ABAP system certificate monitoring

In system monitoring you can monitor if ABAP system certificates are expiring or are already expired. For centrally monitoring SSL certificates, read this blog.

SAP provides a standard metric for this based on configuration validation rule SAP ABAP PSE CERTIFICATES CHECK. This rule is taking all certificates that are to be expired in the next 7 days and all expired certificates.

This rule has two setbacks:

  • 7 days upfront warning might be too short
  • It reports all expired certificates that are already years expired and don’t harm the system

New rules

For the improved setup we will defined 2 new rules:

  • To be expired certificates, with date selection -30 till tomorrow
  • Expired certificates, with date selection today till next 30 days.

Start with creating the policy in configuration validation (more on configuration validation in this blog):

Add a new policy Z_ABAP_PSE_TO_BE_EXP for the to be expired, and give it this syntax:

Add a new policy Z_ABAP_PSE_EXP for the expired ones:

Both are basically a copy of the standard SAP one with the changed dates.

Please note you need to change both the dates in the Compliant and Non-Compliant section.

Create custom metric

Now you can create a custom metric using the newly created rule. For full description on how to create custom metrics, read this blog. Create the custom metric in the ABAP system template:

Refer to the newly create custom CoVa (configuration validation) rule:

And set the threshold:

For the to be expired certificates, we only want warning.

We repeat the same for the expired certificates, but now we make it a red alert by setting the thresholds differently.

Make sure both are now activated for monitoring:

Trouble shooting

There might be false alerts raised for this metric. This is for both the custom and standard SAP metric. The source is usually the data collection.

SAP note 3138046 – False Alert ABAP PSE certificates expiring in Focused Run describes the checks to perform.

Go to the configuration and configuration validation FIORI tile:

Select the system and search for the PSE certificates data collection details: