Layer7 API Management

Guidance for Monitoring Expiring Certificates for the API Gateway 

Jun 13, 2019 12:23 PM

The purpose of this article is to provide guidance for monitoring the expiration of certificates and identifying the policies that reference those expiring certificates. Attached is a sample policy that you can implement in your environment. These instructions have been tested on releases 9.2, 9.3 and 9.4.

A) SET UP THE TRUSTEDCERT CLUSTER WIDE PROPERTIES
1. Go to Tasks -> Global Settings -> Manage Cluster-Wide Properties
2. Click [Add]
3. Set the following CWPs as needed: 

    + trustedCert.expiryCheckPeriod

    + trustedCert.expiryFineAge

    + trustedCert.expiryInfoAge (number of days should be less than FINE)

    + trustedCert.expiryWarningAge (number of days should be less than FINE and INFO)

4. Add/Set the audit.detailThreshold CWP to FINE
5. Click [Close]

NOTE: If you are adding any of these cluster-wide properties for the first time, a restart of the gateway is required.

 

B) CREATE A STORED PASSWORD
1. Go to Tasks -> Certificates, Keys, Secrets -> Manage Stored Passwords
2. Click [Add]

    Name: cert

    Type: Password

    Password and Confirm Password: Use the gateway user's password

3. Click [OK]

 

C) CREATE A JDBC CONNECTION
1. Go to Tasks -> Data Source -> Manage JDBC Connections
2. Click [Add]

    Connection Name: Certificate Validation

    Driver Class: com.l7tech.jdbc.mysql.MySQLDriver

    JDBC URL: jdbc:l7tech:mysql://localhost:3306;DatabaseName=ssg OR jdbc:mysql://localhost:3306/ssg

    Username: gateway

    Password: ${secpass.cert.plaintext}

 

D) IMPORT THE EXPIRINGCERTS POLICY
1. Create a new policy called ExpiringCerts
2. Import ExpiringCerts.xml
3. On line 36, open the 'Send Email' assertion
    i) Edit the SMTP Properties and Email Properties as required
4. Click [Save and Activate]

 

E) CREATE AN AUDIT SINK POLICY
1. Go to Tasks -> Logging and Auditing -> Manage Log/Audit Sinks
2. Click [Manage Audit Sink]
    i) Check the 'Output audit records via audit sink policy' checkbox
    ii) Click [Configure]

    iii) Select the 'Create Custom Audit Sink and Lookup Policy' radio button
    iv) Click [OK]

3. Open the Internal Audit Sink Policy
    i) Enable the 'Request: Convert Audit Record to XML' assertion
    ii) Disable the 'Stop Processing' assertion
    iii) Add an 'At least one assertion must evaluate to true' folder
    iv) In the folder, add an 'Include Policy Fragment' assertion
    v) Select the ExpiringCerts policy
4. Click [Save and Activate]
NOTE: If you already have an existing Internal Audit Sink Policy, open the policy and start at step 6.

The email for the expiring certificates will look something like this:

##### EXPIRING CERTIFICATES #####

"devgateway,o=devuser,st=ny,c=us" will expire in 202.0 days
"sso.broadcom.com,ou=north america" will expire in 77.2 days
"testexpiry" will expire in 23.9 days
##################################

##### POLICIES WITH EXPIRING CERTS #####

"devgateway,o=devuser,st=ny,c=us" =
"sso.broadcom.com,ou=north america" = Policy for service #189b7e97d39a546681671719a7b39c90, digsign
"testexpiry" = Policy for service #95ca80d0fa249e7c0e64a94ab5042dd5, Echo2
##################################
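As an added example (not the attached ExpiringCerts.xml policy and not gateway code), the following Python script models the threshold ordering from section A and renders a report in the format of the sample email above. The mapping of each age window to an audit level, the sample subjects and the placeholder service id are assumptions.

```python
"""Added example, not the page's ExpiringCerts.xml policy: models the
trustedCert.expiry*Age thresholds from section A and renders the report
format of the sample email. Level-to-window mapping is an assumption."""
from datetime import datetime, timedelta, timezone

def validate_thresholds(fine: int, info: int, warning: int) -> None:
    """Enforce the ordering the page states: warning < info < fine (days)."""
    if not 0 < warning < info < fine:
        raise ValueError("expected expiryWarningAge < expiryInfoAge < "
                         f"expiryFineAge, got {warning}/{info}/{fine}")

def days_until(not_after: datetime, now: datetime) -> float:
    """Days remaining, rounded to one decimal as in the sample email."""
    return round((not_after - now) / timedelta(days=1), 1)

def classify(days_left: float, fine: int, info: int, warning: int):
    """Assumed: the most urgent window the cert has entered; None if outside all."""
    validate_thresholds(fine, info, warning)
    if days_left <= warning:
        return "WARNING"
    if days_left <= info:
        return "INFO"
    return "FINE" if days_left <= fine else None

def render_report(certs, policy_refs, now, fine, info, warning) -> str:
    """certs: {subject: not_after}; policy_refs: {subject: [policy names]}.
    Only certs inside the FINE window are listed, as in the sample email."""
    rows = [(s, days_until(na, now)) for s, na in certs.items()]
    rows = [(s, d) for s, d in rows if classify(d, fine, info, warning)]
    out = ["##### EXPIRING CERTIFICATES #####", ""]
    out += [f'"{s}" will expire in {d} days' for s, d in rows]
    out += ["##################################", "",
            "##### POLICIES WITH EXPIRING CERTS #####", ""]
    out += [f'"{s}" = {", ".join(policy_refs.get(s, []))}' for s, _ in rows]
    out.append("##################################")
    return "\n".join(out)

# Constructed sample data, not taken from a real gateway.
NOW = datetime(2019, 6, 13, tzinfo=timezone.utc)
SAMPLE_CERTS = {"testexpiry": NOW + timedelta(days=23.9),
                "sso.example.test,ou=north america": NOW + timedelta(days=77.2),
                "long-lived": NOW + timedelta(days=400)}
SAMPLE_REFS = {"testexpiry": ["Policy for service #PLACEHOLDER-ID, Echo2"]}

def sample_report() -> str:
    """Render the constructed sample with fine=180, info=90, warning=30 days."""
    return render_report(SAMPLE_CERTS, SAMPLE_REFS, NOW, fine=180, info=90, warning=30)
```

A certificate with no policy references renders with an empty right-hand side, matching the first line of the sample email's second section.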

Attachment: ExpiringCerts.xml (16 KB, 1 version), uploaded Jun 13, 2019

Comments

Jul 02, 2019 10:33 AM

Hi Sekar,

If you don't plan on setting the trustedCert.expiryFineAge CWP (which is not required), you don't have to adjust the audit.detailThreshold.

This particular policy leverages the audit_sink policy. If you aren't using it, then you cannot implement this solution.

Thanks, Jameela

Jun 28, 2019 03:52 PM

Hello Jameela

Thank you so much for the instructions. I have one question: do we need to set the audit threshold to FINE? We have a very high volume gateway, and we have disabled audit logs for performance reasons. Does this policy work if we keep the audit disabled?

Jun 27, 2019 03:35 PM

Hi Sekar,

Apologies. I'm not sure what happened but I edited this post and made sure the instructions were visible.

Thanks, Jameela

Jun 27, 2019 02:02 PM

Is there any documentation on how to use this policy? I created an empty API and uploaded the policy from your attachment, but I'm not sure how to use it. Please provide any documentation.
