System messages contained a warning that PSE certificates were about to expire.
Introduction:
When end users log in to the system through SAP Logon in SAP GUI for the first time each day, the system notifies them that the validity of a certificate from the list with the PSE type SSL client (Standard) expires in 29 days.
End users are angry and alarmed when they log in to SAP GUI each morning and see this warning in the System Messages.
Enter transaction code SM21 as shown below.
As shown above, two PSE types were displayed: SSL Client (Anonymous) and SSL Client (Standard).
To find out which certificate list was about to expire, run the report SSF_ALERT_CERTEXPIRE in tcode SE38 or SA38. Hit ‘Execute’ as displayed below.
The output showed the certificate list. Scroll down until you see the certificate lists for SSL Client (Anonymous) and SSL Client (Standard).
Although the expiry showed only one month left, we still had time, and we decided to renew the certificate two days before it was due.
A report is scheduled as a background task each day at 3:00 am to verify the validity of the PSE certificates, so that certificates do not expire unnoticed. The warning period is 30 days. During that period the system sends a daily notification to all users telling them that the certificates will expire in 30 days.
To stop the system from issuing a notification about expiring certificates to all users in SM02 messages, we need to disable the certificate validity check so that no scheduled background job checks the validity of PSE certificates. The procedure to disable the certificate validity check is described below.
Solution:
Execute report SSF_ALERT_CERTEXPIRE using tcode SE38 or SA38.
As shown above, hit the “Lock AutoABAP” button.
The status bar then showed a message that AUTOABAP SSFALRTEXP was locked, i.e. deactivated, as shown below.
The system will therefore no longer issue a notification about expiring certificates to all users in SM02 messages.
However, even after AUTOABAP is locked, a few users or the SAP BASIS Admin user must still be notified that the PSE certificate(s) are about to expire, without informing all end users.
This is done by sending the message to specific technical users by SAP mail.
The procedure is described below.
Run the report SSF_ALERT_CERTEXPIRE using tcode SA38.
Enable the check box “Replacement for AutoABAP”.
Select the check box “Warn (recipient list)” as shown below and enter the SAP user ID. You can enter more than one user ID by clicking the right arrow key as shown below.
Create a variant, for example “ZCERTEXPIRE”. The system will send SAP mail to the designated user(s) on the recipient list to notify them that their PSE certificate is about to expire.
Make sure “Required field” is checked as shown above.
Then click save.
Then hit the left arrow key to go back to the previous screen.
Click Background.
Select the variant name from the drop-down arrow and then click Schedule.
Specify the date and time as shown above. Click Schedule periodically.
Set Days to 1 and press the Enter key.
The job will be scheduled in SM37 as shown below.
The system will send the warning message about expiring certificates by SAP mail only to the selected users included in the recipient list.
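The scheduling steps above can also be scripted, which helps when the same daily job has to be set up on several systems. The following is an added example, not part of the original post or of SAP's delivered code: the program name Z_SCHEDULE_CERTEXPIRE, the job name and the 03:00 start time beginning tomorrow are assumptions, and it expects the variant ZCERTEXPIRE with the recipient list to exist already.

```abap
REPORT z_schedule_certexpire.
* Added example: program name, job name and start time are assumptions.
DATA: gv_jobname   TYPE tbtcjob-jobname   VALUE 'Z_PSE_CERT_EXPIRY_ALERT',
      gv_jobcount  TYPE tbtcjob-jobcount,
      gv_startdate TYPE tbtcjob-sdlstrtdt,
      gv_starttime TYPE tbtcjob-sdlstrttm VALUE '030000',
      gv_prddays   TYPE tbtcjob-prddays   VALUE '01',
      gv_report    TYPE rsvar-report      VALUE 'SSF_ALERT_CERTEXPIRE',
      gv_variant   TYPE rsvar-variant     VALUE 'ZCERTEXPIRE',
      gv_rc        TYPE sy-subrc.

START-OF-SELECTION.
* The variant carries the recipient list, so stop if it is missing.
  CALL FUNCTION 'RS_VARIANT_EXISTS'
    EXPORTING report = gv_report variant = gv_variant
    IMPORTING r_c = gv_rc
    EXCEPTIONS OTHERS = 1.
  IF sy-subrc <> 0 OR gv_rc <> 0.
    MESSAGE 'Variant ZCERTEXPIRE not found' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Create the job header (it becomes visible in SM37 once closed).
  CALL FUNCTION 'JOB_OPEN'
    EXPORTING jobname = gv_jobname
    IMPORTING jobcount = gv_jobcount
    EXCEPTIONS OTHERS = 1.
  IF sy-subrc <> 0.
    MESSAGE 'JOB_OPEN failed' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Add the report with its variant as the single job step.
  SUBMIT ssf_alert_certexpire USING SELECTION-SET gv_variant
         VIA JOB gv_jobname NUMBER gv_jobcount AND RETURN.
  IF sy-subrc <> 0.
    MESSAGE 'Job step could not be added' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Release the job: first run tomorrow at 03:00, then every day.
  gv_startdate = sy-datum + 1.
  CALL FUNCTION 'JOB_CLOSE'
    EXPORTING jobcount = gv_jobcount jobname = gv_jobname
              sdlstrtdt = gv_startdate sdlstrttm = gv_starttime
              prddays = gv_prddays
    EXCEPTIONS OTHERS = 1.
  IF sy-subrc <> 0.
    MESSAGE 'JOB_CLOSE failed' TYPE 'S' DISPLAY LIKE 'E'.
  ENDIF.
```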
Conclusion:
End users won’t receive any more notifications about expired certificates in the future.
The AUTOABAP run for report SSFALRTEXP is scheduled daily at 3:00 am to check the validity of certificates and issue a warning message to all end users in the system messages in tcode SM02. The AUTOABAP run for report SSFALRTEXP can be locked using report SSF_ALERT_CERTEXPIRE. The report SSF_ALERT_CERTEXPIRE is then used in place of SSFALRTEXP to check the validity of certificates and issue a warning message to specific users or one BASIS Admin user by mail in the SAP inbox.
For your information, you can also see the corresponding entry in table “TUCON”.
If you click unlock_AUTOABAP in report SSF_ALERT_CERTEXPIRE, the table entry “Cert Check AUTOABAP OFF” will disappear from the table “TUCON” as shown below.
Reference:
OSS note 572035 – Warning about expired security certificates
Thanks for reading!
Dear Prasad,
Thank you for this blog, it really helped us, but I'm facing an issue with email notification: we are not getting any email notification to the list of users mentioned about certificate expiry. Can you help me with what can be checked?
Regards,
Balaji B
Hi Balaji,
Please share your mail id in mail. My mail id is given in the link here SAP People
Good & useful blog.