Keystore Views and Certificates Monitoring

In SAP, J2EE stores certificates and keys in multiple virtual key stores called Keystore Views.

The keys and certificates in the Key Storage views can be used for encryption, identification, and verification purposes when using AS Java functions.

The Key Storage entries themselves are stored in a distributed database.



Monitoring

IT-Conductor™ provides a convenient approach to monitoring Keystore Views and Certificates:

  • All Keystore Views are discovered automatically.
  • Keystore Certificates are discovered if permissions to specific Keystore Views are granted to the IT-Conductor™ monitoring user.
  • Thresholds can be configured for monitoring Keystore View status (calculated by SAP as the "worst of" status for all the entries in the view).
  • Thresholds can be configured for monitoring Certificate Expiration and Days To Expiration.


 

Figure 1: Sample Keystore Views and Certificates

Permissions

  • Access to Keystore View discovery and high-level monitoring is governed by the keystore/keystore-views action, which is included in the standard ITCONDUCTOR_MONITORING role.

Figure 2: ITCONDUCTOR_MONITORING Assigned Actions View in Detail


  • Access to the individual certificates has to be granted as specific actions and configured by customers as needed.

For example, to monitor the certificates in the SecureLoginServer keystore view:

Figure 3: Sample SecureLoginServer View in Detail

  • The IT-Conductor™ monitoring user needs to have specific permissions (actions) assigned for this view. Let us create a new role ITCONDUCTOR_CERTIFICATES and assign the following actions:
    • keystore-view.SecureLoginServer / view-actions.all.all
    • keystore-view.SecureLoginServer / entry-actions.all.all

Figure 4: Sample ITCONDUCTOR_CERTIFICATES View in Detail (a)


Figure 5: Sample ITCONDUCTOR_CERTIFICATES View in Detail (b)

  • Repeat this for every view whose certificates need to be monitored:
    • keystore-view.<View Name> / view-actions.all.all
    • keystore-view.<View Name> / entry-actions.all.all


  • Assign the newly created role ITCONDUCTOR_CERTIFICATES to the IT-Conductor™ monitoring user.
  • IT-Conductor™ will discover and start monitoring individual certificates under Key Store:

Figure 6: Sample Individual Certificates


Note

This is the only way SAP allows granting access to individual certificates. Although IT-Conductor™ only requires READ access, SAP does not configure any such actions out of the box. If your organization has qualified SAP J2EE developers, they can create custom actions that grant only READ access in SAP Java Studio and install them into the system. These actions can then be assigned to the ITCONDUCTOR_CERTIFICATES role instead of view-actions.all.all / entry-actions.all.all.
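
Because the all.all actions grant more than the READ access the monitoring user needs, it is worth checking periodically that ITCONDUCTOR_CERTIFICATES covers only the views approved for certificate monitoring. The following Python check is an added example, not IT-Conductor™ or SAP code; it assumes the role's actions have been copied by hand in the "keystore-view.<View Name> / <action>" form used on this page, and the ExampleViewA / ExampleViewB names and the sample list are constructed.

```python
import re

# Action name format as written on this page: "keystore-view.<View Name> / <action>"
ACTION_RE = re.compile(r"^keystore-view\.(?P<view>.+?)\s*/\s*(?P<action>\S+)$")
# The two actions this page assigns per monitored view.
REQUIRED = {"view-actions.all.all", "entry-actions.all.all"}


def audit_role(assigned_actions, approved_views):
    """Compare a role's assigned actions with the views approved for monitoring.

    Returns a dict with:
      missing    - {view: [actions still needed]} for approved views
      unapproved - views granted in the role but not on the approved list
      unexpected - lines that are not one of the two keystore-view actions
    """
    granted, unexpected = {}, []
    for raw in assigned_actions:
        line = raw.strip()
        if not line:
            continue
        m = ACTION_RE.match(line)
        if not m or m.group("action") not in REQUIRED:
            unexpected.append(line)
            continue
        granted.setdefault(m.group("view"), set()).add(m.group("action"))

    missing = {}
    for view in approved_views:
        gap = REQUIRED - granted.get(view, set())
        if gap:
            missing[view] = sorted(gap)
    unapproved = sorted(set(granted) - set(approved_views))
    return {"missing": missing, "unapproved": unapproved, "unexpected": unexpected}


# Constructed sample input (hypothetical view names except SecureLoginServer).
SAMPLE_ROLE = [
    "keystore-view.SecureLoginServer / view-actions.all.all",
    "keystore-view.SecureLoginServer / entry-actions.all.all",
    "keystore-view.ExampleViewA / view-actions.all.all",
    "keystore-view.ExampleViewB / entry-actions.all.all",
    "keystore-view.ExampleViewB / view-actions.all.all",
    "keystore/keystore-views",  # per this page, part of ITCONDUCTOR_MONITORING
]
APPROVED = ["SecureLoginServer", "ExampleViewA"]

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE, APPROVED).items():
        print(f"{key}: {value}")
```

A non-empty `unapproved` list means the monitoring user holds all.all rights on a view nobody signed off on; a non-empty `missing` list means the role lacks one of the two actions this page assigns for an approved view.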

