Monitor expiring trusted certificate with schedule task on API Gateway

Article ID: 194152

Products

CA API Gateway API SECURITY

Issue/Introduction

There is a KB article: Generating Email Alerts for Expiring Trusted Certificates

In that article, the alert message is built from the audit message, which does not include the CN of the certificate. It only says "One or more certificate is going to expire soon".

This makes it hard for a system administrator to act on the alert when there are hundreds of trusted certificates.

Environment

Release : 9.4 CR1 and above

Component : API GATEWAY

Resolution

The new solution uses the /restman interface to load all the trusted certificates, then uses the Look Up Certificate assertion together with the Extract Attributes from Certificate assertion to obtain the expiry date of each one.

  • Sample policy:

The attached sample policy lists the certificates that have already expired or will expire within 30 days, together with their CN and expiry date.

It can be used as the policy of a service endpoint or of a scheduled task.

  • Sample output:

# curl http://localhost:8080/ccert

-------------------
CN=cert-test.sandbox.google.com,O=Google LLC,L=Mountain View,ST=California,C=US   
2019-10-27T17:31:57.000Z
-------------------
-------------------
CN=tmpkey01   
2020-07-10T04:20:21.000Z
-------------------
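The selection step the policy performs (compare each certificate's notAfter against a 30-day window and report the CN and expiry date in the layout shown above) as an added stand-alone example in Python, not the attached policy or gateway code. The per-certificate records are constructed here to mirror the sample output; the attribute names "subject" and "notAfter" are this example's own, not the gateway's context variable names.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the per-certificate attributes the policy collects
# (subject DN and notAfter). The first two mirror the page's sample output.
SAMPLE_CERTS = [
    {"subject": "CN=cert-test.sandbox.google.com,O=Google LLC,L=Mountain View,ST=California,C=US",
     "notAfter": "2019-10-27T17:31:57.000Z"},
    {"subject": "CN=tmpkey01", "notAfter": "2020-07-10T04:20:21.000Z"},
    {"subject": "CN=long-lived", "notAfter": "2030-01-01T00:00:00.000Z"},
]


def parse_utc(ts: str) -> datetime:
    """Parse the timestamp format seen in the gateway output (ISO-8601, ms, 'Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiring(certs, now: datetime, days: int = 30):
    """Return (subject, notAfter, days_left) for certificates that are already
    expired (days_left < 0) or expire within `days`, soonest first.
    A certificate whose notAfter equals the cutoff is included."""
    cutoff = now + timedelta(days=days)
    hits = []
    for c in certs:
        exp = parse_utc(c["notAfter"])
        if exp <= cutoff:
            # Whole days remaining; negative once the certificate has expired.
            hits.append((c["subject"], c["notAfter"], (exp - now).days))
    return sorted(hits, key=lambda h: parse_utc(h[1]))


def report(certs, now: datetime, days: int = 30) -> str:
    """Render the same block layout as the page's sample output, with a status line."""
    lines = []
    for subject, not_after, left in expiring(certs, now, days):
        status = "EXPIRED" if left < 0 else f"expires in {left} day(s)"
        lines += ["-------------------", subject, not_after, status, "-------------------"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CERTS, datetime.now(timezone.utc)))
```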

To run the policy as a scheduled task:

Only policy fragments of type "Policy-Backed Service Operation Policy Fragment" with the tag "com.l7tech.objectmodel.polback.BackgroundTask" are shown in the scheduled task policy drop-down. So if the policy is going to be used in a scheduled task, it needs to be created as a fragment with that type and tag. It can then be selected and scheduled to run.


Additional Information

https://knowledge.broadcom.com/external/article?articleId=57267

Attachments

1634767263115__certExpiry.xml