Technology Blogs by Members
former_member294677
On a dual-stack system, you can get certificate expiration notifications from a report via transaction SSF_ALERT_CERTEXPIRE. On a single stack (Java only), there don't seem to be many options.
Fortunately, in NWA under \Configuration\Connectivity\Single Service Administration we can filter for "keystore" and, under the WSDLs tab, get the URLs of a couple of useful web services related to this topic:
http://[host]:[port]/KeystoreService/KeystoreServiceApi
http://[host]:[port]/KeystoreHelp/basic/

Both of them remotely provide information on each certificate stored in the "Certificates and Keys" (/nwa/key-storage) section.
KeystoreService returns the following tags:

  • startDate, the "not before" attribute from validity section

  • endDate, the "not after" attribute from validity section. This is the one that will help you to identify expiring certificates.

  • viewName, keystore view where the certificate is stored

  • aliasName, the alias provided when it was added

  • serialNumber, arbitrary attribute assigned when the certificate is issued

  • sigAlgoName, friendly denomination of the algorithm used


KeystoreHelp provides:

  • keystoreView, the same as viewName above.

  • keystoreAlias, again the same as in the other web service. Along with viewName, it can be used to join both endpoints' results and combine them.

  • keystoreIssuerDN, the trust chain

  • keystoreSubjectDN, CN and org info.

  • isKey, boolean (true|false) reflecting whether this is an x509 or a p12.


To get the notifications, KeystoreService is enough. My approach to consuming it, on a VERY restricted Unix box (without even libxml2):
$ curl -X POST -H "Content-Type: text/xml" -H "Cache-Control: no-cache" -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:api="http://sap.com/aii/tpm/internal/api/">
<soapenv:Header/>
<soapenv:Body>
<api:GetKeystoreCertificates>
</api:GetKeystoreCertificates>
</soapenv:Body>
</soapenv:Envelope>' http://[host]:[port]/KeystoreService/KeystoreServiceApi > ./tmp.xml
$ echo "cat //KeystoreCertsList[ number(translate(substring( ./endDate, 0, 11), '-', '')) < $(date +"%Y%m%d" -d "+31 days") ]" | xmllint --shell ./tmp.xml | mailx -s "Certs expiring in 31 days" email@address.com
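
An alternative to the xmllint filter for hosts that have Python 3, added here as an example and not part of the original post: it applies the same "endDate before today + 31 days" test, but also separates already-expired entries and reports certificates whose endDate cannot be parsed. Only the tag names KeystoreCertsList, endDate, viewName and aliasName come from the post; the envelope layout, the namespaces and all sample values are constructed assumptions.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample: only the tag names come from the post; the envelope
# layout, namespaces and every value below are assumptions.
SAMPLE = """<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body>
<r:GetKeystoreCertificatesResponse xmlns:r="urn:constructed-example">
<KeystoreCertsList><viewName>TrustedCAs</viewName><aliasName>old-root</aliasName>
  <endDate>2025-01-10T00:00:00Z</endDate></KeystoreCertsList>
<KeystoreCertsList><viewName>service_ssl</viewName><aliasName>expired-ssl</aliasName>
  <endDate>2024-12-01T00:00:00Z</endDate></KeystoreCertsList>
<KeystoreCertsList><viewName>service_ssl</viewName><aliasName>fresh-ssl</aliasName>
  <endDate>2025-02-01T00:00:00Z</endDate></KeystoreCertsList>
<KeystoreCertsList><viewName>TrustedCAs</viewName><aliasName>broken</aliasName>
  <endDate>n/a</endDate></KeystoreCertsList>
</r:GetKeystoreCertificatesResponse></e:Body></e:Envelope>"""


def local(tag):
    """Strip an XML namespace so matching works whatever prefix the server uses."""
    return tag.rsplit("}", 1)[-1]


def expiring(xml_text, today, days=31):
    """List (days_left, viewName, aliasName) for certificates whose endDate is
    before today+days. Negative days_left = already expired; None = endDate
    missing or unparsable, reported rather than silently skipped."""
    limit = today + dt.timedelta(days=days)
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "KeystoreCertsList":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in el}
        where = (f.get("viewName", "?"), f.get("aliasName", "?"))
        try:
            # Assumes endDate starts with YYYY-MM-DD, as the xmllint filter does.
            end = dt.date.fromisoformat(f.get("endDate", "")[:10])
        except ValueError:
            hits.append((None, *where))
            continue
        if end < limit:  # same comparison as the xmllint filter
            hits.append(((end - today).days, *where))
    # Unparsable entries first, then the most overdue certificates.
    return sorted(hits, key=lambda h: (h[0] is not None, h[0] or 0))


if __name__ == "__main__":
    for days_left, view, alias in expiring(SAMPLE, dt.date(2025, 1, 1)):
        print(f"{view}/{alias}: {'BAD endDate' if days_left is None else days_left}")
```

To run it against the saved response, pass the contents of ./tmp.xml and `datetime.date.today()` to `expiring()`.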