Solution

Background

The Gateway application checks the validity period of all stored trusted certificates. This check occurs each time the Gateway application initializes and every 12 hours after initialization. If a trusted certificate is allowed to expire then the Gateway will be unable to communicate via SSL/TLS with any server that uses that certificate. The Gateway has several increasingly severe audit messages it uses when a trusted certificate is about to expire:

• FINE severity audit
• INFO severity audit
• WARNING severity audit.

By default, these audits will be generated when a certificate is within 30 days, 7 days, or 2 days of expiration, respectively. This allows an administrator to configure the Gateway to use more severe audits as the trusted certificate nears expiration. These three time periods are configured with the following cluster-wide properties:

• trustedCert.expiryFineAge
• trustedCert.expiryInfoAge
• trustedCert.expiryWarningAge

The Gateway's check period (which defaults to 12 hours) can be configured with the trustedCert.expiryCheckPeriod cluster-wide property.

All supported versions of the CA API Gateway

Implementation

Audit messages will be generated when these thresholds are exceeded and these messages can be captured in the internal audit sink policy. By using the audit sink policy, an administrator can configure the Gateway to send an email alert or SNMP trap when a certificate expires.

The sample provided as an attachment to this article should be placed in a manner that will not result in the audit sink policy failing for other audit messages that do not correlated to trusted certificates. Ensure that the audit sink policy is tested extensively prior to deployment. The Send Email Alert assertion should be configured as required and is documented in the Layer 7 Policy Authoring User Manual.

Attachments:

• emailAlertForExpiringCertificates.xml