
In order to support signing and encryption in integration scenarios with SAP Process Orchestration (PO) and/or SAP Process Integration (PI) it is often necessary to load and access public/private keys and certificates from the Key Storage. This blog describes the steps required in order to use that functionality from the Key Storage of SAP NetWeaver. The keys and certificates will be used by a custom adapter module running on SAP PO 7.3 EHP1, but the same procedure can be applied when using standard PI adapters.


Assumptions:

  • Integration scenario is Java-only (Advanced Adapter Engine)
  • Keys / Certificates are supplied with the correct size and supported format.
  • Loaded Key pairs (keystore) are of the type .JKS
  • You have PI and administrator access rights to the SAP NetWeaver Administrator tools.


Step 1.  Go to the NetWeaver Administrator page: http://<host>:<port>/nwa


Step 2. Log in to NWA.


Step 3. From NWA, enter “keys” as search query and press Enter.


Step 4. You should now see a window like the one below. Click on Key Storage.


Step 5. On the Key Storage View select “TrustedCA” from the top rows. We are only interested in this type of entry.


Step 6. Click on “Import Entry” and select “PKCS#12 Key Pair” as entry type. Please select the corresponding entry type depending on your own requirements.


Step 7. Browse to the key/certificate stored on your local file system or network, and specify the corresponding password. Click “Import” and verify that the key was successfully imported by opening the “View Entries” tab and searching for the new key. A new entry with your key name must appear in the list.


Step 8. From now on, your applications (including adapter modules and custom adapters) running on top of the SAP NetWeaver Java Application Server can use the keys (certificates, public and private keys) stored in the “TrustedCA” keystore.
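
A pre-import check for Step 7, as an added example that is not part of the original post and not SAP code: it uses only the standard `java.security.KeyStore` API on a workstation JDK (Java 7 or later is assumed) to confirm that the PKCS#12 file opens with the password, whether each entry really contains a private key, and whether its certificate is inside its validity period. The class name and the 30-day warning window are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

// Hypothetical helper: inspects a PKCS#12 file before it is imported in NWA.
public class Pkcs12PreImportCheck {
    private static final long WARN_MS = 30L * 24 * 60 * 60 * 1000; // assumed 30-day warning window

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (interactive terminal): java Pkcs12PreImportCheck <file.p12>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in the shell history.
        char[] password = System.console().readPassword("PKCS#12 password: ");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // throws IOException on a wrong password or a damaged file
        }

        Date now = new Date();
        Date soon = new Date(now.getTime() + WARN_MS);
        for (String alias : Collections.list(ks.aliases())) {
            // A key pair entry must hold a recoverable private key; a certificate-only entry has none.
            boolean hasKey = ks.isKeyEntry(alias) && ks.getKey(alias, password) != null;
            Certificate cert = ks.getCertificate(alias);
            String validity = "n/a (no X.509 certificate)";
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                if (now.before(x509.getNotBefore())) {
                    validity = "NOT YET VALID (from " + x509.getNotBefore() + ")";
                } else if (now.after(x509.getNotAfter())) {
                    validity = "EXPIRED (" + x509.getNotAfter() + ")";
                } else if (soon.after(x509.getNotAfter())) {
                    validity = "expires soon (" + x509.getNotAfter() + ")";
                } else {
                    validity = "valid until " + x509.getNotAfter();
                }
            }
            System.out.printf("%-30s private key: %-3s certificate: %s%n",
                    alias, hasKey ? "yes" : "no", validity);
        }
        Arrays.fill(password, '\0'); // wipe the password from memory
    }
}
```

An entry reported with `private key: no` is a certificate-only entry, so it does not match the “PKCS#12 Key Pair” entry type chosen in Step 6.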



12 Comments


  1. Rebecca Alice

    Hi Roberto,

     

    I referred to your blog to perform the same activity and observed that my certificate has an invalid period. After creating the new entries, I see the status as red with an expiry date problem.

     

    Would I need to ask for the FTPs certificate with a new valid date or can I move ahead with the config?

     

    Regards

    Alice

    (0) 
    1. Roberto Viana Post author

      Hi Rebecca,

       

      In my case I also faced the same situation with an almost expired certificate. My experience is that as long as the certificate or key is not really expired, you can carry on with your developments. However, it’s good to warn your certificate provider about the expiration date of the certificate so you can replace it on time.

       

      Cheers, Roberto

      (0) 
  2. Maximiliano Colman

    It is important to note that it is recommended to restart the service in case the SSL certificates are not recognized

     

    Follow the steps in the NWA to restart SSL Provider:

     

    1-Operation Management-> Systems-> Start & Stop

    2-JAVA-EE Services-> SSL Provider-> Restart

     

    Best Regards.

    (0) 
    1. Roberto Viana Post author

      Yes, I guess the NWA keystore can be used for that purpose too, but I don’t know if the newest B2B add-on modules (such as PGP) also provide that functionality from within the module itself.

      (0) 
  3. Rene Dong

    Hi Roberto,

     

    I tried as you instructed, but I got the following error during import of the new PKCS#12 key pair:

     

    ERROR:  -> ID21108: java.security.InvalidAlgorithmParameterException: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.

     

    What is the problem?

     

    Regards

    Rene

    (0) 
      1. Rene Dong

        Hi Roberto,

         

        thank you for your reply!

         

        jks file?

         

        What I did includes the following steps:

        1. I got the public and private key from customer.

        2. according to the thread http://wiki.scn.sap.com/wiki/display/XI/Generating+SSH+Keys+for+SFTP+Adapters+-+Type+1

         

        I imported the public key into the puttygen and export OpenSSH key with name: sftp_test.pem.

         

        3. in cygwin with the OpenSSL utility I converted sftp.test.pem into x509testcert.pem

        It looks like:

        -----BEGIN CERTIFICATE-----


        -----END CERTIFICATE-----

         

        4. converted x509testcert.pem into sftp_test.p12.

         

        5. import sftp_test.p12 into NW keystore and get the above error:

        ERROR:  -> ID21108: java.security.InvalidAlgorithmParameterException: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.

         

        What mistake could I have made?

         

        Thanks and have a nice weekend

        Rene

        (0) 
