Ownership Management
SecTrail Certificate Manager provides the ability to automatically assign ownership to certificates based on server or certificate attributes. This ensures alarms and notifications are directed to the right teams and individuals.
Overview
With the ownership management system, you can:
- Assign ownership based on server IP addresses or certificate attributes
- Automatically update discovery lists with ownership information
- Direct alarms to relevant teams
- Integrate with external inventory systems via API
- Define ownership rules using regex patterns
Ownership Components
Ownership Groups
Ownership Groups define the teams or individuals responsible for certificates. Each group consists of:
- Group Name: A unique identifier for the group
- Email Addresses: One or more email addresses to receive notifications

Creating an Ownership Group
- Go to the Ownership Groups section
- Click the Create Group button
- Enter the following information:
  - Group Name: A descriptive name for the team or group
  - E-mail Address: Add one or more email addresses using the "Add More" button
- Click the Submit button to create the group

Ownership Profiles
Ownership Profiles define rules that determine which certificates or servers belong to which ownership group. You can create profiles based on the following criteria:
- Network-based discovery (IP addresses)
- Certificate attributes (subject, issuer, SAN, etc.)

Creating an Ownership Profile
- Go to the Ownership Profiles section
- Click the Create button
- Configure the following fields:

  Basic Information:
  - Name: A descriptive name for the profile
  - Discover Type: Select either Network or DataPower
  - Rule Type: Select the matching method (Regex, Service)
  - Type: Select the attribute to match (Subject, IP Address)
  - Condition: Select the matching condition (contains, equals)
  - Regex: Enter the regex pattern to match. You can add multiple patterns with "Add More"
    - Example for certificates: CN=example.com.tr,OU=Security...
    - Example for IP addresses: 192.168.1..*

  Group Assignment:
  - Ownership Groups: Select the ownership group to assign when the rule matches

  Use Certificate Email:
  - Utilize the email address found in the certificate:
    - Enable: Use email addresses found in the certificate
    - Disable: Use only ownership group emails

  Priority:
  - Specify the priority level for this rule (1 = highest priority)
  - When multiple rules match, the rule with the highest priority is applied
- Click the Submit button to create the profile
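
The following is an added example, not SecTrail CM code. It models how regex rules and priorities resolve an owner, and shows that the IP pattern above, entered as written with unescaped dots and no anchoring, also claims addresses outside 192.168.1.x and can outrank a more specific rule. The Rule class, group names, sample addresses, and the mapping of "contains" to a regex search and "equals" to a full match are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str      # regex, as entered in the profile's Regex field
    condition: str    # "contains" or "equals"
    group: str        # ownership group assigned on match
    priority: int     # 1 = highest priority

def matches(rule: Rule, value: str) -> bool:
    # Assumption: "contains" is a regex search anywhere in the value,
    # "equals" requires the whole value to match the pattern.
    rx = re.compile(rule.pattern)
    if rule.condition == "equals":
        return rx.fullmatch(value) is not None
    return rx.search(value) is not None

def resolve_owner(rules, value):
    """Return the group of the matching rule with the lowest priority number."""
    hits = [r for r in rules if matches(r, value)]
    return min(hits, key=lambda r: r.priority).group if hits else None

# Constructed rule sets: the page's IP pattern as written vs. an escaped form.
LOOSE = [Rule("net-loose", r"192.168.1..*", "contains", "network-team", 1),
         Rule("dmz", r"192\.168\.100\.\d{1,3}", "equals", "dmz-team", 2)]
STRICT = [Rule("net-strict", r"192\.168\.1\.\d{1,3}", "equals", "network-team", 1),
          Rule("dmz", r"192\.168\.100\.\d{1,3}", "equals", "dmz-team", 2)]

# Constructed sample addresses standing in for a discovery run.
SAMPLES = ["192.168.1.20", "192.168.100.7", "10.192.168.15", "172.16.0.4"]

def audit(rules, samples=SAMPLES):
    """Map each sample address to the ownership group that would be notified."""
    return {ip: resolve_owner(rules, ip) for ip in samples}

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(label, audit(rules))
```

With the loose rule, alarms for 192.168.100.7 and 10.192.168.15 go to network-team; with the escaped, full-match rule they go to dmz-team and to no group respectively, which makes unowned hosts visible instead of silently misrouted.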

Ownership Service Profiles
If your organization has its own inventory system and stores ownership information in that system, you can integrate SecTrail CM with your own API. With this integration:
- SecTrail CM calls the API you provide to automatically query ownership information for discovered certificates
- Your technical team prepares an API endpoint in your own inventory system
- Ownership information is synchronized with SecTrail CM via the API
- No manual ownership assignment is required

Creating an Ownership Service Profile
- Go to the Ownership Service Profiles section
- Click the Create button
- Enter the following integration information:
  - Name: A descriptive name for the service profile (e.g., "CMDB API", "Inventory System")
  - URL: Your inventory system's API endpoint address (e.g., https://cmdb.yourcompany.com/api/ownership)
  - Username: API authentication username (credential information)
  - Password: API authentication password (credential information)
- Click the Submit button to create the service profile
You need to contact your technical team to prepare an API endpoint in your own inventory system that SecTrail CM can query. The API should receive certificate information and return the relevant ownership group.