Monitoring Host Agent PSE Certificate Expiry…

Purpose

You have configured SSL to enable secure connections to SAP Host Agent. In that case you need to regularly update or extend the validity of the SAP Host Agent PSE certificate. With Focused Run System Monitoring you can create a custom metric that monitors SAP Host Agent PSE certificate expiry.

Setup

Step 1: Navigate to Host Template maintenance

SAP Host Agent resides at the OS level on every host of the systems that you are monitoring using Focused Run. Hence you need to monitor the SAP Host Agent PSE certificate on each host in your customer network.

In our recent blog we explained how you can configure URL Certificate monitoring in Health Monitoring in SAP Focused Run. However, configuring certificate monitoring for each SAP Host Agent in your customer network using Health Monitoring would be very cumbersome.

An easier way is to set up a custom metric in the host-level system monitoring template. When activated, it is automatically applied to all hosts for which the monitoring template is used.

For template maintenance, open the System Monitoring Template Maintenance app on the Focused Run launch pad.

In the template maintenance app, navigate down to the Host (Server) node, then to the template you want to edit, and click on the Edit button.

Step 2: Create Custom Metric

To create a custom metric you need to activate expert mode. To do this, click on the Expert Mode button as shown below.

After enabling expert mode, click on the Create button and select Metric from its drop-down.

In the Metric creation pane, under the Overview tab, enter the details as shown below.

Then in the Data Collection tab, provide the details as shown below.

In the URL field, enter the URL https://$SAP_ComputerSystem.FQDName$:1129/SAPHostControl/?wsdl. The expression $SAP_ComputerSystem.FQDName$ dynamically resolves to the FQDN of the respective host, picked up from LMDB. Hence it is important to select the check box under Placeholder and select LMDB under Placeholder type.

Then navigate to the Threshold tab and provide the threshold as shown below. In this example the threshold is Yellow if the certificate is expiring in 30 days and Red if it is expiring in 15 days.

Then click on the Next button to navigate to the Assignment tab, where a metric is assigned to an existing alert. We don't assign the metric to any alert yet, because the custom alert for this custom metric has not been created. Just click on the Finish button to save the metric.

Step 3: Create custom Alert and assign to custom Metric

In the expert mode maintenance, go to the Create button and select Alert from the drop-down.

Enter the details as shown below and click on the Next button.

Then in the Assignments tab you will see the custom metric you just created. Select the check box for this metric and click on Finish to save the alert.

Your custom metric is now ready, with alerting active.

To activate this template update on all hosts, navigate to the Managed Objects tab for the template and click on the Apply and Activate button.

Upon activation the new metric will be available in system monitoring as shown below.

For more details on how to set up SSL for SAP Host Agent you can refer to the SAP documentation here.
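
To spot-check from a workstation the same thing the custom metric measures, the sketch below reads the certificate presented on port 1129 and rates it against the 30/15-day thresholds used in this post. It is an added example, not SAP code or part of the original post. It assumes the Host Agent certificate chains to a CA in the given trust store, that a value at or below a threshold triggers that rating, and it uses constructed host names.

```python
import socket
import ssl
from datetime import datetime, timezone

YELLOW_DAYS, RED_DAYS = 30, 15   # thresholds from the example in this post


def days_remaining(not_after, now):
    """Whole days until expiry; not_after is in getpeercert() format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def rate(days):
    """Assumed semantics: at or below a threshold triggers that rating."""
    if days <= RED_DAYS:
        return "RED"
    return "YELLOW" if days <= YELLOW_DAYS else "GREEN"


def fetch_not_after(host, cafile=None, port=1129, timeout=5.0):
    """Read notAfter over a verified TLS connection to the Host Agent port."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, cafile=None, now=None, fetch=fetch_not_after):
    """Return {host: (rating, detail)}; failures are reported, never skipped."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for host in hosts:
        try:
            days = days_remaining(fetch(host, cafile=cafile), now)
            results[host] = (rate(days), days)
        except ssl.SSLCertVerificationError as exc:
            # OpenSSL verify code 10 means the certificate has already expired.
            status = "RED" if exc.verify_code == 10 else "UNTRUSTED"
            results[host] = (status, exc.verify_message)
        except OSError as exc:
            results[host] = ("UNREACHABLE", str(exc))
    return results


if __name__ == "__main__":
    # Constructed host name; replace with the FQDNs of your monitored hosts.
    for host, result in check_hosts(["hosta.example.internal"]).items():
        print(host, *result)
```

A host reported as UNTRUSTED or UNREACHABLE needs a look in its own right, since the check could not confirm the expiry date for it.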

6 thoughts on “Monitoring Host Agent PSE Certificate Expiry…”

  1. Hi Manas, great tip and great blog!
    Thanks for helping the FRUN community so much. Very much appreciated!

    I have a fundamental question about SSL on SAP Host Agent: Do we need to create the SAPSSLS.pse for each SAP Host installation (meaning, each host we want to monitor using SSL) and then import it into our Focused Run system to allow SSL communication? I did this test and it worked, FRUN is communicating on port 1129 using the certificate from the SAP Host Agent.

    If we have 100 different hosts to be monitored, do we need to generate 100 certificates and import them all into our FRUN system? It would give us tons of work just to guarantee this SSL communication.

    Sorry for the basic/obvious question

  2. Hi Luiz,
    Thanks a lot for the wonderful feedback. 🙂
    Regarding your question on SSL on SAP Host Agent:

    1) Do we need to create the SAPSSLS.pse for each SAP Host installation: Answer is Yes. This is required for SSL communication with host agent. (Calling Hostagent webservices using port 1129.) Each host will have its own certificate as the SNC entries will have the hostname in it.

    2) import it into our Focused Run system to allow SSL communication: This is not required for Host Agent SSL communication. Why do you want to perform this step?

    Note: The Host Agent PSE certificate as client (SAPSSLC.PSE) needs to be imported to the respective managed system only if you are using SNC/SSO for SDA to managed system communication.

    https://me.sap.com/notes/2607542

    BR
    Manas

    1. Hi Manas, thank you very much for your response!
      I did not receive (or I missed it) any notification, that’s why I am seeing this only now.

      2) import it into our Focused Run system to allow SSL communication: This is not required for Host Agent SSL communication. Why do you want to perform this step?
      As per my tests, if I don’t import the Host Agent certificate into FRUN Client PSE certificate (SAPSSLC.PSE) the RFC does not work using SSL on port 1129, it gives me a certificate error. Please, what am I missing here? 🙂

      1. Hi Luiz,
        What is the authentication mode in your network configuration? If you use basic authentication using the sapadm user, RFC will connect through the sapadm user and password, and importing the certificate is not needed. However, with this approach you will have to use the same password for sapadm on all hosts.

        BR
        Manas

  3. Hello everyone! Quick questions on this topic:

    – Is there any way to also query/monitor the expiration date of the Hostagent’s SAPSSLC.PSE and SDAGENT.PSE files?
    – And in the same line, is there a way to query/monitor the expiration date of the different certificates that are being included in the Certificate List of those PSE files?

    Crafting scripts around the “sapgenpse” command line tool should work, but I’m wondering if the hostagent could have other webservice shortcuts that we could use to query this info and avoid the need for external scripts…

    Thanks in advance! and Thanks for all the awesome FRUN tips and tricks that you are posting here!

    1. Hi Alvaro,
      What we have done for monitoring expiry of Hostagent certificates is we have created a custom metric at host level using data collector SAP URL Certificate Check that pings the Hostagent URL https://$SAP_ComputerSystem.FQDName$:1129/SAPHostControl/?wsdl.

      You can use the same data provider to create custom metrics to monitor any certificate. You just need a URL to the specific application, and the URL call should use the certificate for the authentication.

      You can also use Health Monitoring HTTP Availability monitoring. While activating availability monitoring of an HTTPS URL it also checks for its certificate validity.

      Hope this helps.

      Thanks
      Manas
