Periodic Certificate Validation

ThingWorx Edge Java SDK > Using ThingWorx Platform and the ThingWorx Edge Java SDK > Security for Edge Java SDK Applications > Periodic Certificate Validation

A client can perform periodic certificate checks to make sure that the platform certificates are valid. If the current date and time are within the validity period specified in the certificate, then the certificate is considered unexpired, and further validation steps can proceed.

If the certificates are invalid, then the Edge device disconnects from the platform, and a java.security.cert.CertificateExpiredException is thrown and logged by the client.

The following section describes how to configure parameters for the periodic certificate validation.

Configuration Parameters for Periodic Certificate Validation

Periodic certificate validation can be enabled and configured through the ClientConfigurator. To enable periodic certificate validation on the ThingWorx Edge, the following functions must be invoked with the appropriate values:

• ClientConfigurator.setPeriodicCertificateValidationEnabled must be invoked and passed a Boolean value. The default value is true.

For example, config.setPeriodicCertificateValidationEnabled(true);

• ClientConfigurator.ignoreSSLErrors must be invoked and passed a Boolean value. The default value is false. If this is set to true, all SSL errors (specifically expired certificates) will be ignored.

For example, config.ignoreSSLErrors(false);

• ClientConfigurator.setPeriodicCertificateValidationInterval must be invoked with an integer describing the certificate validation interval in seconds. This integer value must be greater than zero. By default the integer value is set to 3600 seconds. Setting this interval too short may negatively impact performance.

For example, config.setPeriodicCertificateValidationInterval(3600);

For more details, refer to ClientConfigurator Component.

The following example shows the console log output if the certificates are valid:

2027-10-31 19:59:23.182-0400 [L: INFO] [O: c.t.c.c.e.ClientCommunicationEndpoint] [M: validateSSLCertificates] [T: Client-EndpointMonitor-1] Validating Peer SSL Certificates. Connection: 0-0. Endpoint: DispatchingClientEndpoint [id: 0, isConnected: true, open connections: 1, max connections: 1].

2027-10-31 19:59:23.183-0400 [L: INFO] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: Client-EndpointMonitor-1] Validating SSL certificate: O=ThingWorx,C=US,ST=Pennsylvania,CN=localhost

2027-10-31 19:59:23.198-0400 [L: INFO] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: Client-EndpointMonitor-1] SSL certificate is valid: O=ThingWorx,C=US,ST=Pennsylvania,CN=localhost

2027-10-31 19:59:44.123-0400 [L: INFO] [O: c.t.c.c.t.t.Tunnel] [M: isCertificateValid] [T: pool-1-thread-1] Validating Peer SSL Certificates for Tunnel [tID=1626148920, proto=TCP, path=/Thingworx/WSTunnelServer, host=172.21.0.1, port=22, startupTimeout=90000, readTimeout=10, idleTimeout=300000, chunkSize=16384, ignoreSSLErrors=false, isDone=java.util.concurrent.Semaphore@660d6257[Permits = 0], isAppConnected=true, errorMsg=null, startupExpiration=1825027258123, closed=false, lastActive=1825027168207, connectTimeout=10000, platformURI=wss://10.85.25.243:8443/Thingworx/WS, numConnects=0]

2027-10-31 19:59:44.124-0400 [L: INFO] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: pool-1-thread-1] Validating SSL certificate: O=ThingWorx,C=US,ST=Pennsylvania,CN=localhost

2027-10-31 19:59:44.124-0400 [L: INFO] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: pool-1-thread-1] SSL certificate is valid: O=ThingWorx,C=US,ST=Pennsylvania,CN=localhost

The console log output if the certificates have expired:

2027-10-31 20:00:03.259-0400 [L: INFO] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: Client-EndpointMonitor-1] Validating SSL certificate: O=ThingWorx,C=US,ST=Pennsylvania,CN=localhost

2027-10-31 20:00:03.261-0400 [L: ERROR] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: Client-EndpointMonitor-1] Failed to validate SSL certificates. This certificate has expired.
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 31 20:00:00 EDT 2027
< Stack Trace >

2027-10-31 20:00:09.124-0400 [L: INFO] [O: c.t.c.c.t.t.Tunnel] [M: isCertificateValid] [T: pool-1-thread-1] Validating Peer SSL Certificates for Tunnel [tID=1626148920, proto=TCP, path=/Thingworx/WSTunnelServer, host=172.21.0.1, port=22, startupTimeout=90000, readTimeout=10, idleTimeout=300000, chunkSize=16384, ignoreSSLErrors=false, isDone=java.util.concurrent.Semaphore@660d6257[Permits = 0], isAppConnected=true, errorMsg=null, startupExpiration=1825027258123, closed=false, lastActive=1825027192345, connectTimeout=10000, platformURI=wss://10.85.25.243:8443/Thingworx/WS, numConnects=0]

2027-10-31 20:00:09.124-0400 [L: INFO] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: pool-1-thread-1] Validating SSL certificate: O=ThingWorx,C=US,ST=Pennsylvania,CN=localhost

2027-10-31 20:00:09.125-0400 [L: ERROR] [O: c.t.c.c.s.PeriodicCertificateValidation] [M: validateSSLCertificates] [T: pool-1-thread-1] Failed to validate SSL certificates. This certificate has expired.
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 31 20:00:00 EDT 2027
< Stack Trace >

SteamSensor Example

Here is an example that will help you understand how to invoke SteamSensor with Periodic Certificate Validation:

$ java -Djavax.net.ssl.trustStore="../../relative-or-explicit-path-to-truststore/truststore.jks" -Dlogback.configurationFile=../../relative-or-explicit-path-to-logback.xml/logback.xml -jar ./steamsensor.jar -n -h localhost -p 8443 -k xxxxxxxx-Application-Key-xxxxxxxxxxx -t SteamSensor -l 3