Does anyone know the OID so that I can create a poller that will check the expiration date of certificates in the F5 BigIP LTM?
I need to figure out a method of notification before the cert expires.
Have you checked in the F5-BIGIP-SYSTEM-MIB.txt file under the Host_info_stat_cpu_info header?
Lori MacVittie
F5 Networks
According to F5 documentation (http://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html) you select the OID you wish to assign the poller. You are limited to the .1.3.6.1.4.1.3375.2.4.0.300 through .1.3.6.1.4.1.3375.2.4.0.999 range.
This is how I got it working on F5 LTM v. 9.4.8:
- Verify port 162 (SNMP trap) is configured on F5 (System -> SNMP -> Traps destination)
- Back up the /config/user_alert.conf file.
- Add the following to /config/user_alert.conf:
alert CHECK_CERTIFICATE "Certificate (.*) in file (.*) will expire on (.*)" { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.855" }
I used 855 as the OID. I'm not a Regular Expressions expert but the above should do the trick.
- Test. I was able to test mine right away as we had a certificate about to expire in a week. I went to /usr/bin/ and ran the checkcert utility. This is the weekly cron job that F5 employs as the notification tool.
Orion
- Open Trapviewer and locate the trap generated by the above step.
- Right click the trap and select "add Rule"
- You can restrict the rule as you wish via IP address, DNS, SNMP community string etc
- By default, Orion will send something similar to the following (if configured to email the alert):
03/02/2012 16:50 : F5-BIGIP-COMMON-MIB:bigipNotifications.855 SNMP Trap
Received Time:3/2/2012 4:50:19 PM
Source:10.XXX.XX.X(10.XXX.XX.X)
Community:string
Variable Bindings
sysUpTime:= 1 hour 2 minutes 9.17 seconds (372917)
snmpTrapOID:= F5-BIGIP-COMMON-MIB:bigipNotifications.855 (1.3.6.1.4.1.3375.2.4.0.855)
bigipNotifyObjMsg:= Certificate 'askf5' in file askf5.crt will expire on Wed Mar 7 15:56:25 2012 GMT
If you read through the Orion documentation, there are SNMP trap variable bindings (${vbdata} and ${vbname}) that allow you to customize the email sent by Orion in response to an alert/trap. Looking at the above example, the "$vbnames" are sysUpTime, snmpTrapOID and bigipNotifyObjMsg and the "$vbdata" are the corresponding values. So with this info I configured the rule to send the following message: ${DateTime} : ${vbData3}. The email message looks like this:
03/04/2012 04:22 : Certificate 'askf5' in file askf5.crt will expire on Wed Mar 7 15:56:25 2012 GMT
Hope this helps.
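An added example (not from the post above or from F5/SolarWinds) showing how the trap produced by the user_alert.conf rule can be parsed on the receiving side: it checks that snmpTrapOID falls in the user-assignable bigipNotifications.300-.999 range from the F5 KB, applies the same "Certificate ... in file ... will expire on ..." pattern to bigipNotifyObjMsg, and computes days until expiry so a notification can be graded by urgency instead of just relayed. It assumes the trap's variable bindings arrive as "name:= value" lines like the Orion output shown, and that checkcert dates are GMT.

```python
import re
from datetime import datetime, timezone

# Message pattern from the user_alert.conf line in the post, with named groups.
CERT_MSG = re.compile(
    r"Certificate '?(?P<name>.+?)'? in file (?P<file>\S+) will expire on (?P<when>.+)$"
)
# The F5 KB cited above limits user-defined traps to bigipNotifications.300 .. .999.
OID_RE = re.compile(r"1\.3\.6\.1\.4\.1\.3375\.2\.4\.0\.(\d+)")
USER_TRAP_RANGE = range(300, 1000)

# Constructed sample: the variable-binding lines of the trap shown in the post.
SAMPLE_TRAP = """\
sysUpTime:= 1 hour 2 minutes 9.17 seconds (372917)
snmpTrapOID:= F5-BIGIP-COMMON-MIB:bigipNotifications.855 (1.3.6.1.4.1.3375.2.4.0.855)
bigipNotifyObjMsg:= Certificate 'askf5' in file askf5.crt will expire on Wed Mar 7 15:56:25 2012 GMT
"""


def parse_bindings(trap_text):
    """Turn the 'name:= value' lines of an Orion trap into a dict."""
    bindings = {}
    for line in trap_text.splitlines():
        if ":=" in line:
            name, _, value = line.partition(":=")
            bindings[name.strip()] = value.strip()
    return bindings


def parse_cert_trap(trap_text, now=None):
    """Return name, file, expiry and days left, or None if this is not a checkcert trap.
    `now` is an aware datetime, an ISO-8601 string taken as UTC, or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    bindings = parse_bindings(trap_text)
    oid = OID_RE.search(bindings.get("snmpTrapOID", ""))
    if not oid or int(oid.group(1)) not in USER_TRAP_RANGE:
        return None  # not one of the user-assigned F5 trap OIDs
    msg = CERT_MSG.match(bindings.get("bigipNotifyObjMsg", ""))
    if not msg:
        return None  # some other user_alert.conf trap in the same range
    # checkcert prints ctime-style dates ("Wed Mar 7 15:56:25 2012 GMT"); treat them as UTC.
    expires = datetime.strptime(msg.group("when"), "%a %b %d %H:%M:%S %Y %Z")
    expires = expires.replace(tzinfo=timezone.utc)
    return {"name": msg.group("name"), "file": msg.group("file"),
            "expires": expires, "days_left": (expires - now).days}
```

Run against the sample trap with the receive time from the post (2012-03-02 16:50:19) it reports askf5.crt with 4 days left; a trap whose OID is outside the user range, or whose message does not match the checkcert wording, returns None so it can be routed elsewhere.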