Skip to Content
Product Information

SAP Cloud Integration – Automated Notification of Keystore Entries Reaching Expiry


Cloud Integration Keystore Monitor allows a tenant administrator to manage the tenant keystore and its entries. A keystore contains entries uniquely identified by an alias where each entry has its own lifecycle. Renewal of an entry is important task to be done before expiry, else it will lead to message failure for productive scenarios using specific certificates/key-pairs entries. The tenant administrator can be notified for those entries which are about to expire, so that he can take in-time actions for renewal of the same.

Within keystore monitor, expired keys and certificates are highlighted showing expiration date. In addition, an Integration Flow can be modeled to get notifications via mail for entries reaching their expiry. This document provides steps to model a scenario triggered via scheduler which looks across all entries of the tenant keystore and sends a mail with information about those entries reaching their expiry.

Scenario Description

Cloud Integration provides various REST APIs with technical protocol as Open Data Protocol (OData) with which you can access data. These APIs can be consumed via https://<tmnUrl>/api/v1 where <tmn> is the address of the tenant management node. Here we will use API for accessing keystore entries via https://<tmnUrl>/api/v1/KeystoreEntries .Overall scenario looks as below:

Create an integration flow with Start Timer Event. Using Request-Reply step call OData APIs to fetch details of the tenant keystore entries via OData receiver channel. Fetch Alias Name and ValidNotAfter for entity KeystoreEntries. Below find the configuration of OData Receiver channel:

Make sure the Page Size field value is null since entries in a keystore are not so many in numbers.

The response of the OData call will be a file containing all keystore entries with their Alias & Validity date. Now add a General Splitter step to split using XPath /KeystoreEntries/KeystoreEntry and pass split entries to a Local Integration Process.

In Local Integration Process, define a Content Modifier and store the values of keystore entry Alias and Validity Time in a header.

Additionally, add a message containing Alias & Validity Time information about keystore entry in body of Content Modifier. This message will be send via mail notification. You can choose to customize this information as per your need.

Now add a script to fetch Validity Time from header and compare with current date. Output of script shall be number of days left for Keystore entry to expire. You can find a sample code below:

     def map = message.getHeaders();

     String getCertExpirydate = map.get(“CertExpiryDate”);

     Date CertExpirydate = new SimpleDateFormat(“yyyy-MM-dd“).parse(getCertExpirydate);

     Date dateNow = new Date(System.currentTimeMillis());

     long dateDiff = CertExpirydate.getTime() – dateNow.getTime();

     def daysToExpire = TimeUnit.DAYS.convert(dateDiff, TimeUnit.MILLISECONDS);

     message.setHeader(“daysToExpire”, daysToExpire);

Add a router step to route those entries whose expiry is in less than defined number of days (e.g. daysToExpire < 4) and send an email to specific participants informing them about the expiry.

You must be Logged on to comment or reply to a post.
  • Hello
    Thanks a lot for your blog. it's perfect.
    I have created the package, deploy.. and everything is green.. But I don't receive any email with the alert...
    How can I verify in which part is not working properly?

  • Hello Amar

    Thanks for you helping.
    I have obtained the error in Content Modifier

    Error Details
    org.apache.camel.CamelExecutionException: Exception occurred during execution on the exchange: Exchange[ID-vsa5107462-40927-1541369381630-22-5], cause: org.apache.camel.language.simple.types.SimpleParserException: expected symbol functionEnd but was eol

    What does it mean?. any idea?


      Hello Toni

      Seems some issue with conversion. Can you recheck Header configuration in Content Modifier step and you are using right Type for Header defined as well as body is correct.




  • Hello Amar,

    Now, I have problems with script:

    Error Details
    javax.script.ScriptException: org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed: script__Script.groovy: 5: unable to resolve class SimpleDateFormat @ line 5, column 28. Date CertExpirydate = new SimpleDateFormat(���yyyy-MM-dd���).parse(getCertExpirydate)
    Somehting is wrong
    • Hello Toni

      Kindly confirm if you copied the script code from above blog and pasted it. If this is the case, copy/paste sometime changes format for special characters and they are no more recognized during runtime when corresponding jars are created.

      Kindly write that specific line of code and recheck.





  • Hello Amar,


    No I have obtained an other error, in my script:

    javax.script.ScriptException: groovy.lang.MissingPropertyException: No such property: message for class: new__Script, cause: groovy.lang.MissingPropertyException: No such property: message for class: new__Script


    What does it means?


    Best regards


      Hello Hilmar

      Do you mean any Where-Used list for certificates/Keystore entires from the entire set. In case yes, this is not possible as of now.

      Feel free to file your request to Mandy Krimmel regarding the same.


      Warm Regards



    Hello Deepak

    Sorry for wrong link. Here is the correct one: Can you recheck.




    • Hello Swati

      The Content Modifier used in Local integration process is to read each Certificate/Keypair and store the same in header/property. In addition use this to create body of the mail being sent to Administrator so that Administrator easily know which entry is reaching expiry and accordingly take appropriate actions for renewal of the same.



    • Hello Anil

      You would need AuthGroup.Administrator role on the tenant to call the APIs or deploy a credential with a user having this role and then use this credential in your flow.




  • Hi Amar,

    Thank you for your helpful blog, everything working fine for me. Right now with the above approach i am getting four mails if there are four items expires in same date. I am looking to send only one mail for all four expire items. Can i achieve this with help of Gather with splitter ? or can you suggest what would better approach.



    • Hello Swati

      Straight forward using Gather & Join would not be enough since Gather is meant for collecting data coming from multiple routes.

      Easiest would be store/append certificate in SFTP and then have another flow which pulls data from SFTP and send it collectively to mail receiver.




    • Hi Shubham

      Actually in my blog description, I write as:

      In Local Integration Process, define a Content Modifier and store the values of keystore entry Alias and Validity Time in a header.

      However you have defined Property in Content Modifier and hence you need to change your script code instead of def map = message.getHeaders(); 


      def propertiesMap=message.getProperties();
      Hope it helps !
      • Hi Kumar Amar ,


        Thanks for your response.

        I am again receiving the below error :

        Error Details
        java.lang.NoSuchMethodException: No signature of method: java.lang.Long.–() is applicable for argument types: (java.lang.Long) values: [1601041902697] Possible solutions: is(java.lang.Object), or(java.lang.Number), abs(), abs(), any(), wait(long)
        Could you please now help me in this.
        Groovy script is not at all working.
        • Hello Shubam

          Kindly check someone at your end for Groovy script code. I used the below code and it works for me.

          import java.util.HashMap;
          import java.text.SimpleDateFormat;
          import java.util.Date;
          import java.util.concurrent.TimeUnit;
          import groovy.json.JsonSlurper;
          import java.util.HashMap;
          import java.nio.file.Files;
          import java.nio.file.Paths;
          import java.nio.file.StandardOpenOption;
          import java.util.Map;
          import java.util.concurrent.ExecutorService;
          import java.util.concurrent.Executors;
          import java.util.concurrent.Callable;
          import org.slf4j.Logger;
          import org.slf4j.LoggerFactory;
          import groovy.json.JsonOutput

          def Message processData(Message message) {

          def map = message.getHeaders();
          String getCertExpirydate = map.get("CertExpiryDate");
          Date CertExpirydate = new SimpleDateFormat("yyyy-MM-dd").parse(getCertExpirydate);
          Date dateNow = new Date(System.currentTimeMillis());
          long dateDiff = CertExpirydate.getTime() - dateNow.getTime();
          def daysToExpire = TimeUnit.DAYS.convert(dateDiff, TimeUnit.MILLISECONDS);

          message.setHeader("daysToExpire", daysToExpire);

          return message;




  • Hi Kumar Amar,

    It's a great blog.

    Similarly, Is it possible to trigger the public key expiry notification from the pubring deployed as security Material in the CPI Tenant? Pubring contains around 20 public keys, We have a requirement to notify if any of the key is going to expire.

    Thanks in advance,

    Poushali Bhandari


    • Hi Poushali

      Thanks for your inputs. Unfortunately this is not possible. I will inform about your requirement to my development team.




  • Is this solution valid for cloud foundry as well. As there is no certifiacte to user mapping for cloud foundry, is there any way we can use this solution in cloud foundry tenants.

    • Hello Harish

      Yes this is valid for getting notification for Certificates reaching expiry within the Keystore.

      As anyways there is no concept of Certificate to User Mapping in Cloud Foundry, this is not a valid query as such.