Ticketing System Integration for SSL Certificates

Password Manager Pro integrates with enterprise ticketing systems to automatically create service requests for vulnerable or expiring SSL certificates. The integration ensures that periodic tickets are created in the ticketing system to alert technicians so that they can take timely action to reduce the security threats posed by expiring or vulnerable SSL certificates. The frequency of service request creation for expiring and vulnerable certificates is governed by the notification policies the user has set for them.

  1. How does the Ticketing System Integration for SSL Certificates work?

    1.1 SSL Expiry

    1.2 SSL Vulnerability

  2. Steps to integrate ticketing systems with Password Manager Pro

    2.1 ServiceDesk Plus

    2.2 ServiceNow

1. How does the Ticketing System Integration for SSL Certificates Work?

Password Manager Pro allows you to set up periodic notifications, in the form of emails or syslog messages, to check for expiring or vulnerable SSL certificates in the repository.

To enable the ticketing system for SSL certificates, enter the server URL of the machine where the ticketing system is running in Password Manager Pro and ensure that the ticketing system host is accessible by the Password Manager Pro server.
Once the ticketing system for SSL certificates is enabled, Password Manager Pro will create tickets in the ticketing environment automatically whenever the notifications for expiring/vulnerable SSL certificates are triggered during a scheduled or a manual vulnerability check.

Prerequisite

Tickets are created in the ticketing environment based on the notification policy set for SSL certificates that are expiring and/or deemed as vulnerable in Password Manager Pro. Click here to learn more about how to set up notifications for the same.

1.1 SSL Expiry

The SSL expiry ticket is created as part of the default expiry notifications sent by Password Manager Pro, as well as the scheduled SSL expiry reports. The notifications are triggered whenever a scheduled expiry report or default expiry notification task is run in Password Manager Pro.

  1. You can set up a schedule for notifications regarding expiring SSL certificates in Admin >> SSH/SSL Config >> Notification Settings. To enable SSL certificate expiry notifications, select the 'Notify about SSL certificates expiring within' checkbox. Choose a value for days. You will be notified about only those certificates whose expiry dates fall within the period (number of days) you enter. Customize the frequency of the notifications as per requirement. Once the schedule is set, Password Manager Pro will collate a list of expiring certificates falling under the specified number of days.
  2. For each SSL certificate, Password Manager Pro will check if an expiry ticket is already created in the ticketing environment. If not, a new ticket will be opened. The new ticket will contain details such as the Ticket Number, Status, IP Address, and Certificate Serial Number for which the ticket is created locally.
  3. If a ticket already exists, the status of the ticket will be checked. If the status of the ticket is Open, In Progress, or On Hold, Password Manager Pro will not create a new ticket. However, if the status is Resolved, Canceled, or Closed, Password Manager Pro will re-open the ticket until the corresponding SSL certificate is renewed and updated in the Password Manager Pro repository.
  4. Tickets created by Password Manager Pro will be flagged as 'High Priority'.

1.2 SSL Vulnerability

The SSL vulnerability ticket is created as part of the default schedule for vulnerability scans done by Password Manager Pro, as well as manual scans. A ticket will be created for each vulnerability detected during the vulnerability scan.

  1. You can set up a schedule for vulnerability scans in Admin >> SSL Certificates >> SSL Vulnerability. Configure the recurrence type to set up the scan to run daily or weekly.
  2. First, Password Manager Pro will check if a vulnerability ticket already exists in the ticketing environment using the certificate serial number, Domain Name, and IP Address. If a ticket is already created, the status of the ticket will be retrieved.
  3. If the ticket status is Open, In Progress, or On Hold, Password Manager Pro will simply add the latest scan results to the ticket. If the ticket status is Resolved, Canceled, or Closed, but vulnerabilities are still found in the scan results, then Password Manager Pro will reopen the ticket and add the latest scan results to it. 
  4. If no ticket corresponding to a particular server vulnerability is available in the ticketing environment, Password Manager Pro will create a new ticket.
  5. In the ticketing system, a separate ticket is created for each domain - IP vulnerability combination. For example, consider a certificate with common name example.com and SAN namely test.example.com, used for two different IP addresses as follows:
    • example.com at IP location 192.168.0.23
    • test.example.com at IP location 192.168.205.35

    If vulnerabilities are found at both locations, then two tickets will be created: one for example.com@192.168.0.23 and one for test.example.com@192.168.205.35. Even though the certificate used is the same, since the server locations are different, they will be considered as two different vulnerabilities.

  6. Tickets created by Password Manager Pro will be flagged as High Priority.

  7. Note: The vulnerability tickets will only contain details of weak ciphers found during the scan i.e., the ticket will not list the health of other ciphers available in that particular server if they are not found to be vulnerable.
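
The create / update / reopen rules from sections 1.1 and 1.2, modelled as an added example (this is not Password Manager Pro code). The in-memory `tickets` dict, the function names, keying expiry tickets by serial number, and returning reopened tickets to Open are assumptions made for illustration; the certificate serial and cipher name are constructed sample values.

```python
from dataclasses import dataclass, field

# Statuses that block a new ticket; anything else (Resolved, Canceled,
# Closed) causes the existing ticket to be reopened.
ACTIVE = {"Open", "In Progress", "On Hold"}

@dataclass
class Ticket:
    status: str = "Open"
    priority: str = "High"                      # tickets are flagged High Priority
    scan_results: list = field(default_factory=list)

def sync_expiry(tickets, serial):
    """Handle one certificate from the expiring list (section 1.1)."""
    key = ("expiry", serial)                    # assumption: looked up by serial number
    ticket = tickets.get(key)
    if ticket is None:
        tickets[key] = Ticket()
        return "created"
    if ticket.status in ACTIVE:
        return "unchanged"                      # no duplicate while work is pending
    ticket.status = "Open"                      # assumption: reopened tickets return to Open
    return "reopened"

def sync_vulnerability(tickets, serial, domain, ip, weak_ciphers):
    """Handle one scan finding, matched on serial + domain + IP (section 1.2)."""
    if not weak_ciphers:
        return "no finding"                     # only weak ciphers are ticketed
    key = ("vuln", serial, domain, ip)
    ticket = tickets.get(key)
    if ticket is None:
        ticket = tickets[key] = Ticket()
        action = "created"
    elif ticket.status in ACTIVE:
        action = "updated"
    else:
        ticket.status = "Open"
        action = "reopened"
    ticket.scan_results.append(sorted(weak_ciphers))  # latest results are always attached
    return action

def demo():
    """Constructed run: one certificate served from two hosts, as in the example above."""
    tickets, serial = {}, "0A1B2C"              # constructed serial number
    weak = ["TLS_RSA_WITH_RC4_128_SHA"]         # constructed finding
    log = [sync_vulnerability(tickets, serial, "example.com", "192.168.0.23", weak),
           sync_vulnerability(tickets, serial, "test.example.com", "192.168.205.35", weak)]
    tickets[("vuln", serial, "example.com", "192.168.0.23")].status = "Resolved"
    log.append(sync_vulnerability(tickets, serial, "example.com", "192.168.0.23", weak))
    log.append(sync_vulnerability(tickets, serial, "test.example.com", "192.168.205.35", weak))
    log += [sync_expiry(tickets, serial), sync_expiry(tickets, serial)]
    return log, len(tickets)
```

A ticket marked Resolved while the weak cipher is still served comes back on the next scan, so closing the ticket without fixing the server does not silence it.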

2. Steps to Integrate Ticketing Systems with Password Manager Pro

Listed below are the ticketing systems currently supported by Password Manager Pro:

  1. ServiceDesk Plus (on-premise)
  2. ServiceNow

2.1 ServiceDesk Plus

  1. Navigate to Admin >> SSH/SSL Config >> Tickets and choose Enable.
  2. Under Help Desks, click ServiceDesk Plus.
  3. Enter the ServiceDesk Plus Technician Key (API Token) and Server URL where the ServiceDesk Plus host is running.
  4. Under Create Tickets, select Create ticket for SSL certificate expiry or Create ticket for SSL vulnerabilities or both, based on your requirement. Click Save.

2.1.i Format for SSL Expiry tickets in ServiceDesk Plus

Subject: SSL Certificate <common name> expiry

Description:

The SSL Certificate <common name> expiring soon, please take care
Common Name: <common name>
Expiry Date: Jul 23, 2020
Scanned by: Password Manager Pro running at https://<PMP server-url>:<port>

2.1.ii Format for SSL Vulnerability tickets in ServiceDesk Plus

Subject: Vulnerabilities for <domain name>

Description:

<Domain Name> (this could be the SAN)
<Common Name> (certificate common name)
<IP Address>
Weak ciphers in use, which should be removed 
<Names of the ciphers found to be weak>

If any vulnerabilities such as OCSP, CRL, HeartBleed, or Poodle are found, then the corresponding Signature Algorithm and expiry date information will also be added here.

Scan Time

Scanned by: Password Manager Pro running at https://<PMP server-url>:<port>

2.2 ServiceNow

  1. Navigate to Admin >> SSH/SSL Config >> Tickets and choose Enable.
  2. Under Help Desks, click ServiceNow.
  3. Enter the ServiceNow User Name, Password, and Server URL where the ServiceNow host is running.
  4. Under Create Tickets, select Create ticket for SSL certificate expiry or Create ticket for SSL vulnerabilities or both, based on your requirement. Click Save.

2.2.i Format for SSL Expiry tickets in ServiceNow

Short Description: SSL Certificate <common name> expiry

Additional Comments:

The SSL Certificate <common name> expiring soon, please take care
Common Name: <common name>
Expiry Date: Jul 23, 2020
Scanned by: Password Manager Pro running at https://<PMP server-url>:<port>

2.2.ii Format for SSL Vulnerability tickets in ServiceNow

Short Description: Vulnerabilities for <domain name>

Additional Comments:

<Domain Name>(this could be the SAN)
<Common Name> (certificate common name)
<IP Address>
Weak ciphers in use, which should be removed 
<Names of the ciphers found to be weak>

If any vulnerabilities such as OCSP, CRL, HeartBleed, or Poodle are found, then the corresponding Signature Algorithm and expiry date information will also be added here.

Scan Time

Scanned by: Password Manager Pro running at https://<PMP server-url>:<port>
