Forum Discussion
iCALL and Cert expiry dates
Hi, we have a number of LTMs with tons of certificates on them due to the huge number of services deployed. How could we "use/set up" iCALL so that we get alerted, let's say, 40 days in advance of the cert expiry dates for these services? We are running 11.4.1 HF4. We have looked around on DevCentral and the F5 site at large but can't seem to find anything specific to our needs.
Many Thanks in advance
John
2 Replies
- Arnaud_Lemaire
Employee
Hi, I'm currently working on it. I need to transform it into a periodic iCall and create the alerting.
You can trigger the event so far with generate sys icall event MY_EVENT and review the logs with tail -f /shared/tmp/scriptd.out
```tcl
sys icall handler triggered certificate_handler {
    script monitor_certificate
    subscriptions {
        sub1 {
            event-name MY_EVENT
        }
    }
}
sys icall script monitor_certificate {
    app-service none
    definition {
        set current_date [exec date +%s]
        # fake date to test
        set current_date 1634204740
        puts "date: $current_date"
        # date offset for 45 days : 45x24x60x60 = 3888000
        set date_offset 3888000
        set certificates [tmsh::get_config sys crypto cert]
        # iterate over every certificate object, not only the first one
        foreach certificate $certificates {
            puts "name: [tmsh::get_name $certificate]"
            set expiration [tmsh::get_field_value $certificate "expiration"]
            puts "expiration: $expiration"
            # convert the expiration string to Unix time
            set exp_unix [exec date --date=$expiration +%s]
            puts "exp unix: $exp_unix"
            if { ($exp_unix - $date_offset) < $current_date } {
                puts "cert warning"
            } else {
                puts "cert ok"
            }
        }
    }
    description none
    events none
}
```
- Arnaud_Lemaire
Employee
Here is the final code. The periodic handler calls the script every day. You can also activate the script with "generate sys icall event CHECK_CERT". If a cert is close to 45 days, a log will be sent to /var/log/ltm, which you can syslog to your supervision infrastructure.
```tcl
sys icall handler periodic certificate_periodic_handler {
    first-occurrence 2014-09-26:21:57:49
    interval 86400
    script monitor_certificate
}
sys icall handler triggered certificate_handler {
    script monitor_certificate
    subscriptions {
        sub1 {
            event-name CHECK_CERT
        }
    }
}
sys icall script monitor_certificate {
    app-service none
    definition {
        set current_date [exec date +%s]
        puts "date: $current_date"
        # date offset for 45 days : 45x24x60x60 = 3888000
        set date_offset 3888000
        foreach certificate [tmsh::get_config sys crypto cert] {
            set expiration [tmsh::get_field_value $certificate "expiration"]
            puts "expiration: $expiration"
            # convert the expiration string to Unix time
            set exp_unix [exec date --date=$expiration +%s]
            puts "exp unix: $exp_unix"
            set cert_name [tmsh::get_name $certificate]
            if { ($exp_unix - $date_offset) < $current_date } {
                puts "cert warning: $cert_name close to expiration date"
                # written to /var/log/ltm, from where it can be forwarded by syslog
                exec logger -p local0.notice "Certificate Warning: $cert_name close to expiration date"
            } else {
                puts "cert ok: $cert_name"
            }
        }
    }
    description none
    events none
}
```
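Because the periodic handler runs every day, each certificate inside the 45-day window produces the same warning line daily on every LTM that holds it. The following is an added example, not part of the original posts: a Python sketch for the syslog receiver that extracts the certificate name from the message text used by the `logger` call above and collapses the repeats per host and certificate. The syslog prefix in the sample lines, the host names and the certificate names are constructed assumptions.

```python
import re
from collections import defaultdict

# Message text emitted by the script's `logger` call on this page; the cert
# name is whatever tmsh::get_name returned, so match it non-greedily.
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"Certificate Warning: (?P<cert>.+?) close to expiration date\s*$"
)

# Constructed sample lines. The syslog prefix (timestamp, host, tag) is an
# assumption about how the forwarded /var/log/ltm lines look.
SAMPLE_LOG = """\
Sep 26 21:57:50 ltm-a notice root: Certificate Warning: www.example.com.crt close to expiration date
Sep 26 21:57:50 ltm-a notice root: Certificate Warning: api.example.com.crt close to expiration date
Sep 26 21:58:02 ltm-a info tmm[9876]: unrelated message
Sep 27 21:57:50 ltm-a notice root: Certificate Warning: www.example.com.crt close to expiration date
Sep 27 21:57:51 ltm-b notice root: Certificate Warning: www.example.com.crt close to expiration date
"""

def parse_warnings(lines):
    """Yield (timestamp, host, cert) for each certificate warning line."""
    for line in lines:
        m = WARNING_RE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("cert")

def summarize(lines):
    """Collapse the daily repeats into one record per (host, cert)."""
    seen = defaultdict(lambda: {"first_seen": None, "last_seen": None, "count": 0})
    for ts, host, cert in parse_warnings(lines):
        rec = seen[(host, cert)]
        rec["first_seen"] = rec["first_seen"] or ts
        rec["last_seen"] = ts
        rec["count"] += 1
    return dict(seen)

def new_alerts(previous_keys, lines):
    """Return (host, cert) pairs not alerted on before, sorted for stable output."""
    return sorted(set(summarize(lines)) - set(previous_keys))

if __name__ == "__main__":
    for (host, cert), rec in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{host} {cert}: first {rec['first_seen']}, seen {rec['count']}x")
```

Persisting the set of already-alerted pairs between runs lets `new_alerts` page someone only the first time a certificate enters the warning window.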