Product Demo – Difenda Machine Identity Protection for ServiceNow | Venafi

What I’ll do in the next couple of minutes is just give you an overview of what the app looks like and just walk through a couple of the transactions or processes that can be carried out through the app. Now, as you’re seeing over here, there is a default dashboard that’s available, and this is also configurable – there are other specific widgets that can be configured and set up, but, you know, here’s a technical one, which was, you know, when certificates are expiring over the next couple of weeks, and also, for individuals – whether you’re certificate requesters or approvers – a summary of what’s available in your queue: are there requests waiting to be approved for issuance, for installations, for renewals and so on. So the key things that are – the key processes that are supported through this integration app are, of course, to create a new request – a request for a new certificate; or you can also process renewals through the app; and then also be able to revoke a certificate; and then retire a certificate, or, in other words, you know, not monitor that certificate and keep track of it – essentially that’s what a retired certificate is.

So I just want to do a quick demo of how to request a new certificate, and there are two things that you will notice over here. One: when you request a certificate, you’re always identifying which is the business application that’s consuming the certificate. So, in my demo environment I’m kind of, you know, doing this example where we have an HRIS business application – ultimately it’s that application and its different system components that are consuming the certificate – and the certificate is always going to be mapped back. Now, you know, we identified this group called an assignment group, or a support group, or an operational group, and different companies will call it different names, but for us this is the group of users that will be the certificate custodian. And they will be responsible for identifying the need for the certificate, making sure that the correct information is provided, and knowing where it’s going to be installed and so on. And then there is also an approval group, and that is both a segregation of duties – when you have an ops group and they have to carry out certain tasks, you know, there is a review and an approval – and, finally, also a business owner for this certificate. Now, all of this information in terms of support group, approval group, business owner is automatically picked up from the organization’s CMDB when they choose a specific business application, right? Similar to Venafi, you can also specify how this certificate should be managed – whether it is just that the user makes a request and Venafi issues a certificate, and that’s what enrollment’s about, or do we want to leverage the automation capabilities of Venafi and have Venafi deploy the certificate onto a Java key store or Windows IIS server or an F5, which will serve, and so on, okay? Again, some other questions in terms of identifying what the certificate’s for, and is it an internal/external server, and then also identifying what kind of a certificate is requested. For example, information about the certificate, so it can be managed effectively on an ongoing basis.

So I’m just going to go ahead and just create a cert, and this is information that you’re typically used to handling when you create a certificate request, and that’s to provide the name, the OU, the organization, city, state. Now, in one of the previous slides we did look at how PKI administrators can implement certain policies on the Venafi system, and we’ve replicated the whole thing over here by adding – making use of organization values and making use of other properties, such as location, and all of this comes from the CMDB. The other main feature of this integration app is that it links with your server’s CMDB, and you can identify servers from your list of currently configured servers and, when a server is selected, you know, the IP addressing associated with that, the location – all of that information is automatically taken and then used for creating the objects in Venafi. And of course you can also identify what kind of a key store should be – will be used to deploy the certificate to, and this is very similar to what we see in Venafi, right? Other properties you have in terms of key size, encryption algorithm – again, these are all things that we would configure on the basis of a company-wide policy, and we don’t have to have the users worry about those things, and they don’t have to enter that. And the process that typically happens is the certificate requester would submit this request, and then the request would be automatically sent to whoever’s specified as part of the approval group, and members of the approval group will then approve the request, assuming that everything is correct – and then the app will then connect to Venafi and create the required policy folders, create the device, the application objects, and submit it for enrollment.

The same capability is also available when you want to create a certificate, but this time, you know, because of a special circumstance, you want to upload a CSR. The key pair is not going to be created on Venafi. So requesting a certificate using a CSR is also supported, so all you need to do is indicate that “yes, there’s a CSR that’s going to be submitted” and you have the CSR available, and upload the CSR and then provide the other information. And then the rest of the process is to identify which device it is going to go on, what kind of key store it’s going to go on, provide the information and then submit. So requesting certificates through CSRs is also supported.

Now, once that entire request is submitted and all of the integration activities happen, the user will get a notification that the certificate is available for download, and typically will have this download certificate option available. And when we do the download certificate … even a number of potential formats are supported, and then the certificate is retrieved from Venafi TPP. Now, again, it’s important to note that while carrying out this activity there’s no information cached anywhere, so a copy of the certificate and key is not going to be brought over to ServiceNow and stored there. All of this is within the same session, and there is no private key that’s stored anywhere within ServiceNow. And so you see over here that I’m able to download the certificate, and then, from a process perspective, the user just needs to check this checkbox to confirm that they have installed the certificate, and then save the request, and that will complete the request. And you also notice that once the request is completed, that “Download Certificate” option is gone, so it’s not that a user can come and look up any ServiceNow request and be able to download certificates and private keys, right? This is available only at the time of the request being in the state of certificate issuance.

Other request types that are supported are the provisioning type of request, so I’ve already created a request over here for a certificate, where I provided the certificate details, provided the SAN information and, you know, in this case I’ve identified that this is the server that it needs to go on, and this needs to be a Java key store, and all the information required for Venafi to successfully create and configure that Java key store has also been provided over here. And then, when you submit that, it will then go and trigger the workflows within Venafi and then have that installed. Okay, so this is a request that’s in a stage where the certificate has been issued, but now it’s pending installation approval. So one of the approvers will then go and approve this certificate for installation, and then the system will then connect to Venafi and approve the Stage 800 Workflow, for those of you who are familiar with Venafi, and then proceed to install the certificate. Another provisioning type of a request, but this time it is for a Windows IIS server.

In addition to that, the other types of requests that are supported are “Revoke Request”, so when the certificate needs to be revoked you can select it from the list. All of the information about that certificate will be populated, and you specify the reason as to why you want to revoke that, and then submit that request. And this will also go through its approval cycle, and someone from the certificate approvers group is going to approve the revocation, and then it gets revoked on ServiceNow. And then we also have “Retire”, so it’s possible to retire or stop processing a certificate going forward, and, again, select the certificate and provide the reason and then submit that. Okay?

The other point that I’ll quickly make, to kind of conclude my demo, is that renewals are also handled, and the way renewals are handled is that Venafi TPP will identify a certificate that needs to be renewed, and you will have a request created in this queue. The request will be of the type of certificate renewal request, so, you know, the associated approval group or the custodian group can then look at the certificate, validate all of its properties and then submit that for renewal. Okay? So that’s a quick overview of all of the major processes that are supported within the app.

That’s great, thank you, Jeffrey. It looks like pretty much everything that a certificate owner would need to do – request certificates, install, renew, revoke or retire – is all available to them within ServiceNow. And I know you went through that fairly quickly to show us a lot of stuff, but it did look pretty straightforward as far as clicking, using drop-downs, sort of helping folks get guided through the process.