
Certificates

Data Description

The PowerConnect Java agent is able to extract certificate metadata from the SAP system. This data can be leveraged for SAP certificate monitoring use cases.

Potential Use Cases

This event could be used in the following scenarios:

  • Alert on expiry of certificates

  • Visualize all certificate information including root CA

  • Alert when a new certificate is added to the SAP system

PowerConnect Administrative Console Configuration

Important: None of the configurations below requires a restart of the PowerConnect agent.

  • Log in to the PowerConnect administrative console via the following URL: http://<serverhost>:<port>/powerconnect-java/index.html

  • Then click on the Overview tab on the left. The screen will look like the screenshot below. Ensure that Certificates is checked and click Save.

image-20240315-212253.png

Certificate Permissions Configuration

By default, the powerconnect user only has permission to monitor certificates in the TrustedCAs keystore. To add other keystores, do the following:

  • Log in to the NWA UME Console via the following URL: http://<serverhost>:<serverport>/useradmin

  • Search for the powerconnect role you created when installing the agent (usually called powerconnect or JMXManageAll)

image-20240315-212908.png

  • Click the Assigned Actions tab, then click Modify

  • Search for each Keystore you would like to monitor. The action permission format is keystore-view.<KeystoreName>, for example: keystore-view.WebServiceSecurity

  • Select the resulting actions and click Add

  • Repeat for each Keystore, then click Save

  • To see a list of your Keystores, go to the Certificates and Keys: Key Storage view in the NWA Console (http://<serverhost>:<serverport>/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/FloorPlanApp?applicationID=com.sap.itsam.cfg.sec.keystore&applicationViewID=key_storage)

  • The Name column contains the list of the Keystore names

Event

The event will look like this:

There is an out-of-the-box Splunk dashboard available in the PowerConnect Splunk app:

  • Open the PowerConnect Splunk app

  • In the navigation bar click Java → NW → Netweaver Java: Certificate Monitoring

  • The dashboard will be displayed