Recently we were faced with the task of monitoring the validity period of certificates on Windows servers. Well, here is how it came up: several times the certificates turned into a pumpkin at exactly the moment when the bearded colleague responsible for renewing them was on vacation. After that, he and I began to suspect something and decided to think about it. Since we are gradually rolling out the NetXMS monitoring system, it became the main and, in principle, the only candidate for this task.
In the end, the result looked like this:
And the process itself follows.
Let's go. NetXMS has no built-in counter for expiring certificates, so you need to create your own and use scripts to feed it data. In PowerShell, naturally, this is Windows after all. The script has to read all the certificates in the operating system, take each one's expiration date as a number of days from now, and pass that number to NetXMS. Through its agent. That is where we will start.
Option one, the simplest. Just get the number of days until expiration for the certificate with the nearest expiration date.
For the NetXMS server to know that our custom parameter exists, it has to receive it from the agent. Otherwise the parameter cannot be added, because it does not exist. So, in the agent configuration file nxagentd.conf we add an external parameter string named HTTPS.CertificateExpireDateSimple, in which we register the launch of the script:
ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"
Given that the script is launched over the network, you need to remember about
As a result, the agent configuration looks like this:
#
# NetXMS agent configuration file
# Created by agent installer at Thu Jun 13 11:24:43 2019
#
MasterServers = netxms.corp.testcompany.ru
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"
After this, you need to save the configuration and restart the agent. You can do this from the NetXMS console: open the config (Edit agent's configuration file), edit it, and run Save & Apply, which in fact does the same thing. Then re-read the configuration (Poll > Configuration) if you have no patience to wait at all. After these steps, you should be able to add our custom parameter.
In the NetXMS console, go to Data Collection Configuration of the test server on which we are going to monitor certificates and create a new parameter there (later, once it is set up, it makes sense to move it to templates). Select HTTPS.CertificateExpireDateSimple from the list, enter a Description with a clear name, set the type to Integer and configure the polling interval. For debugging purposes it makes sense to make it shorter, 30 seconds, for example. Everything is ready, that is enough for now.
You can check... no, it is too early. Right now, of course, we will not get anything. Simply because the script has not been written yet. Let's fix that omission. The script will simply output a number, the number of days left until the certificate expires. The smallest of all available. Script example:
try {
    # Get all certificates from the certificate store
    $lmCertificates = @( Get-ChildItem -Recurse -Path 'Cert:\LocalMachine\My' -ErrorAction Stop )
    # If there are no certificates, return "10 years"
    if ($lmCertificates.Count -eq 0) { return 3650 }
    # Get the Expiration Date of every certificate
    $expirationDates = @( $lmCertificates | ForEach-Object { return $_.NotAfter } )
    # Get the nearest Expiration Date of them all
    $minExpirationDate = ($expirationDates | Measure-Object -Minimum -ErrorAction Stop ).Minimum
    # Convert the nearest Expiration Date to the number of days left, rounded down
    $daysLeft = [Math]::Floor( ($minExpirationDate - [DateTime]::Now).TotalDays )
    # Return the value
    return $daysLeft
}
catch {
    return -1
}
It turns out like this:
723 days, almost two years left until the certificate expires. That makes sense, because I re-issued the certificates for the Exchange test bench recently.
That was the simple option. Perhaps someone will be satisfied with this, but we wanted more. We set ourselves the task of getting a list of all certificates on the server, by name, and seeing for each one the number of days left until it expires.
Option two, somewhat more complex.
We edit the agent configuration again and, instead of the line with ExternalParameter, write two others:
ExternalList = HTTPS.CertificateNames: powershell.exe -File "\\server\share\netxms_CertExternalNames.ps1"
ExternalParameter = HTTPS.CertificateExpireDate(*): powershell.exe -File "\\server\share\netxms_CertExternalParameter.ps1" -CertificateId "$1"
In ExternalList we simply get a list of strings. In our case, a list of strings with certificate names. We will get this list of strings using a script. The list name is HTTPS.CertificateNames.
Script NetXMS_CertNames.ps1:
# List of possible certificate name types
$nameTypeList = @(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsFromAlternativeName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::UrlName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName,
    [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
)
# Find all certificates that have a private key
$certList = @( Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.HasPrivateKey -eq $true } )
# Walk through the certificate list, build the string "Certificate name - Date - Thumbprint" and return it
foreach ($cert in $certList) {
    $name = '(unknown name)'
    try {
        $thumbprint = $cert.Thumbprint
        $dateExpire = $cert.NotAfter
        # Use the first name type that yields a non-empty value
        foreach ($nameType in $nameTypeList) {
            $name_temp = $cert.GetNameInfo( $nameType, $false)
            if ($null -ne $name_temp -and $name_temp -ne '') {
                $name = $name_temp;
                break;
            }
        }
        Write-Output "$($name) - $($dateExpire.ToString('dd.MM.yyyy')) - [T:$($thumbprint)]"
    }
    catch {
        Write-Error -Message "Error processing certificate list: $($_.Exception.Message)"
    }
}
And in ExternalParameter we feed in the strings from the ExternalList, and at the output we get the same number of days for each one. The identifier is the certificate's Thumbprint. Note that HTTPS.CertificateExpireDate contains an asterisk (*) in this variant. This is needed so that it accepts an external variable, namely our CertificateId.
Script NetXMS_CertExpireDate.ps1:
# Define the input parameter $CertificateId
param (
    [Parameter(Mandatory=$false)]
    [String]$CertificateId
)
# Check that it was supplied (an omitted [String] parameter is an empty string, not $null)
if ([String]::IsNullOrEmpty($CertificateId)) {
    Write-Error -Message "CertificateID parameter is required!"
    return
}
# Using the Thumbprint from the string in $CertificateId, find the certificate and determine its Expiration Date
$certId = $CertificateId;
try {
    # The thumbprint is the [T:...] suffix at the end of the instance string
    if ($certId -match '^.*\[T:(?<Thumbprint>[A-Z0-9]+)\]$') {
        $thumbprint = $Matches['Thumbprint']
        $certificatePath = "Cert:\LocalMachine\My\$($thumbprint)"
        if (Test-Path -PathType Leaf -Path $certificatePath ) {
            $certificate = Get-Item -Path $certificatePath;
            $certificateExpirationDate = $certificate.NotAfter
            # Days left, rounded down
            $certificateDayToLive = [Math]::Floor( ($certificateExpirationDate - [DateTime]::Now).TotalDays )
            Write-Output "$($certificateDayToLive)";
        }
        else {
            Write-Error -Message "No certificate matching this thumbprint found on this server $($certId)"
        }
    }
    else {
        Write-Error -Message "CertificateID provided in wrong format. Must be FriendlyName [T:<thumbprint>]"
    }
}
catch {
    Write-Error -Message "Error while executing script: $($_.Exception.Message)"
}
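An added example, not part of the original article: a stricter parser for the instance string that the agent passes to the script as $1, run against constructed sample strings so it works without touching a certificate store. It assumes SHA-1 thumbprints (40 hex characters) and the "name - dd.MM.yyyy - [T:thumbprint]" format produced by the list script above; the function name ConvertFrom-CertInstance is hypothetical.

```powershell
# Added example, not from the original article.
# ConvertFrom-CertInstance is a hypothetical helper; all sample strings are constructed.
function ConvertFrom-CertInstance {
    param ([string]$Instance)

    # Anchored pattern: name, dd.MM.yyyy date, then exactly 40 hex digits (SHA-1 thumbprint).
    # A fixed-length hex class cannot contain wildcards or path separators.
    $pattern = '^(?<Name>.*) - (?<Date>\d{2}\.\d{2}\.\d{4}) - \[T:(?<Thumbprint>[0-9A-Fa-f]{40})\]$'
    if ($Instance -notmatch $pattern) { return $null }

    # Copy the captures before anything else can overwrite $Matches.
    $name = $Matches['Name']
    $date = $Matches['Date']
    $thumbprint = $Matches['Thumbprint'].ToUpperInvariant()

    # Reject calendar-invalid dates such as 31.02.2021.
    $expires = [DateTime]::MinValue
    $ok = [DateTime]::TryParseExact($date, 'dd.MM.yyyy',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$expires)
    if (-not $ok) { return $null }

    [pscustomobject]@{
        Name       = $name
        Expires    = $expires
        Thumbprint = $thumbprint
        CertPath   = "Cert:\LocalMachine\My\$thumbprint"
    }
}

# Constructed inputs: two well-formed strings, then four that must be rejected.
$samples = @(
    'mail.example.test - 07.06.2021 - [T:0123456789ABCDEF0123456789ABCDEF01234567]',
    'name - with dashes - 31.12.2030 - [T:89abcdef0123456789abcdef0123456789abcdef]',
    'short thumbprint - 07.06.2021 - [T:ABC123]',
    'wildcard - 07.06.2021 - [T:*]',
    'extra path - 07.06.2021 - [T:..\Root\0123456789ABCDEF0123456789ABCDEF01234567]',
    'bad date - 31.02.2021 - [T:0123456789ABCDEF0123456789ABCDEF01234567]'
)
foreach ($s in $samples) {
    $parsed = ConvertFrom-CertInstance -Instance $s
    if ($null -eq $parsed) { "REJECT  $s" }
    else { "ACCEPT  $($parsed.Name) -> $($parsed.CertPath)" }
}
```

The returned CertPath can be handed to Test-Path and Get-Item exactly as in the script above, so only a well-formed thumbprint ever reaches the Cert: provider.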
In the server's Data Collection Configuration we create a new parameter. In Parameter we select our HTTPS.CertificateExpireDate(*) from the list and (attention!) change the asterisk to {instance}. This important point lets you create a separate counter for each instance (certificate). Fill in the rest as in the previous variant:
So that there is something to create counters from, on the Instance Discovery tab select Agent List from the list and in the List Name field enter the name of our ExternalList from the script: HTTPS.CertificateNames.
Almost ready. Wait a little, or force Poll > Configuration and Poll > Instance Discovery if waiting is completely impossible. As a result, we get all our certificates with their validity periods:
What else do you need? Well, yes, only the worm of perfectionism looks at that unnecessary Thumbprint in the counter name with sad eyes and will not let me finish the article. To feed it, open the counter properties again and on the Instance Discovery tab, in the "Instance discovery filter script" field, add this script:
instance = $1;
if (instance ~= "^(.*)\s\-\s\[T:[a-zA-Z0-9]+\]$")
{
    return %(true, instance, $1);
}
return true;
It will filter out the Thumbprint:
And to display the filtered name, on the General tab in the Description field, change CertificateExpireDate: {instance} to CertificateExpireDate: {instance-name}:
That's it, finally the finish line from the picture at the top of the post:
Isn't it beautiful?
All that remains is to set up alerts so that they arrive by e-mail when a certificate is about to expire.
1. First we need to create an Event Template to fire when the counter value drops to some threshold that we have set. In Event Configuration, let's create two new templates with names like CertificateExpireDate_Threshold_Activate with Warning status:
and a similar CertificateExpireDate_Threshold_Deactivate with Normal status.
2. Next, go to the counter properties and set a threshold on the Thresholds tab:
where we select our created events CertificateExpireDate_Threshold_Activate and CertificateExpireDate_Threshold_Deactivate, set the number of samples (Samples) to 1 (for this particular counter there is no point in setting more), the value to 30 (days), for example, and, importantly, set the event repeat time. For certificates in production, I set it to once a day (86400 seconds), otherwise you can drown in notifications (which, by the way, happened once, to the point that the mailbox overflowed over the weekend). While debugging, it makes sense to set it lower, 60 seconds, for example.
3. In Action Configuration, create a notification e-mail template, like this:
All these %m, %S, etc. are macros into which values from our parameter will be substituted. They are described in more detail in
4. And finally, combining the previous points, in Event Processing Policy create a rule by which an Alarm will be generated and an e-mail will be sent:
We save the policy, and everything can be tested. Let's set the threshold higher to check. My nearest certificate expires in 723 days, so I set it to 724 to test. As a result, we get the following alarm:
and this e-mail notification:
That is all for certain now. It would be possible, of course, to set up a dashboard and build graphs, but for certificates these would be straight lines that say nothing and are boring, unlike graphs of processor or memory load, for example. However, more on that some other time.
Source: www.habr.com