Monitoring SSL certificates using SCOM and PS(.net)
My first blog entry, so forgive the formality and the spelling mistakes =P
So I was visiting a regular customer of mine who was repeating an old story like many of you have heard before. It goes like: our SSL certificate on a web site had expired and we had to experience downtime along with many unhappy customers.
While we were talking a question came up: isn't it possible to monitor SSL certificates using SCOM? And my first response was yeah, sure it's possible. Hmmmm.... that's odd... why haven't you told us about it, and why didn't we get any alerts before we started to have problems? And I was sitting there nodding like crazy and thinking, why didn't I do this?
So this started the whole procedure where I started to look at SCOM as a monitoring device for SSL certificates. Now I see a lot of you guys going BOoooooring.... you're going to serve us some shitty idea where you used synthetic transactions or URL monitoring, right? NNNNNNoOooo I am not. Let's define the criteria for the requirement before we proceed.
Requirement:
We want to be able to monitor SSL certificates remotely and get informed 15-20 days prior to certificate expiration, so that the certificates can be renewed and redistributed before the current certificates expire. We also want to get rid of the Excel sheet where we enter all our certificate information and maintain it manually.
Additional requirements? Hmmm, we already have SCOM, so it would be great to reuse it to generate alerts and notifications.
So now that the criteria have been defined, let's get started with the proposed solution, shall we?
Solution:
So the idea was to create a PowerShell (PS) script which checks the certificates and reports when a certificate is about to expire and when it has expired. The PS script does not create the alerts itself; it just writes events to the Windows event log, which are then picked up by SCOM, which is responsible for the alert generation.
This blog has been moved to https://zeglory.com/ssl-monitoring-using-scom-with-powershell-and-dot-net-net-sealed-mp/ The mentioned MP is available to download along with description. Please visit!
SCOM elements:
From the SCOM perspective there are two requirements. The first one is obvious: you need a working SCOM environment. The other one is that the RMS, or in SCOM 2012 the MS, must be able to reach the destination server/client hosting the website over http/https. I shall assume at this point that we are not talking about ports and firewall configuration, as you guys are already experts in these fields.
By the way, I created a management pack in the Authoring Console, where I defined a couple of rules and monitors. I shall be uploading the management pack as well, but for now I am just describing the solution and providing the PS script. So, on the management server, a folder structure is created on the root of the system drive. There a simple CSV file is created which contains the site address/URL and the port number. Both a URL and an IP address can be used; the script also checks the syntax, or rather the formatting, of the CSV file. If there are errors present, an alert showing the line number and the data on that line is raised.
As you can see in the script below, I have just chosen some random event IDs starting from 65001, as I have never seen them being used by any application or a bright programmer. You can choose your own; the Filepath and EventSource can also be changed as you wish.
The PS script is run as a scheduled task on the management server. I have added it in the management pack, but it can also be created as a regular scheduled task. The management pack also checks that the script has been run at least once during the last 24 hours. Feel free to make any changes/improvements to the script and to comment.
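The post's own script (further down) is cut off before the part that actually talks to the web servers. As an added example, not the blog's script, the following shows the whole check end to end the way the post describes it: read the host,port CSV, report formatting errors with their line number, fetch each server's certificate with .NET, classify it by days to expiry, and write the event IDs from the post so SCOM can pick them up. It assumes the CSV has no header and one "host,port" pair per line, a warning window of 20 days, and the file path and event source from the post; the function names (Write-CertEvent, Read-ServerList, Get-RemoteCertificate, Get-CertificateStatus) are mine.

```powershell
# Added example (not the blog's script). Assumed: CSV lines are "host,port" with no
# header, warning window of 20 days, event IDs and event source as given in the post.
$Filepath    = "C:\serverlist\MonitoredServers.csv"   # same path as in the post
$EventSource = "Certificate_Monitoring"
$WarnDays    = 20                                      # requirement: alert 15-20 days before expiry

function Write-CertEvent {
    param([int]$Type, [string]$Message, [int]$EventID)   # Type: 1 error, 2 warning, 3 information
    # The source has to exist before the first write; creating it needs admin rights once
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        [System.Diagnostics.EventLog]::CreateEventSource($EventSource, "Application")
    }
    $entryType = switch ($Type) {
        1       { [System.Diagnostics.EventLogEntryType]::Error }
        2       { [System.Diagnostics.EventLogEntryType]::Warning }
        default { [System.Diagnostics.EventLogEntryType]::Information }
    }
    [System.Diagnostics.EventLog]::WriteEntry($EventSource, $Message, $entryType, $EventID)
}

function Read-ServerList {
    param([string]$Path)
    $entries = @()
    $lineNo  = 0
    foreach ($line in (Get-Content -Path $Path)) {
        $lineNo++
        if ($line.Trim() -eq "") { continue }
        $parts = $line.Split(",")
        # Reject anything that is not "host,port" with a numeric port in range and
        # report the line number and its content, as the post's event 65003 does
        if ($parts.Count -ne 2 -or $parts[0].Trim() -eq "" -or
            $parts[1].Trim() -notmatch '^\d{1,5}$' -or [int]$parts[1].Trim() -gt 65535) {
            Write-CertEvent 1 ("CSV format error on line " + $lineNo + ": " + $line) 65003
            continue
        }
        $entries += New-Object PSObject -Property @{ Host = $parts[0].Trim(); Port = [int]$parts[1].Trim() }
    }
    if ($entries.Count -eq 0) { Write-CertEvent 2 ("No valid entries in " + $Path) 65002 }
    return $entries
}

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept the certificate whatever its validation result: this probe must be able
        # to read an expired or mismatched certificate in order to report on it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate; the stream's own instance goes away when the stream is closed
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $cert
    }
    finally {
        $client.Close()
    }
}

function Get-CertificateStatus {
    param($Cert, [int]$WarnDays, [datetime]$Now = (Get-Date))
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0)             { $type = 1; $id = 65020 }   # expired         -> error
    elseif ($daysLeft -le $WarnDays) { $type = 2; $id = 65021 }   # about to expire -> warning
    else                             { $type = 3; $id = 65022 }   # OK              -> information
    return New-Object PSObject -Property @{ Type = $type; EventID = $id; DaysLeft = $daysLeft }
}

if (-not (Test-Path -Path $Filepath)) {
    Write-CertEvent 2 ("File not found: " + $Filepath) 65001
    exit 1
}
foreach ($entry in Read-ServerList -Path $Filepath) {
    try {
        $cert   = Get-RemoteCertificate -HostName $entry.Host -Port $entry.Port
        $status = Get-CertificateStatus -Cert $cert -WarnDays $WarnDays
        $msg = "{0}:{1} subject={2} expires={3:yyyy-MM-dd} daysLeft={4}" -f $entry.Host, $entry.Port, $cert.Subject, $cert.NotAfter, $status.DaysLeft
        Write-CertEvent $status.Type $msg $status.EventID
    }
    catch {
        # Name not resolvable, host unreachable, or the TLS handshake failed
        Write-CertEvent 1 ("Could not connect to " + $entry.Host + ":" + $entry.Port + " - " + $_.Exception.Message) 65010
    }
}
# Heartbeat the management pack can watch to confirm the script ran within the last 24 hours
Write-CertEvent 3 ("Certificate check finished at " + (Get-Date -Format s)) 65030
```

Two points worth noting. The validation callback returning $true is deliberate and only acceptable in a monitoring probe: the whole point is to read a certificate that has already expired or does not match the name, which a normal client would (and should) refuse; do not reuse that callback in anything that carries real traffic. And because the script logs one event per host on every run, the SCOM side should use the event ID (65020/65021) as the trigger and the message text for the alert description, which is what the post's rules do.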
PS script:
So the script looks something like this
#Define constants
$Filepath = "C:\serverlist\MonitoredServers.csv"
$EventSource = "Certificate_Monitoring"
# EventID definition:
# EventID 65001 = CSV file not found - Warning (2)
# EventID 65002 = CSV file is empty - Warning (2)
# EventID 65003 = CSV file contains errors - Error (1)
# EventID 65010 = Could not connect to host or find host
# EventID 65020 = Certificate Expired
# EventID 65021 = Certificate about to expire
# EventID 65022 = Certificate OK
# EventID 65030 = Last runtime for this script
#******************************************************************************
function checkCsvFile ##Checks for existence of CSV file
{
    Param()
    if (!(Test-Path -path $Filepath))
    {
        $msg = "File not found: " + $Filepath
        $bcheckCsvFile = $false
        createEventlogObj 2 $msg 65001 #CSV File not found!
    }
    else
    {
        $bcheckCsvFile = $true
    }
    return $bcheckCsvFile
}# function checkCsvFile ends here
function createEventlogObj ##Creates an instance of EventLog and writes the event to the Application log
{
    param ($inputEventType,$OutputMessage,$EventID) #Can be 1 for error and 2 for warning and 3 for information!
    #Should take a parameter which assigns Information(3),warning(2) or error(1)
    #The event source must be registered before the first write (needs admin rights once)
    if (!([System.Diagnostics.EventLog]::SourceExists($EventSource)))
    {
        [System.Diagnostics.EventLog]::CreateEventSource($EventSource, "Application")
    }
    $EventLog=new-object System.Diagnostics.EventLog("Application")
    $EventLog.Source= $EventSource #Use the source defined at the top so SCOM can filter on it
    $Information=[System.Diagnostics.EventLogEntryType]::Information
    $Warning=[System.Diagnostics.EventLogEntryType]::Warning
    $ErrorType=[System.Diagnostics.EventLogEntryType]::Error #$Error is a read-only automatic variable, so use another name
    if ($inputEventType -eq 1)
    {
        $Severity = $ErrorType
        $EventLog.WriteEntry($OutputMessage,$Severity,$EventID)
    }
    elseif($inputEventType -eq 2)
    {
        $Severity = $Warning
        $EventLog.WriteEntry($OutputMessage,$Severity,$EventID)
    }
    elseif($inputEventType -eq 3)
    {
        $Severity = $Information
        $EventLog.WriteEntry($OutputMessage,$Severity,$EventID)
    }
}# function createEventlogObj ends here
.........................
to get the complete script visit https://zeglory.com/ssl-monitoring-using-scom-with-powershell-and-dot-net-net-sealed-mp/
#****************************Script ends***********************************
I shall be adding a couple of pictures showing how this script is used in production, as well as the MP which creates the alerts in SCOM. I just need to figure out how to post them. Still my first blog post, remember?
MP available at: https://zeglory.com/ssl-monitoring-using-scom-with-powershell-and-dot-net-net-sealed-mp/
So here come the pictures as promised........
Picture (not reproduced here): the location of the files, which can be changed in the PS script.
Picture (not reproduced here): contents of the CSV file.
Picture (not reproduced here): alerts that are generated in the SCOM console.
Picture (not reproduced here): events that are generated in the Application log.
I see that people are still visiting this blog and finding it useful. I do not have the XML file available, but I have some screenshots that describe the process for creating the MP. You can also create the MP in the Authoring section of the SCOM console; however, I would strongly recommend installing the SCOM Authoring Console. The reason is quite simple: when you create anything within the SCOM console using the Authoring pane, you are creating objects based on other objects, which inherit the properties of their parent objects. This is not necessarily what you want or intend to do. By creating the rules in a dedicated management pack, you can start with a base object and limit the targeting. Anyways, here comes the write-up.
Depending on where you start (I am assuming you are going to the Authoring Console), we will be creating rules and monitors. Remember the main difference: a monitor only alerts when there are state changes, while a rule will generate an alert each time the rule runs.
Great collection of knowledge here with regard to guides, even though most of the time I tend to get my SSL certificate consultants to do the work for me. Considering how much it costs to get those guys to do my work for me, I'd very much like to be able to do it myself, thanks =)
Hi Edwin,
Thanks for your comment. It's just like what you are saying: when you already have invested in a product like (in this case) SCOM 2007 or 2012, why bother wasting money on other products when you can get the same and even better functionality from your already implemented monitoring infrastructure? Glad that this helped you. I shall also be posting a new post with an updated management pack so that it can just be downloaded for use. Cheers.
Hi Shan, Thanks for the post. Have you had a chance to update the management pack?
Hi Shan,
This is what I was looking for, as all the certs are on a load balancer.
Where can I download this MP?
Thanks
Dilip
Hi Shan,
Is it possible to share the MP with us, since we are also looking for the same solution?
Will try this out today. Thx
Hi guys, thanks for visiting my blog and still using it. I have uploaded the MP to my new blog, where I will be publishing new posts at least twice a month with entire solutions. So please visit https://zeglory.com/ssl-monitoring-using-scom-with-powershell-and-dot-net-net-sealed-mp/ The mentioned MP is available to download along with description.