); 'NotBefore : {0}' -f $_.NotBefore.ToString('yyyy-MM-dd HH:mm:ss'); 'Issuer : {0}' -f $_.Issuer; 'HasPrivateKey : {0}' -f $_.HasPrivateKey; 'SerialNumber : {0}' -f $_.SerialNumber; 'FriendlyName : {0}' -f $_.FriendlyName; 'DnsNameList : {0}' -f ($_.DnsNameList -join ', '); 'SplitSection';}

  2. To get extensions for each certificate:

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {'Thumbprint: {0}' -f $_.Thumbprint; ($_.Extensions | ForEach-Object {'FieldsSplit'; 'Ext Field: {0}' -f $_.Oid.FriendlyName; 'Ext Value: {0}' -f $_.Format(1)}); 'SplitSection';}
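As an added example (not BMC's code or part of the original page), the following Python parser consumes the SplitSection-delimited output of the first PowerShell command above, maps each record to the Windows Certificate attributes listed on this page, and then flags expired certificates whose private key is still in the store. The two records are constructed, and deriving self_signed by comparing subject and issuer is an assumption.

```python
from datetime import datetime, timezone
# Constructed sample of the first PowerShell command's output (two records, not from a real host).
SAMPLE_WINDOWS_OUTPUT = """\
Thumbprint : 0123456789ABCDEF0123456789ABCDEF01234567
Subject : CN=host01.example.test, OU=IT, O=Example Corp
NotAfter : 2026-01-01 00:00:00
NotBefore : 2025-01-01 00:00:00
Issuer : CN=Example Issuing CA, O=Example Corp
HasPrivateKey : True
SerialNumber : 0A1B2C
FriendlyName : Web server
DnsNameList : host01.example.test, host01
SplitSection
Thumbprint : FEDCBA9876543210FEDCBA9876543210FEDCBA98
Subject : CN=old-selfsigned.example.test
NotAfter : 2024-06-01 00:00:00
NotBefore : 2023-06-01 00:00:00
Issuer : CN=old-selfsigned.example.test
HasPrivateKey : True
SerialNumber : 0B2C3D
FriendlyName :
DnsNameList :
SplitSection
"""
DATE_FMT = "%Y-%m-%d %H:%M:%S"  # the format the command's ToString() calls emit
def parse_windows_certs(text):
    """Split the output on SplitSection and map each record to Windows Certificate attributes."""
    certs = []
    for block in filter(str.strip, text.split("SplitSection")):  # drop the empty trailing chunk
        rec = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")  # keys never contain ':'; timestamps do
            rec[key.strip()] = value.strip()
        cn = next((p[3:] for p in rec["Subject"].split(", ") if p.startswith("CN=")), None)
        certs.append({
            "thumbprint": rec["Thumbprint"], "common_name": cn, "subject": rec["Subject"],
            "issuer": rec["Issuer"], "serial": rec["SerialNumber"],
            "friendly_name": rec["FriendlyName"] or None,
            "has_private_key": rec["HasPrivateKey"] == "True",
            # Assumption: self_signed is derived by comparing subject and issuer.
            "self_signed": rec["Subject"] == rec["Issuer"],
            "subject_alternative_names": [n for n in rec["DnsNameList"].split(", ") if n],
            "start_date": datetime.strptime(rec["NotBefore"], DATE_FMT).replace(tzinfo=timezone.utc),
            "expiry_date": datetime.strptime(rec["NotAfter"], DATE_FMT).replace(tzinfo=timezone.utc),
            "type": "Windows Certificate",
        })
    return certs

def expired_with_private_key(certs, now):
    """Thumbprints of expired certificates whose private key is still in the store."""
    return [c["thumbprint"] for c in certs if c["has_private_key"] and c["expiry_date"] < now]
```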

To obtain a list of IPsec certificates and details on each certificate, BMC Discovery runs the following commands:

certutil -L -d sql:/etc/ipsec.d
certutil -L -d sql:/var/lib/ipsec/nss
certutil -L -d sql:/etc/ipsec.d -n '%cert_name%' -a | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -inform pem -noout -nameopt oneline -subject -serial -startdate -enddate -issuer -fingerprint -sha256 -text
certutil -L -d sql:/var/lib/ipsec/nss -n '%cert_name%' -a | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -inform pem -noout -nameopt oneline -subject -serial -startdate -enddate -issuer -fingerprint -sha256 -text

discovery.getCertificate function

Important

This functionality works only if the TLS port of the Discovery target is accessible to BMC Discovery or BMC Outpost.

Starting with version 22.1, BMC Discovery can retrieve TLS certificate information by using the out-of-the-box discovery.getCertificate function. Starting with version 23.1, BMC Discovery can detect the sha_256_fingerprint and used_ssl_version attributes.

A Discovered Certificate node stores information about a TLS certificate retrieved from the target. For more information, see discovery.getCertificate and Discovered Certificate node.

TLSCert1.png

Modeling and CMDB sync

The certificate is modeled as a Certificate node and linked to a related SoftwareInstance, LoadBalancer Service, or Host node. By using a search, you can find the needed Certificate with detailed information.

Generic Search Query example
search Certificate
        show
        key,
        name,
        common_name,
        short_name,
        start_date,
        expiry_date,
        sha_256_fingerprint,
        issuer,
        subject_alternative_name,
        organization,
        organization_unit,
        serial,
        subject,
        self_signed,
#Certificate:Certificate:ElementWithCertificate:SoftwareInstance.name as "SI Name"

The Certificate node is synchronized to the BMC Helix CMDB with the mapping attribute DocumentType set to TLS Certificate or Windows Certificate. For more information, see BMC_Document.

The following figure shows an example of the dashboard view:

CMDBView.png


Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*
