Certificate Monitoring Daemon

The certificate monitoring daemon watches for an impending expiry of the NTLS certificate and sends a trap when the lifetime of the certificate falls within a configurable threshold number of days remaining.

Facility Keyword

Software Process

Log File

local5

certmonitord[pid]

lunalogs

Expected Log Messages

The following log messages are normal and expected entries in the log files when NTLS certificate monitoring is enabled.

Daemon Started

2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : NTLS certificate expiry monitor started
2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : NTLS certificate expiry monitor is configured to send SNMP trap 5 day(s) before the NTLS certificate expires and on every 12 hour(s)

These messages indicate that the certificate monitoring daemon is running. The daemon does not run by default. Rather, an administrator must configure and start it from the Luna administrative shell. The number of days and hours in the message reflects the configuration set via LunaSH.

Daemon Stopping

2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : Shutting down NTLS certificate expiry monitor....
2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : NTLS certificate expiry monitor terminated

These messages indicate that the certificate monitoring daemon gracefully shut down as a result of a signal (SIGINT, SIGTERM, SIGABRT) outside of a normal system shutdown (e.g., lunash:>ntls certificate monitor disable).

Impending Certificate Expiry

2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : NTLS certificate will be expire on Jul 26 16:32:48 2023 GMT
2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : NTLS certificate expiry SNMP trap sent to trap host 192.168.0.115

These messages indicate that the NTLS certificate is set to expire and that the certificate monitoring daemon successfully sent a trap to the configured host.

Certificate Missing

2012 Feb 29 12:05:01 myLuna  local5 warn  certmonitord[1234]: warning : 0 : NTLS certificate is missing

This message indicates that the daemon failed to find the server.pem file for NTLS in the expected location on the hard drive. However, the daemon remains running in the event that an administrator creates the necessary server certificate in a subsequent operation. On a new SafeNet Luna Network HSM appliance from the factory, this message is normal. An administrator must create the NTLS certificate (lunash:>sysconf regenCert).

New NTLS Certificate

2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : New NTLS certificate detected and the expiry date of this new certificate is Jul 26 16:32:48 2033 GMT

This message indicates that an administrator created a new NTLS certificate that is sufficiently far into the future such that a trap is no longer necessary. The daemon will continue to monitor for the certificate expiry window.

Unexpected Log Messages

Under normal circumstances, you should not see any of these log messages. If you do, please contact Thales Group Technical Support to report the message and seek guidance on what to do next.

Failed to Detach

2012 Feb 29 12:05:01 myLuna  local5 err  certmonitord[1234]: error : 0 : Failed to detach from console

This message indicates that the startup procedure for the certificate monitoring daemon failed, specifically that the daemon did not launch into a background process.

Running in Console Mode

2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : NTLS certificate expiry monitor running in console mode

This message indicates that the certificate monitoring daemon is running in console mode rather than as a background process.

SNMP V3 Not Properly Configured

2012 Feb 29 12:05:01 myLuna  local5 info  certmonitord[1234]: info : 0 : SNMP v3 trap is not properly configured

This message indicates that either the engine identifier and/or the host IP address configured and stored in the snmp.conf is/are invalid. Lush command(s) that create these entries include the necessary processing checks to ensure the operation(s) writes valid entries to the configuration file.

Failed to Allocate Memory Buffers

2012 Feb 29 12:05:01 myLuna  local5 err  certmonitord[1234]: error : 0 : Failed to allocate memory buffers

This message indicates that the daemon was unable to allocate the requisite buffers for file handling and string manipulation.

Failed to Send Trap

2012 Feb 29 12:05:01 myLuna  local5 err  certmonitord[1234]: error : 0 : Failed to send NTLS certificate expiry SNMP trap to trap host 192.168.0.100

This message indicates that the certificate monitoring daemon was unable to execute a system call with a pre-formed command to send a trap. The daemon relies upon the Linux utility snmptrap() to complete this action. An invalid host IP address for example, would cause the system call to fail (e.g., 192.168.0.1004).

certmonitord Crash and Burn

2012 Feb 29 12:05:01 myLuna  local5 crit  certmonitord[1234]: info : 0 : certmonitord CRASH AND BURN! Stack dump saved to /var/log/certmonitord_bt_2012-02-29_12:05:01
2012 Feb 29 12:05:01 myLuna  local5 crit  certmonitord[1234]: info : 0 : certmonitord CRASH AND BURN and unable to dump the stack!

These messages indicate a programming error. The first message indicates that the certificate monitoring daemon terminated abnormally (on one of SIGSEGV, SIGILL or SIGBUS signals), generating a stack trace file certmonitord_bt_2012-02-29_12:05:01 in the process. Forwarding this file to Thales Group may assist a developer to isolate the reason for the abnormal termination. The second message indicates an abnormal termination but with no resulting stack trace created.