Creating a new Onboard Discovery job

When configuring onboard discovery jobs, you can select any number of device objects from the Policy tree. Alternatively, you can choose to recursively search a folder for device objects to add before any job begins the actual process of scanning.

TIP  Before you create your onboard discovery job, make sure that you've carefully reviewed Onboard Discovery prerequisites.

To create a new Onboard Discovery job

  1. From the TLS Protect menu bar, click ConfigurationJobs.

    (Optional) To filter the Jobs list by one or more specific job types, use the Job Type filter. See Filtering the Jobs list by job type.

  2. Click + Create New Job to start the Create New Job wizard.

  3. On the Create New Job page, click Onboard Discovery, and then click Start.

  1. Under Job Details, in the Name field of the New Onboard Discovery Job page, type a name for your new onboard discovery job.

  2. (Optional) In the Description field, type a description that describes the purpose for your new job.

    A strong description can be useful in helping other administrators better understand the purpose of your new object (such as certificates, jobs, credentials, devices, trust stores, etc.), or to remind yourself later why you created it.

  3. (Optional)In the Contacts field, begin typing the name a user name to specify one or more contacts for your new job.

    To add multiple contact names, press Enter after finding each name.

  4. From the Installation Type list, select one of the available types.

    Continue by viewing the configuration details for the installation type you chose:

    • (Optional) If you want to enhance troubleshooting capabilities of your Adaptable Onboard DiscoveryAdaptable Flow, select the Enable Debug Logging check box.

      For information about how enabling this option works with the PowerShell script, see About debug logging in the Adaptable ApplicationAdaptable Flow PowerShell script reference.

      For the Adaptable installation type, if you want to enhance troubleshooting capabilities of your Adaptable Log Channel implementation, select the Enable Debug Logging check box.

      You should have already created your PowerShell script and placed it in the correct folder. If you haven't done that yet, stop here and review Specific requirements and Adaptable Onboard Discovery sample script.

    • If you selected Amazon Web Services, then from the Amazon Credentials field, select an Amazon Credential.

      If you don't see your credential in the list, type the first few characters of the credential's name.

      For information about creating your credential, see About Amazon credentials.

      (Optional) Select Do not discover binding targets (ELB, ALB, CloudFront) if you want Trust Protection Platform to skip the discovery of binding targets such as Elastic Load Balancers, Application Load Balancers, and Cloud Front.

      NOTE Only load balancers with 'Load Balancer Protocol' set to HTTPS will be discovered.

    • If you selected Azure Key Vault, do the following: 

      • Click the Azure Certificate Credential field to select an Azure credential.

        If you don't see your credential in the list, type the first few characters of the credential's name.

        TIP  If you're not sure about your Azure Key Vault credential, you might have missed that step.

      • Copy and paste your application ID into the Azure Application ID field.

    • If you selected CAPI (IIS Bindings) as the application type, then using the fields that appear when you selected this type, do the following:

      • In the WinRM Port field, type the WinRM port number.

        The default setting is 5986.

      • (Optional) Select Extract private keys with certificates when possible if you want Trust Protection Platform to attempt to extract private keys from the device along with certificates and store them with the same object.

        When this option is enabled, a warning event is logged whenever a private key cannot be extracted.

        NOTE  Private keys can only be extracted if they are not stored inside a hardware security module (HSM) and are exportable.

        TIP  If you intend keys to be generated remotely on the device—and therefore not accessible by Trust Protection Platform users—then you don't likely need this option.

        DID YOU KNOW?  During an onboard discovery, Trust Protection Platform only imports the private keys for certificates that do not already exist in the Policy folder. In cases where you need to extract the private key for a certificate that already exists in the Policy folder, then delete the existing certificate from that folder and re-run the onboard discovery job.

    • Citrix NetScaler

      If you selected Citrix NetScaler as the profile type, then using the fields that appear when you selected this type, do the following:

      • From the Certificates to Import list, select the certificate types to import (Only Virtual Servers, Only Gateway Virtual Servers, Only Services and Groups, or All).

        DID YOU KNOW?  Trust Protection Platform22.2 added support for discovery of virtual servers, services, and service groups in admin partitions.

      • In the Keystore and Private Key Credentials field, select the password credentials required for any PFX files that might be encountered.

        This option is also used to decrypt password-encrypted private keys when they're encountered, if you also enable Extract private keys with certificates when possible option.

      • (Optional) Select Extract private keys with certificates when possible if you want Trust Protection Platform to attempt to extract private keys from the device along with certificates and store them with the same object.

        When this option is enabled, a warning event is logged whenever a private key cannot be extracted.

        NOTE  Private keys can only be extracted if they are not password encrypted, can be decrypted using one of the passwords assigned to Keystore and Private Key Credentials of the job, or not stored inside a hardware security module (HSM).

        TIP  If you intend keys to be generated remotely on the device—and therefore not accessible by Trust Protection Platform users—then you don't likely need this option.

        DID YOU KNOW?  During an onboard discovery, Trust Protection Platform only imports the private keys for certificates that do not already exist in the Policy folder. In cases where you need to extract the private key for a certificate that already exists in the Policy folder, then delete the existing certificate from that folder and re-run the onboard discovery job.

    • If you selected F5 LTM Advanced, then using the fields that appear when you selected this type, do the following:

      • From the Certificates to Import list, select the certificate types to import (server, client, or both).

      • In the Port field, type the port number.

        The default setting is 443.

      • (Optional) Select Extract private keys with certificates when possible if you want Trust Protection Platform to attempt to extract private keys from the device along with certificates and store them with the same object.

        When this option is enabled, a warning event is logged whenever a private key cannot be extracted.

        NOTE  Private keys can only be extracted if they are not password encrypted nor stored inside a hardware security module (HSM).

        TIP  If you intend keys to be generated remotely on the device—and therefore not accessible by Trust Protection Platform users—then you don't likely need this option.

        DID YOU KNOW?  During an onboard discovery, Trust Protection Platform only imports the private keys for certificates that do not already exist in the Policy folder. In cases where you need to extract the private key for a certificate that already exists in the Policy folder, then delete the existing certificate from that folder and re-run the onboard discovery job.

      • (Optional) Select Disable certificate installations not in use so when the next F5 onboard discovery job runs, it will disable and make obsolete the previously-discovered certificate installation, which no longer corresponds with the newly-discovered F5 configuration. The certificate installations are renamed and still exist in Trust Protection Platform.

        Use case: An example for using this option is when you have a discovery on certificate installations, and another team responsible for F5 management manually switches an SSL profile associated with a virtual server to a different virtual server. On the next discovery, the F5 Discovery Job discovers the new SSL profile and certificate. If this option is left unchecked, Trust Protection Platform maintains the previous certificate installation, which no longer exists in the F5 environment. If the prior certificate is then auto-renewed, it will be provisioned to the F5 environment, updated, and configured on the virtual server. This action will effectively reverse the change made by the F5 team.

    • If you selected IBM WebSphere DataPower as the profile type, then using the fields that appear when you selected this type, do the following:

      • From the Configurations to Import list, select the configuration types to import (TLS Client Profile, TLS Proxy Profile, TLS Server Profile, or Crypto Identification Credentials).

      • In the REST Port field, type the port that Trust Protection Platform should use to communicate with your appliance.

        The default HTTPS/REST port assignment is port 5554, which applies to the REST API.

  5. Click Next.

  6. Depending on which installation type you selected, then on the Targets page, do one of the following:

    1. (Conditional) If you selected any installation type other than Amazon Web Services or Azure Key Vault, then in the Devices to Scan field, select the devices that you want scanned, and then continue to the next step.
    2. (Conditional) If you selected Amazon Web Services as the installation type, then in the Account IDs to scan field, type (or copy in) one or more AWS account IDs, press Enter after each ID, and then skip down to the Placement Rules step.
    3. (Conditional) If you selected Azure Key Vault as the installation type, type your tenant ID in the Azure Tenant ID field, and then skip down to the Placement Rules step.

  7. (Conditional) If you haven't yet created device objects, click Create New Devices and then do one of the following:

    1. If you already have the required credential, click Create New Device Only and do the following:

      1. In the Device Addresses filed, type one or more new device addresses.

        TIP  When working with many devices, you can copy and paste all of the addresses into this field at once, provided that you include commas between each address.

      2. In the Device Folder field, begin typing the name of the folder where you want the devices placed and select a folder.
      3. In the Credential field, begin typing the name of the credential to use and then select it.
      4. When you're finished, click Save.
    2. If you haven't yet created devices or credentials, click Create New Device and New Credentials, and then do the following:
      1. In the Device Addresses filed, type one or more new device addresses.
      2. In the Device Folder field, begin typing the name of the folder where you want the devices placed and select the folder.
      3. In the Credential Name field, type a unique name for your new credential.
      4. In the Credential Folder field, begin typing the name of the folder where you want the devices placed and select the folder.
      5. In the Password fields, type a password twice to confirm, and then click Save.

  8. (Optional)(Conditional) If you have a specific folder where all of your devices are located, then select a folder from the Scan all devices located in this folder (and its subfolders) field.

    All sub-folders of the folder you select are also scanned.

  9. Click Next.
  10. Under Placement Rules, do one of the following:

    • (Conditional) If you selected Amazon Web Services or Azure Key Vault, select the folder where you want discovered certificates and applications to be placed, and then click Next.

      IMPORTANT  If a certificate is assigned to a web application but there is no Azure Key Vault available, the Azure Key Vault name value of the associated application object is left empty. In this case, in order to provision successfully after onboard discovery job runs, you'll need to set that value manually.

    • (Conditional) If you're configuring any other installation types besides Amazon Web Services or Azure Key Vault select one of the following methods for placing newly discovered certificates:
      • Select With this device if you want all newly discovered certificates placed in the same folder where the device is located.
      • Select In this folder if you want to select an existing folder where Trust Protection Platform should place all newly discovered certificates.
    • If you're configuring for Amazon Web Services, placement targets must be unique for each AWS Onboard Discovery job that runs concurrently in the Amazon Web Services section.
  11. On the Occurrence page, specify when you want the new job to run, and then either click Create & Run to save your changes and run the job immediately, or click Create Job if you plan to run the job at a later time (or have scheduled it to run later).
  12. Click Save.

Related Topics Link IconRelated Topics