In late February 2013, Microsoft’s Azure cloud service suffered a massive failure. It took nine hours (nine hours!!!) for Microsoft to determine that the Windows Storage component of Azure had failed due to an expired SSL certificate.
The outage affected not only Microsoft’s own dependent services but also a slew of companies that use Azure to host their applications.
Shortly after the expired certificate was updated and the Azure service was restored, Steve Martin, Microsoft’s General Manager of Windows Azure business and operations, stated in his blog, “Given the scope of the outage, we will proactively provide credits to impacted customers in accordance with our SLA. The credit will be reflected on the subsequent invoice”.
Undoubtedly, this certificate-expiration-related outage cost Microsoft a lot of money.
Expiring digital certificates, and the operational and security issues that result from certificate expiration, affect nearly all enterprise customers. You would be hard pressed to find an IBM Tivoli Monitoring (ITM) shop that hasn’t experienced problems of some kind due to expiring digital certificates.
Three years ago, Blue Medora introduced the IBM Tivoli Monitoring Agent for Remote SSL Certificates to address this problem specifically for ITM customers, and over time it has become one of the most popular “Utility” agents that we provide for ITM.
In a nutshell, the ITM Agent for SSL Certificates allows you to define, within a simple CSV file, all the X.509 digital certificates that are network reachable within your enterprise. It polls those certificates twice a day (user configurable) and reports back a short set of ITM attributes for each certificate you’ve defined, indicating whether the certificate was found and, if so, its expiration date along with the number of days until it expires. Beyond the ITM attributes, there are out-of-the-box ITM “Situations” that provide alerting when certificates near expiration or have expired.
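The polling pass described above can be illustrated with a short Python example. This is an added example, not Blue Medora's agent code: the `host,port` CSV layout, the 30-day warning threshold, the status names and the sample hosts are all assumptions made for illustration.

```python
import csv
import io
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not a value taken from the product
# Constructed inventory; this column layout is an assumption for the example.
SAMPLE_CSV = "host,port\nwww.example.com,443\nmail.example.com,993\n"

def load_targets(text):
    """Parse the inventory CSV into (host, port) pairs."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["host"].strip(), int(r["port"])) for r in rows if r.get("host")]

def days_left(not_after, now):
    """Whole days from `now` to a getpeercert()-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def classify(days):
    if days < 0:
        return "expired"
    return "expiring" if days <= WARN_DAYS else "ok"

def fetch_not_after(host, port, timeout=5.0):
    """Handshake with full verification and return the leaf's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def poll(targets, now, fetch=fetch_not_after):
    """One pass: (host, port, found, notAfter, days, status) per target."""
    report = []
    for host, port in targets:
        try:
            not_after = fetch(host, port)
            days = days_left(not_after, now)
            report.append((host, port, True, not_after, days, classify(days)))
        except ssl.SSLCertVerificationError as err:
            # A verifying client cannot read an expired cert; OpenSSL reports
            # X509_V_ERR_CERT_HAS_EXPIRED (verify_code 10) instead.
            status = "expired" if getattr(err, "verify_code", None) == 10 else "invalid"
            report.append((host, port, True, None, None, status))
        except OSError:  # DNS failure, refused connection, timeout, TLS error
            report.append((host, port, False, None, None, "not found"))
    return report
```

Calling `poll(load_targets(SAMPLE_CSV), datetime.now(timezone.utc))` runs one pass over the inventory; passing a substitute `fetch` function lets the classification be exercised without network access.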
This month, we are pleased to announce our new Oracle Enterprise Manager Cloud Control (EM12c) Plug-in for SSL Certificates, which provides the exact same functionality as our ITM Agent for SSL Certificates, extended specifically to Oracle Enterprise Manager.
The EM12c plug-in for SSL Certificates provides the exact same set of metrics from within EM12c, along with a set of out-of-the-box thresholds and corresponding incidents that, once again, alert Oracle EM customers when their certificates are near expiration or have expired. Beyond alerting, an Oracle BI Publisher report package is also included that generates a list of problematic certificates from across the enterprise. The Oracle BI Publisher report for SSL Certificates is especially useful, as it can be auto-generated in PDF format weekly and emailed to the security team in charge of managing all the certificates.
If you are either an ITM or Oracle Enterprise Manager customer, I’d like to invite you to download a 30-day trial and see for yourself the value of monitoring all of your digital certificates with the same tooling you use to monitor your servers, applications, and databases. As the recent Microsoft Azure outage demonstrates, expiring digital certificates represent a single point of failure that typically well exceeds the risk threshold most enterprises are willing to accept within their daily IT operations.