Info:
This article describes how to create a notification template and notification rule to inform end users and system administrators when any portion of a root chain expires before the certificate being managed.
Applies To:
All Versions of Director 6.1.2 and above, TrustAuthority / TrustForce 14
Instructions:
- To create the HTML version of the notification, you will need to Remote Desktop into the Director Server and launch the Venafi Windows Administration Console from the Start Menu.
- Open the Venafi Windows Administration Console, if you haven't already, and log in as a user that has Create/Write access to the Logging tree. This is typically a Master Administrator account.
- Select the "Logging Tree" from the tree selector.
- Right click on "Channels" and choose Add => Channels => SMTP
- Name the new Channel anything that suits your naming structure. Here we will call ours "Root Expires before Certificate". Click "Create"
- Click on our new SMTP Channel object called "Root Expires before Certificate" from the Tree view on the left.
- Under the SMTP Channel Settings, Host, Credentials, Sender, and TLS should be completed automatically. If not, look at another SMTP Channel for what these values should be.
Host: this is the FQDN or IP address of your email server
Credentials: These are the credentials for Director to authenticate to your email server. (May not be required, some enterprises use anonymous whitelisting by IP address. See your Email Administration Team for details).
Sender: This is the email address that will appear in the "From:" line of emails generated by this email template. Some email servers require the Sender Email be the one that is tied to the credentials used to authenticate to the email server. See Email Administration Team for details.
TLS: This tells Director whether to use SSL/TLS to authenticate/communicate with the email server.
- Use the table below to complete the remaining fields on the SMTP Channel Settings
Recipient(s): $ContactEmail[$Event.Component$]$
(Note: this will return whoever the Contact is for the Certificate/Application object if detected from Network Validation, or the Contact of the Discovery job if detected during Network Discovery)
CC: $AdminEMail$
(Note: this Macro will return the email address of the local account named "Admin". If this account does not exist, please enter a comma separated list of email addresses of Venafi Director administrators)
Subject: Root Chain Expiration Problem Detected: $Event.Text1$
Log Delivery: Checked
(Note: This is recommended to be checked. This will place an event in the logs for every successful and failed delivery this email template attempts)
- Click on the "Plaintext Message" tab and paste the following text into the Plaintext Message textbox.
Root Chain Expiration Problem Detected: $Event.Text1$
A certificate was found during a $If[$Event.ID$, 458818, Network Discovery Scan, Network Validation]$ that had a Root Chain that will expire before the certificate does.
Action must be taken to address the root chain or an outage may occur.
Certificate Found: $Event.Text1$
IP Address of Certificate: $Event.Text2$
Network Port of Certificate: $Event.Value1$
Date/Time of Detection: $DOW$, $MonthName$ $Day$, $Year$ $Time$
Contact for Certificate: $Config[$Event.Component$,"Contact"]$
Details of Root Chain Certificate with early Expiration:
$Event.Data$
This email is being sent to you by Venafi Encryption Director because your email address is associated with the certificate where the $If[$Event.ID$, 458818, Network Discovery Scan, Network Validation]$ detected the problem.
Event ID: $Event.ID$
- Click on the "HTML Message" tab and click on the "Show Markup" button.
- Replace the existing HTML code with the code below:
<BODY scroll=auto>
<TABLE border=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD><!-- table layer 1 --><TABLE align=center>
<TBODY>
<TR>
<TD style="PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #ededed; PADDING-LEFT: 15px; PADDING-RIGHT: 15px; PADDING-TOP: 30px"><!-- table layer 2 --><TABLE style="FONT-FAMILY: Helvetica,Arial,sans-serif; COLOR: #000000; FONT-SIZE: 16px" border=0 cellSpacing=0 cellPadding=0 width=650>
<TBODY>
<TR>
<TD style="PADDING-BOTTOM: 22px; BACKGROUND-COLOR: orange; PADDING-LEFT: 40px; PADDING-RIGHT: 40px; COLOR: white; FONT-SIZE: 18px; FONT-WEIGHT: bold; PADDING-TOP: 25px;">Root Chain Expiration Problem Detected: $Event.Text1$</TD>
</TR>
<TR>
<TD style="PADDING-BOTTOM: 50px; BACKGROUND-COLOR: #fff; PADDING-LEFT: 40px; PADDING-RIGHT: 40px; FONT-SIZE: 18px; PADDING-TOP: 30px" bgColor=#fff><P>A certificate was found during a $If[$Event.ID$, 458818, Network Discovery Scan, Network Validation]$ that had a Root Chain that will expire before the certificate does.</P>
<P> Action must be taken to address the root chain or an outage may occur.</P>
<table border="0" cellspacing="0" cellpadding="7">
<tr>
<td width="151"><strong>Certificate Found:</strong></td>
<td width="391">$Event.Text1$</td>
</tr>
<tr>
<td><strong>IP Address of Certificate:</strong></td>
<td>$Event.Text2$</td>
</tr>
<tr>
<td><strong>Network Port of Certificate:</strong></td>
<td>$Event.Value1$</td>
</tr>
<tr>
<td><strong>Date/Time of Detection:</strong></td>
<td>$DOW$, $MonthName$ $Day$, $Year$ $Time$</td>
</tr>
<tr>
<td><strong>Contact for Certificate:</strong></td>
<td>$Config[$Event.Component$,"Contact"]$</td>
</tr>
</table>
<p> </p>
<p><strong>Details of Root Chain Certificate with early Expiration:</strong></p>
<p>$Event.Data$</p></TD>
</TR>
<TR>
<TD style="PADDING-BOTTOM: 40px; PADDING-LEFT: 40px; PADDING-RIGHT: 40px; COLOR: #999; FONT-SIZE: 11px; PADDING-TOP: 25px" bgColor=#ededed><p>This email is being sent to you by Venafi Encryption Director because your email address is associated with the certificate where the $If[$Event.ID$, 458818, Network Discovery Scan, Network Validation]$ detected the problem.</p>
<p>Event ID: $Event.ID$</p></TD>
</TR>
</TBODY>
</TABLE>
<!-- /table layer 2 --></TD>
</TR>
</TBODY>
</TABLE>
<!-- /table layer 1 --></TD>
</TR>
</TBODY>
</TABLE>
</BODY>
- Click on the "Apply" button to save all of your changes
- Your notification template is now done. Now it is time to create the Notification Rule to trigger it.
- Right click on "Notification Rules" and choose Add => Rules => Notification
- Name the new Notification Rule anything that suits your naming structure. Here we will call ours "Root Expires before Certificate". Click "Create"
- Click on our new Notification Rule object called "Root Expires before Certificate" from the Tree view on the left.
- Use the Table below to complete the Rules section of the notification rule:
If Event ID matches Discovery - Certificate Chain Error
Or Event ID matches Certificate Manager - Validation Scan Certificate Chain Error
- Under Target Channels click the "Add" button and select the SMTP Channel we created in Step 6.
- Click the "Apply" button to save the changes that have been made to the Notification Rule.
The notification template and rule are now configured.
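An independent spot-check of the condition this notification reports, added here as an example and not part of the original article or of Venafi's tooling: it reads text in the form printed by `openssl x509 -noout -subject -enddate` (run once per certificate, leaf first) and lists the chain certificates that expire before the leaf. The function names and the sample subjects and dates are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample (not real certificates): leaf first, then its chain.
SAMPLE = """\
subject=CN = app.example.test
notAfter=Mar 14 12:00:00 2027 GMT
subject=CN = Example Issuing CA
notAfter=Nov  2 08:30:00 2026 GMT
subject=CN = Example Root CA
notAfter=Jan  1 00:00:00 2035 GMT
"""


def parse_chain(text):
    """Return [(subject, not_after_utc)] in input order (hypothetical helper)."""
    chain, subject = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "subject":
            subject = value
        elif key == "notAfter":
            if subject is None:
                raise ValueError("notAfter line without a preceding subject")
            # openssl pads single-digit days with a space; strptime accepts it.
            end = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            chain.append((subject, end.replace(tzinfo=timezone.utc)))
            subject = None
    if subject is not None:
        raise ValueError("subject line without a notAfter line")
    return chain


def early_expiring(chain):
    """Chain members whose notAfter precedes the leaf's, soonest first."""
    if not chain:
        return []
    leaf_end = chain[0][1]
    early = [(s, end, leaf_end - end) for s, end in chain[1:] if end < leaf_end]
    return sorted(early, key=lambda item: item[1])


if __name__ == "__main__":
    for subject, end, gap in early_expiring(parse_chain(SAMPLE)):
        print(f"{subject}: expires {end:%Y-%m-%d}, {gap.days} days before the leaf")
```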