Certificate Expiration Notifications in Single Stack PI/PO
On a dual-stack system you can get a report of expiring certificates with transaction SSF_ALERT_CERTEXPIRE. On a single-stack (Java-only) system there do not seem to be many options.
Fortunately, in NWA under Configuration > Connectivity > Single Service Administration we can filter for "keystore" and, on the WSDLs tab, find the URLs of two web services that are useful for this: KeystoreService and KeystoreHelp.
Both of them return, remotely, information about every certificate stored in the "Certificates and Keys" section (/nwa/key-storage).
For KeystoreService, the relevant tags in each entry are:
- startDate, the "not before" attribute from the validity section
- endDate, the "not after" attribute from the validity section. This is the one that identifies expiring certificates.
- viewName, the keystore view where the certificate is stored
- aliasName, the alias given when the entry was added
- serialNumber, the serial number assigned by the issuing CA (unique per issuer, otherwise arbitrary)
- sigAlgoName, the friendly name of the signature algorithm
KeystoreHelp provides:
- keystoreView, the same as viewName above.
- keystoreAlias, the same as aliasName above. Together with the view name it is the key on which the results of both endpoints can be joined and aggregated.
- keystoreIssuerDN, the DN of the issuing CA, i.e. the next link up the trust chain.
- keystoreSubjectDN, the subject DN (CN and organisation info).
- isKey, boolean (true|false) telling whether the entry holds a private key (a key pair, e.g. imported from a PKCS#12 file) or only an X.509 certificate.
To get the notifications, KeystoreService is enough. My approach to consuming it on a very restricted Unix box (nothing beyond curl, xmllint and mailx available):

```shell
$ curl -X POST -H "Content-Type: text/xml" -H "Cache-Control: no-cache" \
    -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:api="http://sap.com/aii/tpm/internal/api/"><soapenv:Header/><soapenv:Body><api:GetKeystoreCertificates></api:GetKeystoreCertificates></soapenv:Body></soapenv:Envelope>' \
    http://[host]:[port]/KeystoreService/KeystoreServiceApi > ./tmp.xml
$ echo "cat //KeystoreCertsList[ number(translate(substring(./endDate, 1, 10), '-', '')) < $(date +%Y%m%d -d '+31 days') ]" \
    | xmllint --shell ./tmp.xml \
    | mailx -s "Certs expiring in 31 days" firstname.lastname@example.org
```

The XPath keeps the first ten characters of endDate (YYYY-MM-DD), drops the dashes and compares the resulting number with today plus 31 days, so any entry whose "not after" date falls inside that window is printed. A few things to keep in mind: substring() in XPath is 1-based, so the date is positions 1 to 10; date -d "+31 days" is GNU date syntax and will not work on BSD, AIX or Solaris without adjustment; xmllint --shell prints its prompt and separators along with the matches, and mailx sends the message even when no certificate matched, so check for matches first if you only want mail on hits; and if the endpoint requires authentication, add -u user:password and use an https URL so the credentials are not sent in clear.
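Where a scripting language is available, the same filter is easier to keep correct (time zones, already-expired entries, a readable report). The following is an added example, not the author's script: it assumes the response carries one KeystoreCertsList element per certificate with the child tags listed above and ISO 8601 dates, ignores XML namespaces by matching on local names, and assumes HTTP basic authentication on the endpoint. The sample response embedded in it is constructed, not a capture.

```python
"""Expiry check over a KeystoreService GetKeystoreCertificates response.

Added example, not the original post's script. Assumes one KeystoreCertsList
element per certificate with the child tags the post lists and ISO 8601 dates;
namespaces are ignored by matching on local names. SAMPLE_RESPONSE is constructed.
"""
import base64
import urllib.request
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Request body from the post, minified.
SOAP_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:api="http://sap.com/aii/tpm/internal/api/">'
    "<soapenv:Header/><soapenv:Body><api:GetKeystoreCertificates/>"
    "</soapenv:Body></soapenv:Envelope>"
)

# Constructed sample response: one valid, one expiring, one expired, one exactly on the boundary.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><ns1:GetKeystoreCertificatesResponse xmlns:ns1="http://sap.com/aii/tpm/internal/api/">
<KeystoreCertsList><viewName>TrustedCAs</viewName><aliasName>partner-ca</aliasName>
 <startDate>2020-01-01T00:00:00.000Z</startDate><endDate>2030-01-01T00:00:00.000Z</endDate>
 <serialNumber>1a2b</serialNumber><sigAlgoName>SHA256withRSA</sigAlgoName></KeystoreCertsList>
<KeystoreCertsList><viewName>service_ssl</viewName><aliasName>sign-key</aliasName>
 <startDate>2024-06-20T10:00:00.000+02:00</startDate><endDate>2025-06-20T10:00:00.000+02:00</endDate>
 <serialNumber>3c4d</serialNumber><sigAlgoName>SHA256withRSA</sigAlgoName></KeystoreCertsList>
<KeystoreCertsList><viewName>TrustedCAs</viewName><aliasName>old-partner</aliasName>
 <startDate>2023-05-15T00:00:00.000Z</startDate><endDate>2025-05-15T00:00:00.000Z</endDate>
 <serialNumber>5e6f</serialNumber><sigAlgoName>SHA1withRSA</sigAlgoName></KeystoreCertsList>
<KeystoreCertsList><viewName>TrustedCAs</viewName><aliasName>boundary</aliasName>
 <startDate>2024-07-02T00:00:00.000Z</startDate><endDate>2025-07-02T00:00:00.000Z</endDate>
 <serialNumber>7a8b</serialNumber><sigAlgoName>SHA256withRSA</sigAlgoName></KeystoreCertsList>
</ns1:GetKeystoreCertificatesResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Fixed "now" matching the constructed data, so the demo output is reproducible.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _local(tag):
    """Strip a {namespace} prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_date(text):
    """Parse an ISO 8601 value; 'Z' is rewritten to +00:00 so fromisoformat accepts
    it on Python < 3.11, and a value without offset is taken as UTC."""
    s = text.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expiring_certs(xml_text, within_days=31, now=None):
    """Entries whose endDate is before now + within_days, oldest first. Already
    expired entries are kept (negative days_left) rather than silently dropped."""
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=within_days)
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "KeystoreCertsList":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        end = parse_date(f["endDate"])
        if end < cutoff:  # same strict comparison as the XPath filter
            found.append({"view": f.get("viewName", ""), "alias": f.get("aliasName", ""),
                          "serial": f.get("serialNumber", ""), "sig_alg": f.get("sigAlgoName", ""),
                          "end_date": end, "days_left": (end - now).days, "expired": end < now})
    found.sort(key=lambda e: e["end_date"])
    return found


def format_report(entries):
    """One line per entry, suitable for piping into mailx."""
    if not entries:
        return "no certificates expiring in the window"
    lines = []
    for e in entries:
        state = "EXPIRED" if e["expired"] else "expires in %d days" % e["days_left"]
        lines.append("%s/%s  %s  %s  serial=%s  %s" % (
            e["view"], e["alias"], e["end_date"].strftime("%Y-%m-%d"), state, e["serial"], e["sig_alg"]))
    return "\n".join(lines)


def fetch_certificates(url, user, password, timeout=30):
    """POST the SOAP request and return the body. Basic auth is an assumption of
    this example; use an https URL so the credentials are not sent in clear."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, data=SOAP_REQUEST.encode(), method="POST",
                                 headers={"Content-Type": "text/xml", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo on the constructed response; use fetch_certificates(...) against a live system.
    print(format_report(expiring_certs(SAMPLE_RESPONSE, 31, REFERENCE_NOW)))
```

Against the constructed data the report lists old-partner as EXPIRED and sign-key as expiring in 19 days; partner-ca is far in the future and boundary sits exactly 31 days out, so the strict comparison leaves it out, which is the same behaviour as the XPath filter above.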