I want to share a small pattern that discovers SSL Certificates used by "Apache Tomcat Application Server", "Apache Webserver" and "IBM Websphere Application Server" and creates a Detail node linked to the SoftwareInstance (always on the SI, not at the Website SoftwareComponent for Apache Webserver).
A syncmapping is included to sync the created Detail node to BMC_Document.
My Intention for that was to ensure that we can track the start- and expiredate for certificates.
That pattern triggers on created or confirmed Tomcats and WAS that have the listen_ssl_tcp_sockets attribute set and on every Apache Webserver (I'm sorry for that greedy trigger).
It then checks for and uses the openssl binary to get the related information from the certificate.
It tries to get the Common Name, SHA256 Fingerprint, Start Date (notBefore) and End Date (notAfter) from the certificate.
Theoretically that approach should work for every sofware that has its ssl ports discovered.
This is what gets created inside the cmdb:
It creates a BMC_Document CI and a relationship to the related tomcats.
Cases that are already tested:
- Single Certificate used by one Tomcat with one SSL Connector defined
- Single Certificate used by multiple Tomcats with one SSL Connector defined per SI
- Single Certificate used by one/multiple Apache Webservers
- Single Certificate used by one/multiple Websphere Application Servers
Cases that are untested:
- Single/Multiple Certificates used by one Tomcat with multiple SSL Connectors defined
- Single/Multiple Certificates used by multiple Tomcats with multiple SSL Connectors defined per SI
Hopes and Wishes from the Community:
- Everyone who could test that against jboss, nginx, an ldap server providing a ldaps port and much more possible "ssl socket providers" would be great
- Windows support, sadly Windows does not have an easy way to use the "which" or "openssl" command
I hope that we can improve that together.
Feel free to change the name or the tree path inside the tpl as you wishes.
Changes inside the new attachment:
- CTI, Model, Manufacturer added to sync and made configurable
That should make it a lot easier to normalize and reconcile the CIs to the Asset
- Configurable "triggers", SI types may be excluded without editing the patterns
- added support for IBM Websphere Application Server and Apache Webserver
- sync based on Detail type and not SI type
- moved certificate creation to a function and changed the CN regex to be more reliable