Author: Cristiano Hansen

SSF_ALERT_CERTEXPIRE: invalid message received in email

Report SSF_ALERT_CERTEXPIRE checks PSEs for certificates that have expired or are about to expire.

The expected message is an email containing the name of the PSE that needs to be analyzed.

Because of a configuration issue, the message actually received may not be valid.

This can be resolved by using transaction code ALRTCATDEF.

After double-clicking “Security-Relevant Alerts”, the properties show “Expiry of Certificates (SNC, SSF, SSL…)”.

The messages are defined on the “Long and Short Text” tab.

If there are red lights in “Short Text (SMS, Pager)” and “Long Text (E-Mail, Fax)”, then this is the reason for the incorrect message.

Edit the texts (click the “Display/Change” button in the toolbar), adding:

“…

Certificate expires in &DAYS& days in system &SYS& (PSE type > &PSE&)

…”

for the first (short text).

And:

“…

The system determined that a certificate of PSE type >&PSE&<(administered by system &SYS&) expires in &DAYS& days.

You must extend or renew this certificate immediately.

Run the report SSF_ALERT_CERTEXPIRE. This report produces a list of all installed certificates, together with their expiration dates.

Alternatively, call transaction STRUST. The message displayed contains the PSE type (a node) in which you can find the certificate in question.

…”

for the second (long text).

The issue is resolved.
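
A mail-side check for the symptom described above, as an added example that is not part of the original post or of SAP's code: it turns the two alert texts from this article into regular expressions and reports a mail as invalid when the variables were not filled in. The value patterns assumed for &DAYS&, &SYS& and &PSE&, the function names and the sample mails are constructed for illustration.

```python
import re

# Alert texts copied from the article (short text; first sentence of the long text).
SHORT_TEXT = "Certificate expires in &DAYS& days in system &SYS& (PSE type > &PSE&)"
LONG_TEXT = ("The system determined that a certificate of PSE type >&PSE&<"
             "(administered by system &SYS&) expires in &DAYS& days.")

# Assumed value shapes for the three variables (not taken from SAP documentation).
FIELDS = {"DAYS": r"-?\d+", "SYS": r"[A-Z][A-Z0-9]{2}", "PSE": r"[^<>()&]+?"}

# Constructed sample mails: two well-formed, two showing the invalid-message symptom.
SAMPLES = [
    "Certificate expires in 14 days in system PRD (PSE type > SSL client Standard)",
    "The system determined that a certificate of PSE type >SNC SAPCryptolib<"
    "(administered by system\nQAS) expires in 7 days.\n"
    "You must extend or renew this certificate immediately.",
    "Alert ID 42",
    SHORT_TEXT,  # variables never substituted
]


def template_to_regex(template):
    """Compile an alert text with &VAR& placeholders into a regex with named groups."""
    pieces = re.split(r"&([A-Z_]+)&", template)  # odd indexes are variable names
    pattern = ""
    for i, piece in enumerate(pieces):
        if i % 2 == 0:
            pattern += re.escape(piece)
        elif piece in FIELDS:
            pattern += "(?P<%s>%s)" % (piece, FIELDS[piece])
        else:  # a typo such as &DAY& would reach the mail unresolved
            raise ValueError("unknown variable &%s& in alert text" % piece)
    return re.compile(pattern)


def parse_alert(text, templates=(SHORT_TEXT, LONG_TEXT)):
    """Return DAYS, SYS and PSE from an alert mail, or None if the mail is invalid."""
    flat = " ".join(text.split())  # undo line wrapping added in transit
    for template in templates:
        match = template_to_regex(template).search(flat)
        if match:
            fields = {k: v.strip() for k, v in match.groupdict().items()}
            fields["DAYS"] = int(fields["DAYS"])
            return fields
    return None


if __name__ == "__main__":
    for mail in SAMPLES:
        print(parse_alert(mail) or "INVALID: %r" % mail)
```

A `None` result for a mail from the alert sender is the cue to re-check the short and long texts in ALRTCATDEF.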

References

SAP Note 572035 – Warning about expired security certificates

SAP Note 588297 – Warnings about security certificates in the system logs

KBA 1493038 – Error SALERT125 “Internal error in configuration” in Alert management using transaction ALRTCATDEF

 


      5 Comments
      Úlfar Markús Ellenarson

      Though I have green for both short and long text in alert category SECSSFCERTEXPIRE I am still only receiving alert ID ## and not the long text in the email message body. I am perplexed as I cannot find any SAP Notes about this or more information about alert category SECSSFCERTEXPIRE.

      Cristiano Hansen
      Blog Post Author

      Hello Úlfar,

       

      Could you double check the steps from the blog?
      If the issue persists then you can raise an Expert Chat or an incident to address this.

       

      Kind regards,
      Cris

      Nicolaas Johannes Van Zyl

      Hi Cristiano,

      Just need to amend the text slightly. Please note I left out the SID part for the screenshot image on purpose.

      Current text is:

      Certificate expires in &DAYS& in system &SYS& (PSE type > &PSE&)

      Leads to this message:

      [Image: cert expire message]

      Correct text: 

      Certificate expired in &DAYS& Days in system &SYS& (PSE Type > &PSE&)

      For the long text this works:

      The system determined that a certificate of PSE type > &PSE& <(administered by system &SYS&) expires in &DAYS& Days.

      You must extend or renew this certificate immediately.
      Run the report SSF_ALERT_CERTEXPIRE.
      This report produces a list of all installed certificates, together with their expiration dates.

      Alternatively, call transaction STRUST. The message displayed contains the PSE type (a node) in which you can find the certificate in question.

      Also reference to note

      1493038 - Error SALERT125 Internal error in configuration in Alert management using transaction ALRTCATDEF

      Thanks for the good blog however 🙂

      Best Regards,

      Johan

       

       

      Cristiano Hansen
      Blog Post Author

      Nice catch Johan (after 5 years published!).

      Just updated the blog, with your suggestions.

      Cheers,

      Cris

      Turgay Demirci

      Hi Cristiano,

      Is there any way to get certificate name in e-mail?

      Thanks