# Keystore Views and Certificates Monitoring

In SAP, the J2EE engine (AS Java) stores certificates and keys in multiple virtual key stores called Keystore Views.

The keys and certificates in the Key Storage views can be used for encryption, identification, and verification when using AS Java functions.

The Key Storage entries themselves are stored in a distributed database.

### IT-Conductor Monitoring <a href="#keystoreviewsandcertificatesmonitoring-monitoring" id="keystoreviewsandcertificatesmonitoring-monitoring"></a>

IT-Conductor provides a convenient approach to monitoring Keystore Views and Certificates.

* All Keystore Views are discovered automatically.
* Keystore Certificates are discovered if permissions to specific Keystore Views are granted to the IT-Conductor monitoring user.
* Thresholds can be configured for monitoring Keystore View status. (This is calculated by SAP as the "worst of" status for all the entries in the view.)
* Thresholds can be configured for monitoring Certificate Expiration and Days To Expiration.

![Figure 1: Sample Keystore Views and Certificates](https://377464071-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXhp08OmU8050PePmMgDt%2Fuploads%2FPtZoe8MgUYJ7Crp1VPk0%2FKeystore%20views.png?alt=media\&token=17b3da16-14b6-4acd-b960-5fd764975fea)
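The sketch below shows how Days To Expiration thresholds and a "worst of" view status fit together, and why a view whose entries cannot be read should not be counted as healthy. It is an added example, not IT-Conductor or SAP code; the status levels, the 30/7-day thresholds, and all sample entries and view names other than SecureLoginServer are assumptions.

```python
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Status(IntEnum):          # ordered so max() yields the "worst of"
    OK = 0
    WARNING = 1
    CRITICAL = 2
    EXPIRED = 3

WARN_DAYS, CRIT_DAYS = 30, 7    # assumed thresholds, not product defaults

def entry_status(not_after, now):
    """Return (days_to_expiration, Status) for one certificate entry."""
    days = (not_after - now).days   # floors, so it is negative once expired
    if not_after <= now:
        return days, Status.EXPIRED
    if days <= CRIT_DAYS:
        return days, Status.CRITICAL
    if days <= WARN_DAYS:
        return days, Status.WARNING
    return days, Status.OK

def view_report(views, entries, now):
    """Map each view to (worst status, [(alias, days, status), ...]).
    A view with no readable entries maps to None, not OK: nothing was checked."""
    report = {view: (None, []) for view in views}
    for view, alias, not_after in entries:
        days, status = entry_status(not_after, now)
        worst, detail = report.get(view, (None, []))
        detail.append((alias, days, status))
        report[view] = (status if worst is None else max(worst, status), detail)
    return report

# Constructed sample data; only SecureLoginServer is a name from the page.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
VIEWS = ["SecureLoginServer", "ExampleViewA", "ExampleViewB"]
ENTRIES = [
    ("SecureLoginServer", "root-ca", NOW + timedelta(days=900)),
    ("SecureLoginServer", "user-ca", NOW + timedelta(days=20)),
    ("ExampleViewA", "ssl-server", NOW + timedelta(days=3, hours=6)),
    ("ExampleViewA", "old-partner", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for view, (worst, detail) in view_report(VIEWS, ENTRIES, NOW).items():
        print(view, "NOT MONITORED" if worst is None else worst.name)
        for alias, days, status in detail:
            print(f"  {alias}: {days} days, {status.name}")
```
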

### Permissions <a href="#keystoreviewsandcertificatesmonitoring-permissions" id="keystoreviewsandcertificatesmonitoring-permissions"></a>

* Access to Keystore View discovery and high-level monitoring is governed by the **keystore/keystore-views** action, which is included in the standard **ITCONDUCTOR\_MONITORING** role.

![Figure 2: ITCONDUCTOR\_MONITORING Assigned Actions View in Detail](https://377464071-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXhp08OmU8050PePmMgDt%2Fuploads%2FcV2jaw4Gm1HdBlfWdFqi%2FKeystore%20assigned%20action.png?alt=media\&token=87bfcf95-c9e1-49ec-b726-63b5fa57db2f)

* Access to the individual certificates has to be granted as specific actions and configured by customers as needed.

For example, to monitor the certificates in the **SecureLoginServer** Keystore View:

![Figure 3: Sample SecureLoginServer View in Detail](https://377464071-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXhp08OmU8050PePmMgDt%2Fuploads%2FDo5gEOe9TQmSkzXixGzD%2FSecureLoginServer.png?alt=media\&token=10e04baf-f773-48e4-a048-44a73028c997)

* The IT-Conductor monitoring user needs to have specific permissions (actions) assigned for this view. Let us create a new role **ITCONDUCTOR\_CERTIFICATES** and assign the following actions:
  * **keystore-view\.SecureLoginServer / view-actions.all.all**
  * **keystore-view\.SecureLoginServer / entry-actions.all.all**

![Figure 4: Sample ITCONDUCTOR\_CERTIFICATES View in Detail (a)](https://377464071-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXhp08OmU8050PePmMgDt%2Fuploads%2FmyAkVey2CHFfN39BcRiP%2FCertificates.png?alt=media\&token=a26b34fc-5920-4348-90a0-409e05afba4d)

![Figure 5: Sample ITCONDUCTOR\_CERTIFICATES View in Detail (b)](https://377464071-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXhp08OmU8050PePmMgDt%2Fuploads%2Fut7hk6wMdDORQZy6Mz9t%2FCertificates\(2\).png?alt=media\&token=593cf809-6744-4582-92fe-d8fdbb74d0ff)

* Repeat this for all views that require their certificates to be monitored:
  * **keystore-view.\<View Name> / view-actions.all.all**
  * **keystore-view.\<View Name> / entry-actions.all.all**
* Assign the newly created role **ITCONDUCTOR\_CERTIFICATES** to the IT-Conductor monitoring user.
* IT-Conductor will discover and start monitoring individual certificates under Key Store.

![Figure 6: Sample Individual Certificates](https://377464071-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXhp08OmU8050PePmMgDt%2Fuploads%2Fv6pXjILH5jdtAHyIwRoO%2FSample%20Individual%20Certificates.png?alt=media\&token=fbf1aa43-13d8-41d8-8e2c-d1a0c0dfe0fc)

{% hint style="info" %}
**Note:** This is the only way SAP allows granting access to individual certificates. Although IT-Conductor only requires READ access, there are no such actions configured out-of-the-box by SAP. If your organization has qualified SAP J2EE developers, they can create custom actions that grant only READ access in SAP Java Studio and install them into the system. These actions can then be assigned to the ITCONDUCTOR\_CERTIFICATES role instead of view-actions.all.all / entry-actions.all.all.
{% endhint %}

### Related Information <a href="#keystoreviewsandcertificatesmonitoring-moreinformation" id="keystoreviewsandcertificatesmonitoring-moreinformation"></a>

* [SAP PO Application Monitoring](https://docs.itconductor.com/user-guide/monitoring/sap/netweaver/j2ee-system/po-application-monitoring)
* [SAP J2EE Monitoring Role](https://docs.itconductor.com/user-guide/monitoring/sap/netweaver/j2ee-system/monitoring-role)

