Digital Certificate Monitoring
Log File Monitor supports the monitoring of Digital Certificates. This is achieved by using a file type of *CERT when creating the Log File Monitor rule group. Amongst other uses, this makes it possible to detect certificates that are approaching their expiry dates and certificates that are missing.
When *CERT is specified as the File type, three fields that are unique to Digital Certificate monitoring are displayed.
Certificate store
This specifies the certificate store that contains the digital certificates. The default setting is *SYSTEM.
| *SYSTEM | The *SYSTEM certificate store is specified |
| *OBJECTSIGNING | The *OBJECTSIGNING certificate store is specified |
| *SIGNATUREVERIFICATION | The *SIGNATUREVERIFICATION certificate store is specified |
| path | Enter the IFS path and file name of the certificate store (extension of .kbd) |
Certificate
This specifies the certificates to be monitored by checking the label attribute of the certificates. The default setting is *ALL.
| *ALL | All certificates found in the store location are retrieved |
| generic* | All certificates in the store that match the generic name are retrieved |
| name | A record is returned for the named certificate whether the certificate is found in the store or not. The Exists attribute indicates whether or not the certificate was found. If it is not found only the Name and Exists attributes contain values, as all the other attributes return blanks or zeros. |
If *ALL or a generic name is specified, one record is returned for each matching certificate.
Certificate store password
This specifies the password required to access the certificate store.
| &Varname | Specify the name of a substitution variable that contains the required password. The substitution variable can be up to 128 characters. |
| value | Enter a specific password |
| ******** | A previously entered specific password is denoted by asterisks. The actual password is not displayed. To keep the existing password, leave the field set to all asterisks. To change the password or to use a substitution variable, overtype with the new value. |
Field Definitions
With a File type of *CERT, you can define only one normal field, CERTDATA, with a type of *CHAR. This field contains XML data describing all the attributes of the certificate.
Any other fields must be of type *CALC and typically use a %XML function to extract an attribute of the certificate from the XML data in the *CHAR field.
On the second page of the Log File Monitor Rule Group for the *CERT file type, five fields are set automatically.
| CERTDATA | *CHAR | Certificate data |
| CERT | *CALC | Certificate label |
| ENDDATE | *CALC | Validity period end date |
| EXPDAYS | *CALC | Validity period days remaining |
| EXISTS | *CALC | Certificate exists |
You can create fields and add the functions manually, but it is recommended that F4=Prompt is used in the Name field. This then displays 'Select Certificate Attribute', where all the supported certificate attributes are listed. Once an attribute is selected, the field is populated with the field name, type, description and function.
Common uses for Digital Certificate Monitoring
The two most common uses for Digital Certificate Monitoring are:
- Detect certificates nearing expiry
- Detect missing certificates
To detect certificates near their expiry date:
- Set the Store and set the Certificate to *ALL, a generic name or the specific name of the certificate to be monitored.
- Add rule criteria to check that EXPDAYS is less than, for example, 30.
The EXPDAYS field definition returns the number of days until the certificate expires. If the certificate has already expired, zero is returned.
To detect certificates that are missing:
- Set the Store and set the Certificate to a specific name. Do not use *ALL or a generic name.
- Add rule criteria to check for EXISTS = N.
If the EXISTS field definition returns N, the certificate is missing.
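The following Python is an added example, not Log File Monitor code, that models the record and rule semantics described above: the *ALL, generic* and single-name selection of certificates, the EXPDAYS calculation that returns zero once a certificate has expired, and the record returned for a named certificate that is not in the store (only the name and EXISTS populated, everything else blank or zero). The sample store, its labels and the <EndDate> tag are constructed for illustration; only the <Certificate> and <Name> tag names come from the page.

```python
"""Model of *CERT record selection and the two common rule checks.

Added example, not Log File Monitor code. The store below is a constructed
stand-in for a certificate store: label -> CERTDATA XML string.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

# Constructed sample data. <Certificate> and <Name> are the tag names the page
# documents; <EndDate> is an assumed tag standing in for the validity end date.
SAMPLE_STORE = {
    "WEBSRV01": (
        "<Cert><Certificate>WEBSRV01</Certificate><Name>www.example.com</Name>"
        "<EndDate>2025-02-10</EndDate></Cert>"
    ),
    "WEBSRV02": (
        "<Cert><Certificate>WEBSRV02</Certificate><Name>api.example.com</Name>"
        "<EndDate>2025-03-16</EndDate></Cert>"
    ),
    "OLDCERT": (
        "<Cert><Certificate>OLDCERT</Certificate><Name></Name>"
        "<EndDate>2024-12-31</EndDate></Cert>"
    ),
}


@dataclass
class CertRecord:
    CERT: str      # certificate label
    NAME: str      # subject's common name, may be blank
    ENDDATE: str   # ISO date; blank when the certificate is not found
    EXPDAYS: int   # days remaining; zero once expired or when not found
    EXISTS: str    # "Y" or "N"


def exp_days(enddate: date, today: date) -> int:
    """EXPDAYS as the page defines it: ENDDATE minus today, never negative."""
    return max((enddate - today).days, 0)


def record_from_xml(certdata: str, today: date) -> CertRecord:
    """Mimic the *CALC fields extracting attributes from the CERTDATA XML."""
    root = ET.fromstring(certdata)
    enddate = date.fromisoformat(root.findtext("EndDate"))
    return CertRecord(
        CERT=root.findtext("Certificate"),
        NAME=root.findtext("Name") or "",
        ENDDATE=enddate.isoformat(),
        EXPDAYS=exp_days(enddate, today),
        EXISTS="Y",
    )


def select_records(store: dict, certificate: str, today: str) -> list[CertRecord]:
    """Apply the Certificate field semantics: *ALL, generic*, or a single name."""
    today_d = date.fromisoformat(today)
    if certificate == "*ALL":
        labels = list(store)
    elif certificate.endswith("*"):
        prefix = certificate[:-1]
        labels = [lbl for lbl in store if lbl.startswith(prefix)]
    elif certificate in store:
        labels = [certificate]
    else:
        # A named certificate always yields one record; when it is not found
        # only the name and EXISTS carry values, the rest are blank or zero.
        return [CertRecord(CERT=certificate, NAME="", ENDDATE="", EXPDAYS=0, EXISTS="N")]
    return [record_from_xml(store[lbl], today_d) for lbl in labels]


def expiring(records: list[CertRecord], threshold: int = 30) -> list[str]:
    """Rule criteria 'EXPDAYS less than threshold'. Expired certs (0) match too."""
    return [r.CERT for r in records if r.EXPDAYS < threshold]


def missing(records: list[CertRecord]) -> list[str]:
    """Rule criteria 'EXISTS = N'."""
    return [r.CERT for r in records if r.EXISTS == "N"]


if __name__ == "__main__":
    today = "2025-01-15"
    all_recs = select_records(SAMPLE_STORE, "*ALL", today)
    for rec in all_recs:
        print(rec)
    print("nearing expiry (< 30 days):", expiring(all_recs))
    print("missing:", missing(select_records(SAMPLE_STORE, "MISSING01", today)))
```

Because an expired certificate returns EXPDAYS of zero, a criterion of "EXPDAYS less than 30" matches certificates that have already expired as well as those approaching expiry; add a separate criterion on EXPDAYS = 0 if the two conditions should raise different alerts.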
Supported Attributes
A certificate is identified by its 'Label' attribute. This value is located in the 'Certificate' XML tag in Log File Monitor and is recognized by the CERT field in Log File Rule Groups.
There is also a 'Name' attribute (the Subject's common name). This value is located in the 'Name' XML tag and is recognized by the NAME field. It is usually the same as the 'Label' attribute, but it may be different or blank.
STRDATE and STRTIME indicate from when a certificate is valid and ENDDATE and ENDTIME indicate when it expires.
EXPDAYS is not an actual attribute of the certificate but is calculated by Log File Monitor by comparing ENDDATE with today's date.
All of the following attributes are supported when using Digital Certificate Monitoring.
| CERT | Certificate label |
| NAME | Subject's common name |
| EXISTS | Certificate exists |
| STRDATE | Validity period start date |
| STRTIME | Validity period start time |
| ENDDATE | Validity period end date |
| ENDTIME | Validity period end time |
| EXPDAYS | Validity period days remaining |
| COUNTRY | Subject's country or region |
| STATE | Subject's state or province |
| LOCALITY | Subject's locality |
| ORG | Subject's organization |
| UNIT | Subject's organizational unit |
| POSTCODE | Subject's postal code |
| ISSNAME | Issuer's common name |
| ISSCOUNTRY | Issuer's country or region |
| ISSSTATE | Issuer's state or province |
| ISSLOCAL | Issuer's locality |
| ISSORG | Issuer's organization |
| ISSUNIT | Issuer's organizational unit |
| ISSPCODE | Issuer's postal code |
| CRLLOC | CRL location |
| DOMAIN | Domain name |
| EMAILADDR | Email address |
| IPADDR | IP address |
| KEYSTG | Key storage location |
| LDAPSVR | LDAP server name |
| PRIVATE | Private key indicator |
| PVTKEYLBL | Private key label |
| SRLNBR | Serial number |
| TRUSTED | Trusted status |
| DIGSIG | Digital certificate extension |
| NONREPUD | Non-repudiation extension |
| KEYENCIPH | Key encipherment extension |
| DATENCIPH | Data encipherment extension |
| KEYAGREE | Key agreement extension |
| KEYCERTSIG | Key certificate signature extension |
| CRLSIG | CRL signature extension |
| ENCIPHONLY | Encipher only extension |
| DECIPHONLY | Decipher only extension |