Certificate Automation Reporting
You can generate reports for certificate automation using the ACLI and SNMP.
The SBC provides ACLI commands and SNMP MIB OIDs to troubleshoot and evaluate the status of certificate automation. ACLI commands include extensions to the show security certificates, show dns, show queues, show processes, and clear-cache commands. CMP-related SNMP structures, tables and MIB OIDs are included in the ap-security.mib to provide traffic and error details, as well as traps to help you troubleshoot CMP server connection issues.
Note:
When a certificate is marked as untrusted, making the certificate-record invalid, the SBC does not retain its status or statistics. If the same certificate is later marked as trusted, the SBC treats it as a new record, with status and statistics set to their default values.
ACLI Commands for Reporting
Using the cmp argument on the show security certificates ACLI command provides reporting for CMP. The cmp argument takes one of the following arguments:
- errors: Displays CMP errors. Without an argument, this command displays a summary of errors for all CMP servers in different realms. Subsequent arguments include:
- cmp-server <cmp-server-name>: Show statistics for a particular CMP server.
- realm <realm-name>: Show statistics summary of CMP servers in a specific realm.
- certificate <certificate-record-name>: Show statistics for a particular certificate record.
If a certificate is rejected for multiple reasons, only the first error is considered.
This command shows statistics for PKIFailureInfo errors sent from the CMP server only. It does not include errors from other lower layers, such as HTTP, OpenSSL, or network issues. For example, there are no corresponding statistics for scenarios where a CMP server sends a response that is rejected due to missing protection, or where a CMP server is configured with a correct server address but an incorrect path (resulting in a successful TCP and TLS connection but an HTTP 404 Not Found error). To debug these and similar issues, check the certd logs (log.certd).
You can see examples of this command's output in the Viewing CMP Certificate Statistics and Errors section in the Performance Management chapter of the Maintenance and Troubleshooting Guide.
- no-certs: Displays a list of certificate records that don't have certificate content.
- pkistatus: Displays a list of certificate records with the specified PKI status. This command operates with a subsequent argument that enumerates the PKI status type you want to display. When you enter the command without the argument, the system presents this enumeration:
- 0 (accepted)
- 1 (grantedWithMods)
- 2 (rejection)
- 3 (waiting)
- 4 (revocationWarning)
- 5 (revocationNotification)
- 6 (keyUpdateWarning)
When you enter the command with the argument you choose, the system displays the number of certificates currently in that PKI status.
- reset: This command resets CMP certificate traffic and error statistics to zero. Without an argument this command resets all. Subsequent arguments include:
- cmp-server <cmp-server-name>: Reset statistics for a particular CMP server.
- realm <realm-name>: Reset statistics for a specific realm.
- certificate <certificate-record-name>: Reset statistics for a particular certificate record.
- statistics: Displays CMP statistics. Without an argument, this command displays a statistics summary of all CMP servers in different realms. Subsequent arguments include:
- cmp-server <cmp-server-name>: Show statistics for a particular CMP server.
- realm <realm-name>: Show statistics summary of CMP servers in a specific realm.
- certificate <certificate-record-name>: Show statistics for a particular certificate record.
Timeout statistics at the certificate level include both message timeouts and cases where the retry-count is exhausted.
You can see examples of this command's output in the Viewing CMP Certificate Statistics and Errors section in the Performance Management chapter of the Maintenance and Troubleshooting Guide.
- status: Displays configuration pending status. This command supports the <certificate-record name> argument.
When issued without an argument, the output would appear similar to the below.
ORACLE# show security certificates cmp status
Configuration Update Pending: 0
When issued with a certificate-record-name, the output would appear similar to the below.
ORACLE# show security certificates cmp status certificate myCert1
CMP Certificate Status: Save-Active Complete
The show security certificates detail <certificate name> command also displays CMP-related information, including:
- The certificate's validity window
- How the system manages the certificate. Values include Manual, Partially Managed, or CMP Managed.
- Certificate Acquisition Type, which records how the system acquired the certificate. Values include Manual, CMP Newly Enrolled, or CMP Renewed.
You can see examples of this command's output in the Viewing CMP Certificate Statistics and Errors section in the Performance Management chapter of the Maintenance and Troubleshooting Guide.
Viewing CMP Queues and Processes
Use the show queues command, extended for CMP as noted above, to view the queues of pending CMP requests. The SBC queues two request types:
- Initialization Request (IR): For requests to acquire new certificates
- Key Update Request (KUR): For requests to renew existing certificates
You can use the show processes command with the certd argument to see details about the certd process.
Viewing DNS statistics associated with CMP Certificates
The SBC also supports arguments to the show dns command that provide statistics and controls on CMP-related DNS operations, including:
- show dns stats-cmp <realm_id/interface>: Displays information about DNS traffic related to CMP certificate processes.
- show dns cache-entry-cmp <realm_id> <cache_record_key>: Displays information about DNS cache entries related to CMP servers.
- clear-cache dns-cmp <realm_id> <cache_record_key>: Clears DNS cache entries related to CMP servers.
- reset dns-cmp: Resets all DNS-related CMP certificate statistics to zero.
You can see examples of these commands' output within the Viewing DNS Information on CMP Certificates section in the Performance Management chapter of the Maintenance and Troubleshooting Guide.
SNMP Statistics and Error Reporting
The SBC can provide statistics for CMP CA servers that you can retrieve by realm or by CMP server using SNMP. In addition, the SBC provides statistics, such as error counts, on its operation with CMP servers and on automated certificate management in general. You can retrieve this data with standard SNMP walks.
The objects used for this data are enumerated using nested tables and indices residing within the ap-security.mib. Applicable objects include:
- apSecurityCmpServerMIBObjects
- apSecurityCmpRealmMIBObjects
- apSecurityCmpMessageFailureCause
- apSecurityCmpCertificateEnrollmentFailureNotification
You can see tables of the applicable SNMP objects within the Security MIB (ap-security.mib) section in the Enterprise SNMP GET Requests chapter of the MIB Guide. That documentation enumerates:
- MIB objects
- notifications
- notification groups
- capability objects
Traps and Alarms
The SBC issues the existing certificate expiry traps and alarms, which are triggered by the local-cert-exp-warn-period and local-cert-exp-trap-int parameters configured within the security-config, to inform you of certificate expiry. For both parameters, a value of 0 disables the trap and alarm.
Applicable traps include:
- apSecurityCertExpireSoonNotification (1.3.6.1.4.1.9148.3.9.3.6.0.2): The system raises this trap if it finds a locally installed certificate will soon expire. This trap is sent fifteen days, seven days, and one day before expiration, and you can optionally specify an additional number of days in the local-cert-exp-warn-period parameter.
- apSecurityCertExpiredNotification (1.3.6.1.4.1.9148.3.9.3.6.0.1): The system raises this trap periodically if a locally installed certificate has expired. The interval of minutes between this trap being generated is configured in the local-cert-exp-trap-int parameter.
- apSecurityCmpCertificateEnrollmentFailureNotification (1.3.6.1.4.1.9148.3.9.3.12.0.1): The system raises this trap if it fails to enroll or renew a certificate using CMP. This trap includes the applicable apSecurityCmpMessageFailureCause value, which informs you why the certificate operation failed.
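The three notification OIDs above are what a trap receiver matches on. The following is an added example, not SBC code and not from the SBC documentation: a net-snmp snmptrapd "traphandle" script that classifies incoming certificate traps and, for an enrollment failure, pulls out the failure cause. It assumes the traphandle input convention (hostname on line 1, transport address on line 2, then one varbind per line as "OID value"), that the module is exposed as AP-SECURITY-MIB when snmptrapd has the MIB loaded, and that the failure reason arrives in a varbind named apSecurityCmpMessageFailureCause; the page names that object but not its OID, so it is matched by name. The two sample trap inputs are constructed, including the "badCertTemplate" cause value.

```python
"""Classify Oracle SBC certificate traps arriving through snmptrapd.

Added example; not SBC code. Assumes the net-snmp snmptrapd 'traphandle'
input convention and that the failure-cause varbind is named
apSecurityCmpMessageFailureCause (assumption: the page gives no OID for it).
"""
import sys

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0: names the notification
FAILURE_CAUSE_NAME = "apSecurityCmpMessageFailureCause"  # assumed varbind name

# Trap OIDs as given on the page, with the operator action each should drive.
CERT_TRAPS = {
    "1.3.6.1.4.1.9148.3.9.3.6.0.1": ("apSecurityCertExpiredNotification",
                                     "replace certificate now"),
    "1.3.6.1.4.1.9148.3.9.3.6.0.2": ("apSecurityCertExpireSoonNotification",
                                     "confirm renewal is scheduled"),
    "1.3.6.1.4.1.9148.3.9.3.12.0.1": ("apSecurityCmpCertificateEnrollmentFailureNotification",
                                      "check failure cause and log.certd"),
}
TRAPS_BY_NAME = {name: oid for oid, (name, _) in CERT_TRAPS.items()}

# Constructed traphandle input (not a real capture): an enrollment failure with
# MIB names resolved, and an expire-soon trap in numeric (-On) form.
SAMPLE_ENROLL_FAILURE = """sbc1.example.net
UDP: [192.0.2.10]:162->[192.0.2.1]:162
DISMAN-EVENT-MIB::sysUpTimeInstance 0:1:02:03.04
SNMPv2-MIB::snmpTrapOID.0 AP-SECURITY-MIB::apSecurityCmpCertificateEnrollmentFailureNotification
AP-SECURITY-MIB::apSecurityCmpMessageFailureCause.0 badCertTemplate
"""
SAMPLE_EXPIRE_SOON = """sbc1.example.net
UDP: [192.0.2.10]:162->[192.0.2.1]:162
.1.3.6.1.2.1.1.3.0 0:1:02:03.04
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.9148.3.9.3.6.0.2
"""


def _short(oid):
    """Normalise 'MIB::name.0' or '.1.3...' to a bare name or dotted number."""
    return oid.lstrip(".").split("::")[-1]


def parse_traphandle(text):
    """Split traphandle stdin into (hostname, address, [(oid, value), ...])."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3:
        raise ValueError("expected hostname, address and at least one varbind")
    varbinds = []
    for line in lines[2:]:
        oid, _, value = line.partition(" ")
        varbinds.append((oid, value.strip()))
    return lines[0], lines[1], varbinds


def classify_trap(varbinds):
    """Return {'trap', 'action'[, 'cause']} for a certificate trap, else None."""
    trap_id = None
    cause = None
    for oid, value in varbinds:
        key = _short(oid)
        if key in (SNMP_TRAP_OID, "snmpTrapOID.0"):
            trap_id = _short(value)
        elif key.split(".")[0] == FAILURE_CAUSE_NAME:  # name with any instance suffix
            cause = value
    if trap_id is None:
        raise ValueError("no snmpTrapOID.0 varbind: not an SNMPv2 notification")
    # snmptrapd prints the value numerically (-On / no MIB) or as MIB::name.
    oid = trap_id if trap_id in CERT_TRAPS else TRAPS_BY_NAME.get(trap_id)
    if oid is None:
        return None  # some other trap; leave it to other handlers
    name, action = CERT_TRAPS[oid]
    result = {"trap": name, "action": action}
    if oid.endswith("3.12.0.1"):
        # Enrollment failure: the page says this trap carries the failure cause.
        result["cause"] = cause if cause is not None else "not present in varbinds"
    return result


def main():
    host, addr, varbinds = parse_traphandle(sys.stdin.read())
    verdict = classify_trap(varbinds)
    if verdict is None:
        return
    extra = f" cause={verdict['cause']}" if "cause" in verdict else ""
    print(f"{host} {addr}: {verdict['trap']} -> {verdict['action']}{extra}")


if __name__ == "__main__":
    main()
```

Wire it in with a traphandle line per OID in snmptrapd.conf, for example "traphandle .1.3.6.1.4.1.9148.3.9.3.12.0.1 /usr/local/bin/sbc_cert_trap.py" (path is illustrative). Because the enrollment-failure cause only covers PKIFailureInfo reasons reported by the CA, a trap whose cause is absent still warrants a look at log.certd, as the statistics section above notes.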
The SBC also generates corresponding alarms when the certificate of a tls-profile is about to expire or has expired. The SBC generates the first warning alarm when the number of days remaining before the certificate expires falls to the value of local-cert-exp-warn-period.
- APP_ALARM_CERT_EXPIRED: Minor, Alarm ID 327730
- APP_ALARM_CERT_EXPIRE_SOON: Minor, Alarm ID 327731
- APP_ALARM_CERT_EXPIRE_SOON_1: Minor, Alarm ID 327761
- APP_ALARM_CERT_EXPIRE_SOON_2: Major, Alarm ID 327762
- APP_ALARM_CERT_EXPIRE_SOON_3: Critical, Alarm ID 327763
An example of the APP_ALARM_CERT_EXPIRE_SOON alarm is shown below.
ORACLE# display-alarms
1 alarms to show
ID Task Severity First Occurred Last Occurred
327731 3386 6 2019-01-29 21:47:55 2019-01-29 21:47:55
Count Description
1 Certificate: tempCert expiring on Jan 30 20:58:29 2019 GMT,done
ORACLE#
The severity of the 'expiring soon' alarms and traps changes with the amount of time left before the certificate expires:
- Warning alarm when there are more than 15 days before certificate expiry, but less than or equal to the number of days in local-cert-exp-warn-period.
- Minor alarm when there are 15 days before certificate expiry.
- Major alarm every day starting 7 days before certificate expiry.
- Critical alarm 1 day before certificate expiry.
An example of the APP_ALARM_CERT_EXPIRED alarm is shown below.
ORACLE# display-alarms
1 alarms to show
ID Task Severity First Occurred Last Occurred
327730 3386 6 2019-02-01 16:20:45 2019-02-01 16:20:45
Count Description
1 Certificate: tempCert expired on Jan 30 20:58:29 2019 GMT,
done
ORACLE#
See the Alarms Table appendix in the SBC MIB Guide for full details about the alarms.
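Teams that poll the ACLI rather than receive traps need to turn the display-alarms text above into something a monitor can act on. The following is an added example, not SBC code and not from the SBC documentation: it parses display-alarms output in the form shown in the two examples (copies of which are embedded as constructed sample input), keeps only the alarm IDs listed on this page, and extracts the certificate name, expiry time and days remaining from the Description column. It assumes the Description wording "Certificate: <name> expiring on <time> GMT" seen in the examples, and that a caller-supplied "now" in the same YYYY-MM-DD HH:MM:SS form as the First Occurred column is UTC.

```python
"""Extract certificate expiry alarms from Oracle SBC 'display-alarms' output.

Added example; not SBC code. Assumes the Description wording shown in the
page's examples and treats timestamps as UTC (the examples print GMT).
"""
import re
from datetime import datetime, timezone

# Alarm IDs and names as listed on the page.
CERT_ALARMS = {
    327730: "APP_ALARM_CERT_EXPIRED",
    327731: "APP_ALARM_CERT_EXPIRE_SOON",
    327761: "APP_ALARM_CERT_EXPIRE_SOON_1",
    327762: "APP_ALARM_CERT_EXPIRE_SOON_2",
    327763: "APP_ALARM_CERT_EXPIRE_SOON_3",
}

# One data row under "ID Task Severity First Occurred Last Occurred".
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<task>\d+)\s+(?P<sev>\d+)\s+"
    r"(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<last>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)
# Description as shown in the examples: "Certificate: <name> expiring on <time> GMT,"
DESC_RE = re.compile(
    r"Certificate:\s+(?P<cert>\S+)\s+(?P<state>expiring|expired)\s+on\s+"
    r"(?P<when>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT"
)

# Constructed sample input, copied from the two examples on this page.
SAMPLE_EXPIRE_SOON = """ORACLE# display-alarms
1 alarms to show
ID Task Severity First Occurred Last Occurred
327731 3386 6 2019-01-29 21:47:55 2019-01-29 21:47:55
Count Description
1 Certificate: tempCert expiring on Jan 30 20:58:29 2019 GMT,done
ORACLE#
"""
SAMPLE_EXPIRED = """ORACLE# display-alarms
1 alarms to show
ID Task Severity First Occurred Last Occurred
327730 3386 6 2019-02-01 16:20:45 2019-02-01 16:20:45
Count Description
1 Certificate: tempCert expired on Jan 30 20:58:29 2019 GMT,
done
ORACLE#
"""


def parse_display_alarms(text):
    """Return one dict per alarm row, with a wrapped Description rejoined."""
    alarms, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            current = {"id": int(row["id"]), "task": int(row["task"]),
                       "severity_code": int(row["sev"]), "first": row["first"],
                       "last": row["last"], "count": None, "description": ""}
            alarms.append(current)
            continue
        if current is None or not line or line.startswith(("Count", "ORACLE#", "ID ")):
            continue  # banner, column headers or prompt
        if current["count"] is None:  # first description line carries the Count column
            count, _, rest = line.partition(" ")
            if count.isdigit():
                current["count"], line = int(count), rest
        current["description"] = (current["description"] + " " + line).strip()
    return alarms


def _as_utc(now):
    """Accept None (current time) or 'YYYY-MM-DD HH:MM:SS' (assumed UTC)."""
    if now is None:
        return datetime.now(timezone.utc)
    return datetime.strptime(now, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def certificate_alarms(text, now=None):
    """Certificate alarms only, with expiry parsed and days_left relative to now."""
    now_dt, found = _as_utc(now), []
    for alarm in parse_display_alarms(text):
        name = CERT_ALARMS.get(alarm["id"])
        if name is None:
            continue  # some other alarm family
        entry = {"alarm": name, "id": alarm["id"], "certificate": None,
                 "expiry": None, "days_left": None, "raw": alarm["description"]}
        m = DESC_RE.search(alarm["description"])
        if m:  # the examples print GMT, so the expiry is parsed as UTC
            expiry = datetime.strptime(m["when"], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            entry.update(certificate=m["cert"], expiry=expiry,
                         days_left=(expiry - now_dt).total_seconds() / 86400)
        found.append(entry)  # unparsed descriptions are kept so nothing is silently dropped
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_EXPIRE_SOON, SAMPLE_EXPIRED):
        for e in certificate_alarms(sample, "2019-02-01 16:20:45"):
            print(f"{e['alarm']}: {e['certificate']} expires {e['expiry']} "
                  f"({e['days_left']:+.2f} days)")
```

The parser deliberately keeps rows whose Description does not match the expected wording, with the raw text, so a changed output format shows up as an alarm with no expiry rather than disappearing from the monitor.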