vROps is my go-to tool for monitoring all things on-premises and cloud. With native support for vSphere, AWS, Azure and GCP the solution had developed into a true multi-cloud operations and monitoring tool.
vRealize Operations is one of the fastest-developed tools by VMware with releases every few months to keep up with the challenges around cloud management.
One powerful feature that’s available in all current versions is the ability to use scripts to import data into vROps, this means that if a particular solution isn’t supported in vROps, with a quick script you can add the functionality yourself.
We all know the pain of SSL certificate expiry and tracking these can often mean relying on a calendar or spreadsheet. If this is the case for you, read on!
Installing the Agent
An agent needs to only be installed on one server which has access to the servers on which you need to want to monitor the SSL certificates.
I am going to be checking SSL certificates of servers on the internet and a few internal ones on the same network, and I have a server in mind which has access to both
- Before we can get this working, we need to install the agent. Previously this was the EP OPS agent, but the latest release (8.1 and possibly earlier releases) supports the Telegraf agent for remote scripting which can be installed, uninstalled and upgraded directly from vROps.
- Follow my previous guide to get the Application Remote Collector deployed and the Telegraf agent installed on your Windows monitoring server: https://virtualg.uk/vrops-7-5-setting-up-the-new-telegraf-application-monitoring-feature/
- Once the Telegraf agent is installed (End of stage 6), continue below
Deploying the SSL check script
We want to write a script that accepts a parameter (the server to check the SSL expiry of) and returns a single result (the number of days until the certificate expires)
I have written a sample script below in PowerShell, but you may want to modify it for your own requirements.
Download the script here: https://github.com/VirtualgUK/vROps-Dashboards/blob/main/vrops-ssl-check.ps1
- Copy the script to the monitoring server, for example: C:\Scripts\vrops-ssl-check.ps1
- Test that it runs correctly
You can see that the SSL certificate of this blog, https://virtualg.uk expires in 194 days.
Configuring vRealize Operations
- Login to vROps and navigate to Administration > Inventory > Manage Agents
- Highlight the agent which has the script installed
- Use the drop-down icon to select the custom script option:
Enable the instance and enter the required information:
- Remember to save once complete.
- Also, note that you can create multiple custom instances here. You can use the same script but change the args to reflect other servers which you need to check.
- You can monitor the custom script status in the Manage Agents tab by selecting the monitoring VM and clicking Custom Script
Locating the data in vROps
Now that the script is executing, we need to see where the data is in vROps
- Navigate to Environment > All Objects
- VMware vRealize Application Management > Custom Script > Custom Script
- On the right panel, expand All Metrics > Scripts
- Your script will show as a metric which you can open and see the historic reporting data
- If you have configured multiple scripts, they will all show here as separate items
- As time passes, the number of days until expiry will decrease and the plotted lines on the chart will reflect this.
Creating a vROps Alert
As we can now see the data in vROps, let’s make an alert to trigger should the number of days fall below 30. This will give us plenty of time to act and replace the SSL certificates.
Alerts are created in 2 steps. First, we need a Symptom, then a corresponding alert for that symptom.
Creating a custom vROps Symptom Definition
- Within vROps, navigate to Alerts > Configuration Symptom Definitions
- Ensure you are on the Metric / Property tab and select Add
- On the right panel, enter Custom Script as the Base Object Type
- Enter Metrics as and Symptom Type
- When selecting the object, expand Scripts and double click the script to create the symptom for
- You’ll see the custom script object on the left pane
- Modify the settings as needed:
You can create a symptom for each trigger type, for example Warning & Critical at different levels
You can also create a Symptom Definition for each SSL certificate you are checking (provided you created the custom script object for each one earlier)
- Save the Symptom Definition
Creating a custom vROps Alert Definition
- With the Symptom Definition created, navigate to Alerts > Configuration > Alert Definitions > Add
- Enter the Alert Name, Description and Base Object Type:
- For the Symptoms, use the search on the far right, search for the custom script name, for example: SSL
- Drag each symptom into the left pane as required
- The alert can have more than one symptom. If you add more than one, ensure you use the correct logic at the top of the page. You will likely want the alert to trigger if ANY of the symptoms are triggered, rather than all.
- Select the Create button to build the alert
From here you can use all the built-in tools such as scheduled Reports, Views and Dashboards to manage and alert on the SSL Certificate expiry dates.
I have created a simple dashboard and uploaded over at the VMware Sample Exchange, this is nothing special but might save you a few minutes. (If you have any cool ideas for the dashboard, let me know and I’ll update the one on the Sample Exchange)
Configuring the SSL Certificate Expiry Dashboard
Once you have downloaded the dashboard from Solutions Exchange:
- Open the Dashboard
- Actions > Edit
- Select the SSL Certificates (Days Remaining) Widget and Edit
- Under Input Data, add all the SSL checks you wish to place on the dashboard:
- Don’t forget to save the dashboard after making changes
Bonus: When adding metrics to the dashboard, you can create a link to the website you are monitoring:
Once you have done this, go back to the dashboard and click the number of days remaining for the website and it will redirect you to the website in your browser to take a look at the certificate.
That’s all for this post. I hope this makes managing SSL certificates a little easier and opens up the power of remote scripting checks from vRealize Operations!