posted

0 Comments

Almost every website and every API endpoint are nowadays accessible via HTTPS and SSL/TLS certificates are used to establish a secure connection with the server.

SSL/TLS certificates are usually valid for a certain period of time and needs to be renewed (replaced) early enough to avoid service disruption.

To maintain a broad overview of any SSL/TLS certificate in your environment vRealize Operations and End Point Operations Agents can be used to collect and display that information in an automated way.

 

In this post I will show you how to leverage the script monitoring feature available with the End Point Operations Agent to monitor SSL/TLS certificate validity period.

 

Ingredients

 

To accomplish our task we will need:

  • vRealize Operations, in this post I am using the newest and greatest version 7.5
  • End Point Operations Agent, again, in this scenario I run the newest version 7.5 on my Linux Ubuntu box
  • A Shell script doing the certificate check

This solution relies on a Shell script which means you will need a Linux machine, but it can be easily rewritten to run as a PowerShell script on Windows as well.

NOTE: Script and dashboard can be found on VMware Code:

 

Implementation – Ep Ops Agent

 

First, we need to make sure that our Ep Ops Agent is properly running and sending data to vRealize Operations. For End Point Operations Agent installation and configuration documentation please see:

https://docs.vmware.com/en/vRealize-Operations-Manager/7.5/com.vmware.vcom.core.doc/GUID-44080717-078F-401A-B99C-F220D03D144C.html

End Point Operations Agent overview page

 

Implementation – Shell Script

 

After checking the functionality of our agent we copy the script to a folder on the machine equipped with the End Point Operations Agent, in this case I have created a scripts folder in the agent path:

root@ubuntu:/opt/vmware/epops# ls -al
total 692
drwx------ 9 root root   4096 Apr 13 05:53 .
drwxr-xr-x 3 root root   4096 Apr 13 04:36 ..
-rw-r--r-- 1 root root      5 Apr 13 04:40 0
drwx------ 2 root root   4096 Mar 29 04:13 bin
drwx------ 3 root root   4096 Mar 29 04:13 bundles
drwx------ 2 root root   4096 Apr 13 04:37 conf
-rw------- 1 root root  35846 Mar 29 04:12 COPYING.txt
drwx------ 2 root root   4096 Apr 13 04:37 data
-rw------- 1 root root  30389 Mar 29 04:13 EULA.txt
drwx------ 3 root root   4096 Apr 19 00:07 log
-rw------- 1 root root 592629 Mar 29 04:13 open_source_licenses.txt
-rw------- 1 root root   3570 Mar 29 04:12 README.txt
drwxr-xr-x 2 root root   4096 Apr 13 05:57 scripts
drwx------ 4 root root   4096 Apr 13 04:37 wrapper

The script requires OpenSSL in a certain version, in my example I am suing OpenSSL 1.0.2d 9 Jul 2015 on a Ubuntu box.

Please note that OpenSSL 0.9.8j-fips 07 Jan 2009 will not work.

To enable execution of the script, please ensure that the x flag is properly set and the user running the End Point agent can access the file.

In the scripts folder I have placed the shell script checking the validity period of any given certificate backing a HTTPS connection:

root@ubuntu:/opt/vmware/epops/scripts# ls -al
total 16
drwxr-xr-x 2 root root 4096 Apr 13 05:57 .
drwx------ 9 root root 4096 Apr 13 05:53 ..
-rw------- 1 root root    5 Apr 19 05:38 0
-rwxr-xr-x 1 root root  748 Apr 13 04:39 getSSLRemainigDays.sh

The script itself expects two options, the FQDN and the TCP port number of the endpoint you wish to check:

root@ubuntu:/opt/vmware/epops/scripts# ./getSSLRemainigDays.sh
This script must be run with ....

Usage:
./getSSLRemainigDays.sh FQDN TCP-Port

For example, given we have internet access from the machine running the script:

root@ubuntu:/opt/vmware/epops/scripts# ./getSSLRemainigDays.sh www.vmware.com 443
65

The script tells us, that the SSL/TLS certificate used to secure the HTTPS access to www.vmware.com will expire in 65 days.

 

 

Implementation – Ep Ops Monitor Script

 

For every endpoint secured by SSL/TLS certificate we wish to check in vRealize Operations we need to create a Monitor Script as child object of the operating system object related to our End Point Operations agent as depicted in the following figure.

Adding a Monitor Script in End Point Agent

 

The parameters:

  • Script name including the entire path
  • Arguments including the FQDN and TCP port of the endpoint

The following picture shows a sample configuration to monitor the certificate used by my vIDM instance.

Configuring the Monitor Script

 

After the Monitor Script has been configured correctly and some collection cycle have been completed we should see the remaining days until the certificate expiries as “UTILIZATION | Result Value”.

Metrics returned by the monitoring script

 

Dashboard

 

Creating an appropriate dashboard has never been easier. vRealize Operations 7.5 comes with plenty new features. One of these is a re-worked scoreboard widget which allows us for example creating dashboards without the need of creating custom groups.

See both examples on how group internal and external certificates.

Creating the dashboard – step 1

 

Creating the dashboard – step 2

 

Creating the dashboard – step 3

 

A very simple dashboard created that way might be enough to visualize the status of your SSL/TLS certificates helping you order new certificates on time.

SSL/TLS Certificate vRealize Operations

SSL/TLS validity dashboard

 

As usual, you can create thresholds to color code the scoreboards to be alerted early enough to not end up with expired certificates.

 

Alert

 

Using the metric provided by the script, related symptoms can be created and used in alerts.

This is an example including a symptom set to be at warning level when the validity breaches 91 days.

<?xml version="1.0" encoding="UTF-8"?><alertContent>
    <AlertDefinitions>
        <AlertDefinition adapterKind="EP Ops Adapter" id="AlertDefinition-eca7b93f-fb84-47ba-a694-6ae1ca132e42" name="tkopton - Certificate expring" resourceKind="Script" subType="18" type="15">
            <State severity="automatic">
                <SymptomSet applyOn="self" operator="and" ref="SymptomDefinition-252cb3fa-0b28-47c4-86bc-65c2d87245e0"/>
                <Impact key="risk" type="badge"/>
            </State>
        </AlertDefinition>
    </AlertDefinitions>
    <SymptomDefinitions>
        <SymptomDefinition adapterKind="EP Ops Adapter" id="SymptomDefinition-252cb3fa-0b28-47c4-86bc-65c2d87245e0" name="tkopton-certificate expiring" resourceKind="Script">
            <State severity="warning">
                <Condition key="UTILIZATION|ResultValue" operator="&lt;" thresholdType="static" type="metric" value="91.0" valueType="numeric"/>
            </State>
        </SymptomDefinition>
    </SymptomDefinitions>
</alertContent>

 

Dashboard, Alert definition and the script can be found on VMware Code.