SSL Certificate Test

All SSL web servers are configured with security certificates. During the SSL protocol handshake with clients, a server exchanges this certificate with the clients. An SSL certificate includes information about the server/domain to which the certificate is licensed, the issuing authority, and a validity period for the certificate. Beyond the validity period, the SSL certificate becomes invalid, and clients' SSL connections to the web server would fail. To avoid such a situation, it is essential that web server administrators are alerted in advance about the potential expiry of the SSL certificates on their web site. The SSL Certificate test monitors the validity period for SSL certificates of different web sites.

Note:

This test will report metrics only for SSL-enabled web applications. This test will not execute if the target application is a non-web based application (e.g., Microsoft SQL server with SSL, Active Directory with SSL etc).

Target of the test : A Web server

Agent deploying the test : An external agent; if you are running this test using the external agent on the eG manager box, then make sure that this external agent is able to communicate with the port on which the target Web server is listening. Alternatively, you can deploy the external agent that will be running this test on a host that can access the port on which the target Web server is listening.

Outputs of the test : One set of results for every Target configured.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Port

The port at which the application listens.

Timeout

Provide the duration (in seconds) beyond which the test times out.

Targets

Provide a comma-separated list of {HostIP/Name}:{Port} pairs in the TARGETS text box, which represent the web sites to be monitored. For example, 192.168.10.7:443,192.168.10.8:443. The test connects to each IP/port pair and checks for validity of the certificate associated with this target. One set of metrics is reported for each target. The descriptor represents the common name (CN) value of the SSL certificate. To enable administrators to easily configure the Targets parameter, eG Enterprise provides a special interface. To access this interface, click on the encircled ‘+’ button alongside the TARGETS text box in the test configuration page. To know how to use this special interface, refer to Configuring Multiple Targets for Monitoring.

Proxy Host, Proxy Port, Proxy User Name, Proxy Password and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the target server via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the PROXY HOST and PROXY PORT parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

Measurements made by the test
Measurement : SSL certificate validity

Description : Represents the validity of the SSL certificate in days.

Measurement Unit : Days

Interpretation : As this value approaches 0, an alert is generated to proactively inform the administrator that the SSL certificate is nearing expiry. A value of 0 indicates that the SSL certificate has expired.

Configuring Multiple Targets for Monitoring

By default, the SSL Certificate test will be configured with the HostIP/Name:Port pair. For example, 172.162.43.67:9000. To configure additional HostIP/Name:Port pairs, do the following:

  1. Click on the encircled ‘+’ button alongside the TARGETS text box in Figure 1.

    Figure 1 : Configuring the SSL Certificate test

  2. then appears. To add another TARGET, click the Add More button in .

    Figure 2 : Configuring multiple Targets

  3. Another Target specification section will appear. Specify the following in that section:

    • Host: Specify a Host by which the Target you will be specifying shortly will be referred to across the eG user interface.

    • Port: Specify the Port that this test should access.

    • Thumbprint: The Thumbprint parameter has to be configured with the specified Host IP/Name:Port pair that will be used to validate the certificate (represented in encrypted format) being returned by the test.

    • Is TCP Sockets: By default, communication between server and client occurs through Secure Sockets Layer (SSL). When the client needs to access the server, you need to provide the Host IP/Name:Port pair from the client end to communicate with the server. To access a DB/LDAP server environment from the client end, you will have to use a port-based TCP socket. In such a case, enable the Is TCP Sockets option (see ).

    • System Properties - Property and Value : Some web pages (URLs) configured for monitoring may have been designed to allow access for only those requests that have certain specific properties enabled. For instance, web pages of an SSL-enabled web site may have been designed to support TLS v1.3 requests alone. In such a case, you will have to instruct the test to send connection requests to the configured URL over the TLS v1.3 protocol alone; if not, the test will fail. For this, you can use the Property and Value text boxes in the System Properties section. Specify the request property that the test needs to look up, in the Property text box. In the Value text box, enter the value this property should be set to, so that the eG agent is allowed access to the configured web page. In the case of the above example, you will have to specify -Dhttps.protocol in the Property text box and TLSv1.3 in the Value text box. You can even provide a comma-separated list of values in the Value text box. For example, if the web page supports multiple versions of the TLS protocol, then the Value specification will be: TLSv1.1,TLSv1.2,TLSv1.3. You can even configure more than one Property:Value pair, if the configured URL supports multiple properties. To add another pair, click on the encircled '+' button adjacent to the Value text box.

      By default, the Property and Value text boxes in the System Properties section are set to None.

  4. Similarly, you can add multiple Target specifications. To remove a Target specification, click on the encircled ‘-’ button corresponding to it. To clear all Target specifications, click the Clear button in . To update all the changes you made, click the Update button.
  5. Once Update is clicked, you will return to the test configuration page (see Figure 3). The target text box in the test configuration page will display the HostIP/Name:Port pairs that you may have configured for the multiple Targets, as a comma-separated list. To view the complete Target specification, click the encircled ‘+’ button alongside the TARGET text box once again.

    Figure 3 : A comma-separated list of configured Targets
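The following Python code is an added example, not eG Enterprise code. It performs the same kind of check described on this page: it parses a TARGETS value, handshakes with each target, reports the certificate CN and the days of validity (0 once expired), and optionally compares a thumbprint. It assumes the thumbprint is the hex SHA-1 hash of the DER-encoded certificate and that the chain verifies against the system trust store; all function names are illustrative.

```python
import hashlib
import math
import socket
import ssl
import time

def parse_targets(spec):
    """Split a TARGETS value ('host:port,host:port') into (host, port) tuples."""
    targets = []
    for item in spec.split(","):
        host, _, port = item.strip().rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"malformed target: {item!r}")
        targets.append((host, int(port)))
    return targets

def days_valid(not_after, now=None):
    """Days left before notAfter, rounded up so that 0 only ever means expired."""
    now = time.time() if now is None else now
    return max(0, math.ceil((ssl.cert_time_to_seconds(not_after) - now) / 86400))

def common_name(cert):
    """CN of a getpeercert() dict, used here as the descriptor."""
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"), None)

def thumbprint_matches(der, expected):
    """Assumption: the thumbprint is the SHA-1 of the DER certificate, in hex."""
    wanted = expected.replace(":", "").replace(" ", "").lower()
    return hashlib.sha1(der).hexdigest() == wanted

def check_target(host, port, expected=None, timeout=10.0):
    """Handshake with one target and return its measurement as a dict."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert, der = tls.getpeercert(), tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == 10:  # X509_V_ERR_CERT_HAS_EXPIRED
            return {"target": f"{host}:{port}", "days": 0}
        raise  # untrusted issuer or name mismatch is a different finding
    return {"target": f"{host}:{port}", "descriptor": common_name(cert),
            "days": days_valid(cert["notAfter"]),
            "pinned": None if expected is None else thumbprint_matches(der, expected)}
```

Call check_target() for each pair returned by parse_targets() and alert when "days" falls below your renewal lead time or "pinned" is False.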