Skip to Content

For getting Certificate Expiration Notifications at dual stack , you could get a report with transaction SSF_ALERT_CERTEXPIRE. But in single stack (java only) doesn’t seem to be many options.
Fortunately, on NWA \Configuration\Connectivity\Single Service Administration we can filter for “keystore” and, under WSDLs tab, get the urls couple of useful webservices related to this topic:
http://[host]:[port]/KeystoreService/KeystoreServiceApi
http://[host]:[port]/KeystoreHelp/basic/

Both of them remotely provides you information for each certificate stored at “Certificates and Keys” (/nwa/key-storage) section.
For KeystoreService, following tags

  • startDate, the “not before” attribute from validity section
  • endDate, the “not after” attribute from validity section. This is the one that will help you to identify expiring certificates.
  • viewName, keystore view where the certificate is stored
  • aliasName, the alias provided when it was added
  • serialNumber, arbitrary attribute during certificate issue
  • sigAlgoName, friendly denomitation of the algorithm used

For KeystoreHelp, it provides

  • keystoreView, the same as viewName as above.
  • keystoreAlias, again the same the other webservice. Along with viewName, it can be issues to join both endpoints results, and aggregate each other.
  • keystoreIssuerDN, the trust chain
  • keystoreSubjectDN, CN and org info.
  • isKey, boolean (true|false) reflecting if this is a x509 or a p12.

To get the notifications, KeystoreService is enough. My approach to consume this, in a VERY restricted unix box (w/out even libxml2):

$ curl -X POST -H "Content-Type: text/xml" -H "Cache-Control: no-cache" -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:api="http://sap.com/aii/tpm/internal/api/">
     <soapenv:Header/>
     <soapenv:Body>
        <api:GetKeystoreCertificates>
        </api:GetKeystoreCertificates>
     </soapenv:Body>
  </soapenv:Envelope>' http://[host]:[port]/KeystoreService/KeystoreServiceApi > ./tmp.xml
$  echo "cat //KeystoreCertsList[ number(translate(substring( ./endDate, 0, 11), '-', '')) < $(date +"%Y%m%d" -d "+31 days") ]" | xmllint --shell ./tmp.xml | mailx -s "Certs expiring in 31 days" email@address.com
To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

  1. ridhima radhakrishnan

    Hi Emmanuel,

     

    Great blog! Very Informative.

    I was trying to configure something similar in my system, however I noticed that I could see only the KeystoreView entry and not KeystoreService entry, any other settings that we need to do for KeystoreService to be displayed and used? Checked in some other systems too but it was the same, it had just KeystoreView.

     

    Thanks,

    Ridhima

    (0) 

Leave a Reply