Certificate Monitoring Daemon
The certificate monitoring daemon watches for an impending expiry of the NTLS certificate and sends a trap when the lifetime of the certificate falls within a configurable threshold number of days remaining.
Facility Keyword | Software Process | Log File
---|---|---
Expected Log Messages
The following log messages are normal and expected entries in the log files when NTLS certificate monitoring is enabled.
Daemon Started
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate expiry monitor started
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate expiry monitor is configured to send SNMP trap 5 day(s) before the NTLS certificate expires and on every 12 hour(s)
These messages indicate that the certificate monitoring daemon is running. The daemon does not run by default. Rather, an administrator must configure and start it from the Luna administrative shell. The number of days and hours in the message reflects the configuration set via LunaSH.
Daemon Stopping
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : Shutting down NTLS certificate expiry monitor....
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate expiry monitor terminated
These messages indicate that the certificate monitoring daemon gracefully shut down as a result of a signal (SIGINT, SIGTERM, SIGABRT) outside of a normal system shutdown (e.g., lunash:>ntls certificate monitor disable).
Impending Certificate Expiry
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate will be expire on Jul 26 16:32:48 2023 GMT
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate expiry SNMP trap sent to trap host 192.168.0.115
These messages indicate that the NTLS certificate is set to expire and that the certificate monitoring daemon successfully sent a trap to the configured host.
Certificate Missing
2012 Feb 29 12:05:01 myLuna local5 warn certmonitord[1234]: warning : 0 : NTLS certificate is missing
This message indicates that the daemon failed to find the server.pem file for NTLS in the expected location on the hard drive. However, the daemon remains running in the event that an administrator creates the necessary server certificate in a subsequent operation. On a new SafeNet Luna Network HSM appliance from the factory, this message is normal. An administrator must create the NTLS certificate (lunash:>sysconf regenCert).
New NTLS Certificate
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : New NTLS certificate detected and the expiry date of this new certificate is Jul 26 16:32:48 2033 GMT
This message indicates that an administrator created a new NTLS certificate that is sufficiently far into the future such that a trap is no longer necessary. The daemon will continue to monitor for the certificate expiry window.
Unexpected Log Messages
Under normal circumstances, you should not see any of these log messages. If you do, please contact Thales Technical Support to report the message and seek guidance on what to do next.
Failed to Detach
2012 Feb 29 12:05:01 myLuna local5 err certmonitord[1234]: error : 0 : Failed to detach from console
This message indicates that the startup procedure for the certificate monitoring daemon failed, specifically that the daemon did not launch into a background process.
Running in Console Mode
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate expiry monitor running in console mode
This message indicates that the certificate monitoring daemon is running in console mode rather than as a background process.
SNMP V3 Not Properly Configured
2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : SNMP v3 trap is not properly configured
This message indicates that the engine identifier and/or the host IP address stored in snmp.conf is invalid. The LunaSH command(s) that create these entries include the necessary checks to ensure that only valid entries are written to the configuration file.
Failed to Allocate Memory Buffers
2012 Feb 29 12:05:01 myLuna local5 err certmonitord[1234]: error : 0 : Failed to allocate memory buffers
This message indicates that the daemon was unable to allocate the requisite buffers for file handling and string manipulation.
Failed to Send Trap
2012 Feb 29 12:05:01 myLuna local5 err certmonitord[1234]: error : 0 : Failed to send NTLS certificate expiry SNMP trap to trap host 192.168.0.100
This message indicates that the certificate monitoring daemon was unable to execute a system call with a pre-formed command to send a trap. The daemon relies upon the Linux snmptrap utility to complete this action. An invalid host IP address, for example, would cause the system call to fail (e.g., 192.168.0.1004).
certmonitord Crash and Burn
2012 Feb 29 12:05:01 myLuna local5 crit certmonitord[1234]: info : 0 : certmonitord CRASH AND BURN! Stack dump saved to /var/log/certmonitord_bt_2012-02-29_12:05:01
2012 Feb 29 12:05:01 myLuna local5 crit certmonitord[1234]: info : 0 : certmonitord CRASH AND BURN and unable to dump the stack!
These messages indicate a programming error. The first message indicates that the certificate monitoring daemon terminated abnormally (on a SIGSEGV, SIGILL or SIGBUS signal), generating the stack trace file certmonitord_bt_2012-02-29_12:05:01 in the process. Forwarding this file to Thales may assist a developer in isolating the reason for the abnormal termination. The second message indicates an abnormal termination with no resulting stack trace created.
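As an added example (not part of Thales's documentation or of the certmonitord code), the following Python classifies the certmonitord log lines catalogued in the Expected and Unexpected sections above, extracts the expiry date and trap host where the message carries one, and returns the lines an operator should act on. The line shape and message texts are taken from this page; the regular expressions, function names and constructed sample lines are the example's own assumptions.

```python
import re
from datetime import datetime

LINE_RE = re.compile(  # syslog header shape of every certmonitord line quoted on this page (assumed)
    r"^(?P<ts>\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\S+) (?P<priority>\S+) "
    r"certmonitord\[(?P<pid>\d+)\]: (?P<level>\w+) : (?P<code>\d+) : (?P<text>.*)$"
)
# (regex over the message text, status per the page's two sections, event name)
RULES = [
    (r"expiry monitor started$", "expected", "started"),
    (r"is configured to send SNMP trap", "expected", "configured"),
    (r"^Shutting down NTLS certificate expiry monitor", "expected", "stopping"),
    (r"expiry monitor terminated$", "expected", "terminated"),
    (r"will be expire on (.+ GMT)$", "expected", "expiry_warning"),
    (r"expiry SNMP trap sent to trap host (\S+)$", "expected", "trap_sent"),
    (r"NTLS certificate is missing$", "expected", "cert_missing"),
    (r"^New NTLS certificate detected .* is (.+ GMT)$", "expected", "new_cert"),
    (r"^Failed to detach from console$", "unexpected", "detach_failed"),
    (r"running in console mode$", "unexpected", "console_mode"),
    (r"^SNMP v3 trap is not properly configured$", "unexpected", "snmpv3_misconfigured"),
    (r"^Failed to allocate memory buffers$", "unexpected", "alloc_failed"),
    (r"^Failed to send NTLS certificate expiry SNMP trap to trap host (\S+)$", "unexpected", "trap_failed"),
    (r"CRASH AND BURN", "unexpected", "crash"),
]

def classify(line):
    """Describe one log line; None if it is not a certmonitord line at all."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"host": m["host"], "level": m["level"], "status": "unknown", "event": None}
    for pattern, status, event in RULES:
        hit = re.search(pattern, m["text"])
        if not hit:
            continue
        rec.update(status=status, event=event)
        if event in ("expiry_warning", "new_cert"):  # date exactly as the daemon prints it
            rec["expiry"] = datetime.strptime(hit.group(1), "%b %d %H:%M:%S %Y GMT")
        elif event in ("trap_sent", "trap_failed"):
            rec["trap_host"] = hit.group(1)
        break
    return rec

def triage(lines):  # lines an operator must act on: unexpected, or not in the catalogue at all
    return [(rec["event"], ln) for ln in lines
            if (rec := classify(ln)) and rec["status"] != "expected"]

SAMPLE = [  # constructed sample; hostname, PID and addresses as shown on this page
    "2012 Feb 29 12:05:01 myLuna local5 info certmonitord[1234]: info : 0 : NTLS certificate will be expire on Jul 26 16:32:48 2023 GMT",
    "2012 Feb 29 12:05:01 myLuna local5 err certmonitord[1234]: error : 0 : Failed to send NTLS certificate expiry SNMP trap to trap host 192.168.0.100",
    "2012 Feb 29 12:05:01 myLuna local5 crit certmonitord[1234]: info : 0 : certmonitord CRASH AND BURN and unable to dump the stack!",
]
```

Lines the daemon logs that match none of the catalogued messages come back with status "unknown" and are included by triage, so a new message text surfaces rather than being silently dropped.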