AWS Certificate Manager discovery
- Updated Aug 1, 2024
- Xanadu
- Discovery
Cloud Discovery uses patterns to discover certificate data that AWS Certificate Manager (ACM) manages. Discovering this data requires installing and updating the Discovery and Service Mapping Patterns application and the Certificate Inventory and Management application.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Prerequisites
- Verify the configuration of an AWS account
  - For more information, see Exploring Cloud Discovery
- Verify the installation of the plugins
  - Certificate Inventory and Management (sn_disco_certmgmt), version 3.4.0 or later
- Verify that Cloud Discovery has permissions to discover AWS
  - Run the following commands with the AWS CLI to check that the permissions and policies attached to your active IAM role allow each call (AWS_PAGER='' disables the CLI pager so the output prints directly):
    - List certificates:
      AWS_PAGER='' aws acm list-certificates --region <region>
    - Describe a certificate:
      AWS_PAGER='' aws acm describe-certificate --certificate-arn arn:aws:acm:<region>:<account_id>:certificate/<certificate_id>
    - Get a certificate:
      AWS_PAGER='' aws acm get-certificate --certificate-arn arn:aws:acm:<region>:<account_id>:certificate/<certificate_id>
    - Get tags:
      AWS_PAGER='' aws resourcegroupstaggingapi get-resources --tags-per-page 100 --resource-type-filters 'acm:certificate'
- Set the configuration of the system property
  - When the system property sn_itom_pattern.issuer_certificate_search_by_idn is set to false, Discovery uses certificate fingerprints to find issuers and root issuers.
- Verify the MID Server requirements
  - The MID Server must have either the ALL capability or the AWS capability.
- Verify the configuration of the Cloud Discovery schedule
  - For more information, see Create a discovery schedule in Cloud Discovery Workspace
Verify the REST API Permissions
Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.
Data collected by Discovery during horizontal discovery
Field | Description |
---|---|
Unique Certificates [cmdb_ci_certificate] | |
Name | The host name/domain associated with the certificate. For example, *.service-now.com |
Fingerprint | The hash value of the certificate. For example, d708c8583c78c176d5df1a4f01aac746294e390a03038f280b0d8f5efbc8a0f |
Fingerprint algorithm | The algorithm used to hash the certificate. Discovery calculates fingerprints with the SHA-256 algorithm, so the populated value is: SHA-256 |
Serial Number | The serial number of the certificate. For example, 70 d8 c9 52 77 1c 2d 54 97 00 0e 21 05 84 dd 76 b5 e8 c1 73 |
Subject common name | The host name/domain associated with the certificate. For example, *.service-now.com |
Subject distinguished name | The distinguished name of the entity that the certificate is issued to. The subject distinguished name consists of the following |
Issuer common name | The common name of the certificate issuer. For example, Entrust Certification Authority. |
Issuer distinguished name | The distinguished name of the certificate issuer. The issuer distinguished name consists of the following |
Renewal tracking | Indicates whether to create priority 1 or priority 3 tasks for expiring certificates. Discovery sets Renewal tracking to priority 3 when the system property glide.discovery.certs.enable_renewal_task_creation_for_discovered_certificates is set to true. |
Valid From | The date (UTC) from which the certificate is valid. For example, 2023-09-25 10:43:03 |
Valid To | The expiry date of the certificate (UTC). For example, 2024-09-24 10:43:03 |
Subject organization | The organization (O) that the certificate is issued to. |
Subject organizational unit | The organizational unit (OU) that the certificate is issued to. |
Subject country | The country (C) of the organization that the certificate is issued to. Populated as a two-letter country code. |
Subject state | The region, state (ST), or province of the organization that the certificate is issued to. Populated with a two-letter code. |
Subject locality | The city or location (L) of the organization that the certificate is issued to. |
Subject email | The email address of the organization that the certificate is issued to. |
Issuer | A reference to the entity that signed and issued the certificate. The reference is available if the issued certificate is a part of the same payload. |
Root Issuer | A reference to the root certificate. The reference is available if the issued certificate is a part of the same payload. |
Subject alternative name | The name of the certificate domain record. |
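The following is an added example, not ServiceNow or AWS code, showing how the output of the CLI calls in the prerequisites (describe-certificate, get-certificate, get-resources) maps onto the cmdb_ci_certificate fields in the table above: the SHA-256 fingerprint over the DER encoding, the space-separated serial, the subject attributes pulled from the DN, the UTC validity dates, the Issuer and Root Issuer references resolved by fingerprint from the chain in the same payload, and the priority 3 renewal rule exactly as the page states it. The field names DomainName, Serial, Subject, Issuer, NotBefore, NotAfter, SubjectAlternativeNames, Certificate, CertificateChain and ResourceTagMappingList are the real ACM and Resource Groups Tagging API output names; the DER bytes, ARN, tags and DN values are constructed placeholders, and it is assumed that CertificateChain lists the issuing certificate first and the root last.

```python
"""Added example: map ACM API output onto cmdb_ci_certificate fields.
Not ServiceNow or AWS code; sample inputs below are constructed."""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks_to_der(pem_text):
    """DER bytes of each certificate in a PEM payload, in the order they appear."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der):
    """The Fingerprint field: lowercase hex SHA-256 over the DER encoding."""
    return hashlib.sha256(der).hexdigest()


def format_serial(acm_serial):
    """ACM returns Serial as colon-separated hex; the CMDB shows it space-separated."""
    return " ".join(part.lower() for part in acm_serial.split(":"))


def format_utc(timestamp):
    """ISO 8601 timestamp from the CLI -> 'YYYY-MM-DD HH:MM:SS' in UTC."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # assume UTC when no offset is present
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def rdn_value(distinguished_name, attr):
    """One attribute (CN, O, OU, L, ST, C) of an 'A=B,C=D' DN string.
    Naive split: values containing escaped commas are not handled."""
    for part in distinguished_name.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == attr:
            return value.strip()
    return None


def tags_for_arn(get_resources_output, arn):
    """Key/value pairs attached to one certificate ARN (the cmdb_key_value CIs)."""
    for mapping in get_resources_output.get("ResourceTagMappingList", []):
        if mapping.get("ResourceARN") == arn:
            return {t["Key"]: t["Value"] for t in mapping.get("Tags", [])}
    return {}


def build_record(detail, payload, renewal_task_property=False):
    """cmdb_ci_certificate fields from describe-certificate (detail) and
    get-certificate (payload). Issuer / Root Issuer are fingerprints of chain
    members and exist only when the chain is part of the same payload."""
    chain = pem_blocks_to_der(payload.get("CertificateChain", ""))  # assumed issuer-first
    leaf = pem_blocks_to_der(payload["Certificate"])[0]
    subject = detail.get("Subject", "")
    return {
        "name": detail["DomainName"],
        "fingerprint": sha256_fingerprint(leaf),
        "fingerprint_algorithm": "SHA-256",
        "serial_number": format_serial(detail["Serial"]),
        "subject_common_name": rdn_value(subject, "CN") or detail["DomainName"],
        "subject_distinguished_name": subject,
        "issuer_common_name": detail.get("Issuer"),
        "subject_organization": rdn_value(subject, "O"),
        "subject_organizational_unit": rdn_value(subject, "OU"),
        "subject_country": rdn_value(subject, "C"),
        "subject_state": rdn_value(subject, "ST"),
        "subject_locality": rdn_value(subject, "L"),
        "subject_alternative_name": list(detail.get("SubjectAlternativeNames", [])),
        "valid_from": format_utc(detail["NotBefore"]),
        "valid_to": format_utc(detail["NotAfter"]),
        "issuer": sha256_fingerprint(chain[0]) if chain else None,
        "root_issuer": sha256_fingerprint(chain[-1]) if chain else None,
        # the page states only the priority 3 rule for this system property
        "renewal_tracking": "priority 3" if renewal_task_property else None,
    }


# ---- constructed sample input (placeholders, not real certificates) ----
LEAF_DER = b"constructed leaf certificate bytes"
INTERMEDIATE_DER = b"constructed intermediate certificate bytes"
ROOT_DER = b"constructed root certificate bytes"


def to_pem(der):
    """Wrap DER bytes as a PEM block, the form ACM returns."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_ARN = "arn:aws:acm:<region>:<account_id>:certificate/<certificate_id>"
SAMPLE_DETAIL = {  # shape of `aws acm describe-certificate` -> Certificate
    "CertificateArn": SAMPLE_ARN,
    "DomainName": "*.service-now.com",
    "SubjectAlternativeNames": ["*.service-now.com", "service-now.com"],
    "Serial": "70:d8:c9:52:77:1c:2d:54:97:00:0e:21:05:84:dd:76:b5:e8:c1:73",
    "Subject": "CN=*.service-now.com,O=Example Org,L=Santa Clara,ST=CA,C=US",
    "Issuer": "Entrust Certification Authority",
    "NotBefore": "2023-09-25T10:43:03+00:00",
    "NotAfter": "2024-09-24T10:43:03+00:00",
}
SAMPLE_PAYLOAD = {  # shape of `aws acm get-certificate`
    "Certificate": to_pem(LEAF_DER),
    "CertificateChain": to_pem(INTERMEDIATE_DER) + to_pem(ROOT_DER),
}
SAMPLE_TAGS = {  # shape of `aws resourcegroupstaggingapi get-resources`
    "ResourceTagMappingList": [
        {"ResourceARN": SAMPLE_ARN, "Tags": [{"Key": "env", "Value": "prod"}]}]
}

if __name__ == "__main__":
    record = build_record(SAMPLE_DETAIL, SAMPLE_PAYLOAD, renewal_task_property=True)
    record["tags"] = tags_for_arn(SAMPLE_TAGS, SAMPLE_ARN)
    for field, value in record.items():
        print(f"{field}: {value}")
```

Running the script prints one line per CMDB field. Because the fingerprint is taken over the DER bytes, the same certificate imported into two accounts or regions yields the same Fingerprint value, which is what lets Discovery resolve Issuer and Root Issuer references by fingerprint when sn_itom_pattern.issuer_certificate_search_by_idn is false; when the payload carries only the leaf (no CertificateChain), both references stay empty, matching the "part of the same payload" condition in the table.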
CI relationships
The Amazon AWS - Certificates Manager pattern and the Amazon AWS - Collect Certificates Tags shared library support the discovery of the following relationships:
CI | Relationship | CI |
---|---|---|
Unique Certificate [cmdb_ci_certificate] | Hosts::Hosted on | AWS Datacenter [cmdb_ci_aws_datacenter] |
Unique Certificate [cmdb_ci_certificate] | Hosts::Hosted on | Cloud Service Account [cmdb_ci_cloud_service_account] |
Key Value [cmdb_key_value] | Reference | Unique Certificate [cmdb_ci_certificate] |