eG Monitoring
 

Measures reported by NSSSLLogsTest

A Citrix® NetScaler® appliance communicates with other servers and clients over a secure communication channel, using SSL to keep transactions safe and secure. If the SSL communication channels suffer a setback, such as an expired SSL certificate or a number of SSL handshake failures, the NetScaler appliance may be prone to malicious attacks. To secure the NetScaler appliance, administrators should constantly keep a check on the SSL certificates, handshakes and Certificate Revocation Lists. The NSSSLLogsTest test helps administrators do exactly this.

Using this test, administrators can determine the success and failure counts of SSL handshakes and be proactively warned of an impending SSL certificate expiry. In addition, this test reports the number of times the Certificate Revocation List (CRL) was updated successfully and the number of times the CRL update failed. This way, administrators can be proactively alerted to potential security threats (if any) and secure the NetScaler appliance from malicious attacks.

For this test to run and report metrics, the NetScaler device should be configured to create a Syslog file on a remote Syslog server, where the details of all interactions with the NetScaler appliance will be logged. To know how to configure the Syslog server where this Syslog file should be created, click here.

Outputs of the test: One set of results for the NetScaler appliance being monitored

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| sslSuccess | Indicates the number of SSL handshakes that were successful on the NetScaler appliance. | Number | |
| sslFailure | Indicates the number of SSL handshakes that failed on the NetScaler appliance. | Number | Ideally, the value of this measure should be zero. A high value for this measure is a cause for concern, as this may affect the communication between the server and client. |
| sslCertExpiry | Indicates the number of SSL certificates that are about to expire. | Number | The detailed diagnosis of this measure, if enabled, lists the SSL certificate key pairs that are about to expire and the number of days until expiry. |
| successCRLUpdate | Indicates the number of times the SSL Certificate Revocation List was updated successfully. | Number | From time to time, Certificate Authorities (CAs) issue certificate revocation lists (CRLs). CRLs contain information about certificates that can no longer be trusted. A certificate can be revoked if the private key is compromised or if that certificate expired and a new one is in use. A high value for this measure indicates that the CRLs are updated continuously, which implies that the NetScaler device is highly secure. |
| failureCRLUpdate | Indicates the number of times the SSL Certificate Revocation List failed to update. | Number | Ideally, the value of this measure should be zero. A high value for this measure indicates a serious threat to the security of the NetScaler device. |
| VPNLicenseLimitReached | Indicates the number of times the SSL VPN license limit was reached. | Number | |
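
The following sketch shows how the six measures above could be derived from the remote Syslog file. It is an added example, not eG's or Citrix's code: the event names, the line layout and the sample lines are assumptions constructed for illustration, and `summarize` and `alerts` are hypothetical helper names.

```python
import re
from collections import Counter

# Assumed event-name -> measure mapping; the event names and the line layout
# below are assumptions, so adjust them to what your appliance really logs.
EVENTS = {
    "SSL_HANDSHAKE_SUCCESS": "sslSuccess",
    "SSL_HANDSHAKE_FAILURE": "sslFailure",
    "SSL_CRL_UPDATE_SUCCESS": "successCRLUpdate",
    "SSL_CRL_UPDATE_FAILURE": "failureCRLUpdate",
    "LICLMT_REACHED": "VPNLicenseLimitReached",
}
EVENT_RE = re.compile(r"\b(?:SSLLOG|SSLVPN) ([A-Z_]+) \d+ \d+ :")
EXPIRY_RE = re.compile(r'SSL_CERT_EXPIRY_IMMINENT .*?"([^"]+)" expires in (\d+) days')

# Constructed sample lines (not captured from a real appliance).
SAMPLE = """\
Mar  3 10:00:01 ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 101 0 : ClientIP 192.0.2.10
Mar  3 10:00:02 ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 102 0 : ClientIP 192.0.2.11
Mar  3 10:00:03 ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 103 0 : ClientIP 192.0.2.12
Mar  3 10:05:00 ns1 0-PPE-0 : default SSLLOG SSL_CERT_EXPIRY_IMMINENT 104 0 : Certificate "web-cert" expires in 12 days
Mar  4 10:05:00 ns1 0-PPE-0 : default SSLLOG SSL_CERT_EXPIRY_IMMINENT 105 0 : Certificate "web-cert" expires in 11 days
Mar  4 10:05:00 ns1 0-PPE-0 : default SSLLOG SSL_CERT_EXPIRY_IMMINENT 106 0 : Certificate "api-cert" expires in 30 days
Mar  4 11:00:00 ns1 0-PPE-0 : default SSLLOG SSL_CRL_UPDATE_SUCCESS 107 0 : CRL "ca1-crl"
Mar  4 12:00:00 ns1 0-PPE-0 : default SSLLOG SSL_CRL_UPDATE_FAILURE 108 0 : CRL "ca2-crl"
Mar  4 12:00:05 ns1 0-PPE-0 : default TCP CONN_TERMINATE 109 0 : Source 192.0.2.10:4431
Mar  4 12:10:00 ns1 0-PPE-0 : default SSLVPN LICLMT_REACHED 110 0 : license limit reached
""".splitlines()

def summarize(lines):
    """Return (measures, expiring) where expiring maps certificate -> fewest days left."""
    counts = Counter()
    expiring = {}
    for line in lines:
        m = EXPIRY_RE.search(line)
        if m:  # repeated warnings for one certificate count once
            name, days = m.group(1), int(m.group(2))
            expiring[name] = min(days, expiring.get(name, days))
            continue
        m = EVENT_RE.search(line)
        if m and m.group(1) in EVENTS:
            counts[EVENTS[m.group(1)]] += 1
    measures = {name: counts[name] for name in EVENTS.values()}
    measures["sslCertExpiry"] = len(expiring)
    return measures, expiring

def alerts(measures):
    # The table says these two measures should ideally be zero.
    return sorted(m for m in ("sslFailure", "failureCRLUpdate") if measures[m] > 0)
```

Calling `summarize(SAMPLE)` returns the per-measure counts plus the certificate list that the detailed diagnosis of sslCertExpiry describes.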