IBM Support

Keeping up with Certificates Expiry

Technical Blog Post



Author: Manisha Khond


SSL certificates have a set expiry date, and once that date passes the certificate becomes unusable. An expired certificate cannot be used by the web application or by the adapters and services, and any TLS communication that relies on it fails. Using an expired certificate therefore causes loss of communication, loss of sales, withdrawal of trust, damage to brand reputation, and so on.

One may ask, how do I check the certificate expiry?

The certificates used by IBM Sterling B2B Integrator and IBM Sterling File Gateway are stored in the System, CA and Trusted stores. These certificates can be examined in the Dashboard user interface under the Trading Partner -> Digital Certificates menu.

To check when a certificate expires, open the certificate summary and look at its valid dates.

[Image: certificate summary in the Dashboard showing the valid dates]

Although you can check certificate expiry with the manual technique above, it is time consuming if you have a large number of certificates to check for approaching expiry.

So, what is the automated way for checking the certificate expiry?

IBM Sterling B2B Integrator has a Service called Check Expire Service.

This service can be used to retrieve information on all certificates that have expired or will expire in a set number of days.

The Check Expire service is included in a predefined business process, Schedule_CheckExpireService.

[Image: the predefined Schedule_CheckExpireService business process]

The out-of-the-box certificates such as OpsDrv, OpsKey and UIKey cannot be checked for expiration because they are used internally by Sterling B2B Integrator. The default schedule configuration of the Check Expire Service excludes these certificates.

[Image: default Check Expire Service schedule configuration with the internal certificates excluded]

Property definitions for the Check Expire Service in ui.properties:

## PROPERTY_START
## PROPERTY_NAME: Check_Expire_Days
## PROPERTY_GROUP: General Properties
## PROPERTY_TYPE: Integer
## PROPERTY_DESCRIPTION
## Number of days before expiration that the
## CheckExpireService generates messages for certificates that
## are about to expire.
## Default value: 14
## (For property value, see PROPERTY_VALUE_ALL section at end of file)
## PROPERTY_END

## PROPERTY_START
## PROPERTY_NAME: Check_Expire_Mode
## PROPERTY_GROUP: General Properties
## PROPERTY_TYPE: String
## PROPERTY_DESCRIPTION
## Set CheckExpire behavior.
## Default value: EMAIL
## (For property value, see PROPERTY_VALUE_ALL section at end of file)
## PROPERTY_END

## PROPERTY_START
## PROPERTY_NAME: Check_Expire_Email_Addr
## PROPERTY_GROUP: General Properties
## PROPERTY_TYPE: String
## PROPERTY_DESCRIPTION
## Set CheckExpire behavior.
## Default value: SI Admin email address.
## (For property value, see PROPERTY_VALUE_ALL section at end of file)
## PROPERTY_END

## PROPERTY_START
## PROPERTY_NAME: Check_Expire_Certs_Exclusion
## PROPERTY_GROUP: CheckExpire
## PROPERTY_TYPE: String
## PROPERTY_DESCRIPTION
## Used to configure certificates to be excluded from the check.
## List certificate names and separate by "," (without any space)
## e.g. Check_Expire_Certs_Exclusion = cert_name_1,cert_name_2,cert_name_3
## (For property value, see PROPERTY_VALUE_ALL section at end of file)
## PROPERTY_END


You can customize these properties in customer_overrides.properties.

Example:

The settings below generate an email notification to admin@company.com for all expired certificates and for the certificates that will expire within 30 days. They also exclude the two certificates named in the exclusion list (note that the list is comma-separated with no spaces, as the property description requires).

ui.Check_Expire_Days=30
ui.Check_Expire_Mode=EMAIL
ui.Check_Expire_Email_Addr=admin@company.com
ui.Check_Expire_Certs_Exclusion=systemcertABC,partnercertXYZCompany

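To make the behaviour of the Check Expire Service and of the override properties above concrete, here is an added example (not IBM's code and not the service's own implementation) that applies the same selection rules to a constructed certificate inventory: parse the ui.* overrides, drop the excluded names, report certificates whose notAfter date is already past, report those that fall within the configured number of days, and render the message that EMAIL mode would send. The inventory, the dates, the certificate names other than the two from the post, and the run_check helper are all assumptions made for the example; the real service reads the System, CA and Trusted stores directly.

```python
"""Emulation of the Check Expire Service selection logic (added example).

Applies the ui.Check_Expire_* override properties from the post to a
constructed inventory of certificate names and notAfter dates.
"""
from datetime import date, timedelta

# Constructed customer_overrides.properties content (values from the post).
OVERRIDES = """\
ui.Check_Expire_Days=30
ui.Check_Expire_Mode=EMAIL
ui.Check_Expire_Email_Addr=admin@company.com
ui.Check_Expire_Certs_Exclusion=systemcertABC,partnercertXYZCompany
"""

# Constructed inventory: certificate name -> notAfter as an ISO date.
# Out-of-the-box certificates (OpsDrv, OpsKey, UIKey) are deliberately
# not listed: the product's default schedule already excludes them.
INVENTORY = {
    "systemcertABC": "2024-01-10",          # expired, but excluded by override
    "partnercertXYZCompany": "2024-02-01",  # expiring soon, but excluded
    "partnerA_signing": "2024-01-05",       # expired
    "webserver_tls": "2024-02-10",          # expires within the 30-day window
    "partnerB_encrypt": "2024-06-30",       # fine
}


def parse_overrides(text):
    """Parse 'ui.<key>=<value>' lines into a dict keyed without the 'ui.' prefix."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or a malformed line such as 'key-value'
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("ui."):
            key = key[len("ui."):]
        props[key] = value.strip()
    return props


def exclusion_set(value):
    """Split the comma-separated exclusion list.

    The property is documented as comma-separated with no spaces; stripping
    each entry turns a stray space into a non-issue rather than a silently
    unmatched certificate name.
    """
    return {name.strip() for name in value.split(",") if name.strip()}


def check_expiry(inventory, props, today):
    """Return (expired, expiring): already-expired certificates, and those
    that expire within Check_Expire_Days (default 14, as in ui.properties).
    A certificate whose notAfter is today is reported as expiring in 0 days."""
    days = int(props.get("Check_Expire_Days", "14"))
    excluded = exclusion_set(props.get("Check_Expire_Certs_Exclusion", ""))
    horizon = today + timedelta(days=days)
    expired, expiring = [], []
    for name, not_after in sorted(inventory.items()):
        if name in excluded:
            continue
        end = date.fromisoformat(not_after)
        if end < today:
            expired.append((name, not_after))
        elif end <= horizon:
            expiring.append((name, not_after, (end - today).days))
    return expired, expiring


def build_notification(props, expired, expiring):
    """Render the report; returns (recipient, body). Recipient is None
    unless Check_Expire_Mode is EMAIL."""
    mode = props.get("Check_Expire_Mode", "EMAIL").upper()
    recipient = props.get("Check_Expire_Email_Addr") if mode == "EMAIL" else None
    lines = ["Certificate expiry report"]
    lines += [f"EXPIRED: {n} (not valid after {d})" for n, d in expired]
    lines += [f"EXPIRING in {k} day(s): {n} (not valid after {d})" for n, d, k in expiring]
    if len(lines) == 1:
        lines.append("No expired or expiring certificates.")
    return recipient, "\n".join(lines)


def run_check(today_iso="2024-01-15"):
    """Convenience wrapper (assumed helper): run the whole check for a given day."""
    props = parse_overrides(OVERRIDES)
    expired, expiring = check_expiry(INVENTORY, props, date.fromisoformat(today_iso))
    recipient, body = build_notification(props, expired, expiring)
    return props, expired, expiring, recipient, body


if __name__ == "__main__":
    _, _, _, to, body = run_check()
    print(f"To: {to}\n{body}")
```

Run as-is and the report lists partnerA_signing as expired and webserver_tls as expiring in 26 days, while both excluded certificates are skipped even though one of them has already expired; that is exactly why the exclusion list should hold only the internal certificates the product cannot check, not partner or TLS certificates you would rather not hear about.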

So what steps should you take on the certificates that are already expired?

Unless the certificates are out-of-the-box certificates provided by the product installation, it is best practice to delete expired certificates.

What steps should you take for the certificates that are going to expire?

Before the certificate expires, obtain the renewed or replacement certificate and install it in IBM Sterling B2B Integrator. Then update the adapters and services that use the certificate so that they reference the new one.

UID

ibm11120539