Beginner

eem / snmp / certificate end date

hi,

I created a webpage to monitor all my routers. It works well, but it is missing information about the certificates installed on each router. There is a new MIB called PKI... but it is still not integrated :-( and it should not be in the older ones.

I would like to get the "certificate end date" by querying my routers via SNMP, but I don't know if it is possible to mix EEM and SNMP data. I don't want to use SNMP traps or SSH access on all routers; I just want a kind of snmpwalk to get this information. Is there an easy solution?

I would like to capture "show crypto pki certificate" from my routers.

What would be the best idea?

Thanks

Niko

Hall of Fame Cisco Employee

You could use an EEM policy such as https://supportforums.cisco.com/document/77026/cli-value-2-snmp-expr-mib to extract the specific value of the certificate expiry time from "show crypto pki cert" and insert that into the EXPRESSION-MIB as an octet string object.  That would allow you to query it in your NMS.


hi Joseph,

Thanks for your reply, sounds interesting.

Do you know if it's available on all routers? I would be interested in integrating it on 881/1841/1941/3825/3925/3925e.

Thanks

Niko

Hall of Fame Cisco Employee

Yes, this solution can be made to work on all of those routers given IOS of 12.4(11)T or higher.


OK, I just tried it on one of my 881s running IOS 15.4(M7), and when I poll:

=> iso.3.6.1.4.1.9.10.22.1.3.1.1.1 = No Such Object available on this agent at this OID

Can you help me get it working? I just need the first "end date" value from "sh crypto pki cert | inc end".

In the script I changed only the command in the Tcl, using only my "sh crypto..." command; other than that, in EEM on the router, I changed the IP used (the 10.10.10.1), putting in the inside IP address of the router.

Thanks

Nicolas

PS: I added debug when I entered the "event manager policy CliValueToSnmpExpressionMib.tcl" command.

Hall of Fame Cisco Employee

In newer IOS we now support the DISMAN-EXPRESSION-MIB.  The OID starts with

1.3.6.1.2.1.90

But the logic changes a bit as well.  That is, the objects one needs to set change.  That said, you may have CLI to do this, which can help simplify things.  The commands "snmp mib expression owner ..." can be used to configure the EXPRESSION-MIB without needing to use SNMP.


Sorry, I'm a bit lost. Can you provide me with a full example of how to use that to get an OID which gives me the "end date" of the certificate?

Maybe I could get what I want a different way? For example, by logging the "end date", and then maybe I could send an SNMP request to CISCO-SYSLOG-MIB? Do you think that is possible, and how would I do it?

Thanks

Niko


hi Joseph,

I found a solution, but I wanted your opinion:

logging history size 50

logging history 7

event manager applet getcert
 event timer cron cron-entry "0 8 * * *"
 action 1.0 cli command "sh crypto pki cert | i end"
 action 2.0 cli command "send log $_cli_result"

I tried with an "action 2.0 syslog ...", but I could not find it afterwards in the MIB, no idea why.

I just have a small problem with the script: when I launch it, the router sends me the following, but I think it works:

EEM policy getcert not registered with event none Event Detector ???

Querying the SNMP SYSLOG-MIB => 1.3.6.1.4.1.9.9.41.1.2.3, I can get the result.

Thanks

Niko
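Since the result lands in the CISCO-SYSLOG-MIB history table (1.3.6.1.4.1.9.9.41.1.2.3 is clogHistoryTable; column .1.5 of its entry is clogHistMsgText), the NMS still has to pull the "end date" line out of the message text and turn it into a date it can alert on. The Python script below is an added example, not code from this thread or from Cisco: it scans a constructed copy of that table (the kind of {OID: value} map an snmpwalk returns), extracts the IOS "end   date:" values and flags certificates that expire within a warning window. It assumes the router clock is in UTC and that the "send log" message wrapper looks as shown; only the "end date" pattern is actually relied on, so a different wrapper does not break it.

```python
"""Parse certificate end dates out of CISCO-SYSLOG-MIB history entries (added example)."""
import re
from datetime import datetime, timezone

# CISCO-SYSLOG-MIB clogHistoryTable is 1.3.6.1.4.1.9.9.41.1.2.3; column 5 of
# clogHistoryEntry is clogHistMsgText, the message body we need to parse.
CLOG_HIST_MSG_TEXT = "1.3.6.1.4.1.9.9.41.1.2.3.1.5"

# "show crypto pki certificates" prints e.g. "end   date: 23:59:59 UTC Dec 31 2024"
# (variable whitespace before "date"), which "| include end" passes through.
END_DATE_RE = re.compile(
    r"end\s+date:\s*(\d{2}:\d{2}:\d{2})\s+(\S+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})"
)


def parse_end_dates(text):
    """Return every certificate end date found in text as a UTC datetime.

    Assumption of this example: the router clock is in UTC, so the time-zone
    token printed by IOS is captured but not converted. For day-granularity
    expiry checks an offset of a few hours does not matter.
    """
    ends = []
    for match in END_DATE_RE.finditer(text):
        clock, _tz, mon, day, year = match.groups()
        parsed = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        ends.append(parsed.replace(tzinfo=timezone.utc))
    return ends


def days_remaining(end_date, now):
    """Whole days until end_date; negative once the certificate has expired."""
    return (end_date - now).days


def expiring_from_walk(walk, now, warn_days=30):
    """Scan an snmpwalk of clogHistoryTable ({oid: value}) for certificates
    that expire within warn_days. Returns (row index, end date, days left)."""
    findings = []
    for oid, value in walk.items():
        if not oid.startswith(CLOG_HIST_MSG_TEXT + "."):
            continue  # another column (facility, severity, name, timestamp)
        row = oid[len(CLOG_HIST_MSG_TEXT) + 1:]
        for end in parse_end_dates(value):
            left = days_remaining(end, now)
            if left <= warn_days:
                findings.append((row, end.isoformat(), left))
    return findings


# Constructed sample data, not captured from a real router. The
# "Message from ..." wrapper is the USERLOG_INFO text that "send log"
# is assumed to produce; the parser does not depend on it.
SAMPLE_WALK = {
    "1.3.6.1.4.1.9.9.41.1.2.3.1.4.17": "USERLOG_INFO",
    "1.3.6.1.4.1.9.9.41.1.2.3.1.5.17":
        "Message from tty0(user id: ): end   date: 23:59:59 UTC Dec 31 2024",
    "1.3.6.1.4.1.9.9.41.1.2.3.1.5.18":
        "Message from tty0(user id: ): end   date: 10:15:00 UTC Mar 20 2031",
    "1.3.6.1.4.1.9.9.41.1.2.3.1.5.19":
        "Interface GigabitEthernet0/0, changed state to up",
}
# Fixed "now" so the sample run is reproducible (constructed, like the walk).
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row, end, left in expiring_from_walk(SAMPLE_WALK, SAMPLE_NOW):
        print(f"clogHistoryTable row {row}: certificate ends {end}, {left} days left")
```

Run against a real device, the dictionary would be filled from an snmpwalk of 1.3.6.1.4.1.9.9.41.1.2.3 instead of the constructed sample. Keep "logging history size" large enough that the daily "send log" entry is not pushed out of the table by other syslog traffic before the NMS polls it, and note that a certificate whose "end date" has already passed shows up with a negative day count rather than being silently dropped.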

Hall of Fame Cisco Employee

Sorry for the delay.  Interesting approach.  If that works for you, great!  It's a much simpler tack.


Hi nvanhaute,

I have some problems with your solution; perhaps you can help me.
I want to get the end date of the certificate too, so your example fits my situation.

I tried your solution...

event manager applet getcert
 event timer cron cron-entry "0 8 * * *"
 action 1.0 cli command "sh crypto pki cert | i end"
 action 2.0 cli command "send log $_cli_result"

but I don't get any log messages in my syslog. I also tried the send command directly from the CLI and that works.

As a workaround I also tried this...

action 1.0 cli command "sh crypto pki cert | redirect tftp://Ip-addres/filename"

Same result. If I use this command on the CLI it works, but not over EEM.

My router is a 3925 with version 15.3(3)M5

kind regards


hi,

I think it's because in newer IOS you have to switch to enable mode to send the command.

Can you try adding an action command ("enable") before the "sh crypto..."?

=>

event manager applet getcert
 event timer cron cron-entry "0 8 * * *"

 action 1.0 cli command "ena"
 action 2.0 cli command "sh crypto pki cert | i end"
 action 3.0 cli command "send log $_cli_result"


Great! It works... sometimes it's that easy...

Thank you for your quick response!!
And sorry for double posting...

kind regards
