Monitoring certificate expiration dates on Windows with NetXMS

We recently faced the task of monitoring certificate validity periods on Windows servers. Well, "faced": it came up after certificates had turned into a pumpkin several times, precisely while the bearded colleague responsible for renewing them was on vacation. After that, he and I began to suspect something and decided to think it over. Since we are gradually rolling out the NetXMS monitoring system, it became the main and, in fact, the only candidate for the job.

The end result looked like this:

[Screenshot]

And now the process itself.

So. NetXMS has no built-in counter for certificate expiration, so you have to create your own and use scripts to feed it data. In PowerShell, of course; this is Windows. The script has to read all certificates in the operating system, take the time to expiry of each one in days and pass that number to NetXMS, through its agent. That is where we will start.

Option one, the simplest. Just get the number of days until expiry of the certificate with the nearest expiration date.

For the NetXMS server to know that our custom parameter exists, it must receive it from the agent. Otherwise the parameter cannot be added, because it does not exist. So in the agent configuration file nxagentd.conf we add an external parameter line named HTTPS.CertificateExpireDateSimple, in which we specify how the script is launched:

ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"

Given that the script is launched over the network, remember the Execution Policy, and do not forget the other switches, "-NoLogo -NoProfile -NonInteractive", which I have omitted to keep the code readable.

As a result, the agent config looks like this:

#
# NetXMS agent configuration file
# Created by agent installer at Thu Jun 13 11:24:43 2019
#
 
MasterServers = netxms.corp.testcompany.ru
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
 
ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"

After this, save the config and restart the agent. You can do this from the NetXMS console: open the config (Edit agent's configuration file), edit it and run Save & Apply, which in effect does the same thing. Then re-read the configuration (Poll > Configuration) if you have no patience to wait. After these steps it should be possible to add our custom parameter.

In the NetXMS console, go to Data Collection Configuration of the test server on which we are going to monitor certificates and create a new parameter there (later, once it is tuned, it makes sense to move this into templates). Select HTTPS.CertificateExpireDateSimple from the list, enter a Description with a clear name, set the type to Integer and configure the polling interval. While debugging it makes sense to keep it short, 30 seconds for example. All done, that is enough for now.

You can check... no, it is too early. Right now, naturally, we will get nothing, simply because the script has not been written yet. Let's fix that omission. The script will output just a number: the days remaining until a certificate expires, the smallest of all those available. Example script:

try {
    # Get all certificates from the certificate store
    $lmCertificates = @( Get-ChildItem -Recurse -Path 'Cert:\LocalMachine\My' -ErrorAction Stop )

    # If there are no certificates, return "10 years"
    if ($lmCertificates.Count -eq 0) { return 3650 }

    # Get the expiration date of every certificate
    $expirationDates = @( $lmCertificates | ForEach-Object { return $_.NotAfter } )

    # Take the nearest expiration date of all
    $minExpirationDate = ($expirationDates | Measure-Object -Minimum -ErrorAction Stop ).Minimum

    # Convert the nearest expiration date to the number of days remaining, rounded down
    $daysLeft = [Math]::Floor( ($minExpirationDate - [DateTime]::Now).TotalDays )

    # Return the value
    return $daysLeft
}
catch {
    return -1
}

It looks like this:

[Screenshot]

723 days, almost two years left until the certificate expires. That makes sense, because I re-issued the certificates for the Exchange test bench not long ago.

That was the simple option. Someone may well be satisfied with it, but we wanted more. We set ourselves the task of getting a list of all certificates on the server, by name, and seeing for each one the number of days left until it expires.

Option two, somewhat more complicated.

We edit the agent config again and, in place of the ExternalParameter line, write two others:

ExternalList = HTTPS.CertificateNames: powershell.exe -File "\\server\share\netxms_CertExternalNames.ps1"
ExternalParameter = HTTPS.CertificateExpireDate(*): powershell.exe -File "\\server\share\netxms_CertExternalParameter.ps1" -CertificateId "$1"

With ExternalList we simply get a list of strings; in our case, a list of strings with certificate names. We will obtain this list with a script. The list is named HTTPS.CertificateNames.

Script NetXMS_CertNames.ps1:

# Possible certificate name types, tried in this order
$nameTypeList = @(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsFromAlternativeName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::UrlName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
)

# Find all certificates that have a private key
$certList = @( Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.HasPrivateKey -eq $true } )

# Walk the certificate list, build the string "Certificate name - Date - Thumbprint" and output it
foreach ($cert in $certList) {
    $name = '(unknown name)'
    try {
        $thumbprint = $cert.Thumbprint
        $dateExpire = $cert.NotAfter
        foreach ($nameType in $nameTypeList) {
            $name_temp = $cert.GetNameInfo( $nameType, $false)
            if ($name_temp -ne $null -and $name_temp -ne '') {
                $name = $name_temp;
                break;
            }
        }
        Write-Output "$($name) - $($dateExpire.ToString('dd.MM.yyyy')) - [T:$($thumbprint)]"
    }
    catch {
        Write-Error -Message "Error processing certificate list: $($_.Exception.Message)"
    }
}

ExternalParameter, in turn, takes the strings from the ExternalList as input and outputs that same number of days for each one. The identifier is the certificate's Thumbprint. Note that in this variant HTTPS.CertificateExpireDate carries an asterisk (*). It is needed so that the parameter accepts external arguments, in our case CertificateId.

Script NetXMS_CertExpireDate.ps1:

# Declare the input parameter $CertificateId
param (
    [Parameter(Mandatory=$false)]
    [String]$CertificateId
)

# Check that it was supplied (an omitted [String] parameter is an empty string, not $null)
if ([string]::IsNullOrEmpty($CertificateId)) {
    Write-Error -Message "CertificateID parameter is required!"
    return
}

# Using the Thumbprint from the string in $CertificateId, find the certificate and determine its expiration date
$certId = $CertificateId;
try {
    if ($certId -match '^.*\[T:(?<Thumbprint>[A-Z0-9]+)\]$') {
        $thumbprint = $Matches['Thumbprint']
        $certificatePath = "Cert:\LocalMachine\My\$($thumbprint)"

        if (Test-Path -PathType Leaf -Path $certificatePath ) {
            $certificate = Get-Item -Path $certificatePath;
            $certificateExpirationDate = $certificate.NotAfter
            $certificateDayToLive = [Math]::Floor( ($certificateExpirationDate - [DateTime]::Now).TotalDays )
            Write-Output "$($certificateDayToLive)";
        }
        else {
            Write-Error -Message "No certificate matching this thumbprint found on this server $($certId)"
        }
    }
    else {
        Write-Error -Message "CertificateID provided in wrong format. Must be FriendlyName [T:<thumbprint>]"
    }
}
catch {
    Write-Error -Message "Error while executing script: $($_.Exception.Message)"
}
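
The instance string travels from the list script to the server and back into the parameter script as "$1", so it is worth parsing strictly before it is used to build a store path. The following is an added example, not code from the original article: ConvertFrom-CertInstance and Get-DaysLeft are hypothetical helper names, the pattern is deliberately stricter than the one in the script above (exactly 40 hex digits, the length of a SHA-1 thumbprint), and all sample strings and dates are constructed.

```powershell
# Added example: strict parsing of the instance string plus the days-left arithmetic.
# All sample values are constructed; the certificate store is not touched.

function ConvertFrom-CertInstance {
    # Hypothetical helper. Expects "<label> - [T:<thumbprint>]" as emitted by the list script.
    param([string]$CertificateId)

    # A store thumbprint is a SHA-1 hash, i.e. exactly 40 hex digits
    # (-match is case-insensitive, so lowercase hex is accepted and normalised).
    if ($CertificateId -match '^(?<Label>.*) - \[T:(?<Thumbprint>[0-9A-F]{40})\]$') {
        return [pscustomobject]@{
            Label      = $Matches['Label']
            Thumbprint = $Matches['Thumbprint'].ToUpperInvariant()
        }
    }
    return $null   # caller treats this as "wrong format"
}

function Get-DaysLeft {
    # Hypothetical helper. Same Floor() rounding as the scripts above, with an injectable clock.
    param([datetime]$NotAfter, [datetime]$Now)
    return [int][Math]::Floor(($NotAfter - $Now).TotalDays)
}

$thumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # constructed, 40 hex digits
$samples = @(
    "mail.example.test - 05.06.2021 - [T:$($thumb)]",                      # well-formed
    "mail.example.test - 05.06.2021 - [T:ABC123]",                         # hex, but too short
    "mail.example.test - 05.06.2021 - [T:$($thumb -replace '0', 'Z')]",    # right length, not hex
    ''                                                                     # parameter omitted
)
foreach ($s in $samples) {
    $parsed = ConvertFrom-CertInstance -CertificateId $s
    if ($null -eq $parsed) { "rejected: '$s'" }
    else { "accepted: label='$($parsed.Label)' thumbprint=$($parsed.Thumbprint)" }
}

# Rounding edge cases against a fixed clock (constructed dates):
# far in the future, expiring in 12 hours, expired 12 hours ago.
$now = [datetime]'2019-06-13T12:00:00'
foreach ($notAfter in @($now.AddDays(723).AddHours(5), $now.AddHours(12), $now.AddHours(-12))) {
    "NotAfter=$($notAfter.ToString('dd.MM.yyyy HH:mm')) daysLeft=$(Get-DaysLeft -NotAfter $notAfter -Now $now)"
}
```

The last sample date shows that a certificate which expired less than a day ago also yields -1, the same value the simple script returns from its catch block, so a threshold or alert on that counter cannot tell the two cases apart.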

In the server's Data Collection Configuration, create a new parameter. In Parameter, select our HTTPS.CertificateExpireDate(*) from the list and (attention!) change the asterisk to {instance}. This important step makes it possible to create a separate counter for each instance (certificate). Everything else is filled in as in the previous option:

[Screenshot]

So that there is something to create the counters from, on the Instance Discovery tab select Agent List from the list and, in the List Name field, enter the name of our ExternalList from the script: HTTPS.CertificateNames.

Almost done; wait a little, or force Poll > Configuration and Poll > Instance Discovery if waiting is out of the question. As a result we get all our certificates with their validity periods:

[Screenshot]

What more could you need? Well, yes, except that the worm of perfectionism looks with sad eyes at that unnecessary Thumbprint in the counter name and will not let me finish the article. To feed it, open the counter properties again and, on the Instance Discovery tab, in the "Instance discovery filter script" field, add the following script written in NXSL (the internal language of NetXMS):

instance = $1;
if (instance ~= "^(.*)\s-\s\[T:[a-zA-Z0-9]+\]$")
{
    return %(true, instance, $1);
}
return true;

which filters out the Thumbprint:

[Screenshot]

To have the filtered name displayed, on the General tab, in the Description field, change CertificateExpireDate: {instance} to CertificateExpireDate: {instance-name}:

[Screenshot]

That is it; finally, the finish line from the lead image:

[Screenshot]

Isn't it a beauty?

What remains is to set up notifications so that they arrive by e-mail when a certificate is about to expire.

1. First, create an Event Template to be triggered when the counter value drops to a threshold we set. In Event Configuration, create two new templates, one named, say, CertificateExpireDate_Threshold_Activate with Warning status:

[Screenshot]

and a similar one, CertificateExpireDate_Threshold_Deactivate, with Normal status.

2. Next, go to the counter properties and set a threshold on the Thresholds tab:

[Screenshot]

where we select the events we created, CertificateExpireDate_Threshold_Activate and CertificateExpireDate_Threshold_Deactivate, set the number of samples (Samples) to 1 (for this particular counter there is no point in setting more), the value to 30 (days), for example, and, importantly, the event repeat time. For production certificates I set it to once a day (86400 seconds); otherwise you can drown in notifications (which, by the way, happened once, to the point that the mailbox overflowed over the weekend). While debugging it makes sense to set it lower, 60 seconds for example.

3. In Action Configuration, create a notification e-mail template, for example:

[Screenshot]

All these %m, %S and so on are macros that will be replaced with the values from our parameter. They are described in more detail in the NetXMS manual.

4. And finally, tying the previous items together, in Event Processing Policy create a rule by which an Alarm is generated and the e-mail is sent:

[Screenshot]

Save the policy, and everything can be tested. Let's set the threshold higher to check. My nearest certificate expires in 723 days, so I set it to 724 for the test. As a result we get the following alarm:

[Screenshot]

and this e-mail notification:

[Screenshot]

That is all for now. Of course, one could also set up a dashboard and plot graphs, but for certificates these would be rather meaningless and boring straight lines, unlike graphs of CPU or memory load. But more on that some other time.

Source: www.habr.com
