Skip to Content
Author's profile photo Emmanuel Galindo
Emmanuel Galindo
November 16, 2016 1 minute read

Certificate Expiration Notifications in Single Stack PI/PO

For getting Certificate Expiration Notifications at dual stack , you could get a report with transaction SSF_ALERT_CERTEXPIRE. But in single stack (java only) doesn’t seem to be many options.
Fortunately, on NWA \Configuration\Connectivity\Single Service Administration we can filter for “keystore” and, under WSDLs tab, get the urls couple of useful webservices related to this topic:
http://[host]:[port]/KeystoreService/KeystoreServiceApi
http://[host]:[port]/KeystoreHelp/basic/

Both of them remotely provides you information for each certificate stored at “Certificates and Keys” (/nwa/key-storage) section.
For KeystoreService, following tags

  • startDate, the “not before” attribute from validity section
  • endDate, the “not after” attribute from validity section. This is the one that will help you to identify expiring certificates.
  • viewName, keystore view where the certificate is stored
  • aliasName, the alias provided when it was added
  • serialNumber, arbitrary attribute during certificate issue
  • sigAlgoName, friendly denomitation of the algorithm used

For KeystoreHelp, it provides

  • keystoreView, the same as viewName as above.
  • keystoreAlias, again the same the other webservice. Along with viewName, it can be issues to join both endpoints results, and aggregate each other.
  • keystoreIssuerDN, the trust chain
  • keystoreSubjectDN, CN and org info.
  • isKey, boolean (true|false) reflecting if this is a x509 or a p12.

To get the notifications, KeystoreService is enough. My approach to consume this, in a VERY restricted unix box (w/out even libxml2):

$ curl -X POST -H "Content-Type: text/xml" -H "Cache-Control: no-cache" -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:api="http://sap.com/aii/tpm/internal/api/">
     <soapenv:Header/>
     <soapenv:Body>
        <api:GetKeystoreCertificates>
        </api:GetKeystoreCertificates>
     </soapenv:Body>
  </soapenv:Envelope>' http://[host]:[port]/KeystoreService/KeystoreServiceApi > ./tmp.xml
$  echo "cat //KeystoreCertsList[ number(translate(substring( ./endDate, 0, 11), '-', '')) < $(date +"%Y%m%d" -d "+31 days") ]" | xmllint --shell ./tmp.xml | mailx -s "Certs expiring in 31 days" email@address.com

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Hi Emmanuel,

       

      Great blog! Very Informative.

      I was trying to configure something similar in my system, however I noticed that I could see only the KeystoreView entry and not KeystoreService entry, any other settings that we need to do for KeystoreService to be displayed and used? Checked in some other systems too but it was the same, it had just KeystoreView.

       

      Thanks,

      Ridhima

      Author's profile photo Juan Pascuet
      Juan Pascuet

      Hi Emmanuel.

       

      I work with PI 7.1 but I don't find KeystoreServiceApi, just KeystoreHelp. Can you help me to find this service and download the wsdl?

       

      Regards