Almost every website and every API endpoint are nowadays accessible via HTTPS and SSL/TLS certificates are used to establish a secure connection with the server.
SSL/TLS certificates are usually valid for a certain period of time and needs to be renewed (replaced) early enough to avoid service disruption.
To maintain a broad overview of any SSL/TLS certificate in your environment vRealize Operations and End Point Operations Agents can be used to collect and display that information in an automated way.
In this post I will show you how to leverage the script monitoring feature available with the End Point Operations Agent to monitor SSL/TLS certificate validity period.
To accomplish our task we will need:
- vRealize Operations, in this post I am using the newest and greatest version 7.5
- End Point Operations Agent, again, in this scenario I run the newest version 7.5 on my Linux Ubuntu box
- A Shell script doing the certificate check
This solution relies on a Shell script which means you will need a Linux machine, but it can be easily rewritten to run as a PowerShell script on Windows as well.
NOTE: Script and dashboard can be found on VMware Code:
Implementation – Ep Ops Agent
First, we need to make sure that our Ep Ops Agent is properly running and sending data to vRealize Operations. For End Point Operations Agent installation and configuration documentation please see:
Implementation – Shell Script
After checking the functionality of our agent we copy the script to a folder on the machine equipped with the End Point Operations Agent, in this case I have created a scripts folder in the agent path:
root@ubuntu:/opt/vmware/epops# ls -al total 692 drwx------ 9 root root 4096 Apr 13 05:53 . drwxr-xr-x 3 root root 4096 Apr 13 04:36 .. -rw-r--r-- 1 root root 5 Apr 13 04:40 0 drwx------ 2 root root 4096 Mar 29 04:13 bin drwx------ 3 root root 4096 Mar 29 04:13 bundles drwx------ 2 root root 4096 Apr 13 04:37 conf -rw------- 1 root root 35846 Mar 29 04:12 COPYING.txt drwx------ 2 root root 4096 Apr 13 04:37 data -rw------- 1 root root 30389 Mar 29 04:13 EULA.txt drwx------ 3 root root 4096 Apr 19 00:07 log -rw------- 1 root root 592629 Mar 29 04:13 open_source_licenses.txt -rw------- 1 root root 3570 Mar 29 04:12 README.txt drwxr-xr-x 2 root root 4096 Apr 13 05:57 scripts drwx------ 4 root root 4096 Apr 13 04:37 wrapper
The script requires OpenSSL in a certain version, in my example I am suing OpenSSL 1.0.2d 9 Jul 2015 on a Ubuntu box.
Please note that OpenSSL 0.9.8j-fips 07 Jan 2009 will not work.
To enable execution of the script, please ensure that the x flag is properly set and the user running the End Point agent can access the file.
In the scripts folder I have placed the shell script checking the validity period of any given certificate backing a HTTPS connection:
root@ubuntu:/opt/vmware/epops/scripts# ls -al total 16 drwxr-xr-x 2 root root 4096 Apr 13 05:57 . drwx------ 9 root root 4096 Apr 13 05:53 .. -rw------- 1 root root 5 Apr 19 05:38 0 -rwxr-xr-x 1 root root 748 Apr 13 04:39 getSSLRemainigDays.sh
The script itself expects two options, the FQDN and the TCP port number of the endpoint you wish to check:
root@ubuntu:/opt/vmware/epops/scripts# ./getSSLRemainigDays.sh This script must be run with .... Usage: ./getSSLRemainigDays.sh FQDN TCP-Port
For example, given we have internet access from the machine running the script:
root@ubuntu:/opt/vmware/epops/scripts# ./getSSLRemainigDays.sh www.vmware.com 443 65
The script tells us, that the SSL/TLS certificate used to secure the HTTPS access to www.vmware.com will expire in 65 days.
Implementation – Ep Ops Monitor Script
For every endpoint secured by SSL/TLS certificate we wish to check in vRealize Operations we need to create a Monitor Script as child object of the operating system object related to our End Point Operations agent as depicted in the following figure.
- Script name including the entire path
- Arguments including the FQDN and TCP port of the endpoint
The following picture shows a sample configuration to monitor the certificate used by my vIDM instance.
After the Monitor Script has been configured correctly and some collection cycle have been completed we should see the remaining days until the certificate expiries as “UTILIZATION | Result Value”.
Creating an appropriate dashboard has never been easier. vRealize Operations 7.5 comes with plenty new features. One of these is a re-worked scoreboard widget which allows us for example creating dashboards without the need of creating custom groups.
See both examples on how group internal and external certificates.
A very simple dashboard created that way might be enough to visualize the status of your SSL/TLS certificates helping you order new certificates on time.
As usual, you can create thresholds to color code the scoreboards to be alerted early enough to not end up with expired certificates.
Using the metric provided by the script, related symptoms can be created and used in alerts.
This is an example including a symptom set to be at warning level when the validity breaches 91 days.
<?xml version="1.0" encoding="UTF-8"?><alertContent> <AlertDefinitions> <AlertDefinition adapterKind="EP Ops Adapter" id="AlertDefinition-eca7b93f-fb84-47ba-a694-6ae1ca132e42" name="tkopton - Certificate expring" resourceKind="Script" subType="18" type="15"> <State severity="automatic"> <SymptomSet applyOn="self" operator="and" ref="SymptomDefinition-252cb3fa-0b28-47c4-86bc-65c2d87245e0"/> <Impact key="risk" type="badge"/> </State> </AlertDefinition> </AlertDefinitions> <SymptomDefinitions> <SymptomDefinition adapterKind="EP Ops Adapter" id="SymptomDefinition-252cb3fa-0b28-47c4-86bc-65c2d87245e0" name="tkopton-certificate expiring" resourceKind="Script"> <State severity="warning"> <Condition key="UTILIZATION|ResultValue" operator="<" thresholdType="static" type="metric" value="91.0" valueType="numeric"/> </State> </SymptomDefinition> </SymptomDefinitions> </alertContent>
Dashboard, Alert definition and the script can be found on VMware Code.