Dynatrace STRUST Made it Easy

This article was authored by Jetendra Pinninty, SAP and Splunk Consultant at RHONDOS.

SSL/TLS Certificates and Certificate Monitoring in SAP with STRUST

In today’s digital world, data security is not just a luxury, it's a necessity. Whether you're browsing a website, making an online purchase, or integrating enterprise systems, SSL/TLS certificates play a vital role in keeping communications secure and private.

SAP systems are no exception. They rely heavily on SSL/TLS protocols to ensure encrypted data transfer across system components, users, and external services. Let’s explore how these certificates work and how SAP’s STRUST transaction enables efficient certificate management.

What are SSL/TLS Certificates?

An SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificate enables secure, encrypted communication over the internet, especially via HTTPS. These certificates ensure that:

  • Sensitive data (e.g., personal details, login credentials, or financial info) is encrypted during transmission.

  • Data can be read only by the intended recipient; traffic intercepted by unauthorized parties remains unreadable.

  • The server or system can authenticate itself, establishing trust with the client.

Without these certificates, sensitive information can be intercepted as it travels across networks, leaving users vulnerable to cyber threats.

STRUST in SAP

In SAP, the transaction code STRUST (Trust Manager) is your go-to tool for SSL/TLS certificate management. It ensures that your SAP systems communicate securely with internal and external partners by maintaining valid and trusted certificates.

Key Functionalities of STRUST:

The STRUST transaction in SAP is the central interface for managing the security infrastructure that enables encrypted and trusted communication across SAP and non-SAP systems. This includes handling SSL/TLS encryption, authentication through digital certificates, and the overall trust landscape between your SAP system and external entities. As organizations increasingly rely on secure web protocols and integrations, STRUST becomes a vital part of the Basis administrator’s toolkit.

At the heart of STRUST lies the management of Personal Security Environments (PSEs). A PSE is essentially a secure container that holds the system’s private key, its digital certificate, and a list of trusted Certificate Authorities (CAs). Each component of the SAP landscape that requires secure communication—be it WebGUI over HTTPS, SAP Gateway services, or outbound API calls—uses a dedicated PSE. STRUST provides a way to generate new PSEs, update existing ones, and assign them to specific roles like SSL Server or SSL Client, depending on how the SAP system is functioning in a given scenario.

One of the key operations performed in STRUST is generating Certificate Signing Requests (CSRs). When you need your SAP system to be recognized and trusted by other systems or browsers, the system's certificate must be signed by a reputable Certificate Authority. STRUST allows administrators to generate a CSR, which contains the public key and system identification details. This request is then sent to a CA, which returns a signed certificate that can be imported back into STRUST to finalize the secure setup.

In addition to generating CSRs, STRUST is also used to import and export certificates. This feature is critical when your SAP system needs to establish a trust relationship with an external partner or another SAP instance. By importing a partner’s certificate into your system’s trust store—or exporting your own for external use—you create a mutual trust foundation, ensuring that encrypted communications are recognized and accepted on both ends.

Maintaining the Certificate Trust List (CTL) is another core responsibility within STRUST. The CTL defines which certificate authorities your SAP system will trust. It’s similar to telling the system, “Only accept certificates that are signed by these specific entities.” This ensures that unverified or potentially malicious certificates are automatically rejected, protecting your system from man-in-the-middle attacks and unauthorized access.

Equally important is the ability to monitor certificate validity. Every certificate comes with an expiration date, and failing to renew it on time can lead to serious disruptions in services. STRUST displays validity periods for each certificate, enabling administrators to proactively track expiration dates and perform renewals well in advance. This helps prevent outages caused by expired certificates and maintains continuous secure access to essential SAP services.

The transaction also allows you to define SSL identities for the system, distinguishing between server-side and client-side roles. For example, the SSL Server PSE is used when the SAP system acts as a web server—serving Fiori apps or WebGUI through HTTPS—while the SSL Client PSE is used when the system initiates secure connections to external services or APIs. Each of these requires a properly configured and signed certificate to function correctly.

Finally, one of the most user-friendly aspects of STRUST is its ability to visualize certificate chains. It presents the hierarchy of trust in a tree format, starting with the root certificate authority, then showing any intermediate CAs, and finally the system’s own certificate. This visualization is incredibly helpful for verifying that the full trust path is intact and for diagnosing issues when SSL handshakes fail due to missing or invalid certificate links.

Why Certificate Monitoring Is Critical for the SAP Basis Team

In an SAP landscape, certificate monitoring is far more than a routine maintenance activity—it’s a critical pillar of system security, availability, and regulatory compliance. SSL/TLS certificates are foundational to securing communications across the SAP ecosystem, ensuring that data shared between users, servers, and external systems remains confidential, authenticated, and tamper-proof.

The SAP Basis team plays a frontline role in maintaining this security posture. By proactively monitoring certificates, they can ensure the system complies with internal security policies and external regulatory standards such as GDPR, HIPAA, or SOX. Certificates enable encrypted communication and also serve as digital passports that authenticate the identity of SAP systems and their connections. If a certificate expires or is misconfigured, it can break secure channels—resulting in failed API calls, disrupted integrations, and even complete system outages.

Maintaining valid certificates is essential not just for internal communication but also for establishing trust with external platforms like cloud services, payment processors, and partner systems. Each of these relationships relies on trusted Certificate Authorities and a well-maintained Certificate Trust List (CTL). An expired or untrusted certificate can instantly erode this trust, leading to communication breakdowns or even data breaches.

Moreover, regular monitoring allows the Basis team to detect unusual certificate behavior—such as early revocations or unexpected changes—which can be early indicators of security incidents like man-in-the-middle attacks or malware intrusions. Being aware of these anomalies allows teams to investigate and respond before significant damage occurs.
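An added sketch of the change detection described above, not code from the article or from Dynatrace: it compares two inventory snapshots and flags certificates that were removed before expiry, replaced long before renewal was due, reissued by a different CA, or newly added. The record layout, the fingerprint and issuer fields, the 90-day renewal window and all sample values are assumptions constructed for illustration.

```python
from datetime import date

def cert(instance, context, subject, issuer, fingerprint, valid_to):
    # Hypothetical record layout for one certificate in one PSE.
    return dict(instance=instance, context=context, subject=subject,
                issuer=issuer, fingerprint=fingerprint, valid_to=valid_to)

CA = "CN=Example Issuing CA"  # constructed issuer name
# Constructed snapshots of the same landscape taken on consecutive days.
SNAP_PREV = [
    cert("PRD_00", "SSLS", "CN=erp.example.internal", CA, "aa11", "2026-02-01"),
    cert("PRD_01", "SSLC", "CN=gw.example.internal", CA, "bb22", "2025-06-15"),
    cert("PRD_00", "WSSE", "CN=ws.example.internal", CA, "cc33", "2025-12-01"),
    cert("QAS_00", "SMIM", "CN=mail.example.internal", CA, "dd44", "2025-07-01"),
]
SNAP_CURR = [
    cert("PRD_00", "SSLS", "CN=erp.example.internal", CA, "aa99", "2027-02-01"),
    cert("PRD_01", "SSLC", "CN=gw.example.internal", CA, "bb77", "2026-06-15"),
    cert("PRD_00", "WSSE", "CN=ws.example.internal", "CN=Other CA", "cc55", "2026-12-01"),
    cert("PRD_00", "SSLC", "CN=partner.example.net", CA, "ee66", "2026-01-01"),
]

def slot(c):
    # A certificate is tracked by where it lives and whom it names.
    return (c["instance"], c["context"], c["subject"])

def diff_snapshots(previous, current, today, renewal_window_days=90):
    """Return sorted (finding, slot) pairs for changes worth a review."""
    prev = {slot(c): c for c in previous}
    curr = {slot(c): c for c in current}
    findings = []
    for k, old in prev.items():
        left = (date.fromisoformat(old["valid_to"]) - today).days
        new = curr.get(k)
        if new is None:
            if left > 0:  # removal of an expired certificate is routine cleanup
                findings.append(("removed_before_expiry", k))
        elif new["fingerprint"] != old["fingerprint"]:
            if new["issuer"] != old["issuer"]:
                findings.append(("issuer_changed", k))
            elif left > renewal_window_days:  # replaced long before it was due
                findings.append(("replaced_early", k))
            # same issuer, inside the renewal window: an ordinary renewal
    findings += [("new_certificate", k) for k in curr.keys() - prev.keys()]
    return sorted(findings)
```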

One of the most practical benefits of certificate monitoring is the ability to plan ahead. Every certificate comes with a finite lifespan, and tracking expiry dates ensures that renewals happen smoothly, without last-minute surprises that could lead to unplanned downtime. Proactive renewal and rotation of certificates not only mitigate risks but also ensure uninterrupted service delivery to business users and external consumers alike.

As organizations continue to integrate SAP with an ever-growing number of external platforms, certificate monitoring becomes even more essential. Whether you're connecting to a government API, a cloud data platform, or a customer-facing portal, certificates are the gatekeepers of trust and security. The Basis team’s ability to manage and monitor these certificates directly impacts the stability, reputation, and operational success of the business.

Certificate Management Made Simple with Dynatrace

The active dashboard described below displays the status of all certificates for all systems and helps users check and monitor the certificates available in each system.

Panel Description:

SAP Certificate Status Dashboard

The SAP Certificate Status Active Board provides a comprehensive overview of the SSL/TLS certificate landscape within the SAP system. It enables efficient monitoring and management of certificate validity across various instances and application contexts, supporting proactive administration and compliance with security standards.

SAP System & Instance Overview

In SAP, an instance refers to a runtime environment within an SAP system. A single SAP system may consist of multiple instances, each operating as an independent process with its own allocated resources. These instances collaborate to manage workload distribution, enhance availability, and ensure optimal system performance.

Functionality:

  • Allows users to select and filter data based on specific SAP instances.

Application Context

The application context defines the intended use or function of a Personal Security Environment (PSE), which stores digital certificates and private keys. This context is crucial for identifying the security role of each certificate—such as SSL Server, SSL Client, or Web Services Security (WSSE).

Functionality:

  • Enables selection of a specific Application Context to filter certificates based on their use case.

Namespaces and Tables

To provide deeper integration and traceability, the panel supports reference to various STRUST-related namespaces and tables:

  • PROG – Transaction Namespace (STRUST)

  • SSFA – Table: SSFARGS

  • SSLC – Table: STRUSTSSL

  • SSLS – Table: STRUSTSSLS

  • WSSE – Table: STRUSTWSSE

  • SMIM – Table: STRUSTSMIM

Certificate Status

The panel classifies certificates based on their current validity status:

  • Valid – Certificate is currently valid and active.

  • Expired – Certificate validity has lapsed.

  • Expiring within 30 Days – Certificate will expire within the next 30 days.

Functionality:

  • Allows users to filter and monitor certificates by their status category.

Certificate Statistics

The board provides aggregated metrics to support decision-making and proactive maintenance:

  • Total Certificates – The total number of certificates configured in the system.

  • Expired – Count of currently expired certificates.

  • Expiring within 30 Days – Certificates approaching expiration within the next 30 days.

  • Expiring within 90 Days – Certificates set to expire within the next 90 days.

Certificate Details

Detailed information is available for each certificate, including:

  • Subject (Owner/Entity)

  • Application Context

  • Instance Name

  • Validity Start Date

  • Expiry Date

  • Remaining Validity Period

This information supports quick diagnostics and informed certificate lifecycle actions.
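The status categories, statistics and alert thresholds described above can be reproduced from an exported certificate inventory. The following is an added example, not the dashboard's own logic: the record layout, the function names and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; keys follow the panel's Certificate Details
# fields. Subjects, instance names and dates are made up for illustration.
INVENTORY = [
    {"subject": "CN=erp.example.internal", "context": "SSLS",
     "instance": "PRD_00", "valid_to": "2025-05-20"},
    {"subject": "CN=gw.example.internal", "context": "SSLC",
     "instance": "PRD_01", "valid_to": "2025-06-15"},
    {"subject": "CN=ws.example.internal", "context": "WSSE",
     "instance": "PRD_00", "valid_to": "2025-08-10"},
    {"subject": "CN=mail.example.internal", "context": "SMIM",
     "instance": "QAS_00", "valid_to": "2026-03-01"},
]

def remaining(cert, now):
    # Assumption: a date-only expiry is read as 00:00 UTC of that day,
    # the earliest instant it could mean, so warnings never fire late.
    expiry = datetime.strptime(cert["valid_to"], "%Y-%m-%d")
    return expiry.replace(tzinfo=timezone.utc) - now

def classify(cert, now):
    """Map one certificate to the panel's status categories."""
    left = remaining(cert, now)
    if left <= timedelta(0):
        return "Expired"
    if left <= timedelta(days=30):
        return "Expiring within 30 Days"
    return "Valid"

def statistics(inventory, now):
    """Counts for the statistics tiles; the 90-day count is assumed
    cumulative, so it includes the certificates in the 30-day count."""
    stats = {"total": len(inventory), "expired": 0,
             "expiring_30": 0, "expiring_90": 0}
    for cert in inventory:
        left = remaining(cert, now)
        if left <= timedelta(0):
            stats["expired"] += 1
            continue
        stats["expiring_30"] += left <= timedelta(days=30)
        stats["expiring_90"] += left <= timedelta(days=90)
    return stats

def alerts(inventory, now):
    """Expired or soon-to-expire certificates, most urgent first."""
    due = [(remaining(c, now).days, c["instance"], c["context"], c["subject"])
           for c in inventory if remaining(c, now) <= timedelta(days=90)]
    return sorted(due)
```

Pass a timezone-aware `now`, for example `datetime.now(timezone.utc)`, so the comparison with the UTC expiry instant is valid.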

Scenarios & Key Performance Indicators (KPIs)

To support operational readiness and compliance, the panel enables:

  • Alert Notifications – Triggered when certificates are expired or expiring within 30/90 days.

  • Monitoring Total Certificates – Enables visibility across the full SAP landscape.

  • Archiving/Deletion – Facilitates the removal of outdated or unused certificates.

 

Use Case Value

  • Regular monitoring helps ensure that SSL/TLS certificates, which are crucial for secure communication, are valid and have not expired. This prevents potential security vulnerabilities and unauthorized access.

  • Monitoring certificates allows for proactive identification of certificates approaching expiration. Timely renewal or replacement prevents service disruptions that may occur if certificates expire.

  • Many industries and regulatory bodies have specific security standards that mandate the use of secure communication protocols and proper certificate management. Monitoring certificates helps ensure compliance with these standards.

  • Certificates play a role in ensuring the integrity and confidentiality of data exchanged between SAP systems and external entities. Monitoring helps maintain the security of data in transit.

  • Anomalies or unauthorized changes to certificates can be indicative of security incidents. Regular monitoring helps identify such incidents, allowing for prompt investigation and remediation.

  • SAP systems often integrate with external systems, and secure communication is crucial for these integrations. Monitoring certificates ensures that secure connections are maintained with external partners and systems.

  • Monitoring certificates helps prevent unauthorized access by ensuring that only valid and authorized certificates are accepted. This is crucial for protecting sensitive data within the SAP landscape.

  • Expiry or compromise of certificates may lead to legal and financial consequences. Monitoring certificates helps organizations avoid such consequences by maintaining a secure and compliant environment.
