Validate Certificates in Gateway's Store


Overview

This filter checks the Enterprise Gateway's certificate store for certificates that are due to expire before a specified number of days. This enables you to monitor the certificates that the Enterprise Gateway is running with.

For example, you can configure a policy that includes a Validate Certificates in Gateway's Store filter and an Alert filter, which sends an email alert when it finds certificates that are due to expire. You can also configure this policy to run at regular intervals using the policy execution scheduler provided with the Enterprise Gateway.

Configuration

Configure the following fields on the Validate Gateway's Certificate Store screen:

Name:
Enter an appropriate name for the filter.

Days before expires:
Enter the number of days before the certificates are due to expire.

Check Gateway's Certificate Store:
Select whether to check the certificates in the Enterprise Gateway's Certificate store. This is selected by default.

Check Gateway's Java Keystore:
Select whether to check the certificates in the Enterprise Gateway's Java Keystore. This is not selected by default. When selected, you must enter the Password for this keystore. The default password is changeit.

Check Java Keystore:
Select whether to check the certificates in the specified Java Keystore. This is not selected by default. When selected, you must configure the following fields:
Keystore Location: Specify the path to this keystore (for example, /home/oracle/osr-client.jks).
Password: Enter the password for this keystore.

Deployment Example

The following example shows a Validate Certificates policy that includes a Validate Certificates in Gateway's Store filter and an Alert filter. This policy sends an email alert when it finds certificates that are due to expire:

Validating Gateway Certificates


Configuring an Email Alert
When this filter is successful, and finds certificates that are due to expire, it generates an expired.certs.summary attribute, which contains a summary of certificates due to expire. You can then use this attribute in the Alert filter to send an email alert to the Enterprise Gateway administrators, as shown in the following example:

Configuring an Alert Message


You must also select a pre-configured email alert destination on the Destination tab (for example, Email Gateway Administrators). For more details on configuring email alert destinations, see the Alerts topic.

Configuring a Policy Execution Schedule
You can configure this policy to run at regular intervals (for example, once every day) using the policy scheduler provided with the Enterprise Gateway. On the Services tab, right-click the Enterprise Gateway process node, and select Add policy execution scheduler. The following example runs the policy at 12 noon every day:

Configuring a Policy Schedule


For more details, see the Policy Execution Scheduling topic.

Example Email Alert
An email alert is sent if any certificates that are due to expire are detected. The contents of the email are obtained from the expired.certs.summary message attribute. For example:

Oracle Enterprise Gateway running on Roadrunner contains certificates that will expire in 730 days.

2 expired certificates in Gateway certificate store:

1. Cert details:
Cert issued to: CN=CA
Cert issued by: CN=CA
SHA1 fingerprint: 72:04:35:7C:A1:B1:C2:F5:E2:86:75:C4:83:12:9C:70:A8:D6:21:8E
MD5 fingerprint: 82:23:6F:59:F2:8F:C3:95:56:87:70:B5:51:3F:53:05
Subject Key Identifier (SKI): dfABenFoM0r7iJ3E1ZqU7HmKiyY=
Expires on: 2012-04-20

2. Cert details:
Cert issued to: CN=John Doe
Cert issued by: CN=CA
SHA1 fingerprint: 83:32:EB:3F:9C:15:87:FB:81:E1:D5:AC:CC:35:C3:F8:21:BB:DF:CD
MD5 fingerprint: 48:02:F6:3F:B9:64:EB:DA:DF:CF:F9:82:AC:CC:13:AB
Subject Key Identifier (SKI): HabJNMjAsBAWp4AcCq8yZkTEJKQ=
Expires on: 2012-04-20
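
The alert text above can be turned into structured records for ticketing or dashboards. The following Python sketch is an added example, not part of the product or the original page. It assumes the expired.certs.summary layout always matches the sample email shown here; the function names parse_summary and triage are hypothetical.

```python
import re
from datetime import date

# Entries copied from the example email on this page (MD5 lines omitted).
SAMPLE = """\
2 expired certificates in Gateway certificate store:

1. Cert details:
Cert issued to: CN=CA
Cert issued by: CN=CA
SHA1 fingerprint: 72:04:35:7C:A1:B1:C2:F5:E2:86:75:C4:83:12:9C:70:A8:D6:21:8E
Subject Key Identifier (SKI): dfABenFoM0r7iJ3E1ZqU7HmKiyY=
Expires on: 2012-04-20

2. Cert details:
Cert issued to: CN=John Doe
Cert issued by: CN=CA
SHA1 fingerprint: 83:32:EB:3F:9C:15:87:FB:81:E1:D5:AC:CC:35:C3:F8:21:BB:DF:CD
Subject Key Identifier (SKI): HabJNMjAsBAWp4AcCq8yZkTEJKQ=
Expires on: 2012-04-20
"""

ENTRY = re.compile(r"^\d+\. Cert details:[ \t]*$", re.M)  # "1. Cert details:"
FIELD = re.compile(r"^([^:\n]+): (.*)$", re.M)            # "Label: value"

def parse_summary(text):
    """Split the summary into one dict per certificate entry."""
    certs = []
    for chunk in ENTRY.split(text)[1:]:  # element 0 is the header line
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        fields["expires"] = date.fromisoformat(fields.pop("Expires on"))
        certs.append(fields)
    return certs

def triage(certs, today):
    """Return (subject, days_left, self_signed), most urgent first.

    self_signed is a heuristic (subject equals issuer); an expiring
    self-signed CA also breaks validation of every cert it issued.
    """
    rows = []
    for c in certs:
        days_left = (c["expires"] - today).days  # negative = already expired
        self_signed = c["Cert issued to"] == c["Cert issued by"]
        rows.append((c["Cert issued to"], days_left, self_signed))
    return sorted(rows, key=lambda r: (r[1], not r[2]))
```

Pass the date the alert was received as today so that days_left reflects the time remaining when the policy ran.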