Managing SSH/SSL Schedules

Create scheduled tasks to automatically carry out operations such as SSH resources and SSL certificates discovery, key rotation, and report generation at periodic intervals.

  1. Add Schedules
  2. Edit Schedules
  3. Enable/Disable Schedules
  4. Delete Schedules

1. Add Schedules

Follow the below steps to add a schedule:

  1. Navigate to the Schedule tab in the GUI and click Add Schedule.
  2. Enter the Schedule Name.
  3. In the Type drop-down, select the type of schedule. The following are the types of schedules available.

i. Key Rotation

Schedule the rotation of SSH keys assigned to user accounts.

Choose between Specific Keys or Key Group or User Group and select the keys that are to be scheduled for rotation. If keys are not assigned but are scheduled to rotate, schedule rotation will fail and an error message will be displayed in the Schedule audit and the Audit tabs in the GUI.

You can automatically push the key files (private key, public key or both the private and public keys) onto its associated users by enabling the 'Push private key file to remote user account' and/or 'Push public key file to remote user account' option, instead of pushing the key files manually after every scheduled rotation. Here, you can also select to Use keyname as filename.

ii. SSH Discovery

Schedule the discovery of SSH resources using this option. You can Discover your certificates by IP Address or Subnet or From File. If you choose to Discover by IP address, specify the Start and End IP addresses of the resources to be discovered. You can also mention the IP Addressed that are to be excluded. Also specify the Port used by the end terminals for SSH communication.

iii. SSL Discovery

Schedule the discovery of SSL certificates using this option.

  1. If you select Agent, you can choose between the available agents. Select Discover by IP Address Range to specify the StartIP and End IP addresses. 
  2. Select Subnet to mention the IP Address and the ports to be checked for deployed SSL certificates. You can also select From file to upload a schedule.
  3. If you select Load Balancer, enter the Server Name, Port, User Name, Credential Type, Password, and Path. Choose the required load balancer from the Type drop-down: General, BIG-IP F5, Citrix, or FortiGate Firewall. To perform Citrix discovery using the Citrix REST API commands, select the checkbox Use REST API (By default KMP uses CLI commands for discovery and fetching certificates).
  4. Select the Bypass Proxy Settings checkbox to bypass proxy server settings during the discovery operation. This option is applicable for the IP Address Range, Subnet, and From File modes, as well as for the Type - Citrix discovery when the Use REST API (By default, KMP uses CLI commands for discovery and fetching certificates) option is selected and FortiGate Firewall.
  5. Choose the Shared Path - Windows/Linux/MacOS option to schedule a discovery operation for a specific directory path.
  6. Select the Agent checkbox to schedule an SSL discovery through the Key Manager Plus agent. You can perform two modes of discovery through the agent: IP Address Range and Shared Path - Windows/Linux/Mac OS.

iv. AD User Certificate Discovery

Schedule the discovery of SSL certificates from active directory - basically, the certificates belonging to various users in Active Directory could be fetched into KMP using this option.

  1. Select the Domain Name or click New Domain to add a New Domain Name.
  2. Mention the Primary and Secondary Domain Controller.
  3. Select the Connection Mode (No SSL / SSL) and enter the user credentials.
  4. Click Fetch Groups & OUs and select the required user accounts / OUs in which certificate discovery has to be performed.

v. MS Certificate Store Discovery

Schedule the discovery of SSL certificates from Microsoft Certificate Store and certificates issued by Microsoft Certificate Authority and Certificate Store using this option.

1. Choose a type from the drop-down:
i. Microsoft Certificate Authority: Mention the server credenials. Alternatively, select an Agent to select the required agent from the list of available agents.
ii. Certificate Store: You can schedule discovery of certificates issued by the Certificate Store in three ways: using Server Name, using the IP Address Range, from a text file containing a list of IP Addresses/Hostnames.

a. Using Server Name - Enter the name of the Server where you require Key Manager Plus to scan for certificates.

b. Using IP Address Range - Enter the Start and End IP addresses to scan the IP range specified.

c. From File - Click Browse and import a text file with a list of hostnames/IP addresses. To achieve this, upload a text file (in the .txt format) with the hostnames or IP addresses of the devices to be scanned. Ensure that the hostnames/IP addresses are listed line-by-line as shown below:

242.209.75.62
123.243.229.41

2. Enter the User credentials or select the checkbox to Use Key Manager Plus service account credentials for authentication.

3. For certificates issued by Microsoft Certificate Authority, you can fine tune your discovery based on certificate issue date, certificate revocation / expiration statuses, and certificate templates. You can select upto five certificate templates for your discovery operation.

vi. SSL Vulnerability

Schedule periodic vulnerability scan on selected or all SSL certificates in Key Manager Plus repository.

  1. Select Specific Certificates or Certifiate Groups on which the vulnerability scan is to be performed at regular intervals of time, and specify an e-mail id to which notification is to be sent after every scan.
  2. Select the checkboxes Include SAN and Only Deployed Servers to perform vulnerability scan for SAN and the deployed servers available in Key Manager Plus also.

vii. SSL Expiry

Schedule expiry alert notifications for SSL certificates.

  1. Select the Specific SSL certificates or Certificate Groups that are to be tracked for expiry.
  2. Schedule the scan at required intervals of time and specify the number of Days to expiry before which the email notification should be sent. 
  3. Choose to receive notifications either Daily or Customize your notifications. 
  4. If you choose to Customize, set the Interval (in days) to notify about the to-be-expired certificates
  5. Select the Email certificates on every schedule if expiry is less than option if you want to receive notifications on all schedules irrespective of the above-set interval.

viii. Reports

Schedule the reports to be generated and sent to the email address specified. All the reports generated by Key Manager Plus can be scheduled to be sent to email addresses using this option. You can Select Specific Certificates or Certificate groups and move the required certificates to the Selected Certificates column using the arrow keys to generate reports for selected certificates.

  1. Select the recurrence type as - hourly, daily, weekly, monthly, or once only. Set the starting time, date, or day, corresponding to the option chosen.
  2. Enter the email addresses of the users to be notified. The server authentication settings can be specified in the Settings >> Mail Server Settings tab in the GUI.
  3. Customize the notification emails by adding an email subject of your choice. To tailor the body of the email further, add custom email content, and a unique signature.

For SSL Expiry schedules, select the following options to tailor the scan results that are sent in email. The following preferences are saved only for email and will not change how scheduled scan results appear in the Audit

  1. Include auto-renewal certificates in email notification - Certificates that will be auto renewed will be included in the email notifications.     
  2. Exclude expired certificates from email notifications - Certificates that are already expired in the repository will be excluded from the email notifications.
  3. Include multiple servers list for certificates - Enabling this option will includes the multiple server lists of the SSL certificates in the notification email of the SSL expiry schedule.
  4. Send a separate email per certificate - Every expired certificate will be sent as a separate email with a unique subject.

Select the Report Format as desired: PDF, CSV or HTML.

Click Save. Now, you have successfully added a new schedule. 

To execute a schedule, click the execute schedule icon beside the respective schedule.

Note: The result of the schedule execution will get updated in the Schedule audit and also in the respective operation audits.


2. Edit Schedules

To edit a schedule:

  1. Navigate to the Schedule tab in the GUI.
  2. Click the name of the schedule you would like to edit.
  3. You will be redirected to the Edit Schedule window. You can edit all the details of the schedule except its name and type.
  4. Click the Update button to save any modifications.

3. Enable/Disable Schedules

The schedules can be enabled or disabled anytime. Use the disable option to stop the execution of a schedule temporarily without deleting it. When re-enabled, the schedule again starts its periodic execution.

To enable or disable a schedule execution:

  1. Navigate to the Schedule tab in the GUI.
  2. Select the schedules and click the Enable Schedule or Disable Schedule button. You will get a confirmation that the schedule has been enabled or disabled successfully.

Note: The schedules set to run only once cannot be enabled if they have already been executed. Modify the schedule to enable it.


4. Delete Schedules

To delete a schedule:

  1. Navigate to the Schedule tab in the GUI.
  2. Select the schedules to be deleted.
  3. Click the Delete Schedule button.
  4. Click Ok in the confirmation pop-up window.

You will get confirmation that the schedules have been deleted successfully.
Top
Home »