Using Subnet Option

To discover keys with the subnet option:

  1. Go to the (Menu) icon > SSH+ > Discovery > Network Scan > Subnet.
    The Discover page is displayed.
  2. Enter the following details:
    Table 1. Field description for Discover Subnet section
    Field | Description
    Discover By
    *Select | Select one of the options:
      • Instant: To discover the keys immediately. By default, the Instant option is selected.
      • Scheduled: To schedule the discovery of keys on a specific date and time.
    Scheduler (This section appears only if you have selected Scheduled as the discovery option.)
    *Schedule Name | Enter a unique name so that the schedule is easy to identify.
    Description | Enter details describing the purpose of the scheduled discovery.
    *Starts On | Set the time at which the run starts. Click the Calendar icon to customize the date, month, year, and time.
    *Repeat Every | The scheduled discovery can be set to repeat every 5 minutes, or the interval can be customized per your requirement.
    *End Date | Select one of the options to end the scheduled discovery:
      • Never: To keep the scheduled discovery going.
      • On: To select the end date when the scheduled discovery has to stop.
      • After: To stop the scheduled discovery after a certain number of occurrences.
    Discover SSH Keys
    *Discovery Name | This field appears on selecting the Instant discovery option. Enter a unique name.
    Description | This field appears on selecting the Instant discovery option. Enter details stating the purpose of the discovery.
    *Network | Enter the IP address of the network, for example 192.168.1.1/24.
    *Subnets Per Batch Of Discovery | Select a value from the dropdown list. Based on this value, the subnet provided is split into multiple batches for the discovery process.
    *Ports | By default, the port is 22. You can enter the port number from which the keys are to be discovered.
    *Access Type | Select Key or Certificate.
      Note: The Certificate option can be disabled or enabled by configuring the Enable User CA Trust and Host Certificate toggle button under Advanced Settings.
    *DataCenter | Select a datacenter to connect to the host(s).
    *Credential Type | Select one of the options:
      • Manual entry: Enter the username and password.
      • Credential List: Select the credential details that are already stored on the credential inventory page.
    *Credential Name | This field appears only if you have selected Credential Type as Credential List.
    *Login Type | Select one of the options:
      • Password: Enter the username and password.
      • Identity Key: Click Upload to open the Upload SSH Private Key window. Browse for the key file, fill out all the fields, and enter the passphrase.
    Sudoer User | Enable this checkbox if you want:
      • Privileges to perform actions on discovery, provisioning, and remediation.
      • To discover keys for all users configured on the host.
    *Access Elevation | This field appears only on selection of Sudoer User.
    *Discover | Select one or both of the options:
      • User Keys: To discover user keys.
      • Host Keys: To discover host keys.
    *Application Infra Access Group | Groups with RW permission will be visible in the Application Infra Access Group field. Select the Application Infra Access Group(s) to which you want to map the onboarded host.
    Key Compliance Group | Groups with RW permission will be visible in the Key Compliance Group field. Select the required Key Compliance Group to which you want to map the discovered user keys. The discovered keys are associated with the selected Key Compliance Group.
      Note: The key group selection simplifies the grouping of the discovered keys and checks the discovered keys for key compliance. The keys are checked for compliance based on the policy of the key group they are associated with.
    *Scan Type | Select one of the options:
      • Default: The system scans the default SSH folders.
      • Full: The system scans the entire location. You can enter the file names/paths in non-standard locations that you want to exclude from the discovery. Make sure to select the Sudoer User checkbox.
      • Directory: The system performs the default scan along with a scan of the specified directory. Enter the file names/paths in non-standard locations that you want to exclude or include.
      Note: Changing the scan type clears the File Path table.
    Recursive Scan | This field is enabled if you select Default or Directory as your Scan Type and is applicable for file path.
      • For the Default scan type, enable this toggle to perform a recursive scan of all user home directories.
      • For the Directory scan type, this toggle button is disabled by default, and only the specified top-level folder is scanned; nested directories are skipped. When enabled, the system recursively scans all subdirectories within the specified folder path for keys. This is applicable for file path.
    File Path | This field is enabled only if you select Full or Directory as your Scan Type. Enter the file names/paths in non-standard locations that you want to exclude from, or include in (only for directory scan), the discovery. The file path should always start with /.
    Operation | This field is enabled only if you select Full or Directory as your Scan Type. Select one of the options:
      • Exclude: Disables the scan in the file name/path locations entered in File Path.
      • Include: Enables the scan only in the file name/path locations entered in File Path.
      Note: You can enter multiple folder/path entries for the scan; they are displayed in the table that follows, with their File Path and Operation.
    Note: Fields marked with a red asterisk (*) are mandatory.
  3. For Full or Directory scan type, click Add.
    The File Path table is populated with the operation.
  4. If required, enable Intensive Scan to scan the content of each and every file.
    Note: For the Default scan type, Intensive Scan can only be enabled if Recursive Scan is also enabled.
  5. In Inventory Action, select one of the options:
    • Do Not Move: To avoid moving newly discovered keys to the inventory.
    • Manage: To allow the system to manage the newly discovered keys, which are moved to the inventory with Managed status.
    • Monitor: To allow the system to monitor the newly discovered keys, which are moved to the inventory with Monitored status.
  6. Click Discover.

    The discovery runs per the settings, and the key scan instance is added to the discovery inventory with the Status In Progress until the discovery is completed. The Status in the discovery inventory then changes to Successful or Failed depending on the outcome of the scan.

    Note: Only live IPs (hosts) discovered from the subnet will be reflected in the discovery summary.
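
To cross-check a discovery result on a single host, the following added example (not the product's implementation, and not part of the original page) models how Recursive Scan, Intensive Scan and Exclude file paths change which files a scan reports. The names `scan`, `classify` and `demo_tree`, the marker and file-name lists, and the reading of Intensive Scan as opening every file rather than only conventionally named ones are assumptions; the Include operation is not modelled.

```python
import os
import tempfile

# Marker and file-name lists are assumptions for this sketch, not the product's own.
PRIVATE_MARKERS = ("-----BEGIN OPENSSH PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----")
PUBLIC_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
KNOWN_NAMES = {"authorized_keys", "id_rsa", "id_ed25519", "id_ecdsa"}

def classify(path):
    """Return 'private', 'public' or None, judged from the first 4 KiB of the file."""
    try:
        with open(path, "r", errors="ignore") as fh:
            head = fh.read(4096)
    except OSError:
        return None  # not readable at the current privilege level
    if any(marker in head for marker in PRIVATE_MARKERS):
        return "private"
    # authorized_keys lines may carry options before the key type, so test every token.
    return "public" if PUBLIC_TYPES & set(head.split()) else None

def scan(root, recursive=False, intensive=False, excludes=()):
    """Return {path: kind} for key files under root, skipping Exclude entries."""
    if not all(p.startswith("/") for p in (root, *excludes)):
        raise ValueError("file paths must start with /")
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not recursive:
            dirnames.clear()  # stay in the top-level folder
        for name in filenames:
            path = os.path.join(dirpath, name)
            skip = any(path == e or path.startswith(e.rstrip("/") + "/") for e in excludes)
            # Name-based selection unless intensive; Exclude entries always win.
            by_name = name in KNOWN_NAMES or name.endswith(".pub")
            if skip or not (intensive or by_name):
                continue
            if (kind := classify(path)):
                found[path] = kind
    return found

def demo_tree():
    """Create a constructed tree with placeholder contents (no real keys); return its root."""
    root = tempfile.mkdtemp()
    files = {"authorized_keys": "ssh-ed25519 AAAAC3placeholder ops@example\n",
             "old/deploy.bak": "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n"}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
```

On the constructed tree, the private key stored under a non-standard name in a nested folder is reported only when both the recursive and intensive options are on, which is the gap to look for when a default scan comes back clean.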