ASA certificate check

Posted: Tue Oct 09, 2012 7:25 am
by dhirajkumar
Hi,

I need to configure a Nagios check to monitor the CA certificate for a Cisco ASA 5510 SSL VPN device. Could you please guide me on how to configure this?


Regards,
Dhiraj

Re: ASA certificate check

Posted: Tue Oct 09, 2012 11:31 am
by inventsekar
Hi Dhiraj,

I am not sure of this task... I searched here in this forum and googled, but didn't get any good results...
OK, could you tell us how to monitor the CA certificate for a Cisco ASA 5510 SSL VPN device without Nagios?
When we understand that, we can get some more ideas about how to monitor it using Nagios (or HPOV or Tivoli or BMC or anything...)

Thanks...
Sekar

Re: ASA certificate check

Posted: Tue Oct 09, 2012 5:01 pm
by jsmurphy
Monitoring SSL Certs is a b*tch.

There won't be any pre-built solutions for this, I'm afraid; you will have to build your own. You do have two options, though. The first is to write a script that will SSH to the device, run something like "sh crypt ca certificates" and then parse the output for whatever data it is you want to verify, which might not be possible depending on your security policies and whether you are 100% reliant on RADIUS or TACACS.

The second option will undoubtedly be the preferred one, but it requires looking at MIBs. Find the OID in the CISCO-SSL-PROXY-MIB file that corresponds to what you are looking for and then create a script to query and interrogate that information... You can browse through the descriptions to (hopefully) find what you should be querying: http://tools.cisco.com/Support/SNMP/do/ ... -PROXY-MIB

Re: ASA certificate check

Posted: Wed Oct 10, 2012 6:57 am
by dhirajkumar
inventsekar wrote: Hi Dhiraj,

I am not sure of this task... I searched here in this forum and googled, but didn't get any good results...
OK, could you tell us how to monitor the CA certificate for a Cisco ASA 5510 SSL VPN device without Nagios?
When we understand that, we can get some more ideas about how to monitor it using Nagios (or HPOV or Tivoli or BMC or anything...)

Thanks...
Sekar

Thanks, Sekar and jsmurphy.

We haven't monitored the Cisco ASA CA certificate using any other tools. However, we can check the status of the certificate by logging in over SSH; the command is show crypto ca certificate. So, as suggested by jsmurphy, I am working on a Perl script to log in over SSH, run the command and parse the result for certificate expiration.

Regards,
Dhiraj.
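The SSH-and-parse approach that jsmurphy suggested and Dhiraj settled on, as an added example that is not code from this thread, from Nagios or from Cisco. It is written in Python rather than Perl, and it deliberately leaves the SSH step to the caller: whatever wrapper your access policy allows captures the text of "show crypto ca certificates" and pipes it to this plugin on stdin, which then finds every certificate block's end date and trustpoint and exits with the Nagios OK/WARNING/CRITICAL/UNKNOWN code for the soonest-expiring one. The field layout it matches (a bare "CA Certificate" or "Certificate" header, a "Validity Date" block with "start date:" / "end date:" lines in HH:MM:SS UTC Mon D YYYY form, and an "Associated Trustpoints:" line) is an assumption modelled on typical ASA output and must be checked against your own device's output; the sample output embedded in the block is constructed, not captured from a real ASA.

```python
"""check_asa_certs.py: Nagios-style check for Cisco ASA certificate expiry.

Reads the text of "show crypto ca certificates" on stdin (captured by the
SSH wrapper of your choice), finds every certificate block's end date and
exits with the Nagios state of the soonest-expiring one.  The field layout
matched below is an assumption modelled on typical ASA output; verify it
against your own device before relying on it.
"""
import re
import sys
from datetime import datetime

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# A block starts with a bare "CA Certificate" or "Certificate" line (assumed).
HEADER_RE = re.compile(r"^\s*(CA\s+)?Certificate\s*$")
# Assumed line shape:  "    end   date: 12:00:00 UTC Jan 1 2022"
END_DATE_RE = re.compile(r"^\s*end\s+date:\s*(.+?)\s*$", re.IGNORECASE)
TRUSTPOINT_RE = re.compile(r"^\s*Associated Trustpoints?:\s*(.+?)\s*$", re.IGNORECASE)


def parse_asa_date(text):
    """Parse '12:00:00 UTC Jan 1 2022' into a naive UTC datetime."""
    return datetime.strptime(text, "%H:%M:%S UTC %b %d %Y")


def parse_certificates(output):
    """Return one dict per certificate block: kind, trustpoint, end."""
    certs = []
    current = None
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"kind": "CA" if header.group(1) else "identity",
                       "trustpoint": None, "end": None}
            certs.append(current)
            continue
        if current is None:
            continue                       # preamble before the first block
        end = END_DATE_RE.match(line)
        if end:
            current["end"] = parse_asa_date(end.group(1))
            continue
        tp = TRUSTPOINT_RE.match(line)
        if tp:
            current["trustpoint"] = tp.group(1)
    return certs


def check_asa_certificates(output, now, warn_days=30, crit_days=7):
    """Return (nagios_state, message) for the parsed output, judged at `now`."""
    dated = [c for c in parse_certificates(output) if c["end"] is not None]
    if not dated:
        return UNKNOWN, "UNKNOWN: no certificate end dates found in output"
    state = OK
    details = []
    for cert in dated:
        days_left = (cert["end"] - now).days   # negative once expired
        label = cert["trustpoint"] or "(no trustpoint)"
        if days_left < crit_days:
            state = max(state, CRITICAL)
        elif days_left < warn_days:
            state = max(state, WARNING)
        details.append("%s %s cert expires %s (%d days)" % (
            label, cert["kind"], cert["end"].strftime("%Y-%m-%d"), days_left))
    prefix = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    return state, "%s: %s" % (prefix, "; ".join(details))


# Constructed sample output for the reader; not captured from a real ASA.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 0a1b2c3d
  Certificate Usage: General Purpose
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=Example Root CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2010
    end   date: 23:59:59 UTC Dec 31 2030
  Associated Trustpoints: example-root

Certificate
  Status: Available
  Certificate Serial Number: 4e5f6071
  Certificate Usage: General Purpose
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=vpn.example.com
  Validity Date:
    start date: 00:00:00 UTC Oct 1 2012
    end   date: 00:00:00 UTC Oct 20 2012
  Associated Trustpoints: sslvpn-identity
"""

if __name__ == "__main__":
    # Real use: <ssh wrapper> 'show crypto ca certificates' | python check_asa_certs.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    code, message = check_asa_certificates(text, datetime.utcnow())
    print(message)
    sys.exit(code)
```

Run against the constructed sample on 10 Oct 2012, the identity certificate has ten days left and the plugin returns WARNING with the default 30/7-day thresholds; an expired certificate gives a negative day count and CRITICAL, and output with no parsable end date gives UNKNOWN rather than a misleading OK. Keeping the SSH wrapper outside the plugin lets the same parser be fed from a saved file when you first check that the regexes match your firmware's output.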