See www.zabbix.com for the official Zabbix site.

Java Keystore certificate monitoring

From Zabbix.org
Jump to: navigation, search


Note: Draft status


Summary

This template in connection with its user parameters can be used to monitor certificates in Java Keystores. It allows to query different attributes like Subject's Common name, Issuer's email address as well as validity or expiry information. Time left until expiry is calculated in a short interval based on the expiry date thus no real check has to happen frequently. Since the previously mentioned calculated item is used for most triggers, actions can take place at an early stage.

Certificates are discovered via Low-Level discovery. The number of discoverable certificates is limited by a configurable parameter. The discovery function returns not more than this number of the earliest expiring certificates. In case an Java Keystore alias has more than one certificate assigned (certificate chain), then the top most is considered.

This implementation uses one LLD rule per Java Keystore. To support multiple Java Keystores per host or template an optional ID can be passed. This makes the LLD rule itself unique and by that rule returnded LLD macros are extended by that ID as well to achieve uniqueness on LLD prototypes too. The provided XML configuration file consists only of one discovery rule for one Java Keystore. To add another keystore the following strings have to be replaced in the XML configuration file before import:

s/,1/,2/g
s/JKS1/JKS2/g
s/ALIAS1/ALIAS2/g
s/FILE1/FILE2/g
s/Jks1/Jks2/g
s/LIMIT1/LIMIT2/g
s/Keystore 1/Keystore 2/g
Note: This implementation was originally thought to cover multiple JKS by one LLD rule thus exists a LLD macro for the Java Keystore file. This approach took too long (exceeding the default timeout of 3 seconds) on multiple files with a lot of certificates. This will possibly be improved in the future. Currently it's probably still needed for the calculated item due to ZBX-2866

XML configuration file

File:Template Java Keystore certificate monitoring.xml

Preview

User macros

Java Keystore certificate UserMacros.png

Latest data
Note: Limit is set to 3, so not more than three certificates have been discovered

Java Keystore certificate LatestData.png

Triggers

Java Keystore certificate TriggerPrototypes.png

User parameters

#
# Zabbix User parameters for monitoring X509 certificates in JKS format
#

# Get subject attribute
# Key: x509.jks.subject[<keytool_path>,<jks_file>,<alias>,<attribute>]
#
# Example
#  Key: x509.jks.subject[/usr/java/default/bin,/opt/app/keystore.jks,exampleCert,CN]
#  Value: [t|www.example.com]
#
UserParameter=x509.jks.subject[*],'$1/keytool' -list -keystore '$2' -alias '$3' -rfc < /dev/null 2> /dev/null | /usr/bin/openssl x509 -noout -subject | /bin/sed -n 's%.*$4=\([^/]*\).*%\1%p'

# Get issuer attribute
# Key: x509.jks.issuer[<keytool_path>,<jks_file>,<alias>,<attribute>]
#
# Example
#  Key: x509.jks.issuer[/usr/java/default/bin,/opt/app/keystore.jks,exampleCert,OU]
#  Value: [t|Secure Server Certification Authority]
#
UserParameter=x509.jks.issuer[*],'$1/keytool' -list -keystore '$2' -alias '$3' -rfc < /dev/null 2> /dev/null | /usr/bin/openssl x509 -noout -issuer | /bin/sed -n 's%.*$4=\([^/]*\).*%\1%p'

# Get validity date
# Key: x509.jks.startdate[<keytool_path>,<jks_file>,<alias>]
#
# Example
#  Key: x509.jks.startdate[/usr/java/default/bin,/opt/app/keystore.jks,exampleCert]
#  Value: [u|1351148715]
#
UserParameter=x509.jks.startdate[*],D="$('$1/keytool' -list -keystore '$2' -alias '$3' -rfc < /dev/null 2> /dev/null | /usr/bin/openssl x509 -noout -startdate | /bin/cut -d= -f2)"; [[ "$D" ]] && /bin/date -ud "${D##*=}" +%s || echo 0

# Get expiration date
# Key: x509.jks.enddate[<keytool_path>,<jks_file>,<alias>]
#
# Example
#  Key: x509.jks.enddate[/usr/java/default/bin,/opt/app/keystore.jks,exampleCert]
#  Value: [u|1445771800]
#
UserParameter=x509.jks.enddate[*],D="$('$1/keytool' -list -keystore '$2' -alias '$3' -rfc < /dev/null 2> /dev/null | /usr/bin/openssl x509 -noout -enddate | /bin/cut -d= -f2)"; [[ "$D" ]] && /bin/date -ud "${D##*=}" +%s || echo 0

# Certificate discovery
# Key: x509.jks.discovery[<keytool_path>,<jks_file>,<limit>,<id>]
#
# Example
#  Key: x509.jks.discovery[/usr/java/default/bin,/opt/app/keystore.jks,1,3]
#  Value: [t|{"data":[{"{#FILE3}":"/opt/app/keystore.jks","{#ALIAS3}":"exampleCert"}]}]
#
UserParameter=x509.jks.discovery[*],'$1/keytool' -list -keystore '$2' --rfc < /dev/null 2> /dev/null | /usr/bin/awk -F ': ' '/^Alias/{n=$$2}/^-+BEGIN/,/^-+END/{x=x"\n"$$0}/^-+END/{"/usr/bin/openssl x509 -noout -enddate << _\n"x"\n_\n"|getline d;sub(".*=","",d);"/bin/date +%s -d\""d"\""|getline u;a[u,n]=n;x=""}END{asorti(a,s);printf "{\"data\":[";for(i=0;i<$3;){if(a[s[++i]]){printf c"{\"{#FILE$4}\":\"$2\",\"{#ALIAS$4}\":\""a[s[i]]"\"}";c=","}};printf "]}"}'