Introduction:
When end users use saplogon in the sapgui screen to log into the system for the first time, the system notifies them that the validity of a certificate from the list with the PSE type >SSL client (standard) expires in 29 days.
End users are angry and alarmed when they initially log in to the SAPgui screen each morning and see the warning message in the System Messages.
Enter tx code SM21 as shown below
As shown above, two PSE types such as SSL Client (Anonymous) and SSL Client (Standard) were displayed.
To find out which certificate list was about to expire, run the report SSF_ALERT_CERTEXPIRE in tcode SE38 or SA38. Hit 'Execute' as displayed below.
Hit Execute as shown above.
The output showed Certificate list . Scroll down till you see the certificate list for SSL Client (Anonymous) and SSL Client (Standard).
Despite the fact that the expiry showed one month left, we still had time. Additionally, we made the decision to renew the certificate two days before it was due.
One report was scheduled in the background task each day at 3:00 am to verify the validity of the PSE certificates in order to avoid the certificate(s) from expiring. The warning period is 30 days. The system sends out a notification to all users notifying them that the certificates will expire in 30 days daily .
To prevent from the system issuing a notification to all users in SM02 messages about expiring certificates, we need to disable the Certificate check validity so that there will be no scheduled background job to check the validity of PSE certificates. The procedure to disable the certificate check validity is described below
Solution:
Execute report SSF_ALERT_CERTEXPIRE using tcode se38 or sa38.
As shown above, hit "Lock AutoABAP " button .
The message in the status bar appeared that "AUTOABAP SSFALRTEXP was locked i.e. deactivated as shown below
So the system will not issue a notification to all users in SM02 messages about expiring certificates in the future.
However, only few users or SAP BASIS Admin user must be notified without informing all end- users that the PSE certificate(s) was going to expire even after AUTOABAP was locked.
This is done by sending the message to the specific technical user in SAP mail .
The procedure is described below
Run the report SSF_ALERT_CERTEXPIRE using tcode SA38
Enable check box for Replacement for AutoABAP
Select check box in Warn (recipient list) as shown below and enter SAP userid . You can enter more than one userid by clicking right arrow key as shown below
Create a variant, for example "ZCERTEXPIRE", System will send SAP mail to the designated user(s) listed on the recipient list to notify them of the alerts generated that their PSE certificate is about to expire.
Make sure the "Required field" must be checked as shown above.
Then click save.
Then hit Left arrow key back to previous screen.
Click Background.
Select the Variant name from the downward arrow and then click Schedule
specify date and Time as shown above . Click Schedule periodically
Select Days to 1 and click enter key.
Job will be scheduled in SM37 as shown below
The system will send the warning message about expiring certificates in SAP mail for only selected users included in the recipient list.
Conclusion:
End users won't receive any more notifications about expired certificates in future .
AUTOABAP run for report SSFALRTEXP is scheduled daily to check the validity of certificates at 3:00 am and issue a warning message to all end users in the system messages in tcode SM02. There is an option to lock the AUTOABAP run for report SSFALRTEXP using report SSF_ALERT_CERTEXPIRE . This report SSF_ALERT_CERTEXPIRE is used in place of SSFALRTEXP to check the validity of certificates and issue a warning message to specific users or one BASIS Admin user in SAP inbox mail.
Also you can see the entry in table "TUCON" for your information.
If you click unlock_AUTOABAP in report SSF_ALERT_CERTEXPIRE, then table entry "Cert Check AUTOABAP OFF" will be disappeared from the table "TUCON" as shown below
Reference:
OSS note 572035 - Warning about expired security certificates
Thanks for reading!
Follow for more such posts by clicking on FOLLOW => aprao
Please share your thoughts and feedbacks on this blog in a comment.
When end users use saplogon in the sapgui screen to log into the system for the first time, the system notifies them that the validity of a certificate from the list with the PSE type >SSL client (standard) expires in 29 days.
End users are angry and alarmed when they initially log in to the SAPgui screen each morning and see the warning message in the System Messages.
Enter tx code SM21 as shown below
As shown above, two PSE types such as SSL Client (Anonymous) and SSL Client (Standard) were displayed.
To find out which certificate list was about to expire, run the report SSF_ALERT_CERTEXPIRE in tcode SE38 or SA38. Hit 'Execute' as displayed below.
Hit Execute as shown above.
The output showed Certificate list . Scroll down till you see the certificate list for SSL Client (Anonymous) and SSL Client (Standard).
Despite the fact that the expiry showed one month left, we still had time. Additionally, we made the decision to renew the certificate two days before it was due.
One report was scheduled in the background task each day at 3:00 am to verify the validity of the PSE certificates in order to avoid the certificate(s) from expiring. The warning period is 30 days. The system sends out a notification to all users notifying them that the certificates will expire in 30 days daily .
To prevent from the system issuing a notification to all users in SM02 messages about expiring certificates, we need to disable the Certificate check validity so that there will be no scheduled background job to check the validity of PSE certificates. The procedure to disable the certificate check validity is described below
Solution:
Execute report SSF_ALERT_CERTEXPIRE using tcode se38 or sa38.
As shown above, hit "Lock AutoABAP " button .
The message in the status bar appeared that "AUTOABAP SSFALRTEXP was locked i.e. deactivated as shown below
So the system will not issue a notification to all users in SM02 messages about expiring certificates in the future.
However, only few users or SAP BASIS Admin user must be notified without informing all end- users that the PSE certificate(s) was going to expire even after AUTOABAP was locked.
This is done by sending the message to the specific technical user in SAP mail .
The procedure is described below
Run the report SSF_ALERT_CERTEXPIRE using tcode SA38
Enable check box for Replacement for AutoABAP
Select check box in Warn (recipient list) as shown below and enter SAP userid . You can enter more than one userid by clicking right arrow key as shown below
Create a variant, for example "ZCERTEXPIRE", System will send SAP mail to the designated user(s) listed on the recipient list to notify them of the alerts generated that their PSE certificate is about to expire.
Make sure the "Required field" must be checked as shown above.
Then click save.
Then hit Left arrow key back to previous screen.
Click Background.
Select the Variant name from the downward arrow and then click Schedule
specify date and Time as shown above . Click Schedule periodically
Select Days to 1 and click enter key.
Job will be scheduled in SM37 as shown below
The system will send the warning message about expiring certificates in SAP mail for only selected users included in the recipient list.
Conclusion:
End users won't receive any more notifications about expired certificates in future .
AUTOABAP run for report SSFALRTEXP is scheduled daily to check the validity of certificates at 3:00 am and issue a warning message to all end users in the system messages in tcode SM02. There is an option to lock the AUTOABAP run for report SSFALRTEXP using report SSF_ALERT_CERTEXPIRE . This report SSF_ALERT_CERTEXPIRE is used in place of SSFALRTEXP to check the validity of certificates and issue a warning message to specific users or one BASIS Admin user in SAP inbox mail.
Also you can see the entry in table "TUCON" for your information.
If you click unlock_AUTOABAP in report SSF_ALERT_CERTEXPIRE, then table entry "Cert Check AUTOABAP OFF" will be disappeared from the table "TUCON" as shown below
Reference:
OSS note 572035 - Warning about expired security certificates
Thanks for reading!
Follow for more such posts by clicking on FOLLOW => aprao
Please share your thoughts and feedbacks on this blog in a comment.
- SAP Managed Tags:
3 Comments
