Configuring SecureApp Settings

Overview

You can manage these general SecureApp settings in the Settings > SecureApp Settings page:

  • Server Name: The name syntax for IP addresses not associated with a server (that were discovered by connection discovery).
  • Connection Management: Sets actions for aborted tickets, external connections, number of days to run connection discovery, and the number of connections to show per page.
  • Ticket Validation Script: SecureApp triggers a customized script just before opening the ticket, so you can resolve errors before the ticket is submitted to SecureChange. You create this script with customized validations such as naming conventions, risk, or connection traffic. The script saves you time and identifies potential problems in the ticket before SecureApp submits it to SecureChange.

Set Server Name

You can use this procedure to define the server name syntax for IP addresses that are not associated with a server and were discovered by connection discovery.

  1. In the two text boxes, enter the text to prepend and/or append to the IP address.

  2. Select the Use the resolved DNS name, if available option if you want to use the DNS server that is configured in the operating system to resolve the DNS name listed for the IP address.

Configure Connection Management Settings

  • Set these options:

    • Aborted Tickets: Select to allow a user to ignore rejected changes.

    • External Connections: Select to allow external resources to be used in both the source and destination of connections.

    • Connection Discovery: The default number of days to run connection discovery.

    • Connections List Paging: The number of connections shown per page.

Set Trigger Script

You create a script with customized validations such as naming conventions, risk, or connection traffic.

In a SecureApp request, when you click Submit, the script automatically evaluates the ticket. You will see this message: Ticket validation is in progress. You can abort the script evaluation while running.

  • If the script approves the ticket, it is opened in SecureChange.

  • If the ticket is invalid, the failure message defined in the script appears. No ticket is opened.

Prerequisites

Create a script. The script must be stored in /opt/tufin/data/securechange/scripts in the sc-server pod. The script must include the following fields:

  • Status: Validation status must be provided with one of the following values: TICKET_VALID, TICKET_INVALID, or ERROR. You can use one or more of these status values in a single script. For example:

    • <status>ticket_invalid</status>

    • <status>ERROR</status>

  • Error Message: A message that describes the validation error, limited to 128 characters.

  • Error Details: Details about the error, limited to 64,000 characters.

By default, the script times out after two minutes. If the script is invalid, a message is displayed and the failure is logged in the SecureChange log.

If the script output contains a URL, it must be separated by \n before and after it.

Example: error details can be found in \n https://www.errorlog.com \n.

Here is a sample script:

#!/bin/bash
# This script logs the arguments and the input stream to /tmp/script.log,
# then returns a TICKET_INVALID result to SecureApp on standard output.
echo "args: $@" >> /tmp/script.log
echo "<result><status>ticket_invalid</status><error_message>ticket Validation failed</error_message><error_details>more info about the validation</error_details></result>" >> /tmp/script.log
# IFS= keeps leading and trailing whitespace in each line of the input stream
while IFS= read -r line; do
    echo "input stream: $line" >> /tmp/script.log
done
sleep 1
echo "<result><status>ticket_invalid</status><error_message>ticket Validation failed</error_message><error_details>you are not allowed to issue the ticket</error_details></result>"
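The following is an added example, not Tufin's code or the page's sample, showing how a validation script can apply the fields above: it checks a naming convention, keeps the error message and details within the 128 and 64,000 character limits, escapes characters that would break the result XML, and separates a URL with \n. It assumes the application name arrives as the first script argument; the "app-" convention and the wiki URL are placeholders invented for this example.

```shell
#!/bin/bash
# Added example, not Tufin's code: a SecureApp validation script that checks a
# naming convention and prints the <result> element described above. Assumed:
# the name to validate is the first script argument, and the "app-" prefix rule
# is a hypothetical convention invented for this example.
LOG=/tmp/script-valid.log
MAX_MSG=128          # error_message limit stated on the page
MAX_DETAILS=64000    # error_details limit stated on the page
# Escape characters that would otherwise break the XML result element.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Cut $1 down to at most $2 characters so the documented limits are respected.
truncate_to() {
    printf '%s' "$1" | cut -c1-"$2"
}

# Print the result element; status is TICKET_VALID, TICKET_INVALID or ERROR.
emit_result() {
    local msg details
    msg=$(xml_escape "$(truncate_to "$2" "$MAX_MSG")")
    details=$(xml_escape "$(truncate_to "$3" "$MAX_DETAILS")")
    printf '<result><status>%s</status><error_message>%s</error_message><error_details>%s</error_details></result>\n' \
        "$1" "$msg" "$details"
}

# Hypothetical convention: "app-" followed by 1-28 lowercase letters, digits or dashes.
check_name() {
    printf '%s\n' "$1" | grep -Eq '^app-[a-z0-9-]{1,28}$'
}

validate() {
    if [ -z "$1" ]; then
        emit_result ERROR "No application name was passed as an argument" \
            "Set the name in the Arguments field of the Ticket Validation Script settings."
    elif check_name "$1"; then
        emit_result TICKET_VALID "" ""
    else
        # A URL in the details must be separated by \n before and after, as noted above.
        emit_result TICKET_INVALID "Application name '$1' does not match the naming convention" \
            "Names must match ^app-[a-z0-9-]{1,28}$. Convention: \n https://wiki.example.invalid/naming \n"
    fi
}

# Entry point when SecureApp runs the script with arguments: log stdin, then validate.
if [ "$#" -gt 0 ]; then
    while IFS= read -r line; do echo "input stream: $line" >> "$LOG"; done
    validate "$1"
fi
```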

Procedure

  1. Use these fields to define your script:

    • Full path: Enter the full path of the script file. Note that the script must be stored in /opt/tufin/data/securechange/scripts.

    • Arguments: Enter arguments separated by commas.

  2. Run this command:

    chmod 777 <script.sh>

    Note that mode 777 makes the script readable, writable, and executable by every user on the pod; the requirement stated at the end of this page is only that the root user can read and execute it.

  3. Click Test to confirm that SecureApp can run the script.

  4. Select Enable validation by script to enable the script or clear this check box to disable the script.

  5. Click Save.

If the script file has insufficient permissions (it must be readable and executable by the root user), does not exist, or is incorrect, you will see a message that the script failed to run. In this case, contact your Tufin administrator.