Skip to Content

SAP Cloud Platform Integration – Automated Notification of Keystore Entries Reaching Expiry

Introduction

CPI Keystore Monitor allows a tenant administrator to manage the tenant keystore and its entries. A keystore contains entries uniquely identified by an alias where each entry has its own lifecycle. Renewal of an entry is important task to be done before expiry, else it will lead to message failure for productive scenarios using specific certificates/key-pairs entries. The tenant administrator can be notified for those entries which are about to expire, so that he can take in-time actions for renewal of the same.

Within keystore monitor, expired keys and certificates are highlighted showing expiration date. In addition, an Integration Flow can be modeled to get notifications via mail for entries reaching their expiry. This document provides steps to model a scenario triggered via scheduler which looks across all entries of the tenant keystore and sends a mail with information about those entries reaching their expiry.

Scenario Description

Cloud Integration provides various REST APIs with technical protocol as Open Data Protocol (OData) with which you can access data. These APIs can be consumed via https://<tmnUrl>/api/v1 where <tmn> is the address of the tenant management node. Here we will use API for accessing keystore entries via https://<tmnUrl>/api/v1/KeystoreEntries .Overall scenario looks as below:

Create an integration flow with Start Timer Event. Using Request-Reply step call OData APIs to fetch details of the tenant keystore entries via OData receiver channel. Fetch Alias Name and ValidNotAfter for entity KeystoreEntries. Below find the configuration of OData Receiver channel:

Make sure the Page Size field value is null since entries in a keystore are not so many in numbers.

The response of the OData call will be a file containing all keystore entries with their Alias & Validity date. Now add a General Splitter step to split using XPath /KeystoreEntries/KeystoreEntry and pass split entries to a Local Integration Process.

In Local Integration Process, define a Content Modifier and store the values of keystore entry Alias and Validity Time in a header.

Additionally, add a message containing Alias & Validity Time information about keystore entry in body of Content Modifier. This message will be send via mail notification. You can choose to customize this information as per your need.

Now add a script to fetch Validity Time from header and compare with current date. Output of script shall be number of days left for Keystore entry to expire. You can find a sample code below:

     def map = message.getHeaders();

     String getCertExpirydate = map.get(“CertExpiryDate”);

     Date CertExpirydate = new SimpleDateFormat(“yyyy-MM-dd“).parse(getCertExpirydate);

     Date dateNow = new Date(System.currentTimeMillis());

     long dateDiff = CertExpirydate.getTime() – dateNow.getTime();

     def daysToExpire = TimeUnit.DAYS.convert(dateDiff, TimeUnit.MILLISECONDS);

     message.setHeader(“daysToExpire”, daysToExpire);

Add a router step to route those entries whose expiry is in less than defined number of days (e.g. daysToExpire < 4) and send an email to specific participants informing them about the expiry.

21 Comments
You must be Logged on to comment or reply to a post.
  • Hello
    Thanks a lot for your blog. it’s perfect.
    I have created the package, deploy.. and everything is green.. But I don’t receive any email with the alert…
    How can I verify in which part is not working properly?

  • Hello Amar

    Thanks for you helping.
    I have obtained the error in Content Modifier

    Error Details
    org.apache.camel.CamelExecutionException: Exception occurred during execution on the exchange: Exchange[ID-vsa5107462-40927-1541369381630-22-5], cause: org.apache.camel.language.simple.types.SimpleParserException: expected symbol functionEnd but was eol

    What does it mean?. any idea?
    Thanks

    •  

      Hello Toni

      Seems some issue with conversion. Can you recheck Header configuration in Content Modifier step and you are using right Type for Header defined as well as body is correct.

       

      Thanks

      Amar

  • Hello Amar,

    Now, I have problems with script:

    Error Details
    javax.script.ScriptException: org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed: script__Script.groovy: 5: unable to resolve class SimpleDateFormat @ line 5, column 28. Date CertExpirydate = new SimpleDateFormat(���yyyy-MM-dd���).parse(getCertExpirydate)
    Somehting is wrong
    Thanks
    • Hello Toni

      Kindly confirm if you copied the script code from above blog and pasted it. If this is the case, copy/paste sometime changes format for special characters and they are no more recognized during runtime when corresponding jars are created.

      Kindly write that specific line of code and recheck.

       

      Thanks

      Amar

       

  • Hello Amar,

     

    No I have obtained an other error, in my script:

    javax.script.ScriptException: groovy.lang.MissingPropertyException: No such property: message for class: new__Script, cause: groovy.lang.MissingPropertyException: No such property: message for class: new__Script

     

    What does it means?

    Thanks

    Best regards

    •  

      Hello Hilmar

      Do you mean any Where-Used list for certificates/Keystore entires from the entire set. In case yes, this is not possible as of now.

      Feel free to file your request to Mandy Krimmel regarding the same.

       

      Warm Regards

      Amar

    • Hello Swati

      The Content Modifier used in Local integration process is to read each Certificate/Keypair and store the same in header/property. In addition use this to create body of the mail being sent to Administrator so that Administrator easily know which entry is reaching expiry and accordingly take appropriate actions for renewal of the same.

       

      Amar

    • Hello Anil

      You would need AuthGroup.Administrator role on the tenant to call the APIs or deploy a credential with a user having this role and then use this credential in your flow.

       

      Thanks

      Amar

  • Hi Amar,

    Thank you for your helpful blog, everything working fine for me. Right now with the above approach i am getting four mails if there are four items expires in same date. I am looking to send only one mail for all four expire items. Can i achieve this with help of Gather with splitter ? or can you suggest what would better approach.

    Thanks,

    Swati

    • Hello Swati

      Straight forward using Gather & Join would not be enough since Gather is meant for collecting data coming from multiple routes.

      Easiest would be store/append certificate in SFTP and then have another flow which pulls data from SFTP and send it collectively to mail receiver.

       

      Thanks

      Amar