Viewing CMP Certificate Statistics and Errors

The ACLI show security certificates command includes the cmp argument, which retrieves traffic statistics and error information for CMP certificate operations.

Note:

When a certificate is marked as untrusted, making the certificate-record invalid, the SBC does not retain its status or statistics. If the same certificate is later marked as trusted, the SBC treats it as a new record, with status and statistics set to their default values.

Enter the applicable commands with show security certificates cmp as the prefix:

  1. Enter the command show security certificates cmp statistics to display system-wide CMP statistics. You can refine the output by appending an argument that names a server, certificate, or realm, in which case only the statistics for that object are shown. The example below shows the statistics for a CMP server named cmpserver1.
    ORACLE# show security certificates cmp statistics cmp-server cmpserver1
    
    CMP server Address :192.168.20.92
     
    CMP server Statistics               ---- Lifetime ----
                                       Recent Total PerMax
    TCP Connection Established            0     0     0
    TLS Connection Established            0     0     0
    Initialization Request (IR) Sent      0     0     0 
    Initialization Response (IP) Rcvd     0     0     0
    Certificate Confirmation Sent         0     0     0
    Certificate Confirmation Ack Rcvd     0     0     0
    IR Transaction Timeout                0     0     0
    Polling Request Sent                  0     0     0
    Polling Response Rcvd                 0     0     0
    Key Update Request Sent               0     0     0
    Key Update Response Rcvd              0     0     0
    KUR Transaction Timeout               0     0     0
    PKI Status Accepted                   0     0     0
    PKI Status GrantedWithMods            0     0     0
    PKI Status Rejection                  0     0     0
    PKI Status Waiting                    0     0     0
    PKI Status Revocation Warning         0     0     0
    PKI Status Revocation Notification    0     0     0
    PKI Status Key Update Warning         0     0     0
  2. Enter the command show security certificates cmp errors to display system-wide CMP error statistics. You can refine the output by appending an argument that names a server, certificate, or realm, in which case only the error statistics for that object are shown.
    If a certificate request is rejected for multiple reasons, the statistics track only the first error.

    This command reports the PKIFailureInfo reasons returned by the CMP server, together with the TCP/TLS connection failures and transaction timeouts listed at the top of the table. It does not count failures at lower layers, such as HTTP, OpenSSL, or network problems. To debug those, check the certd logs (log.certd).

    The example below shows the error statistics for the cmp-server named cmpserver1. In this case the system is configured with only one cmp-server, so the output is the same as the system-wide output.

    ORACLE# show security certificates cmp errors cmp-server cmpserver1
     
    CMP server Address :192.168.20.92
     
    CMP server Statistics           ---- Lifetime ----
                                    Recent Total PerMax
    TCP Connection Failure             0     0     0
    TLS Connection Failure             0     0     0
    Transaction Timeout                0     0     0
    Bad Algorithm                      0     0     0
    Bad Message Check                  0     0     0
    Bad Request                        0     0     0
    Bad Time                           0     0     0
    Bad Cert Id                        0     0     0
    Bad Data Format                    0     0     0
    Wrong Authority                    0     0     0
    Incorrect Data                     0     0     0
    Missing Timestamp                  0     0     0
    Bad POP                            0     0     0
    Cert Revoked                       0     0     0
    Cert Confirmed                     0     0     0
    Wrong Integrity                    0     0     0
    Bad Recipient Nonce                0     0     0
    Time Not Available                 0     0     0
    Unaccepted Policy                  0     0     0
    Unaccepted Extension               0     0     0
    Add Info Not Available             0     0     0
    Bad Sender Nonce                   0     0     0
    Bad Cert Template                  0     0     0
    Signer Not Trusted                 0     0     0
    Transaction ID In Use              0     0     0
    Unsupported Version                0     0     0
    Not Authorized                     0     0     0
    System Unavailable                 0     0     0
    System Failure                     0     0     0
    Duplicate Cert Req                 0     0     0
    Cert Validity Period Unacceptable  0     0     0
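As an added example, not part of the Oracle documentation or the SBC software, the Python below parses the two counter tables shown above and applies the sanity checks a practitioner would run after a failed enrollment: any non-zero error counter, requests that were neither answered nor timed out (which points at a failure below the CMP layer that this table does not count), and rejections that should be read together with the first-reason error counter. The sample output is constructed to match the layout of the tables; the non-zero values are invented, and the checks are the author's assumptions about what the counters imply, not documented device behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show security certificates cmp
# statistics cmp-server <name>"; the non-zero counter values are invented.
SAMPLE_STATS = """\
CMP server Address :192.168.20.92

CMP server Statistics               ---- Lifetime ----
                                   Recent Total PerMax
TCP Connection Established            3     3     1
TLS Connection Established            3     3     1
Initialization Request (IR) Sent      2     2     1
Initialization Response (IP) Rcvd     1     1     1
Certificate Confirmation Sent         1     1     1
Certificate Confirmation Ack Rcvd     1     1     1
IR Transaction Timeout                1     1     1
Key Update Request Sent               0     0     0
Key Update Response Rcvd              0     0     0
KUR Transaction Timeout               0     0     0
PKI Status Accepted                   1     1     1
PKI Status Rejection                  0     0     0
"""

# Constructed sample in the layout of "show security certificates cmp errors".
SAMPLE_ERRORS = """\
CMP server Address :192.168.20.92

CMP server Statistics           ---- Lifetime ----
                                Recent Total PerMax
TCP Connection Failure             0     0     0
TLS Connection Failure             0     0     0
Transaction Timeout                1     1     1
Bad POP                            0     0     0
Signer Not Trusted                 0     0     0
"""

Counters = Dict[str, Tuple[int, int, int]]

# A counter row: a name followed by the Recent, Total and PerMax integer columns.
ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<recent>\d+)\s+(?P<total>\d+)\s+(?P<permax>\d+)$")
ADDR = re.compile(r"^CMP server Address\s*:\s*(\S+)$")


def server_address(text: str) -> str:
    """Return the CMP server address printed above the table ('' if absent)."""
    for line in text.splitlines():
        m = ADDR.match(line.strip())
        if m:
            return m.group(1)
    return ""


def parse_counters(text: str) -> Counters:
    """Map each counter name to its (Recent, Total, PerMax) triple."""
    rows: Counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["name"]] = (int(m["recent"]), int(m["total"]), int(m["permax"]))
    return rows


def _total(counters: Counters, name: str) -> int:
    return counters.get(name, (0, 0, 0))[1]


def check_cmp_health(stats: Counters, errors: Counters) -> List[str]:
    """Flag what a practitioner would chase after a failed CMP enrolment.

    The rules are assumptions about what the counters imply, not documented
    SBC behaviour.
    """
    findings: List[str] = []

    # Every row of the errors table is a transport failure or a PKIFailureInfo
    # reason from the CA, so any non-zero Total deserves a look.  The SBC keeps
    # only the first reason when a request is rejected for several.
    for name, (_, total, _) in errors.items():
        if total:
            findings.append(f"error counter '{name}' Total is {total}")

    # Requests neither answered nor timed out are still in flight, or failed
    # below the CMP layer (HTTP/TLS/network), which these tables do not count;
    # log.certd is the place to look for those.
    for req, rsp, timeout in (
        ("Initialization Request (IR) Sent", "Initialization Response (IP) Rcvd", "IR Transaction Timeout"),
        ("Key Update Request Sent", "Key Update Response Rcvd", "KUR Transaction Timeout"),
    ):
        missing = _total(stats, req) - _total(stats, rsp) - _total(stats, timeout)
        if missing > 0:
            findings.append(f"{missing} request(s) counted in '{req}' have no response or timeout")

    # A rejection appears here as a PKI status and in the errors table as the
    # first PKIFailureInfo reason; the two must be read together.
    rejected = _total(stats, "PKI Status Rejection")
    if rejected:
        findings.append(f"{rejected} request(s) rejected by the CA; see the errors table for the first reason")

    return findings


if __name__ == "__main__":
    stats = parse_counters(SAMPLE_STATS)
    errors = parse_counters(SAMPLE_ERRORS)
    print("server:", server_address(SAMPLE_STATS))
    for finding in check_cmp_health(stats, errors) or ["no findings"]:
        print("-", finding)
```

Feed it the captured output of both commands for the same cmp-server; because the Total column is per certificate-record and is reset when a record is marked untrusted and trusted again, compare snapshots taken after that change only with each other.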

Use the show security certificates detail <certificate-record name> command on a CMP-managed certificate-record to check whether a certificate is present and whether it has been updated: compare the serial number and validity dates against the previous output for the same record. If no certificate is present, the output is empty.

ORACLE# show security certificates detail localcert
    certificate-record: localcert
    Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
           C=US
           ST=MA
           L=Burlington
           O=Engineering
           CN=Oracle
           emailAddress=user@example.com
        Validity
           Not Before: Mar 28 20:42:34 2024 GMT
           Not After : Mar 28 20:42:34 2029 GMT
        Subject:
           C=US
           ST=MA
           O=Engineering
           CN=localcert
        X509v3 extensions:
           X509v3 Basic Constraints:
              CA:FALSE
           X509v3 Subject Key Identifier:
              FF:59:A4:33:11:33:AA:C5:BB:67:1F:A5:28:DE:A1:E7:5D:8B:69:B5
           X509v3 Authority Key Identifier:
              keyid:9D:39:D5:CA:81:FF:83:DA:45:D7:9D:CB:D8:BB:A4:C9:8B:EE:EC:80
              DirName:/C=US/ST=MA/L=Burlington/O=Engineering/CN=Oracle/emailAddress=user@example.com
              serial:AC:81:F8:15:F4:EC:F5:C4
        Certificate Management: CMP Managed
        Certificate Acquisition Type: CMP Newly Enrolled