How to Use Certificate Manager to Avoid Outages Using Callback URLs: Part 2

Configuring Certificate Manager to post alerts to PagerDuty

Certificate Manager is a service that helps you centrally manage SSL/TLS certificates for your apps and services. Certificate Manager keeps track of when your certificates expire, serves as a secure repository for SSL/TLS certificates and keys, and helps you securely deploy certificates to your Cloud apps.

Expired certificates can lead to service outages. To address this problem, Certificate Manager can send you proactive notifications before your certificates expire so that you remember to renew them on time. In a previous blog, we showed you how to configure Certificate Manager to post notifications to your Slack channel. In another blog, we demonstrated how to use the Certificate Manager callback URL feature to automatically open GitHub tasks about expiring certificates. We’ve been asked to share an additional sample that shows how to configure Certificate Manager to post alerts to PagerDuty.

In this article, we will discuss how to implement a callback URL to generate PagerDuty alerts for expiring certificates. The callback function is implemented as a Cloud Function using IBM Cloud Functions—an event-driven compute service.

Implementing the flow

Step 1. Create an integration key in PagerDuty for your service

Before we begin with the code, we’ll need to get an integration key for your service from PagerDuty. To create an integration key, follow the steps below:

  1. Log in to your PagerDuty console.
  2. Select the Configuration menu and then select Services.
  3. Search and select your service.
  4. Open the service page.
  5. Select the Integrations tab.
  6. Click Add New Integration.
  7. Provide a Name for the integration.
  8. Select Integration Type as IBM Bluemix.
  9. Click Add Integration.
  10. Make note of the Integration Key created for the new integration.

Step 2. Create the Cloud Function

We’ll start by creating a Cloud Function. A Cloud Function is a piece of code that runs in response to a trigger so that you don’t have to pay for or maintain servers while they are idle. To create a Cloud Function, go to the Functions dashboard in IBM Cloud, select the Actions tab, click the Create button, and then click Create a new action. Give the action a name, choose the default package, select a Node.js runtime (the sample code in this blog is compatible with Node.js 8), and click the Create button. Now you are ready to add the code to your Cloud Function.

Download the full code here and copy it into the Cloud Function code section (the example code has been updated to use the latest notification format).

See our previous example of working with the Certificate Manager callback URL for an explanation of the four functions in this code.

In our case the main function creates and sends an alert to PagerDuty.

Replace the service_key in the pdparams variable with the integration key generated in Step 1.
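The following is an added example, not the downloadable sample from this article: it keeps the integration key out of the source by reading it from an action parameter, and it checks the notification's signature before building the PagerDuty event, since the web action URL created in Step 3 is reachable by anyone. It assumes the notification arrives as an RS256-signed JWT in a `data` parameter and that its payload carries `event_type`, `expiry_date` and `certificates` (with `cert_crn` and `name`); the parameter names `PD_SERVICE_KEY` and `CM_PUBLIC_KEY` are hypothetical.

```javascript
// Added example (not the article's downloadable sample).
const crypto = require('crypto');

// Verify an RS256-signed JWT; returns the decoded payload or throws.
function verifyNotification(token, publicKeyPem) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64').toString('utf8'));
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.createVerify('RSA-SHA256')
    .update(`${head}.${body}`)
    .verify(publicKeyPem, Buffer.from(sig, 'base64'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(body, 'base64').toString('utf8'));
}

// Build a PagerDuty Events API v1 trigger event from the verified payload.
// Field names read from the notification are assumptions about its format.
function buildPagerDutyEvent(notification, serviceKey) {
  if (!serviceKey) throw new Error('PD_SERVICE_KEY is not set');
  const certs = notification.certificates || [];
  const crns = certs.map((c) => c.cert_crn).sort().join(',');
  return {
    service_key: serviceKey,
    event_type: 'trigger',
    // Stable key: repeated notifications for the same certificates update
    // one incident instead of opening a new one each time.
    incident_key: crypto.createHash('sha256')
      .update(`${notification.event_type}|${crns}`).digest('hex'),
    description: `Certificate Manager: ${notification.event_type} ` +
      `(${certs.map((c) => c.name).join(', ')})`,
    details: { expiry_date: notification.expiry_date, certificates: certs },
  };
}

// Action entry point. PD_SERVICE_KEY and CM_PUBLIC_KEY are hypothetical
// default parameters bound to the action, so no secret lives in the source.
// Returns the event that would be posted to PagerDuty.
function main(params) {
  let notification;
  try {
    notification = verifyNotification(params.data, params.CM_PUBLIC_KEY);
  } catch (err) {
    return { statusCode: 401, body: { error: err.message } };
  }
  return { statusCode: 200, body: buildPagerDutyEvent(notification, params.PD_SERVICE_KEY) };
}
```

Because `incident_key` is derived from the event type and certificate CRNs, a repeated notification for the same certificate updates the existing incident rather than paging again.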

Step 3. Create the callback URL

Once the Cloud Function is ready, we need to make it available over the net. Select Endpoints from the left nav of the Cloud Functions UI, check the Enable as Web Function checkbox, and click the Save button. Copy the URL that was added at the bottom of the Web Action section.

Step 4: Add notification channel

The last thing left to do is to connect this Web Action to the Certificate Manager notifications mechanism. Open your Certificate Manager dashboard and select Settings from the left nav. Click the Add Notification Channel button, choose callback url from the channel type drop-down, enter the URL we copied from Cloud Functions, and click the Save button.

Once the channel is saved, you will see it in the notification channel list. You can test your setup by clicking the test connection button. This should trigger a PagerDuty alert if everything is set up correctly.

Step 5: Testing the integration—End to End

Create a self-signed certificate that expires in 10 days. You can use the following openssl command:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -subj "/CN=appdomain.com" -out server.pem -days 10 -nodes

Import the certificate into your Certificate Manager instance. This will trigger a PagerDuty alert and incident against your service for the certificate expiring in 10 days.

PagerDuty alerts will be triggered from now on for all your certificates nearing expiration.

Executive IT Architect - Cloud Security - Developer Services

IDO HUBARA

Software Developer

CARMEL SCHINDELHAIM

Offering Manager - Cloud Developer Services - Security
