Central SSL Certificate Monitoring in SAP Focused Run

Purpose

You can configure monitors to monitor the SSL certificate of a URL using Health Monitoring functionality in SAP Focused Run system. This monitor measures the remaining validity (in days) of a SSL certificate for a https call to a URL. The URL is called by Simple Diagnostics Agent of a designated host in your customer network.

In our previous blog, we have shown how you can monitor availability of critical OS processes via Health Monitoring.

The Health Monitoring app also provides a separate section called as URL Certificate Monitor where in you can centrally monitor expiry of SSL certificates of any https URL.

To navigate to URL Certificates monitor you can click on the URL Certificate button as shown below in the navigation panel of the app.

Setup

To configure URL Certificate monitors , navigate to the Configuration area, expand the Metrics node and click on the change button.

In the popup window click on the Add Metric.

In the Metric Configuration window enter the following details in the General tab.

FieldDescription
Metric NameA meaningful name to the monitor
URLURL whose certificate to be monitored.
Proxy URL (Optional)The Proxy URL if the URL is accessible via a proxy URL
Customer NetworkThe Customer Network to which this URL belongs. The designated SDA from this customer network will be performing the check.
Technical System (Optional)You can optionally link this monitor to a specific cloud service you have registered in your LMDB. This is the Cloud Service you would have created if you are using AIM scenario for Cloud Service Monitoring. Select from the drop down.
Collection IntervalFrequency of data collection. Select from available options.
ThresholdThreshold for remaining days for expiry. By default 200 Days for Yellow and 100 days for Red.

Additionally and optionally in the Alert Settings tab you can activate alerting and notification settings as shown below.

That’s it, now your monitor is active. To monitor navigate to the URL Certificate tab in the Health Monitoring App .

You can also refer to this SAP documentation to know more about various features available with Focused Run Health Monitoring.

System monitoring custom metric for errors in table locking of TBTCO

From availability perspective, you want to detect as quickly as possible if you are suffering from locking errors of table TBTCO. TBTCO table is used for printing. If the locking error situation occurs the printing function will fail, and even worse, it can impact the complete SAP ABAP system.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for errors in table locking of TBTCO

Create a custom metric following the steps in this blog. The template to be adjusted is the technical instance SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_METRIC_ERR_LOCK_TBTCO:

In the data collection:

Data to enter: diagnostics agent (push). Select ABAP read SysLog. Filter on message text .*TBTCO* and severity Red. This captures severe errors for TBTCO like the locking error.

Define the threshold for alerting:

And assign the metric to the ABAP Instance not available alert group:

Monitoring critical OS processes through Health Monitoring

SAP Focused Run Health Monitoring helps us to extend monitoring capabilities to Non SAP world. It provides us with many monitoring functionalities like URL Availability & Performance monitoring, URL Certificate Monitoring, OS Script Monitoring, OS Process Monitoring & Logfile Monitoring . We can activate these monitoring functionalities whether its a SAP or Non SAP application

With OS Process Monitoring functionality we can monitor the availability of critical OS level processes on any host.

With System Monitoring templates you can also activate custom metric for monitoring OS processes however this will be applicable for all system/hosts for which you activate the template.

For monitoring critical OS processes for specific hosts you need to setup using Health Monitoring functionality.

To access Health Monitoring functionality you can navigate to Health Monitoring app in the Focused Run launch pad.

Prerequisite

The only prerequisite for configuring OS process monitor in Health Monitoring is that you should have registered the host and deployed Simple Diagnostic Agent (SDA) on the host where you want to monitor the critical process.

Setup

For setting up the OS process monitor you need to navigate to the settings page of the Health Monitoring App.

In the settings area expand the metrics node and click on the pencil button (Edit Metric) for OS Processes.

In the OS Process edit metric screen click on Add Metric button to start creating the OS Process Metric.

In Add Metric screen enter the following details

FieldDescription
Process NameName of the OS process. This parameter needs to be maintained as a regular expression. SDA will use this expression for searching for the respective OS process at OS level.
User (Optional)You can further restrict the search for processes running through a specific user. You need to enter the name as a regular expression
Command Line (Optional)You can further restrict by the specific command line with which the process is running . This is specifically useful if there are multiple processes running with the same name but you want to monitor the process which is running with a specific argument or parameter. This also needs to be maintained as regular expression.
HostnameName of the host where the process to be monitored. You can select from a list of all hosts connected (also SDA deployed) to the Focused Run system.

In the General Settings tab you can also specify the data collection frequency and the threshold. By default 5 minutes frequency and Already Rated threshold is set.

Optionally you can update the alert settings for this metric in the Alert Settings tab. By default alerting is active with medium severity.

After entering all details, to activate the metric click on Save button.

You can monitor all you OS process metrics in the OS Processes tab of the Health Monitoring App.

System monitoring custom metric for message server disconnects

From availability perspective, you want to detect as quickly as possible if you are suffering from message server disconnects.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for message server disconnects

Create a custom metric following the steps in this blog. The template to be adjusted is the technical instance SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_MESSAGE_SERVER_DISCONNECT:

In the data collection:

Data to enter: diagnostics agent (push). Select ABAP read SysLog. Filter on message number Q0L, Q0M and Q0N. Any of those indicate message server errors. For more information on system log messages, read this blog.

Define the threshold for alerting:

And assign the metric to the ABAP Instance not available alert group:

System monitoring custom metric for user lock status

From security perspective, you want to validate that 2 important users are locked in the main system clients: SAP* and DDIC.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for user lock status

Create a custom metric following the steps in this blog. The template to be adjusted is the technical system SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring otherwise it is not active.

In expert mode create a custom metric.

Create technical name ZUSER_LOCK_STATUS:

In the data collection:

Data to enter: RFC diagnostics agent (push). User Lock status Data collector. Enter as parameters the user ID (DDIC) and the COLLECTOR_CONTEXT_ID as TECHNICAL_SYSTEM.

Set the threshold as a text threshold:

Set the red rating in case the string contains the word ‘not locked’ and set to green in case it contains the word ‘locked’.

Now assign it to Alert group for locked users:

Save the metric.

Repeat the same for SAP*.

Cloud monitoring overview

The integration and cloud monitoring function of SAP Focused Run consists of 2 main functions:

  • Cloud monitoring between on premise and cloud SAP products
  • Interface monitoring between SAP systems (read more on interface monitoring in this blog)

This blog will give an overview of the Cloud monitoring between SAP on premises systems and SAP cloud solutions.

Questions that will be answered in this blog are:

  • How does the Cloud monitoring in SAP Focused Run look like?
  • How much details and history can I see in SAP Focused Run interface monitoring?
  • Can I link an Cloud monitoring event to and alert?
  • Which Cloud monitoring scenarios are supported?

Cloud monitoring

To start the cloud monitoring click on the FIORI tile:

Select the cloud scenarios:

You now reach the scenario overview screen:

Click on the tile for details (we will take Ariba as example):

Click on the red line between the on premise and the cloud system:

Click on the red errors number for the error overview:

Click on specific error:

Supported cloud scenarios

Not all cloud products and scenarios of SAP are supported via SAP Focused Run Cloud monitoring. On the SAP Focused Run Expert Portal the following scenarios are currently published:

Read the scenario details carefully! Inside the details there might be less monitored than you were expecting.

Could monitoring setup

The setup for cloud monitoring will be explained in a future blog.

Interface monitoring: web service monitoring

The generic interface monitoring setup in SAP Focused Run is explained in this blog. This blog will zoom into monitoring of web services.

Web services monitoring automates the monitoring in transaction SRT_MONI, which is extensively explained in this blog.

This monitoring does not check the connection availability of the web service. To make that happen, you would need to install a custom program from this blog, that writes an entry to SM21. From the SM21 entry, you can create a custom monitoring metric that alerts on the connection issue. How to setup custom metrics is explained in this blog.

Data collection and alerting setup

In the configuration for interface monitoring in the Technical System settings, goto the monitoring part and activate the data collection for Web Service Errors:

In the monitoring settings, you can filter on specific criteria, or leave everything blank to report on everything:

In the alerting part check you can choose between amount of entries and number of error entries:

And set the filters for the alerting:

The filter for monitoring and alerting can be different. It could be you want to monitor all errors, but only activate specific important ones.

Save your monitoring data collection and alerting settings.

Graphical modelling

In the graphical modelling add the filter between two systems for the web service monitoring:

Also here: first scroll down to see the OK button. Press first OK before pressing Save, or you might loose the data and have to re-enter it. This it bit annoying in the UI.

Monitoring usage

The end result looks as follows:

You can click on the errors or success messages and zoom all the way down to individual messages:

Interface monitoring: qRFC monitoring

The generic interface monitoring setup in SAP Focused Run is explained in this blog. This blog will zoom into monitoring of qRFC connections, which are frequently used in communication from ECC to EWM and SCM systems.

OSS notes for bug fixing

Please make sure bug fix OSS note 3014667 – Wrong parameter for QRFC alerts is applied before starting with qRFC monitoring.

Data collection and alerting setup

In the configuration for interface monitoring in the Technical System settings, goto the monitoring part and activate the data collection for qRFC Errors:

In the monitoring settings, you can filter on specific queues, direction and RFC name, or leave everything blank to report on everything:

In the alerting part check you can choose between age of qRFC entries and number of entries:

And set the filters for which ones, and the metric threshold for CRITICAL errors:

The filter for monitoring and alerting can be different. It could be you want to monitor all errors, but only activate specific important ones.

Save your monitoring data collection and alerting settings.

Queued RFC’s are normally back and forth between 2 systems. If this is the case you have to make the settings for both systems.

Graphical modelling

In the graphical modelling add the filter between two systems for the qRFC monitoring:

Also here: first scroll down to see the OK button. Press first OK before pressing Save, or you might loose the data and have to re-enter it. This it bit annoying in the UI.

Queued RFC’s are normally back and forth between 2 systems. If this is the case you have to make the settings for both systems. You model first one direction and then model the direction back:

Monitoring usage

The end result in operations looks as follows:

You can see here qRFC is modelled back and forth between 2 systems. The blue line indicates messages in process. The red line is clicked on. Here you can see both messages in process and errors. Click on the red error number gives the details:

Interface monitoring: ODATA gateway monitoring

The generic interface monitoring setup in SAP Focused Run is explained in this blog. This blog will zoom into monitoring of ODATA gateway connections.

We assume in this use case that end users are using the ODATA in FIORI apps. In case ODATA is consumed by external applications like Tibco, Mulesoft, Mirai, Mendix, etc., you have to replace USER with the corresponding application.

Model end users in LMDB

Before we can start the scenario modelling, we first need to model the end users in LMDB as a Unspecific Standalone Application System), just like we did for TIBCO in this blog.

Name the ‘system’ USER:

Make sure the status is Active.

Add this new system USER to the Technical System list in the Integration Monitoring setup.

The system will be display only.

Data collection and alerting setup

In the configuration for interface monitoring in the Technical System settings, goto the monitoring part and activate the data collection for Gateway Errors:

In the monitoring settings, you can filter on specific items if wanted, or leave everything blank to report on any error:

In the tab alerting setup the alerting:

The filter for monitoring and alerting can be different. It cloud be you want to monitor all errors, but only activate specific important ones.

Save your monitoring data collection and alerting settings.

Graphical modelling

In the graphical modelling add the backend system and the system created for USER:

Now add the link starting with USER towards the backend system:

Save your changes.

Also here: first scroll down to see the OK button. Press first OK before pressing Save, or you might loose the data and have to re-enter it. This it bit annoying in the UI.

Monitoring usage

The end result in operations looks as follows:

In the graphical overview click on the red line. The screen with the exceptions opens. Click on the red number to see the overview:

Here you can see the trends and zoom into the specific errors:

Interface monitoring: RFC monitoring

The generic interface monitoring setup in SAP Focused Run is explained in this blog. This blog will zoom into monitoring of RFC connections.

RFC’s between SAP systems

RFC’s with fixed user ID

The basic setup of monitoring RFC’s was explained as example for the generic interface monitoring setup in this blog already.

Trusted RFC’s

This RFC was an RFC with a fixed user ID. If you have to setup an RFC monitoring for a trusted RFC (for example between Netweaver Gateway system and ECC system), then you have to take care of the user ID’s and rights. The system from which the SM59 test will run, will use that Focused Run user ID to log on to the other system. If your user ID’s are unique for each system you have to create the user ID in the other systems with the rights to be able to execute a ping and logon for the test.

End result RFC checks

The end results of the RFC is list of RFC’s with the latency time, availability and logon test overview:

Transactional RFC towards external system

To monitor transactional RFC (type T) towards an external system like TIBCO, Mulesoft, etc, you first need to model the external system in the LMDB. To do this goto the LMDB maintenance FIORI app:

Then select Single Customer Network and select the option Technical Systems. In this section choose the Type Unspecific Standalone Application System:

And press Create:

Fill out the details and Save. Make sure the status is Active.

Now the system can be added in the configuration of technical systems in the Interface monitoring configuration:

Now you can model the tRFC interface connection monitoring: