Forum Discussion

MSurfer_152388
Sep 26, 2014

iCALL and Cert expiry dates

Hi, we have a number of LTMs with tons of certificates on them due to the huge number of services deployed. How could we "use/set up" iCall so that we get alerted, let's say, 40 days in advance of the cert expiry dates for these services? We are running 11.4.1 HF4. We have looked around on DevCentral and the F5 site at large but can't seem to find anything specific to our needs.

 

Many Thanks in advance

 

John

 

2 Replies

  • Hi, I'm currently working on it. I still need to turn it into a periodic iCall and create the alerting.

    So far you can trigger the event with "generate sys icall event MY_EVENT" and review the logs with "tail -f /shared/tmp/scriptd.out".

    sys icall handler triggered certificate_handler {
        script monitor_certificate
        subscriptions {
            sub1 {
                event-name MY_EVENT
            }
        }
    }
    sys icall script monitor_certificate {
        app-service none
        definition {
            set current_date [exec date +%s]
            # fake date to test
            set current_date 1634204740
            puts "date: $current_date"
            # date offset for 45 days : 45x24x60x60 = 3888000
            set date_offset 3888000
            foreach certificate [tmsh::get_config sys crypto cert] {
                # name of the certificate being checked
                puts "[tmsh::get_name $certificate]"
                set expiration [tmsh::get_field_value $certificate "expiration"]
                puts "expiration: $expiration"
                # convert the expiration string to epoch seconds
                set exp_unix [exec date --date=$expiration +%s]
                puts "exp unix: $exp_unix"
                # warn when expiry falls inside the 45-day window
                if { ($exp_unix - $date_offset) < $current_date } {
                    puts "cert warning"
                } else {
                    puts "cert ok"
                }
            }
        }
        description none
        events none
    }
    
  • Here is the final code. The periodic handler calls the script every day. You can also activate the script with "generate sys icall event CHECK_CERT". If a cert is close to 45 days, a log will be sent to /var/log/ltm, which you can syslog to your supervision infrastructure.

     

    sys icall handler periodic certificate_periodic_handler {
        first-occurrence 2014-09-26:21:57:49
        interval 86400
        script monitor_certificate
    }
    sys icall handler triggered certificate_handler {
        script monitor_certificate
        subscriptions {
            sub1 {
                event-name CHECK_CERT
            }
        }
    }
    sys icall script monitor_certificate {
        app-service none
        definition {
            set current_date [exec date +%s]
            puts "date: $current_date"
            # date offset for 45 days : 45x24x60x60 = 3888000
            set date_offset 3888000
            foreach certificate [tmsh::get_config sys crypto cert] {
                set expiration [tmsh::get_field_value $certificate "expiration"]
                puts "expiration: $expiration"
                # convert the expiration string to epoch seconds
                set exp_unix [exec date --date=$expiration +%s]
                puts "exp unix: $exp_unix"
                set cert_name [tmsh::get_name $certificate]
                # warn when expiry falls inside the 45-day window
                if { ($exp_unix - $date_offset) < $current_date } {
                    puts "cert warning: $cert_name close to expiration date"
                    exec logger -p local0.notice "Certificate Warning: $cert_name close to expiration date"
                } else {
                    puts "cert ok: $cert_name"
                }
            }
        }
        description none
        events none
    }
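An added example, not part of either reply: the threshold check from the script above as a standalone Tcl proc that also separates already-expired certificates from expiring ones and keeps going when one expiration string cannot be parsed. The proc name classify_cert, the sample records and the fixed "now" are constructed for illustration; it assumes tclsh and GNU date, and uses the 40-day window from the question.

```tcl
# Added example (not the poster's code). classify_cert is a hypothetical helper.
# Returns a two-element list: {level message}.
proc classify_cert {name expiration now warn_days} {
    # Same conversion as the thread's script. catch stops one unparsable
    # date from aborting the run and leaving later certificates unchecked.
    if {[catch {exec date --date=$expiration +%s} exp_unix]} {
        return [list unknown "$name: cannot parse expiration '$expiration'"]
    }
    if {$exp_unix <= $now} {
        return [list expired "$name: already expired ($expiration)"]
    }
    set seconds_left [expr {$exp_unix - $now}]
    set days_left    [expr {$seconds_left / 86400}]
    if {$seconds_left < $warn_days * 86400} {
        return [list warning "$name: expires in $days_left day(s)"]
    }
    return [list ok "$name: $days_left day(s) left"]
}

# Constructed sample data: {name expiration-string} pairs standing in for
# what tmsh::get_name and tmsh::get_field_value return inside iCall.
set samples {
    {web.example.crt "Oct 20 12:00:00 2014 GMT"}
    {api.example.crt "Sep 26 00:00:00 2016 GMT"}
    {old.example.crt "Jan 1 00:00:00 2014 GMT"}
    {bad.example.crt "not-a-date"}
}

# Fixed "now" so the sample output is reproducible; a live script would use
# [exec date +%s] as in the thread.
set now [exec date "--date=Sep 26 00:00:00 2014 GMT" +%s]

foreach rec $samples {
    lassign $rec name expiration
    lassign [classify_cert $name $expiration $now 40] level msg
    # In the iCall script, anything other than "ok" is what would be passed
    # to "exec logger -p local0.notice ..." as the reply above does.
    puts "$level: $msg"
}
```

With the constructed data this reports one warning, one ok, one expired and one unknown entry, so an unreadable or long-expired certificate shows up in the log instead of being silently treated like the rest.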