Alarm on certificate expiration for an F5 LB model using a watch

Article ID: 273070

Products

DX NetOps

Issue/Introduction

We have a BigIP F5 Load Balancer model which has an attribute (sysCertificateFileObjectExpirationDate) that contains the expiration date for the certificates used in the device.

The idea is getting notified 30 days before the expiration date of any of the certificates.

How can we do that using a watch?

Environment

Release : 22.2

Cause

The sysCertificateFileObjectExpirationDate attribute contains the expiration date as a Unix epoch time, and the sysCertificateFileObjectName attribute contains the path to the certificate, which is more useful in the event than the instance ID alone.

Using the watch TIME function together with sysCertificateFileObjectExpirationDate, it is possible to obtain the number of days remaining before the certificate expires.

As both the attribute and the TIME function are expressed in Unix epoch seconds, the difference must be divided by 60*60*24 = 86400 to convert it from seconds to days.

To include the path to the certificate instead of just the instance ID in the event, apply the procedure described in the following knowledge document:

How to add additional instance information to an event created from an instance SpectroWatch in CA Spectrum


Resolution

1. Create the watch as follows:

The threshold is violated when the subtraction yields 30 days or less, and it is reset when the result is greater than 30 days.

Two events are required: one for when the threshold is violated, and a second one for when the threshold is reset.

If you only need an alarm when any of the certificates violates the threshold, you can stop here and, instead of selecting "Generate Event(s)" above, select "Generate Alarm".

The alarm you would get when any of the certificates is about to expire, or has already expired, would look as follows:


2. If you opt for "Generate Event(s)" instead of "Generate Alarm", the next step is creating the events.
    As sysCertificateFileObjectExpirationDate holds one instance per certificate, and the name of the certificate is stored in sysCertificateFileObjectName, you can apply the solution described in the knowledge document referenced above (How to add additional instance information to an event created from an instance SpectroWatch in CA Spectrum).

    The three events required will look as follows:

0xfff00000 E 0 P " CreateEventWithAttributes( { C CURRENT_MODEL }, { H 0xfff00001 }, SetEventAttribute( GetEventAttributeList(), { U 20 }, ReadAttributeInstance( { C CURRENT_MODEL }, { H 0x3b7250a }, GetEventAttribute( { U 8 } ))))"
0xfff00001 E 0 A 3,0xfff00001,U
0xfff00002 C 0xfff00001

The Event Message for 0xfff00001 would be as follows:

The threshold of instance {S 20} of watch {S 2} has been violated on behalf of model {m}.  The watch source value {S 7} {S 11}{S 6} the threshold reference value of {S 4}.

And the Type (Alarm Title) as follows:

The {S 20} certificate will expire in < 30 days

0xfff00002 is the clear event, so make sure this event clears event 0xfff00001.

The event IDs used in the above example may vary and will probably be different in your environment.

The alarm and event you will get using the above configuration will look as follows:
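To see the threshold and reset logic end to end, here is a small Python simulation of the watch (an added example, not Spectrum code and not from the article): it computes (sysCertificateFileObjectExpirationDate - TIME) / 86400 per instance, raises 0xfff00001 once a certificate is within 30 days or already expired, and raises the 0xfff00002 clear event when the instance goes back above the threshold. The certificate names, expiration timestamps and the fixed "now" are constructed sample values.

```python
"""Simulation of the certificate-expiry watch described above (added example, not Spectrum code)."""
from datetime import datetime, timezone

SECONDS_PER_DAY = 60 * 60 * 24   # 86400: converts epoch-second differences to days
THRESHOLD_DAYS = 30              # violated when days left <= 30, reset when > 30
EVENT_VIOLATED = 0xfff00001      # event raised on violation; carries the certificate name
EVENT_CLEARED = 0xfff00002       # clear event for 0xfff00001

# Constructed sample data standing in for the BigIP model, keyed by instance id:
# instance -> (sysCertificateFileObjectName, sysCertificateFileObjectExpirationDate as epoch).
NOW = int(datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp())  # plays the role of TIME
CERTS = {
    1: ("/Common/default.crt", NOW + 45 * SECONDS_PER_DAY),
    2: ("/Common/api.example.crt", NOW + 12 * SECONDS_PER_DAY),
    3: ("/Common/legacy.crt", NOW - 3 * SECONDS_PER_DAY),   # already expired
}

def days_until_expiry(expiration_epoch, now_epoch):
    """(sysCertificateFileObjectExpirationDate - TIME) / 86400; negative once expired."""
    return (expiration_epoch - now_epoch) / SECONDS_PER_DAY

def evaluate_watch(certs, now_epoch, violated=None):
    """One evaluation pass over every certificate instance.
    violated: instance ids already in the violated state, so a certificate raises
    0xfff00001 once and 0xfff00002 only when it recovers (e.g. after renewal).
    Returns (events, new_violated); an event is (code, instance, cert_name, days_left)."""
    violated = set(violated or ())
    events = []
    for inst, (name, expiration) in certs.items():
        days_left = days_until_expiry(expiration, now_epoch)
        if days_left <= THRESHOLD_DAYS and inst not in violated:
            violated.add(inst)
            events.append((EVENT_VIOLATED, inst, name, days_left))
        elif days_left > THRESHOLD_DAYS and inst in violated:
            violated.discard(inst)
            events.append((EVENT_CLEARED, inst, name, days_left))
    return events, violated

def alarm_title(event):
    """Alarm title in the article's form, with {S 20} replaced by the certificate path."""
    return "The %s certificate will expire in < %d days" % (event[2], THRESHOLD_DAYS)

if __name__ == "__main__":
    first, state = evaluate_watch(CERTS, NOW)
    for ev in first:
        print(hex(ev[0]), alarm_title(ev), "(%.1f days left)" % ev[3])
    renewed = dict(CERTS)
    renewed[2] = (CERTS[2][0], NOW + 400 * SECONDS_PER_DAY)  # renewed: next pass clears it
    print([hex(ev[0]) for ev in evaluate_watch(renewed, NOW, state)[0]])
```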


IMPORTANT!!!

After modifying the events, either through Event Configuration or by directly editing the $SPECROOT/custom/EventDisp file, make sure to update the event configuration:
VNM model > Information tab > SpectroSERVER Control, then click the "Update Event Configuration" button.

Additional Information