Recently we were faced with the task of monitoring certificate validity periods on Windows servers. Well, it came up after certificates turned into a pumpkin several times, at exactly the moment when the bearded colleague responsible for renewing them was on vacation. After that, he and I suspected something and decided to think it over. Since we are gradually rolling out the NetXMS monitoring system, it became the main and, in principle, the only candidate for this task.
In the end the result was obtained in the following form:
And the process itself follows.
Let's go. NetXMS has no built-in counter for expiring certificates, so you have to create your own and use scripts to feed it with data. In PowerShell, of course, since this is Windows. The script has to read all certificates in the operating system, take the expiration date of each in days and pass this number to NetXMS. Through its agent. That is where we will start.
Option one, the simplest. Just get the number of days until expiration for the certificate with the nearest expiration date.
For the NetXMS server to know that our custom parameter exists, it has to receive it from the agent. Otherwise the parameter cannot be added, because it does not exist. So in the agent configuration file nxagentd.conf we add an external parameter line named HTTPS.CertificateExpireDateSimple, in which we specify how the script is launched:
ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"
Because the script is launched over the network, you need to remember about
As a result, the agent config looks like this:
#
# NetXMS agent configuration file
# Created by agent installer at Thu Jun 13 11:24:43 2019
#
MasterServers = netxms.corp.testcompany.ru
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"
After this, you need to save the config and restart the agent. You can do this from the NetXMS console: open the config (Edit agent's configuration file), edit it and run Save & Apply, which in effect does the same thing. Then re-read the configuration (Poll > Configuration) if you have no patience to wait. After these steps you should be able to add our custom parameter.
In the NetXMS console go to Data Collection Configuration of the test server on which we will monitor certificates and create a new parameter there (later, once everything is set up, it makes sense to move it into templates). Select HTTPS.CertificateExpireDateSimple from the list, enter a Description with a clear name, set the type to Integer and configure the polling interval. For debugging it makes sense to make it shorter, 30 seconds for example. All set, that is enough for now.
You can check... no, it is too early. Right now, of course, we will not get anything, simply because the script has not been written yet. Let's fix this omission. The script will simply output a number: the number of days remaining until a certificate expires. The minimum over all certificates present. Script example:
try {
    # Get all certificates from the certificate store
    $lmCertificates = @( Get-ChildItem -Recurse -Path 'Cert:\LocalMachine\My' -ErrorAction Stop )
    # If there are no certificates, return "10 years"
    if ($lmCertificates.Count -eq 0) { return 3650 }
    # Get the expiration date of every certificate
    $expirationDates = @( $lmCertificates | ForEach-Object { return $_.NotAfter } )
    # Pick the nearest expiration date of all
    $minExpirationDate = ($expirationDates | Measure-Object -Minimum -ErrorAction Stop ).Minimum
    # Convert the nearest expiration date to the number of days left, rounded down
    $daysLeft = [Math]::Floor( ($minExpirationDate - [DateTime]::Now).TotalDays )
    # Return the value
    return $daysLeft
}
catch {
    # Any error is reported as -1; note that a certificate which expired
    # less than a day ago also yields -1 because of the rounding down
    return -1
}
It comes out like this:
723 days, almost two years left until the certificate expires. That makes sense, because I reissued the certificates for the Exchange test bench quite recently.
That was the simple option. Someone will probably be satisfied with it, but we wanted more. We set ourselves the task of getting a list of all certificates on the server, by name, and seeing for each one the number of days remaining until it expires.
Option two, somewhat more complex.
Again we edit the agent config and, instead of the line with ExternalParameter, write two others:
ExternalList = HTTPS.CertificateNames: powershell.exe -File "\\server\share\netxms_CertExternalNames.ps1"
ExternalParameter = HTTPS.CertificateExpireDate(*): powershell.exe -File "\\server\share\netxms_CertExternalParameter.ps1" -CertificateId "$1"
In ExternalList we simply get a list of strings. In our case, a list of strings with certificate names. We will get this list of strings from a script. The list name is HTTPS.CertificateNames.
Listing of NetXMS_CertNames.ps1:
# List of possible certificate name types
$nameTypeList = @(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsFromAlternativeName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::UrlName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
)
# Find all certificates that have a private key
$certList = @( Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.HasPrivateKey -eq $true } )
# Walk the certificate list, build the string "Certificate name - Date - Thumbprint" and output it
foreach ($cert in $certList) {
    $name = '(unknown name)'
    try {
        $thumbprint = $cert.Thumbprint
        $dateExpire = $cert.NotAfter
        # Use the first name type that yields a non-empty value
        foreach ($nameType in $nameTypeList) {
            $name_temp = $cert.GetNameInfo( $nameType, $false)
            if ($null -ne $name_temp -and $name_temp -ne '') {
                $name = $name_temp
                break
            }
        }
        Write-Output "$($name) - $($dateExpire.ToString('dd.MM.yyyy')) - [T:$($thumbprint)]"
    }
    catch {
        Write-Error -Message "Error processing certificate list: $($_.Exception.Message)"
    }
}
And then into ExternalParameter we feed the strings from the ExternalList, and at the output we get the same number of days for each one. The identifier is the certificate's Thumbprint. Note that HTTPS.CertificateExpireDate contains an asterisk (*) in this variant. This is required so that it accepts an external variable, namely our CertificateId.
Listing of NetXMS_CertExpireDate.ps1:
# Define the input parameter $CertificateId
param (
    [Parameter(Mandatory=$false)]
    [String]$CertificateId
)
# Check that it was supplied (an omitted [String] parameter is '', never $null)
if ([string]::IsNullOrEmpty($CertificateId)) {
    Write-Error -Message "CertificateID parameter is required!"
    return
}
# Using the Thumbprint from the string in $CertificateId, find the certificate and determine its Expiration Date
$certId = $CertificateId
try {
    if ($certId -match '^.*\[T:(?<Thumbprint>[A-Z0-9]+)\]$') {
        $thumbprint = $Matches['Thumbprint']
        $certificatePath = "Cert:\LocalMachine\My\$($thumbprint)"
        if (Test-Path -PathType Leaf -Path $certificatePath ) {
            $certificate = Get-Item -Path $certificatePath
            $certificateExpirationDate = $certificate.NotAfter
            # Days left, rounded down
            $certificateDayToLive = [Math]::Floor( ($certificateExpirationDate - [DateTime]::Now).TotalDays )
            Write-Output "$($certificateDayToLive)"
        }
        else {
            Write-Error -Message "No certificate matching this thumbprint found on this server $($certId)"
        }
    }
    else {
        Write-Error -Message "CertificateID provided in wrong format. Must be FriendlyName [T:<thumbprint>]"
    }
}
catch {
    Write-Error -Message "Error while executing script: $($_.Exception.Message)"
}
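An added example, not part of the original article: a stricter parser for the instance string that the list script emits and the parameter script receives. The function name ConvertFrom-CertInstance and the sample lines are constructed for illustration; days are computed from the date embedded in the string so that the block runs without a certificate store.

```powershell
# Added example (not from the article): parse "<name> - <dd.MM.yyyy> - [T:<thumbprint>]".
# ConvertFrom-CertInstance and all sample values below are constructed.
function ConvertFrom-CertInstance {
    param(
        [Parameter(Mandatory = $true)][string]$Instance,
        [datetime]$Now = [datetime]::Now
    )
    # A SHA-1 thumbprint is exactly 40 hex digits; anything else is rejected
    # before the value could ever be used to build a Cert:\ path.
    $pattern = '^(?<Name>.*)\s-\s(?<Date>\d{2}\.\d{2}\.\d{4})\s-\s\[T:(?<Thumbprint>[0-9A-Fa-f]{40})\]$'
    if ($Instance -match $pattern) {
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        try { $notAfter = [datetime]::ParseExact($Matches['Date'], 'dd.MM.yyyy', $culture) }
        catch { return $null }   # e.g. 31.02.2021 passes the regex but is not a date
        return [pscustomobject]@{
            Name       = $Matches['Name']
            Thumbprint = $Matches['Thumbprint'].ToUpperInvariant()
            NotAfter   = $notAfter
            # Goes negative after expiry, so a "below 30" threshold keeps firing.
            DaysLeft   = [int][Math]::Floor(($notAfter - $Now).TotalDays)
        }
    }
    return $null   # malformed instance string
}

# Constructed sample lines; the second name itself contains " - ".
$samples = @(
    'mail.example.test - 15.06.2021 - [T:0123456789ABCDEF0123456789ABCDEF01234567]',
    'old - internal - 01.01.2019 - [T:89ABCDEF0123456789ABCDEF0123456789ABCDEF]',
    'broken - 15.06.2021 - [T:XYZ]'
)
$now = [datetime]'2019-06-24'   # fixed "today" so the output is repeatable
foreach ($line in $samples) {
    $parsed = ConvertFrom-CertInstance -Instance $line -Now $now
    if ($null -eq $parsed) { Write-Output "REJECTED: $line" }
    else { Write-Output ('{0} [{1}]: {2} days left' -f $parsed.Name, $parsed.Thumbprint, $parsed.DaysLeft) }
}
```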
In the server's Data Collection Configuration we create a new parameter. In Parameter we select our HTTPS.CertificateExpireDate(*) from the list and (attention!) change the asterisk to {instance}. This important step is what allows a separate counter to be created for each instance (certificate). The rest is filled in as in the previous variant:
To have something to create the counters from, on the Instance Discovery tab select Agent List from the list and in the List Name field enter the name of our ExternalList from the script, HTTPS.CertificateNames.
Almost ready; wait a little or force Poll > Configuration and Poll > Instance Discovery if waiting is completely impossible. As a result we get all our certificates with their validity periods:
What more could you need? Well, yes, only the worm of perfectionism looks with sad eyes at this unnecessary Thumbprint in the counter name and will not let me finish the article. To feed it, open the counter properties again and on the Instance Discovery tab, in the "Instance discovery filter script" field, add the following:
instance = $1;
if (instance ~= "^(.*)\s\-\s\[T:[a-zA-Z0-9]+\]$")
{
    return %(true, instance, $1);
}
return true;
which will filter out the Thumbprint:
And to display the filtered name, on the General tab in the Description field change CertificateExpireDate: {instance} to CertificateExpireDate: {instance-name}:
That's it, at last the final view from the lead image:
Isn't it beautiful?
The only thing left is to set up alerts so that they arrive by e-mail when a certificate is about to expire.
1. First we need to create an Event Template that is triggered when the counter value drops to a threshold we set. In Event Configuration create two new templates with names such as CertificateExpireDate_Threshold_Activate with Warning status:
and similarly CertificateExpireDate_Threshold_Deactivate with Normal status.
2. Next, go to the counter's properties and set a threshold on the Thresholds tab:
where we select the events we created, CertificateExpireDate_Threshold_Activate and CertificateExpireDate_Threshold_Deactivate, set the number of samples (Samples) to 1 (for this particular counter there is no point in setting more), the value to 30 (days), for example, and, importantly, the event repeat time. For certificates in production I set it to once a day (86400 seconds), otherwise you can drown in notifications (which, by the way, happened once, to the point that the mailbox overflowed over the weekend). During debugging it makes sense to set it lower, 60 seconds for example.
3. In Actions Configuration create a template for the notification e-mail, like this:
All these %m, %S and so on are macros into which the values from our parameter will be substituted. They are described in more detail in
4. And finally, tying the previous points together, in Event Processing Policy create a rule according to which an Alarm is created and an e-mail is sent:
We save the policy, and everything can be tested. Let's set the threshold higher to check. My nearest certificate expires in 723 days, so I set 724 for the check. As a result we get the following alarm:
and this e-mail notification:
Now that is definitely all. You could, of course, also set up a dashboard and build graphs, but for certificates these would be rather meaningless, boring straight lines, unlike graphs of CPU or memory load, for example. But more on that some other time.
Source: www.habr.com