cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

rcmd command to execute within period of time

smunawar
Inactive

Hi,

I am request for help on the AMD command below,

What is the command to run rcmd "show ssldecr status*" or rcmd "show ssldecr keys" within period of time, for example: daily or weekly or monthly and how to verify the data is correct.

In addition I've got information from rcmd -h and tried to execute rcmd -t 10 "show ssldecr status*" or rcmd -t 10 "show ssldecr keys" (meaning: execute command within 10sec) but I am confuse because the data couldn't verified and no date or what ever timing information provided by the AMD.

Kindly advise if anyone here have experience generating data within period of time, appreciate your help.

9 REPLIES 9

david_alonso
Dynatrace Pro
Dynatrace Pro

hello,

What are you trying to do and why, maybe this is not the approach. On the CAS on the system Status you have already information of how the SSL Decription is working.

Anyway, the bow where you are working is linux. you can use the cron, for this. Modify your crontab to get your the script exectuted. About verifying the content you can use a shell/perl script to put the date and send it to a log file or even check the result for this before seding it to a log (on the keys look for the keys wrong and ok but not macthed, on the status lookfor the sessions with errors).

Regards,

Hi David, Thank you for your response.

The purpose of this request is because on 25th Oct 2015 there are Microsoft Patching applied by System Team on the target servers discovered by AMD Server, once the patched completed the CAS sending email alert every 5 minutes for the unsupported ciphers.

We want to compare by executing the rcmd "show ssldecr status*" on the Linux console to retrieve data for one weeks before and after the patching applied.

If we have full details of information then we might ask System Team to remove the particular Microsoft patching from the lists to prevent unsupported ciphers but if we can provide details on it.

When you are saying use shell/Perl script and put as cron in crontab I assume every time we are executing rcmd "show ssldecr status*" on the Linux console and receive the details info given is a real time data, kindly confirm if my assumption is correct.

adam_piotrowicz
Dynatrace Pro
Dynatrace Pro

Munawar,

Indeed three is no built-in mechanism to troubleshoot decryption status per SSL servers over the time.
You can create bash script with:

#!/bin/bash
while [ 1 ]; do
echo "#########################" >> /usr/adlex/log/decryption_status.log
date -u >> /usr/adlex/log/decryption_status.log
rcmd 'show ssldecr status *' > /root/AMD_SSL_status_$HOSTNAME.txt
sleep 300
done

300 stays for 300 seconds of idle time ...

Then save it as .sh file, make it executable:

chmod +x /path/to/your/script.sh

and run in background:

nohup /path/to/your/script.sh &

Alternatively you can remove the loop and stay with:

echo "#########################" >> /usr/adlex/log/decryption_status.log
date -u >> /usr/adlex/log/decryption_status.log
rcmd 'show ssldecr status *' > /root/AMD_SSL_status_$HOSTNAME.txt

and put it in the cron.

No matter what solution you will choose you need to take care about decryption_status.log that will be increasing in size. You need to edit /etc/logrotate.d file and append:

/var/log/adlex/decryption_status.log {
rotate 10
weekly
copytruncate
compress
delaycompress
}

to the end of the file.

Hi Adam,

Thanks for this response. Is there a way to "clear" information on a regular basis?

For example, I want to follow if there is some unsupported cipher used by the application. At a time, if there is Diffie-Hellman for instance, we would modify the Apache configuration to remove the DH cipher suite server and I want to follow if there is still some DH traffic or not. I can see it using "rcmd 'show ssldecr status serverIPaddress'" but I won't see if the H has disappeared or not unless I restart the AMD. It would be better if we can flush the history at a time, then wait a bit, run the command and send the result to our reporting tool, so we can automatically see if there is some unsupported traffic or not and the evolution.

Not sure I'm clear here...

Kind regards,

Sandrine

If I understand you correctly below command will give you an answer if there any any unsupported ciphers used:

rcmd 'show ssldecr status *' | grep -ie "- .*"

and the following:

rcmd 'show ssldecr status *' | grep -ie "\(- .*\|for server\)"

will add server IP address context.

Is it what you're looking for?

Hi Adam,

Not exactly. I want to see if there is a change. Meaning I want to "clean" or "purge" the results, as happening when restarting the AMD (ndstop ndstart) and then launch the 'show ssldecr status *'

These stats will be cleared after the restart ...

Here is the point! We don't want to restart the AMD each time we need to have an update on those information...

Then I don't see any other way than storing the results periodically and compare with previous value ...