In my 2019 article “Checking SSL/TLS Certificate Validity Period using vRealize Operations and End Point Operations Agent” on the VMware Cloud Management Blog (https://blogs.vmware.com/management/2019/05/checking-ssl-tls-certificate-validity-period-using-vrealize-operations-and-end-point-operations-agent.html) I described how to check the remaining validity of SSL/TLS certificates.
The method back then was to utilize the End Point Operations Agents.
vRealize Operations 7.5 introduced new Application Monitoring capabilities, including a new Telegraf-based agent.
In this blog post I will describe how to use the new agent to implement an easy solution to continuously check the validity of SSL/TLS certificates. The remaining days until expiration will be displayed as a simple dashboard in vROps.
Application Monitoring – Agent Configuration
After deploying the Application Remote Collector (ARC), vRealize Operations is ready to install agents on monitored virtual machines.
Once the agent has been installed and is running, the actual configuration of the agent becomes available.
The agent is basically doing two jobs. The agent:
- discovers supported applications and can be configured to monitor those applications
- provides the ability to run remote checks, like ICMP or TCP tests
- provides the ability to run custom scripts locally
The ability to run scripts and report the integer output as a metric back to vROps is exactly what we need to run certificate checks.
The actual script is fairly easy and available, together with the vROps dashboard, via VMware Code:
https://code.vmware.com/samples?id=7464
To let the agent run the script and provide a metric, we configure the agent with a few options.
The script itself expects two parameters, the endpoint to check and the port number.
One agent can run multiple instances of the same script with different options or completely different scripts.
All scripts need to be placed in /opt/vmware and the arcuser (as per default configuration) needs the execute permissions.
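A check of the kind described above, as an added example (this is not the script published on VMware Code): it takes the endpoint and the port as its two parameters and prints a single integer, the whole days left until the certificate's notAfter date. The function names are hypothetical, and it assumes `openssl`, `timeout` and GNU `date` are available on the monitored VM.

```shell
#!/usr/bin/env bash
# Added example, not the script from VMware Code.
# Usage: cert_days.sh <endpoint> <port>
# Prints one integer: whole days until the server certificate expires
# (negative once it has expired). It reads the expiry date only and does
# not validate the certificate chain or the host name.

# days_remaining "<notAfter string>" [now_epoch] -> integer days
days_remaining() {
    local not_after="$1"
    local now="${2:-$(date -u +%s)}"
    local expiry
    # GNU date parses the openssl format, e.g. "Jan 11 00:00:00 2030 GMT"
    expiry=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# fetch_not_after <endpoint> <port> -> notAfter string of the leaf certificate
fetch_not_after() {
    local host="$1" port="$2" line
    # -servername sends SNI so name-based virtual hosts return the right
    # certificate; timeout keeps a hung endpoint from blocking the script.
    line=$(timeout 10 openssl s_client -connect "${host}:${port}" \
               -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -enddate 2>/dev/null) || return 1
    [ -n "$line" ] || return 1
    echo "${line#notAfter=}"
}

main() {
    local not_after
    if ! not_after=$(fetch_not_after "$1" "$2"); then
        # No metric is printed on failure; the error goes to stderr only.
        echo "cannot read certificate from $1:$2" >&2
        return 1
    fi
    days_remaining "$not_after"
}

# Run the check only when called with the two expected parameters.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```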
Dashboard
The running custom scripts provide a metric per script. The values can be used to populate dashboards or views or serve as metrics for symptoms and alert definitions.
The dashboard shown is very simple, but with the color coding of the widget it is easy to spot endpoints with expiring SSL/TLS certificates and take appropriate actions.
You will need to adjust the widget settings to include your metrics.
Stay safe.
Thomas – https://twitter.com/ThomasKopton