In system monitoring you can monitor if ABAP system certificates are expiring or are already expired. For centrally monitoring SSL certificates, read this blog.
SAP provides a standard metric for this based on configuration validation rule SAP ABAP PSE CERTIFICATES CHECK. This rule is taking all certificates that are to be expired in the next 7 days and all expired certificates.
This rule has two setbacks:
- 7 days upfront warning might be too short
- It reports all expired certificates that are already years expired and don’t harm the system
For the improved setup we will defined 2 new rules:
- To be expired certificates, with date selection -30 till tomorrow
- Expired certificates, with date selection today till next 30 days.
Start with creating the policy in configuration validation (more on configuration validation in this blog):
Add a new policy Z_ABAP_PSE_TO_BE_EXP for the to be expired, and give it this syntax:
Add a new policy Z_ABAP_PSE_EXP for the expired ones:
Both are basically a copy of the standard SAP one with the changed dates.
Please note you need to change both the dates in the Compliant and Non-Compliant section.
Create custom metric
Now you can create a custom metric using the newly created rule. For full description on how to create custom metrics, read this blog. Create the custom metric in the ABAP system template:
Refer to the newly create custom CoVa (configuration validation) rule:
And set the threshold:
For the to be expired certificates, we only want warning.
We repeat the same for the expired certificates, but now we make it a red alert by setting the thresholds differently.
Make sure both are now activated for monitoring:
There might be false alerts raised for this metric. This is for both the custom and standard SAP metric. The source is usually the data collection.
SAP note 3138046 – False Alert ABAP PSE certificates expiring in Focused Run describes the checks to perform.
Go to the configuration and configuration validation FIORI tile:
Select the system and search for the PSE certificates data collection details: