Certificate expiration dates in Windows with NetXMS

We recently faced the task of monitoring certificate validity periods on Windows servers. Well, "faced": it came up after certificates had turned into a pumpkin several times, at exactly the moment when the bearded colleague responsible for renewing them was on vacation. After that, he and I began to suspect something and decided to think it over. Since we are slowly but surely rolling out the NetXMS monitoring system, it became the main and, in principle, the only candidate for this task.

In the end, the result looked like this:

And the process itself follows.

Let's go. NetXMS has no built-in counter for certificate expiration, so you need to create your own and feed it data with scripts. In PowerShell, of course; this is Windows. The script should read all certificates in the operating system, take the time until their expiration in days, and pass that number to NetXMS through its agent. That is where we will start.

Option one, the simplest. Just get the number of days until expiration for the certificate with the nearest expiration date.

For the NetXMS server to know that our custom parameter exists, it must receive it from the agent. Otherwise the parameter cannot be added, because it does not exist. So, in the agent configuration file nxagentd.conf we add an external parameter line named HTTPS.CertificateExpireDateSimple, in which we specify the script to launch:

ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"

Since the script is launched from a network path, remember the Execution Policy, and don't forget the remaining "-NoLogo -NoProfile -NonInteractive" switches, which I omitted to keep the code readable.

As a result, the agent config looks something like this:

#
# NetXMS agent configuration file
# Created by agent installer at Thu Jun 13 11:24:43 2019
#
 
MasterServers = netxms.corp.testcompany.ru
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
 
ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"

After this, you need to save the config and restart the agent. You can do this from the NetXMS console: open the config (Edit agent's configuration file), edit it, and run Save & Apply, which in effect does the same thing. Then re-read the configuration (Poll > Configuration) if you have no patience to wait at all. After these steps, you should be able to add our custom parameter.

In the NetXMS console, go to the Data Collection Configuration of the test server on which we will monitor certificates, and create a new parameter there (later, once it is tuned, it makes sense to move it into templates). Select HTTPS.CertificateExpireDateSimple from the list, enter a Description with a clear name, set the type to Integer and set the polling interval. For debugging it makes sense to make it shorter, 30 seconds for example. Everything is ready, that is enough for now.

You can check... no, too early. Right now, of course, we won't get anything, simply because the script has not been written yet. Let's fix that omission. The script will output just a number: the number of days remaining until the certificate expires, the smallest of all available. Example script:

try {
    # Get all certificates from the certificate store
    $lmCertificates = @( Get-ChildItem -Recurse -Path 'Cert:\LocalMachine\My' -ErrorAction Stop )

    # If there are no certificates, return "10 years"
    if ($lmCertificates.Count -eq 0) { return 3650 }

    # Get the Expiration Date of every certificate
    $expirationDates = @( $lmCertificates | ForEach-Object { return $_.NotAfter } )

    # Get the nearest Expiration Date of all
    $minExpirationDate = ($expirationDates | Measure-Object -Minimum -ErrorAction Stop ).Minimum

    # Convert the nearest Expiration Date to the number of days remaining, rounded down
    $daysLeft = [Math]::Floor( ($minExpirationDate - [DateTime]::Now).TotalDays )

    # Return the value
    return $daysLeft
}
catch {
    return -1
}

It turned out like this:

723 days, almost two years remain until the certificate expires. That makes sense, because I recently reissued the certificates for the Exchange test bench.

That was the easy option. Someone will probably be satisfied with it, but we wanted more. We set ourselves the task of getting a list of all certificates on the server, by name, and seeing for each one the number of days remaining until it expires.

Option two, somewhat more complex.

We edit the agent config again and, in place of the ExternalParameter line, write two others:

ExternalList = HTTPS.CertificateNames: powershell.exe -File "\\server\share\netxms_CertExternalNames.ps1"
ExternalParameter = HTTPS.CertificateExpireDate(*): powershell.exe -File "\\server\share\netxms_CertExternalParameter.ps1" -CertificateId "$1"

In ExternalList we simply get a list of strings. In our case, a list of strings with certificate names. We will obtain this list using a script. The list name is HTTPS.CertificateNames.

The NetXMS_CertNames.ps1 script:

# List of possible certificate name types
$nameTypeList = @(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsFromAlternativeName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::UrlName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
)

# Find all certificates that have a private key
$certList = @( Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.HasPrivateKey -eq $true } )

# Walk the certificate list, build the string "Certificate name - Date - Thumbprint" and return it
foreach ($cert in $certList) {
    $name = '(unknown name)'
    try {
        $thumbprint = $cert.Thumbprint
        $dateExpire = $cert.NotAfter
        foreach ($nameType in $nameTypeList) {
            $name_temp = $cert.GetNameInfo( $nameType, $false)
            if ($name_temp -ne $null -and $name_temp -ne '') {
                $name = $name_temp;
                break;
            }
        }
        Write-Output "$($name) - $($dateExpire.ToString('dd.MM.yyyy')) - [T:$($thumbprint)]"
    }
    catch {
        Write-Error -Message "Error processing certificate list: $($_.Exception.Message)"
    }
}

And then, in ExternalParameter, we feed in the strings from the ExternalList and get the number of days for each at the output. The identifier is the certificate's Thumbprint. Note that HTTPS.CertificateExpireDate contains an asterisk (*) in this variant. This is needed so that it accepts external variables, namely our CertificateId.

The NetXMS_CertExpireDate.ps1 script:

# Declare the incoming parameter $CertificateId
param (
    [Parameter(Mandatory=$false)]
    [String]$CertificateId
)

# Check that it was supplied (an unbound [String] parameter is an empty string, not $null)
if ([String]::IsNullOrEmpty($CertificateId)) {
    Write-Error -Message "CertificateID parameter is required!"
    return
}

# Using the Thumbprint from the string in $CertificateId, find the certificate and determine its Expiration Date
$certId = $CertificateId;
try {
    if ($certId -match '^.*\[T:(?<Thumbprint>[A-Z0-9]+)\]$') {
        $thumbprint = $Matches['Thumbprint']
        $certificatePath = "Cert:\LocalMachine\My\$($thumbprint)"

        if (Test-Path -PathType Leaf -Path $certificatePath ) {
            $certificate = Get-Item -Path $certificatePath;
            $certificateExpirationDate = $certificate.NotAfter
            $certificateDayToLive = [Math]::Floor( ($certificateExpirationDate - [DateTime]::Now).TotalDays )
            Write-Output "$($certificateDayToLive)";
        }
        else {
            Write-Error -Message "No certificate matching this thumbprint found on this server $($certId)"
        }
    }
    else {
        Write-Error -Message "CertificateID provided in wrong format. Must be FriendlyName [T:<thumbprint>]"
    }
}
catch {
    Write-Error -Message "Error while executing script: $($_.Exception.Message)"
}
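
A stricter parse of the instance string, as an added example that is not part of the original article: the -CertificateId "$1" value arrives from the monitoring server and ends up in a Cert: path, so it helps to accept only the exact format the list script emits. The helper name Resolve-CertInstance and the sample strings are assumptions made for illustration.

```powershell
# Added example (not from the article). Resolve-CertInstance is a hypothetical helper name.
function Resolve-CertInstance {
    param ([String]$CertificateId)

    # Same shape as the list script's output: "<name> - <dd.MM.yyyy> - [T:<thumbprint>]".
    # A SHA-1 thumbprint is exactly 40 hex characters; nothing else is allowed after "T:".
    $pattern = '^(?<Name>.*) - (?<Date>\d{2}\.\d{2}\.\d{4}) - \[T:(?<Thumbprint>[0-9A-F]{40})\]$'

    # -cmatch is case-sensitive; the certificate store reports thumbprints in upper case.
    if ($CertificateId -cmatch $pattern) {
        return [PSCustomObject]@{
            Name       = $Matches['Name']
            Thumbprint = $Matches['Thumbprint']
            # The path is built only from the validated thumbprint, never from the raw input.
            Path       = 'Cert:\LocalMachine\My\' + $Matches['Thumbprint']
        }
    }
    return $null
}

# Constructed inputs: the first is well-formed, the others are shapes the check must refuse
# (thumbprint too short, path separator inside the field, trailing text, empty string).
$samples = @(
    'mail.example.test - 31.12.2030 - [T:0123456789ABCDEF0123456789ABCDEF01234567]',
    'mail.example.test - 31.12.2030 - [T:0123456789ABCDEF]',
    'mail.example.test - 31.12.2030 - [T:Root\6789ABCDEF0123456789ABCDEF01234567]',
    'mail.example.test - 31.12.2030 - [T:0123456789ABCDEF0123456789ABCDEF01234567] extra',
    ''
)
foreach ($s in $samples) {
    $r = Resolve-CertInstance -CertificateId $s
    if ($null -eq $r) { "REJECT  '$s'" } else { "ACCEPT  $($r.Name) -> $($r.Path)" }
}
```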

In the server's Data Collection Configuration we create a new parameter. In Parameter we select our HTTPS.CertificateExpireDate(*) from the list and (attention!) change the asterisk to {instance}. This important point lets you create a separate counter for each instance (certificate). The rest is filled in as in the previous variant:

To have something to create counters from, on the Instance Discovery tab you need to select Agent List from the list and, in the List Name field, enter the name of our ExternalList from the script: HTTPS.CertificateNames.

Almost ready. Wait a little, or force Poll > Configuration and Poll > Instance Discovery if waiting is out of the question. As a result, we get all our certificates with their validity periods:

What more could you need? Well, yes, only the worm of perfectionism looks with sad eyes at that unnecessary thumbprint in the counter name and won't let me finish the article. To feed it, open the counter properties again and, on the Instance Discovery tab, in the "Instance discovery filter script" field, add a script written in NXSL (the internal language of NetXMS):

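instance = $1;
// After a successful match, $1 holds the first capture group (the name without the thumbprint)
if (instance ~= "^(.*)\s-\s\[T:[a-zA-Z0-9]+\]$")
{
    return %(true, instance, $1);
}
return true;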

which will filter out the Thumbprint:

And to display it filtered, on the General tab, in the Description field, change CertificateExpireDate: {instance} to CertificateExpireDate: {instance-name}:

That's it; at last, the finish line from the lead image:

Isn't it beautiful?

All that remains is to set up alerts so that they arrive by e-mail when a certificate is running out.

1. First we need to create an Event Template to be triggered when the counter value drops to a threshold we set. In Event Configuration let's create two new templates, named for example CertificateExpireDate_Threshold_Activate with status Warning:

and, similarly, CertificateExpireDate_Threshold_Deactivate with status Normal.

2. Next, go to the counter properties and set a threshold on the Thresholds tab:

where we select the events we created, CertificateExpireDate_Threshold_Activate and CertificateExpireDate_Threshold_Deactivate, set the number of samples (Samples) to 1 (for this particular counter there is no point in more), the value to 30 (days), for example, and, importantly, set the event repeat time. For production certificates I set it to once a day (86400 seconds); otherwise you can drown in notifications (which, by the way, happened once, to the point that the mailbox filled up over the weekend). For debugging, it makes sense to set it lower, 60 seconds for example.

3. In Action Configuration, create a notification e-mail template, like this:

All these %m, %S, and so on are macros that will be replaced with values from our parameter. They are described in detail in the NetXMS manual.

4. And finally, tying the previous items together, in Event Processing Policy create a rule under which an Alarm is created and an e-mail is sent:

We save the policy; everything can now be tested. Let's set a higher threshold to check. My nearest certificate expires in 723 days, so I set the threshold to 724 to check. As a result, we get the following alarm:

and this e-mail notification:

That is probably all for now. You could, of course, also set up dashboards and build graphs, but for certificates they would be rather meaningless, dull straight lines, unlike graphs of processor or memory load, for example. But more on that some other time.

source: www.habr.com
