SSL Discovery
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. SSL network discovery and monitoring is used to survey designated internet-facing or internal IP addresses and ports to locate and import certificates, and to alert certificate owners when certificates are nearing expiration or are not found. Discovery jobs scan network segments to locate certificates at TLS endpoints, whereas monitoring jobs inspect certificates for health and expiration and notify recipients of their status. With the introduction of the Keyfactor Universal Orchestrator, SSL discovery can scan TLS 1.3 endpoints using any of the 5 cipher suites referenced in appendix B.4 of RFC 8446. The Universal Orchestrator, one of Keyfactor's suite of orchestrators, interacts with servers and devices for certificate management, runs SSL discovery and management tasks, and manages synchronization of certificate authorities in remote forests; with custom extensions it can manage certificates on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers.
SSL network discovery and monitoring scanning is performed by orchestrators that are assigned to orchestrator pools. An orchestrator pool contains orchestrators that support SSL discovery and monitoring capabilities for its networks, and the orchestrator architecture allows a pool of orchestrators to execute scan jobs in parallel. Based on defined schedules, Keyfactor Command creates discovery or monitoring scan jobs; several scan jobs may be created from one large request. Orchestrators poll the Keyfactor Command Service to determine whether scan jobs are available, and available orchestrators then execute them. Keyfactor Command automatically distributes the scanning load across the orchestrators in the pool by generating and managing individual scan jobs. Additionally, the orchestrator that discovers a certificate can be different from the orchestrator that monitors it.
During discovery scans, the orchestrator SSL scanning process attempts to scan with and without Server Name Indication (SNI, a TLS extension that includes the target server's hostname in the initial handshake so that the server can respond with the correct certificate, or a proxy can forward the request to the appropriate target) for endpoints specified by host name (either a fully qualified domain name such as servername.keyexample.com or a short name such as servername). During a monitoring scan, SNI is used only if the endpoint has an SNI name recorded from the discovery scan. Whenever an endpoint is defined to scan by its host name, the orchestrator tries to scan that endpoint twice: one normal scan against the endpoint and one using the supplied host name as the SNI extension.
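The following script is an added example written for this page, not Keyfactor's code, to make the scanning behaviour above concrete: it expands a network definition (host names, single addresses, CIDR blocks, and ports) into the scan attempts a discovery job makes, with one plain scan per target/port pair and a second SNI scan for targets given by host name; fetches whatever certificate each endpoint presents; keeps negative results; and grades a stored certificate's expiry the way a monitoring job would. The host names, ports and certificate dates are constructed placeholders, and the monitoring function assumes the parsed-dictionary form of a certificate that Python's `ssl` module returns for a verified peer.

```python
"""Added example (not Keyfactor's code): SSL discovery scan planning with and
without SNI, endpoint inventory, and a monitoring expiry check."""
import ipaddress
import socket
import ssl
from datetime import datetime, timezone


def expand_targets(spec):
    """Turn 'host.example.test', '10.0.0.5' or '10.0.0.0/30' into (target, is_hostname) pairs."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return [(spec, True)]  # not an address or CIDR block: treat it as a host name
    if net.num_addresses == 1:
        return [(str(net.network_address), False)]
    return [(str(ip), False) for ip in net.hosts()]


def plan_scans(definition):
    """Every target/port pair gets a plain scan; host names also get a scan that
    sends the name in the SNI extension, so a virtual-hosted certificate that
    differs from the server's default certificate is found as well."""
    jobs = []
    for spec in definition["targets"]:
        for target, is_hostname in expand_targets(spec):
            for port in definition["ports"]:
                jobs.append((target, port, None))
                if is_hostname:
                    jobs.append((target, port, target))
    return jobs


def fetch_certificate(target, port, sni=None, timeout=5.0):
    """Return the DER certificate the endpoint presents for this (target, SNI) pair.
    Discovery inventories whatever is presented, so chain validation is turned
    off here; trust and health decisions are made later from the imported certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((target, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def discover(definition, timeout=5.0):
    """Run every planned scan and keep negative results too: an endpoint that
    stopped answering is itself something a reviewer wants to see."""
    results = []
    for target, port, sni in plan_scans(definition):
        record = {"target": target, "port": port, "sni": sni, "found": False, "cert": None}
        try:
            record["cert"] = fetch_certificate(target, port, sni, timeout)
            record["found"] = record["cert"] is not None
        except OSError:  # ssl.SSLError and socket.timeout are OSError subclasses
            pass  # no TLS answer: recorded as a negative result
        results.append(record)
    return results


def monitor_status(cert_dict, now=None, warn_days=30):
    """Monitoring step over a parsed certificate (the dictionary form that
    ssl.SSLSocket.getpeercert() returns for a verified peer): days until
    notAfter and a status an expiration alert can key on."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert_dict["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    remaining = (not_after - now).days
    if remaining < 0:
        status = "expired"
    elif remaining <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"not_after": not_after, "days_remaining": remaining, "status": status}


if __name__ == "__main__":
    # Constructed network definition; the host name is a placeholder.
    definition = {"targets": ["www.example.test", "10.0.0.0/30"], "ports": [443, 8443]}
    for job in plan_scans(definition):
        print("scan", job)  # (target, port, sni) -- sni is None for the plain scan
    # Constructed certificate fields, as a monitoring job would read them.
    sample = {"notAfter": "Jun 15 12:00:00 2030 GMT"}
    print(monitor_status(sample, now=datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)))
```

Note the design choice in `fetch_certificate`: verification is disabled because discovery's job is to inventory what endpoints actually present, including self-signed or mis-issued certificates that a validating client would reject; validation and expiry checks then run against the imported certificate, where failures can be alerted on rather than silently skipped.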
Keyfactor Command is installed with a Default Orchestrator Pool that holds all the orchestrators that have been configured for SSL network discovery and monitoring. Custom orchestrator pools can be created as needed.
SSL network discovery and monitoring is divided into three areas:
- Network Definitions: Network definitions are used to define a collection of networks that will be scanned by the designated orchestrator pool. Networks are defined using IP addresses, ports and hostnames. Within this option, you can schedule discovery and/or monitoring tasks. You can also configure networks to automatically tag a discovered endpoint with a certificate for monitoring.
- Orchestrator Pools Definition: On the orchestrator pools definition tab you define a group of available orchestrators that support the SSL discovery and monitoring capabilities. For each orchestrator added to the orchestrator pool, you can select the discover and/or monitor option(s).
- Results: The results tab shows the results for endpoints that have been scanned, including both positive (true, a certificate was found) and negative (false, a certificate was not found) results. If a response was received from an endpoint during a scan, it is included in the results; negative results are hidden by default. The Monitor Status (True/False) and Reviewed Status (True/False) of an endpoint are included in the results tab.
The SSL network discovery and monitoring features can only be used if at least one compatible (see Compatibility Matrix) instance of the Keyfactor Universal Orchestrator is running in the environment and the orchestrator has been approved in the Management Portal. Keyfactor recommends that the orchestrator(s) used for SSL network discovery and monitoring be installed on a server other than the primary Keyfactor Command server(s) due to the resource requirements of the scanning process when scanning large network segments.