Process to Update/Create Certificates from Ports Scan "Shazzam" with no IRE

Summary

ServiceNow Certificate Discovery has 2 methods:

1. IP Based Discovery: at Phase 1 (Shazzam), if the "tls_ssl_certs" port is open and the certificate is captured, a CI is updated or created in the "cmdb_ci_certificate" table.
2. ServiceNow Certificate Inventory and Management

Certificate Inventory and Management updates the CI using the IRE, but Certificate Discovery through port scan does not use the IRE. This article explains the process (scripts/business rules) by which IP Based Discovery updates the "cmdb_ci_certificate" table without the IRE.

Release

Any

Instructions

Certificate Discovery through port scan does not use the IRE. It checks whether a certificate with the same fingerprint exists in the same sys_domain.
If yes, it updates the certificate. If no match is found on the fingerprint, it checks whether a certificate exists with the same subject_distinguished_name, issuer_distinguished_name, valid_to and serial_number. If a match is found on these fields, the certificate is updated; otherwise a new record is created.

Many scripts are involved in updating the certificate. The logic that decides whether to update an existing certificate record or create a new one is in the getOrCreateCertificate() method of the DiscoveryCertificateManagementUtils script include. The updateStateAttrIfCertExists() method of the PopulateCmdbCiCertificate script include calls getOrCreateCertificate() and returns true for a new record and false for an existing record. Existing records are updated, and insert is called on new GlideRecords.

Process Theory

1. Discovery is executed on an IP and Shazzam performs the ECC output.
2. The Shazzam ECC input payload is received; it shows the "tls_ssl_certs" port open and carries the captured unique certificate.
3. The unique certificate in the payload is stored in the Certificate History table (sn_disco_certmgmt_certificate_history).
   https://<Instance_Name>.service-now.com/sn_disco_certmgmt_certificate_history_list.do
4. Once the data is populated in "sn_disco_certmgmt_certificate_history", depending on the data received, the Sys Event Script "Discovery-CertificateCaptured" actions the payload.
   https://<Instance_Name>.service-now.com/nav_to.do?uri=sysevent_script_action.do?sys_id=948c4c9777123300b5bd1c3faa106112
5. The payload is now processed and the "PopulateCmdbCiCertificate" script include is called to process the attributes.
   https://<Instance_Name>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=a4d8ecef77923300b5bd1c3faa1061e8
6. The attributes processed by "PopulateCmdbCiCertificate" are passed to the certificate utility "DiscoveryCertificateManagementUtils", which reviews the data and decides whether to update or create the CI.
   https://<Instance_Name>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=84a4d5646722330022646c706785ef5d

Primary Identification:
Secondary Identification:

Match Not Found = YES >> Create the CI
Match Not Found = NO >> Update the CI
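
The decision flow described above, modelled in plain JavaScript as an added example (it is not ServiceNow's script include code and not part of the original article). The in-memory `table` array, the `findExisting` and `runScenario` helpers and all sample values are assumptions for illustration; the secondary match is written without a domain filter because the article does not state one.

```javascript
// Added illustration: in-memory model of the two-stage match described above.
// `table` stands in for cmdb_ci_certificate; every sample value is constructed.
const SECONDARY_KEYS = ['subject_distinguished_name', 'issuer_distinguished_name',
  'valid_to', 'serial_number'];

function findExisting(table, cert) {
  // Primary identification: same fingerprint within the same sys_domain.
  const primary = table.find(r =>
    r.fingerprint === cert.fingerprint && r.sys_domain === cert.sys_domain);
  if (primary) return { record: primary, matchedOn: 'primary' };
  // Secondary identification: all four attributes must be equal.
  // Assumption: no domain filter, because the article does not state one.
  const secondary = table.find(r => SECONDARY_KEYS.every(k => r[k] === cert[k]));
  if (secondary) return { record: secondary, matchedOn: 'secondary' };
  return { record: null, matchedOn: 'none' };
}

// Returns true when a new record is inserted and false when an existing one
// is updated (the convention the article gives for updateStateAttrIfCertExists()).
function getOrCreateCertificate(table, cert) {
  const { record } = findExisting(table, cert);
  if (record) {
    Object.assign(record, cert); // update the existing CI in place
    return false;
  }
  table.push({ ...cert }); // insert a new CI
  return true;
}

function runScenario() {
  const table = [];
  const seen = { // constructed certificate attributes
    fingerprint: 'aa11', sys_domain: 'global',
    subject_distinguished_name: 'CN=app.example.test',
    issuer_distinguished_name: 'CN=Example Test CA',
    valid_to: '2026-01-01 00:00:00', serial_number: '01'
  };
  const renewed = { ...seen, fingerprint: 'cc33', serial_number: '02',
    valid_to: '2027-01-01 00:00:00' };
  const created = [
    getOrCreateCertificate(table, seen),                             // first sighting
    getOrCreateCertificate(table, { ...seen }),                      // rescan: primary match
    getOrCreateCertificate(table, { ...seen, fingerprint: 'bb22' }), // secondary match
    getOrCreateCertificate(table, renewed)                           // no match: new CI
  ];
  return { created, rows: table.length };
}
console.log(runScenario());
```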