Key Manager Plus integrates with enterprise ticketing systems to automatically create service requests for vulnerable or expiring SSL certificates. The integration ensures that tickets are created periodically in the ticketing system so that technicians are alerted and can act in time to reduce the security risk posed by expiring or vulnerable SSL certificates. How often service requests are created for expiring and vulnerable certificates is governed by the notification policies the user sets for each.
Key Manager Plus allows you to set up periodic notifications, in the form of emails or syslog messages, to check for expiring or vulnerable SSL certificates in the repository.
To enable the ticketing system integration, enter in Key Manager Plus the server URL of the machine on which the ticketing system is running, and ensure that the ticketing system host is reachable from the Key Manager Plus server.
Once enabled, Key Manager Plus will create tickets in the ticketing environment automatically, whenever the notifications for expiring/vulnerable SSL certificates are triggered during a scheduled or a manual vulnerability check.
Tickets are created in the ticketing environment based on the notification policy set for SSL certificates that are expiring and/or deemed as vulnerable in Key Manager Plus. Click here to learn more about how to set up notifications for the same.
1.1 SSL Expiry
The SSL expiry ticket is created as part of the default expiry notifications sent by Key Manager Plus, as well as the scheduled SSL expiry reports. The notifications are triggered whenever a scheduled expiry report or default expiry notification task is run in Key Manager Plus.
1. You can set up a schedule for notifications about expiring SSL certificates in Settings >> Notification >> Expiry. To enable SSL certificate expiry notifications, select the 'Notify about SSL certificates expiring within' checkbox and choose a value in days. You will be notified only about those certificates whose expiry dates fall within the period (number of days) you enter. Customize the frequency of the notifications as required. Once the schedule is set, Key Manager Plus will collate a list of certificates expiring within the specified number of days.
2. For each SSL certificate, Key Manager Plus will check whether an expiry ticket has already been created in the ticketing environment. If not, a new ticket will be opened. Details of the new ticket, such as the Ticket Number, Status, IP Address, and the Certificate Serial Number for which the ticket was created, are stored locally.
3. If a ticket already exists, its status will be checked. If the status of the ticket is Open, In Progress, or On Hold, Key Manager Plus will not create a new ticket. However, if the status is Resolved, Canceled, or Closed, Key Manager Plus will reopen the ticket, and will keep doing so until the corresponding SSL certificate is renewed and updated in the Key Manager Plus repository.
4. Tickets created by Key Manager Plus will be flagged as 'High Priority'.
1.2 SSL Vulnerability
The SSL vulnerability ticket is created as part of the default scheduled vulnerability scan run by Key Manager Plus, as well as manual scans. A ticket will be created for each vulnerability detected during the vulnerability scan.
1. You can set up a schedule for vulnerability scans in Settings >> SSL >> SSL Vulnerability. Configure the recurrence type to set up the scan to run daily or weekly.
2. First, Key Manager Plus will check if a vulnerability ticket already exists in the ticketing environment using the certificate serial number, Domain Name, and IP Address. If a ticket is already created, the status of the ticket will be retrieved.
3. If the ticket status is Open, In Progress, or On Hold, Key Manager Plus will simply add the latest scan results to the ticket. If the ticket status is Resolved, Canceled, or Closed, but vulnerabilities are still found in the scan results, then Key Manager Plus will reopen the ticket and add the latest scan results to it.
4. If no ticket corresponding to a particular server vulnerability exists in the ticketing environment, Key Manager Plus will create a new ticket.
5. In the ticketing system, a separate ticket is created for each domain - IP vulnerability combination. For example, consider a certificate with common name example.com and a SAN of test.example.com, used at two different IP addresses: example.com at 192.168.0.23 and test.example.com at 192.168.205.35.
If vulnerabilities are found at both locations, two tickets will be created: one for example.com@192.168.0.23 and one for test.example.com@192.168.205.35. Even though the same certificate is used, the server locations are different, so they are treated as two different vulnerabilities.
6. Tickets created by Key Manager Plus will be flagged as 'High Priority'.
Note: The vulnerability tickets will only contain details of weak ciphers found during the scan i.e., the ticket will not list the health of other ciphers available in that particular server if they are not found to be vulnerable.
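The create / skip / reopen rules of sections 1.1 and 1.2 share one decision procedure, keyed differently for expiry (certificate serial) and vulnerability (serial plus domain and IP) tickets. The example below is added here and is not Key Manager Plus code: it runs those rules against an in-memory stand-in for a ticketing system (a real integration would call the ticketing system's API instead). The ticket keys, field names, sample certificates and scan findings are constructed for illustration.

```python
"""Added example (not Key Manager Plus code): ticket reconciliation rules from
sections 1.1 (expiry) and 1.2 (vulnerability). TicketStore is a constructed
stand-in for a real ticketing system; all sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ticket states as named on the page
ACTIVE = {"Open", "In Progress", "On Hold"}
DONE = {"Resolved", "Canceled", "Closed"}


@dataclass
class Ticket:
    key: str                      # constructed lookup key, see expiry_key / vuln_key
    subject: str
    status: str
    priority: str = "High"        # tickets created by the integration are High priority
    notes: list = field(default_factory=list)


class TicketStore:
    """Minimal in-memory ticketing system (assumption: real one is reached over HTTP)."""
    def __init__(self):
        self.tickets = {}

    def find(self, key):
        return self.tickets.get(key)

    def create(self, key, subject, note):
        ticket = Ticket(key, subject, "Open", "High", [note])
        self.tickets[key] = ticket
        return ticket


def expiry_key(serial):
    return f"expiry:{serial}"


def vuln_key(serial, domain, ip):
    # Section 1.2 step 5: one ticket per domain - IP combination, even for the same cert
    return f"vuln:{serial}:{domain}@{ip}"


def reconcile(store, key, subject, note, append_when_active):
    """Shared rule: create if absent, leave (or update) if active, reopen if done."""
    ticket = store.find(key)
    if ticket is None:
        store.create(key, subject, note)
        return "created"
    if ticket.status in ACTIVE:
        if append_when_active:        # vulnerability tickets get the latest scan results
            ticket.notes.append(note)
            return "updated"
        return "skipped"              # expiry tickets: no new ticket while one is active
    if ticket.status in DONE:
        ticket.status = "Open"
        ticket.notes.append(note)
        return "reopened"
    raise ValueError(f"unexpected ticket status {ticket.status!r}")


def process_expiry(store, certs, today, within_days):
    """Section 1.1: only certificates expiring within the configured window."""
    cutoff = today + timedelta(days=within_days)
    actions = {}
    for cert in certs:
        if cert["not_after"] > cutoff:
            continue
        subject = f"SSL Certificate {cert['common_name']} expiry"
        note = f"Common Name: {cert['common_name']}; Expiry Date: {cert['not_after'].isoformat()}"
        actions[cert["serial"]] = reconcile(
            store, expiry_key(cert["serial"]), subject, note, append_when_active=False)
    return actions


def process_vulnerabilities(store, findings, scan_time):
    """Section 1.2: one ticket per domain@IP, carrying only the weak ciphers found."""
    actions = {}
    for f in findings:
        label = f"{f['domain']}@{f['ip']}"
        if not f["weak_ciphers"]:
            actions[label] = "none"   # nothing vulnerable: no ticket, no reopen
            continue
        subject = f"Vulnerabilities for {f['domain']}"
        note = f"{scan_time}: weak ciphers {', '.join(f['weak_ciphers'])}"
        actions[label] = reconcile(
            store, vuln_key(f["serial"], f["domain"], f["ip"]), subject, note, append_when_active=True)
    return actions


def demo():
    today = date(2020, 1, 1)
    store = TicketStore()
    # Constructed pre-existing tickets: one already resolved, one on hold
    store.tickets[expiry_key("AA03")] = Ticket(expiry_key("AA03"), "SSL Certificate old.example.com expiry", "Resolved")
    store.tickets[expiry_key("AA04")] = Ticket(expiry_key("AA04"), "SSL Certificate hold.example.com expiry", "On Hold")
    certs = [  # constructed certificate inventory
        {"serial": "AA01", "common_name": "www.example.com", "not_after": date(2020, 1, 11)},
        {"serial": "AA02", "common_name": "far.example.com", "not_after": date(2020, 4, 1)},
        {"serial": "AA03", "common_name": "old.example.com", "not_after": date(2020, 1, 5)},
        {"serial": "AA04", "common_name": "hold.example.com", "not_after": date(2020, 1, 20)},
    ]
    expiry_actions = process_expiry(store, certs, today, within_days=30)
    findings = [  # constructed scan results, same certificate at two locations
        {"serial": "BB01", "domain": "example.com", "ip": "192.168.0.23", "weak_ciphers": ["TLS_RSA_WITH_RC4_128_SHA"]},
        {"serial": "BB01", "domain": "test.example.com", "ip": "192.168.205.35", "weak_ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
        {"serial": "BB02", "domain": "clean.example.com", "ip": "192.168.1.10", "weak_ciphers": []},
    ]
    first = process_vulnerabilities(store, findings, "2020-01-01T02:00Z")
    # A technician closes one ticket without fixing the server; the next scan reopens it
    store.tickets[vuln_key("BB01", "example.com", "192.168.0.23")].status = "Closed"
    second = process_vulnerabilities(store, findings, "2020-01-02T02:00Z")
    return expiry_actions, first, second, store


if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```

The demo walks the page's own example: the same certificate at 192.168.0.23 and 192.168.205.35 yields two tickets, an expiring certificate whose ticket was Resolved gets reopened, and a ticket closed while the weak ciphers are still present is reopened with the latest scan results appended.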
Listed below are the ticketing systems currently supported by Key Manager Plus:
Subject: SSL Certificate <common name> expiry
Description:
The SSL Certificate <common name> expiring soon, please take care
Common Name:<common name>
Expiry Date: Feb 25, 2020
Scanned by: Key Manager Plus running at https://<kmpserverurl>:<port>
Subject: Vulnerabilities for <domain name>
Description:
<Domain Name>(this could be the SAN)
<Common Name> (certificate common name)
<IP Address>
Weak ciphers in use, which should be removed
<Names of the ciphers found to be weak>
If any vulnerabilities such as OCSP, CRL, HeartBleed, or Poodle are found, then the corresponding Signature Algorithm and expiry date information will also be added here.
Scan Time
Scanned by: Key Manager Plus running at https://<kmpserverurl>:<port>