In order to support signing and encryption in integration scenarios with SAP Process Orchestration (PO) and/or SAP Process Integration (PI), it is often necessary to load and access public/private keys and certificates from the Key Storage. This blog describes the steps required to import such entries into the Key Storage of SAP NetWeaver so that they can be used from there. The keys and certificates will be used by a custom adapter module running on SAP PO 7.3 EHP1, but the same procedure can be applied when using standard PI adapters.
Assumptions:
- Integration scenario is Java-only (Advanced Adapter Engine)
- Keys / Certificates are supplied with the correct size and supported format.
- Loaded Key pairs (keystore) are of the type .JKS
- PI and administrator access rights for the SAP NetWeaver Administrator tools.
Step 1. Go to the NetWeaver Administrator page: http://<host>:<port>/nwa
Step 2. Log in to NWA.
Step 3. From NWA, enter “keys” as search query and press Enter.
Step 4. You should now see a window like the one below. Click on Key Storage.
Step 5. On the Key Storage View select “TrustedCA” from the top rows. We are only interested in this type of entry.
Step 6. Click on “Import Entry” and select “PKCS #12 Key Pair” as entry type (select the entry type that matches your own requirements).
Step 7. Browse to the key/certificate stored on your local file system or network, and specify the corresponding password. Click “Import” and verify that the key was successfully imported by opening the “View Entries” tab and searching for the new key. A new entry with your key name must appear on the list.
Step 8. From now on your applications (including adapter modules and custom adapters) running on top of the SAP NetWeaver Java Application Server can use the certificates, public keys and private keys stored in the “TrustedCAs” keystore.
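Before uploading a file through Import Entry, it is worth checking on a workstation that it really is a PKCS#12 or JKS keystore, that the password opens it, and whether the certificates inside are still within their validity period. The following pre-flight check is an added example, not code from this blog or from SAP; it uses only the standard java.security.KeyStore API on a local file and assumes the type name (PKCS12 or JKS) and password are passed on the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical pre-import check for a .p12 / .jks file (added example, not an SAP API).
// Usage: java KeystorePreflight <file> <PKCS12|JKS> <password>
public class KeystorePreflight {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystorePreflight <file> <PKCS12|JKS> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        } catch (IOException e) {
            // A wrong password, or a file that is not actually PKCS#12/JKS (e.g. a plain
            // PEM certificate), fails here; the underlying cause is attached to the IOException.
            System.err.println("Cannot open keystore: " + e + " (cause: " + e.getCause() + ")");
            System.exit(1);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            boolean keyPair = ks.isKeyEntry(alias);   // key pair vs. certificate-only entry
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                System.out.println(alias + ": no X.509 certificate attached");
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            String status;
            try {
                x.checkValidity();   // throws if "now" lies outside notBefore..notAfter
                status = "valid until " + x.getNotAfter();
            } catch (CertificateExpiredException ex) {
                status = "EXPIRED on " + x.getNotAfter();
            } catch (CertificateNotYetValidException ex) {
                status = "not valid before " + x.getNotBefore();
            }
            System.out.printf("%s  keyPair=%b  subject=%s  %s%n",
                    alias, keyPair, x.getSubjectX500Principal(), status);
        }
    }
}
```

An entry reported with keyPair=false contains only a certificate, so it cannot be imported as a “PKCS #12 Key Pair”; an EXPIRED entry is what NWA later shows with the red status.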
Hi Roberto,
nice blog.
Andy.
Hi Roberto,
I referred your blog to perform the same activity and observed that my certificate has an invalid period. After creating the new entries, I see the status as red with expiry date problem.
Would I need to ask for the FTPs certificate with new valid date or can i moved ahead with the config?
Regards
Alice
Hi Rebecca,
In my case I also faced the same situation with an almost expired certificate. My experience is that as long as the certificate or key is not really expired, you can carry on with your developments. However, it’s good to warn your certificate provider about the expiration date of the certificate so you can replace it on time.
Cheers, Roberto
Thanks Roberto
It is important to note that it is recommended to restart the service in case the SSL certificates are not recognized
Follow the steps in the NWA to restart SSL Provider:
1-Operation Management-> Systems-> Start & Stop
2-JAVA-EE Services> SSL Provider-> Restart
Best Regards.
Hi Maximiliano,
Thanks for the additional tip! 🙂
Regards, Roberto
There is nothing better than finding this comment at 4 am when there was no Basis team around to restart PI. Awesome!
Regards
Hi Roberto,
I want to know if the key can be stored in the NWA key storage used for the PGPEncryption and PGPDecryption adapter modules.
Yes, I guess the NWA keystore can be used for that purpose too but I don’t know if the newest B2B addon modules (such as PGP) also provides that functionality from within the module itself.
Hi Roberto,
I tried as you instructed, but I got the following error during the import of a new PKCS#12 key pair:
ERROR: -> ID21108: java.security.InvalidAlgorithmParameterException: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.
What kind of problem is this?
Regards
Rene
Hi Rene,
What kind of file are you trying to load when doing the upload? In this example I was using .jks.
Kr, Roberto
Hi Roberto,
thank you for your reply!
jks file?
What I did includes the following steps:
1. I got the public and private key from customer.
2. according to the thread http://wiki.scn.sap.com/wiki/display/XI/Generating+SSH+Keys+for+SFTP+Adapters+-+Type+1
I imported the public key into the puttygen and export OpenSSH key with name: sftp_test.pem.
3. In cygwin with the OpenSSL utility I converted sftp.test.pem into x509testcert.pem.
It looks like:
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
4. Converted x509testcert.pem into sftp_test.p12.
5. Imported sftp_test.p12 into the NW keystore and got the above error:
ERROR: -> ID21108: java.security.InvalidAlgorithmParameterException: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.
What could I have done wrong?
Thanks and nice Weekend
Rene