Topic
  • 7 replies
  • Latest Post - 2014-01-23T10:48:33Z by HarshaJ
RubenRandall
88 Posts

Pinned topic Certificate Monitoring

2013-07-10T22:44:29Z |

Hi,

 

I am trying to figure out a way by which I can monitor certificates effectively. I have tried the default certificate monitoring technique, and along with that I was also able to develop a service that fetches all cert details of a particular domain and sends them as a SOAP message, but my requirement is that I have several domains on the device and all the certificates are stored in the cert:// directory of the corresponding domain. The style sheet solution requires me to develop a service in each domain, and that is a challenge for me. Could you please help me out by giving one solution to monitor certificates in multiple domains effectively.

 

Thanks,

Ruben

Updated on 2013-07-10T22:48:19Z at 2013-07-10T22:48:19Z by RubenRandall
  • HermannSW
    4657 Posts

    Re: Certificate Monitoring

    2013-07-11T10:02:14Z

    Hi Ruben,

    sorry, there is no other way.

    I did create a WSP that gets a certname and then returns the cert details.

    Since WSP is the only service type being able to share FSH port, I thought importing the same WSP in each domain and just changing the endpoint ("/certdetails/default", "/certdetails/cert-test", ...) might work.

    What I had to learn this way is that WSPs can share the FSH if and only if they belong to the same application domain.

    So the only way seems to be:

    • top level service in default domain
    • get-cert-details services in each application domain (loopback XML FW), each on a different port
    • top level service receives request with domain and cert name
    • looks up small XML table mapping domains to ports (domPort)
    • calls get-cert-details service in requested domain by http://127.0.0.1:domPort "backend"
    • returns the details to client

     

    Please add yourself to the RFE Pradeep created in the other related thread:
    https://www.ibm.com/developerworks/community/forums/html/topic?id=e2d1b0aa-55aa-4687-b9e3-3397a0aec9cc#dad6de38-df61-40a3-94a6-c0a1c0aab60e

     

    Hermann

     

    P.S:
    adding the WSP service files, all-in-one WSDL, sample request and stylesheet with skip-backside

    Updated on 2013-07-11T15:16:05Z at 2013-07-11T15:16:05Z by HermannSW
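    Hermann's design above, written out as an added example (my own sketch, not the WSP files Hermann attached): the top-level router stylesheet for the default domain. The request shape, the domPort.xml file and its port numbers are assumptions; the dp:* extension elements are the DataPower ones the thread refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Hermann's attached files: the top-level cert-details
     router for the default domain's XML Firewall. Assumed request shape:
       <getCertDetails><domain>cert-test</domain><cert>mycert</cert></getCertDetails>
     Assumed domPort table (constructed ports) saved as local:///domPort.xml:
       <domPort><map domain="default" port="9101"/>
                <map domain="cert-test" port="9102"/></domPort>
     Each application domain is assumed to run a loopback XML Firewall on its
     port whose stylesheet calls dp:get-cert-details(concat('name:', $cert))
     and returns the CertificateDetails (its Subject carries the CN). -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">
  <xsl:template match="/">
    <xsl:variable name="domain" select="normalize-space(/getCertDetails/domain)"/>
    <xsl:variable name="cert"   select="normalize-space(/getCertDetails/cert)"/>
    <!-- look up the loopback port of the requested domain in the domPort table -->
    <xsl:variable name="port"
        select="string(document('local:///domPort.xml')/domPort/map[@domain = $domain]/@port)"/>
    <!-- this firewall has no real backend: skip-backside and answer from the stylesheet -->
    <dp:set-variable name="'var://service/mpgw/skip-backside'" value="'1'"/>
    <xsl:choose>
      <!-- unknown domain or empty cert name: fail closed, never guess a port -->
      <xsl:when test="$port = '' or $cert = ''">
        <dp:reject>
          <xsl:value-of select="concat('unknown domain or empty cert name: ', $domain)"/>
        </dp:reject>
      </xsl:when>
      <xsl:otherwise>
        <!-- call the get-cert-details service of that domain over the loopback address -->
        <xsl:variable name="details">
          <dp:url-open target="http://127.0.0.1:{$port}/" response="xml">
            <getCertDetails>
              <cert><xsl:value-of select="$cert"/></cert>
            </getCertDetails>
          </dp:url-open>
        </xsl:variable>
        <!-- hand the per-domain answer back to the client, tagged with the domain -->
        <certDetailsResponse domain="{$domain}">
          <xsl:copy-of select="$details"/>
        </certDetailsResponse>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```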
  • RubenRandall
    88 Posts

    Re: Certificate Monitoring

    2013-07-11T14:06:27Z
    • HermannSW
    • 2013-07-11T10:02:14Z

    Hi Hermann,

     

    Thanks for the reply. Could you please suggest any third-party tool that I could use to integrate with DataPower to monitor certificates?

     

    Thanks,

    Ruben

  • kenhygh
    1523 Posts

    Re: Certificate Monitoring

    2013-07-11T14:33:59Z

    Can't you use the same tool you use for all your other servers?

  • RubenRandall
    88 Posts

    Re: Certificate Monitoring

    2013-07-11T15:05:38Z
    • kenhygh
    • 2013-07-11T14:33:59Z

    can't you use the same tool you use for all your other servers?

    Hi Ken,

     

    We aren't using any third-party tool. Could you please suggest one that can be integrated with DataPower and can monitor certificates?

     

    Thanks,

    Ruben

  • HermannSW
    4657 Posts

    Re: Certificate Monitoring

    2013-07-11T15:15:41Z

    Any third-party tool would have to use either dp:get-cert-details(), SOMA, TELNET/SSH or SNMP to interface with DataPower, sorry.

     

    Hermann

  • JTQK_Sunny_Goel
    10 Posts

    Re: Certificate Monitoring

    2013-07-23T21:42:49Z

    Hello Ruben,

    Do you want to track all the certs on the box which are about to expire or have already expired? If yes, then the "Crypto Certificate Monitor" scans all the certificates on the box after a specified time interval (Polling Interval). You can hook up syslog servers on your box. It will write records to the syslog server and then you can use ITCAM to monitor it.

    Thanks


  • HarshaJ
    0 Posts

    Re: Certificate Monitoring

    2014-01-23T10:48:33Z

    Crypto Certificate Monitor is a good tool. But the limitation is that it will give the certificate object name and not the CN name of the object which is going to expire or has expired. We need to log in to the box, open the expired object and get the CN name. This is a tedious task if we have many certificates which are expired across different domains.

    Updated on 2014-01-23T10:50:19Z at 2014-01-23T10:50:19Z by HarshaJ