Sandeep132
Kilo Sage

Scenario:

We installed the Certificate Inventory Management plugin in our instance and started discovering certificates for our URLs using URL-based discovery. We also enabled the certificate renewal process for the certificates that get discovered. Renewal tasks are generated and assigned to the support group specified on the certificate. The process works fine, but when a renewal task is completed (meaning the expiring certificate has been renewed), a new certificate with new attributes, such as a new serial number, is created. This renewed certificate is discovered in the next discovery run and a new entry is created in the CMDB inventory.

The issue is that the old certificate stays in the CMDB inventory and still follows the renewal process, so support groups keep receiving renewal tasks for this invalid (already replaced) certificate.

Solution:

We did not find any OOB scripts that handle the lifecycle management of the certificates, so we came up with a couple of custom ways to update a certificate that was renewed recently.

1. Using a business rule that runs when the state of the renewal task changes to Closed Complete. The script below looks up the certificate that was renewed and sets its renewal flag to none.

// Business rule on the renewal task (after update, state = Closed Complete).
// current.cmdb_ci is the certificate that the completed task renewed.
var cert = new GlideRecord("cmdb_ci_certificate");
cert.addEncodedQuery("sys_id=" + current.cmdb_ci);
cert.query();
if (cert.next()) {
    // Stop tracking the old record; the renewed certificate is discovered as a new CI.
    cert.renewal_tracking = "none";
    cert.update();
}


2. Another way to handle these invalid certificates is to use the "Most Recent Discovery" field on the certificates and update the flag if they have not been discovered for a certain number of days.

// Scheduled script: certificates whose most recent discovery is older than 30 days.
// A replaced certificate is no longer found by discovery, so its last_discovered stops moving.
var gr = new GlideRecord("cmdb_ci_certificate");
gr.addEncodedQuery("last_discovered<javascript:gs.beginningOfLast30Days()");
gr.query();
while (gr.next()) {
    gr.renewal_tracking = "none";
    gr.update();
}
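
An added example (not part of the original post or of the Certificate Inventory Management plugin): the same idea generalised so that a record is untracked only when a newer certificate for the same URL exists, which avoids silencing tracking on a certificate that merely missed a discovery run. It is plain JavaScript with a constructed in-memory list standing in for cmdb_ci_certificate; the url, serial_number and valid_to field names are assumptions.

```javascript
// Constructed sample inventory (assumed field names), standing in for
// GlideRecord rows of cmdb_ci_certificate. Two records share one URL:
// the older one has been replaced by the renewed certificate.
const inventory = [
  { sys_id: 'a1', url: 'https://app.example.com', serial_number: '01', valid_to: '2022-01-15', renewal_tracking: 'renewal_task' },
  { sys_id: 'a2', url: 'https://app.example.com', serial_number: '02', valid_to: '2023-01-15', renewal_tracking: 'renewal_task' },
  { sys_id: 'b1', url: 'https://api.example.com', serial_number: '07', valid_to: '2022-02-01', renewal_tracking: 'renewal_task' },
];

// Group certificates by the discovered URL. The record with the latest
// valid_to is the live certificate; every other record for that URL has
// been replaced. A URL with a single record is never treated as replaced,
// even if that record is stale.
function findSupersededCertificates(records) {
  const byUrl = new Map();
  for (const rec of records) {
    if (!byUrl.has(rec.url)) byUrl.set(rec.url, []);
    byUrl.get(rec.url).push(rec);
  }
  const superseded = [];
  for (const group of byUrl.values()) {
    if (group.length < 2) continue;
    // ISO dates compare correctly as strings; newest first.
    group.sort((a, b) => (a.valid_to < b.valid_to ? 1 : a.valid_to > b.valid_to ? -1 : 0));
    superseded.push(...group.slice(1));
  }
  return superseded;
}

// Turn off renewal tracking on the replaced records (the equivalent of
// setting renewal_tracking = "none" and calling update()) and return the
// sys_ids that were changed, so the run can be logged.
function untrackSuperseded(records) {
  const touched = [];
  for (const rec of findSupersededCertificates(records)) {
    if (rec.renewal_tracking === 'none') continue; // already handled
    rec.renewal_tracking = 'none';
    touched.push(rec.sys_id);
  }
  return touched;
}
```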


Let me know in the comments if there are OOB ways to approach this situation.

Comments
Matt Tremblay
Tera Contributor

Great share!

I made a small addition to help train the users.

    // Add your code here
    var cert = new GlideRecord("cmdb_ci_certificate");
    cert.addEncodedQuery("sys_id=" + current.cmdb_ci);
    cert.query();
    if (cert.next()) {
        cert.renewal_tracking = "none";
        cert.update();
        gs.addInfoMessage('Certificate Tracking is now removed from this replaced certificate '+ current.cmdb_ci.getDisplayValue() + '. When a certificate is renewed the expiry is not updated on the current record. A new certificate record is created with a new serial number and that is now the record to be tracked.');
    }


Last update: 12-30-2021 06:01 AM