Limit discovered Certificates, OR limit certificate tasks

Go to solution
Russell Abbott
Kilo Sage

‎02-13-2023 10:01 PM

We have a requirement to discover certificates. I have this working fine. The only condition I'm looking to include is for Discovery to ignore self-signed certificates.

Is this something that can be done before the certificates are written to cmdb_ci_certificate? I did try to edit the Discovery pattern but was presented with an error on trying to save that.

I also tried adding a statement to the Discovery - Certificate Captured BR located here

 

https://<instance-name>.service-now.com/nav_to.do?uri=sys_script.do?sys_id=6cc7041777123300b5bd1c3fa...

which did not work either.

 

 if (current.is_self_signed == true) {
        // The certificate is self-signed, returning without firing the event
        return;
    }
    gs.info("Business rule got fired, triggering event certificate.captured for " + current.sys_id); 
    gs.eventQueue("sn_disco_certmgmt.certificate.captured", current, current.getTableName(), "");

 

Failing this, is there any way to limit any auto renewal tasks to only fire for non Self Signed certificates?

 

Thanks!

0 Helpfuls
  • 1,115 Views
1 ACCEPTED SOLUTION

Go to solution
Russell Abbott
Kilo Sage
In response to Arpit7

‎02-22-2023 12:19 PM

I found another solution after a Service Now support tech pointed me to the Stack Trace BR. I ran that on update of the cmdb_ci_certificate table to find the script that would run on discovery of a new certificate.

That script include is named 'PopulateCmdbCiCertificate' and is located

 

https://<your-instance>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=a4d8ecef77923300b...

 

I updated the first section of that script include to NOT create new certificate records. I moved the logic to skip self-signed certificates to the beginning of the 'for' loop.

 

 

var PopulateCmdbCiCertificate = Class.create();
PopulateCmdbCiCertificate.prototype = {
    initialize: function() {},
    populateCmdbCiCertificate: function(certificateCaptured) {
        var certificates = this.parseXMLPayload(certificateCaptured.payload);

        if (certificates.length == 0) {
            logger.error("No certificates found for " + certificateCaptured.sys_id, discoveryStr);
            return;
        }

        logger.info("Populating " + certificates.length + " certificates for " + certificateCaptured.sys_id, discoveryStr);

        var issuer = null;
        var rootIssuer = null;
        var current = null;

        // payload contains certificates in the below order
        // server -> (intermediate)* -> root 
        // As reference to parent CIs are needed populate the certs in reverse order
        for (var i = certificates.length - 1; i >= 0; i--) {
            var currentCert = certificates[i];
            var fingerprint = currentCert['fingerprint'];
            var certGr = new GlideRecord("cmdb_ci_certificate");

            if (currentCert['is_self_signed'] == 'true') {
                logger.info("Skipping self-signed certificate: " + fingerprint, discoveryStr);
                continue;
            }

            if (!this.updateStateAttrIfCertExists(certGr, certificateCaptured, currentCert)) {
                // populate the complete CI
                this.populateCertAttributes(currentCert, certGr);
            }
            certGr.setValue('issuer', issuer);
            certGr.setValue('root_issuer', rootIssuer);
            this.populateCertFile(currentCert, certGr);
            current = this.upsert(certGr, certificateCaptured);
            //Update the cert extension info and attach cert into cert task table, if cert requesting via automated flow
            if (!gs.nil(currentCert['request_cert_via_automated_flow']) && currentCert['request_cert_via_automated_flow'] == 'true')
                this.updateCertExtensionAndTask(currentCert, certGr);

            if (i == certificates.length - 1) {
                rootIssuer = current;
                // add a self reference for the last certificate
                this.updateRootIssuerForRootCert(certGr, current, certificateCaptured);
            }
            issuer = current;
        }
        return current;
    },

 

View solution in original post

0 Helpfuls
2 REPLIES 2

Go to solution
Arpit7
Tera Contributor

‎02-17-2023 08:12 PM

Write a business rule on Unique certificate table and look for records where 

is_self_signed == true

 

As seond step Set "Renewal Tracking" to Do Not create New Tasks. This way No Certificate tasks will be created for Certificate tasks.

 

Now if you do not want any record to be created for

is_self_signed == true

  Write a business rule on this Key attribute and delete the record. This way No record will be created in Unique certificate table.

Go to solution
Russell Abbott
Kilo Sage
In response to Arpit7

‎02-22-2023 12:19 PM

I found another solution after a Service Now support tech pointed me to the Stack Trace BR. I ran that on update of the cmdb_ci_certificate table to find the script that would run on discovery of a new certificate.

That script include is named 'PopulateCmdbCiCertificate' and is located

 

https://<your-instance>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=a4d8ecef77923300b...

 

I updated the first section of that script include to NOT create new certificate records. I moved the logic to skip self-signed certificates to the beginning of the 'for' loop.

 

 

var PopulateCmdbCiCertificate = Class.create();
PopulateCmdbCiCertificate.prototype = {
    initialize: function() {},
    populateCmdbCiCertificate: function(certificateCaptured) {
        var certificates = this.parseXMLPayload(certificateCaptured.payload);

        if (certificates.length == 0) {
            logger.error("No certificates found for " + certificateCaptured.sys_id, discoveryStr);
            return;
        }

        logger.info("Populating " + certificates.length + " certificates for " + certificateCaptured.sys_id, discoveryStr);

        var issuer = null;
        var rootIssuer = null;
        var current = null;

        // payload contains certificates in the below order
        // server -> (intermediate)* -> root 
        // As reference to parent CIs are needed populate the certs in reverse order
        for (var i = certificates.length - 1; i >= 0; i--) {
            var currentCert = certificates[i];
            var fingerprint = currentCert['fingerprint'];
            var certGr = new GlideRecord("cmdb_ci_certificate");

            if (currentCert['is_self_signed'] == 'true') {
                logger.info("Skipping self-signed certificate: " + fingerprint, discoveryStr);
                continue;
            }

            if (!this.updateStateAttrIfCertExists(certGr, certificateCaptured, currentCert)) {
                // populate the complete CI
                this.populateCertAttributes(currentCert, certGr);
            }
            certGr.setValue('issuer', issuer);
            certGr.setValue('root_issuer', rootIssuer);
            this.populateCertFile(currentCert, certGr);
            current = this.upsert(certGr, certificateCaptured);
            //Update the cert extension info and attach cert into cert task table, if cert requesting via automated flow
            if (!gs.nil(currentCert['request_cert_via_automated_flow']) && currentCert['request_cert_via_automated_flow'] == 'true')
                this.updateCertExtensionAndTask(currentCert, certGr);

            if (i == certificates.length - 1) {
                rootIssuer = current;
                // add a self reference for the last certificate
                this.updateRootIssuerForRootCert(certGr, current, certificateCaptured);
            }
            issuer = current;
        }
        return current;
    },

 

0 Helpfuls