
Checking SSL/TLS Certificate Validity Period using vRealize Operations Application Monitoring Agents

In my 2019 article “Checking SSL/TLS Certificate Validity Period using vRealize Operations and End Point Operations Agent” on the VMware Cloud Management Blog (https://blogs.vmware.com/management/2019/05/checking-ssl-tls-certificate-validity-period-using-vrealize-operations-and-end-point-operations-agent.html), I described how to check the remaining validity of SSL/TLS certificates.

The method back then was to utilize the End Point Operations Agents.

Since vRealize Operations 7.5, new Application Monitoring capabilities have been introduced, including a new Telegraf-based agent.

In this blog post I will describe how to use the new agent to implement an easy solution to continuously check the validity of SSL/TLS certificates. The remaining days until expiration will be displayed in a simple dashboard in vROps.

Application Monitoring – Agent Configuration

After deploying the Application Remote Collector (ARC), vRealize Operations is ready to install agents on monitored virtual machines.

Figure 1: Installing Application Monitoring agent

Once the agent has been installed and is running, the actual configuration of the agent becomes available.

The agent is basically doing two jobs. The agent:

  • discovers supported applications and can be configured to monitor those applications
  • provides the ability to run remote checks, like ICMP or TCP tests
  • provides the ability to run custom scripts locally

The ability to run scripts and report their integer output back to vROps as a metric is exactly what we need to run certificate checks.

The actual script is fairly easy and available, together with the vROps dashboard, via VMware Code:

https://code.vmware.com/samples?id=7464

To let the agent run the script and provide a metric, we configure the agent with a few options.

Figure 2: Configure Custom Script

The script itself expects two parameters, the endpoint to check and the port number.

Figure 3: Custom Script options

One agent can run multiple instances of the same script with different options or completely different scripts.

All scripts need to be placed in /opt/vmware, and the arcuser (as per default configuration) needs execute permission on them.
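An added example of such a check (not the script published on VMware Code): it takes the endpoint and the port as its two parameters and prints the whole days until the certificate's notAfter date as a single integer. The function names, and the presence of openssl and timeout on the monitored VM, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the VMware Code sample. Usage: cert_days.sh <endpoint> <port>
# Prints one integer: whole days until the endpoint's certificate expires
# (negative once it has expired).

# days_left "<notAfter as printed by openssl>" <now as epoch seconds>
days_left() {
    printf '%s\n' "$1" | awk -v now="$2" '{
        i = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
        if (NF < 4 || length($1) != 3 || i % 3 != 1) exit 1   # not an openssl date
        m = (i + 2) / 3; d = $2; y = $4; split($3, t, ":")
        # Days since 1970-01-01, counting years from March so the leap day comes last
        if (m <= 2) { y -= 1; m += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400) - 719469
        days += int((153*(m-3) + 2) / 5) + d
        left = (days*86400 + t[1]*3600 + t[2]*60 + t[3] - now) / 86400
        f = int(left); if (f > left) f--      # floor, so an expired cert is negative
        printf "%d\n", f
    }'
}

# notAfter of the certificate a live endpoint presents. -servername sends SNI;
# s_client does not abort on untrusted or expired certificates by default, so
# self-signed and already expired endpoints are still measured.
fetch_not_after() {
    timeout 10 openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Run the check only when called with the two parameters (endpoint, port).
if [ "$#" -eq 2 ]; then
    case $2 in ''|*[!0-9]*) echo "port must be numeric" >&2; exit 2 ;; esac
    end=$(fetch_not_after "$1" "$2")
    [ -n "$end" ] || { echo "no certificate from $1:$2" >&2; exit 1; }
    days_left "$end" "$(date +%s)"
fi
```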

Dashboard

The running custom scripts provide a metric per script. The values can be used to populate dashboards or views or serve as metrics for symptoms and alert definitions.

Figure 4: Custom Scripts as metrics

The dashboard shown is very simple, but with the color coding of the widget it is easy to spot endpoints with expiring SSL/TLS certificates and take appropriate actions.

Figure 5: SSL/TLS Certificate Validity dashboard

You will need to adjust the widget settings to include your metrics.

Figure 6: Widget configuration

Stay safe.

Thomas – https://twitter.com/ThomasKopton
