Keystore Views and Certificates Monitoring

In SAP, J2EE stores certificates and keys in multiple virtual key stores called Keystore Views.

The keys and certificates in the Key Storage views can be used for encryption, identification, and verification when using AS Java functions.

The Key Storage entries themselves are stored in a distributed database.

IT-Conductor Monitoring

IT-Conductor provides a convenient approach to monitoring Keystore Views and Certificates.

  • All Keystore Views are discovered automatically.

  • Keystore Certificates are discovered if permissions to specific Keystore Views are granted to the IT-Conductor monitoring user.

  • Thresholds can be configured for monitoring Keystore View status. (This is calculated by SAP as the "worst of" status for all the entries in the view.)

  • Thresholds can be configured for monitoring Certificate Expiration and Days To Expiration.


  • Access to Keystore View discovery and high-level monitoring is governed by keystore/keystore-views action and is included in the standard ITCONDUCTOR_MONITORING role.

  • Access to the individual certificates has to be granted as specific actions and configured by customers as needed.

For example: Monitoring the certificates in SecureLoginServer Keystore view.

  • The IT-Conductor monitoring user needs to have specific permissions (actions) assigned for this view. Let us create a new role ITCONDUCTOR_CERTIFICATES and assign the following actions:

    • keystore-view.SecureLoginServer / view-actions.all.all

    • keystore-view.SecureLoginServer / entry-actions.all.all

  • Repeat this for all views that require their certificates to be monitored:

    • keystore-view.<View Name> / view-actions.all.all

    • keystore-view.<View Name> / entry-actions.all.all

  • Assign the newly created role ITCONDUCTOR_CERTIFICATES to the IT-Conductor monitoring user.

  • IT-Conductor will discover and start monitoring individual certificates under Key Store.

Note: This is the only way SAP allows granting access to individual certificates. Although IT-Conductor only requires READ access, there are no such actions configured out-of-the-box by SAP. If your organization has qualified SAP J2EE developers, they can create custom actions to grant only READ access in SAP Java Studio and install them into the system. These actions can be assigned to the ITCONDUCTOR_CERTIFICATES role instead of view-actions.all.all/ entry-actions.all.all

Related Information

Last updated