Handling Asset Credentials in Asset Links
Credential Handling for Discovery Workflow
Use this workflow to update credentials for the discovery workflow in real time.
Prerequisites
To use configuration and credentials for real-time updates, you must modify the asset link. For reference, see the IAH Asset Link SDK.
Discovery Workflow with Credential Management
- Get authorization: Ensure the user has the credential_manager role to create or update credential templates and credential instances. This role can be assigned through the Authorization Service API.
- Upload asset link template: Upload the asset link configuration template as schema data along with the schema URI using the v2 Credential Management API POST /schemas. Use the asset-link software identifier name and version from the running DCDs on the target gateway as the resourceIdentifier and resourceVersion query parameters. Retrieve the generated schema ID from the response Location header.
  Note: If the same resource identifier and version already exist, the template is not created again.
- Create credential instances: Create credential instances from the uploaded schema ID using the v2 Credential Management API POST /instances. Add instance metadata that defines the IP address ranges where each instance should be applied.
- Trigger discovery scan: Run a discovery scan with Asset Link on the target gateway so the new credentials and settings are applied.
- Instance Selection for Discovery: For new assets, the system selects the three most recent credential instances (by timestamp). For existing assets, the system uses the credential instances already associated with the asset based on matching IP address.
Figure: Discovery Workflow for Credential Management
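The instance selection rule above, modelled as an added example (not code from the product or from the IAH Asset Link SDK). The field names id, ip_ranges and created, the CIDR notation, and applying the three-instance limit after filtering by IP range are assumptions made for illustration; the sample data is constructed.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

MAX_NEW_ASSET_INSTANCES = 3  # "three most recent" rule from the workflow


def covers(instance, ip):
    """True if any range in the instance metadata contains ip."""
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in instance["ip_ranges"])


def select_instances(asset_ip, instances, associations):
    """Return the credential instance IDs a discovery scan would use.

    associations maps the IP of an already-known asset to the instance IDs
    stored for it (hypothetical structure, keyed by IP as the page describes).
    """
    if asset_ip in associations:
        # Existing asset: reuse what is already linked, newer instances ignored.
        return list(associations[asset_ip])
    # New asset: in-range instances only (assumption), newest first, capped.
    candidates = [i for i in instances if covers(i, asset_ip)]
    candidates.sort(key=lambda i: i["created"], reverse=True)
    return [i["id"] for i in candidates[:MAX_NEW_ASSET_INSTANCES]]


def ts(day):
    return datetime(2024, 1, day, tzinfo=timezone.utc)


# Constructed sample data (documentation address ranges).
INSTANCES = [
    {"id": "inst-a", "ip_ranges": ["192.0.2.0/24"], "created": ts(1)},
    {"id": "inst-b", "ip_ranges": ["192.0.2.0/25"], "created": ts(2)},
    {"id": "inst-c", "ip_ranges": ["192.0.2.0/24", "198.51.100.0/24"], "created": ts(3)},
    {"id": "inst-d", "ip_ranges": ["192.0.2.0/24"], "created": ts(4)},
    {"id": "inst-e", "ip_ranges": ["198.51.100.0/24"], "created": ts(5)},
]
ASSOCIATIONS = {"192.0.2.10": ["inst-a"]}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.200", "203.0.113.5"):
        print(ip, select_instances(ip, INSTANCES, ASSOCIATIONS))
```

In this model the oldest in-range instance drops out once more than three cover an address, and an existing asset keeps its stored association even when newer instances exist, so overly broad IP ranges in instance metadata widen the set of hosts a credential is offered to.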
Credential Handling Workflow for Monitoring
Applications that need to enrich existing assets with additional information through other asset links can use the credential-based monitoring workflow.
Note: In this workflow, the monitoring process with asset links must be implemented by the target application.
- Get authorization: Ensure the user has the credential_manager role to create or update credential templates and credential instances. This role can be assigned through the Authorization Service API.
- Upload asset link template: Upload the target asset-link schema data and schema URI using the v2 Credential Management API POST /schemas. Use the target asset-link software identifier name and version from the running DCDs on the target gateway as the resourceIdentifier and resourceVersion query parameters. Retrieve the generated schema ID from the response Location header.
  Note: If the same resource identifier and version already exist, the template is not created again.
- Create credential instances: Create credential instances from the uploaded schema ID using the v2 Credential Management API POST /instances. Add instance metadata that defines the IP address ranges where each instance should be applied. Retrieve the created instance ID from the response Location header.
- Create instance/communication template: Create a new instance template using the v2 Credential Management API POST /instances-templates. Retrieve the created instance template ID from the response Location header.
- Add Instances with Instance Template: Add each created instance and map it to the created instance template using the v2 Credential Management API POST /instances-templates/{instancesTemplateId}/instances/{instanceId}.
- Trigger monitoring using instance template: Run the required monitoring scan in the target application by using the instance template for existing assets.
- Assign monitored instances with existing assets: Create a copy of the instances used for monitoring and map them to existing assets using the v2 Credential Management API POST /assets/{assetId}/instances/{instanceId}.
- Get instances for all the monitored assets: Retrieve all discovery and monitoring credentials used across different Asset links for an asset using the v2 Credential Management API GET /assets/{assetId}/instances.
Figure: Monitoring Workflow for Credential Management