Former Member

How to Load keys and certificates in SAP PI 7.3, SAP PO 7.3 EHP1 NWA’s Key Storage

In order to support signing and encryption in integration scenarios with SAP Process Orchestration (PO) and/or SAP Process Integration (PI) it is often necessary to load and access public/private keys and certificates from the Key Storage. This blog describes the steps required in order to use that functionality from the Key Storage of SAP NetWeaver. The keys and certificates will be used by a custom adapter module running on SAP PO 7.3 EHP1, but the same procedure can be applied when using standard PI adapters.


Assumptions:

  • Integration scenario is Java-only (Advanced Adapter Engine)
  • Keys / Certificates are supplied with the correct size and supported format.
  • Loaded Key pairs (keystore) are of the type .JKS
  • You have PI and administrator access rights to the SAP NetWeaver Administrator tools.


Step 1.  Go to the NetWeaver Administrator page: http://<host>:<port>/nwa


Step 2. Log in to NWA.


Step 3. From NWA, enter “keys” as search query and press Enter.


Step 4. The search results are displayed. Click on “Key Storage”.


Step 5. On the Key Storage View select “TrustedCA” from the top rows. We are only interested in this type of entry.


Step 6. Click on “Import Entry” and select “PKCS#12 Key Pair” as entry type. (Select the entry type that corresponds to your own requirements.)


Step 7. Browse to the key/certificate stored on your local file system or network, and specify the corresponding password. Click “Import” and verify that the key was successfully imported by opening the “View Entries” tab and searching for the new key. A new entry with your key name must appear in the list.


Step 8. From now on, your applications (including adapter modules and custom adapters) running on top of the SAP NetWeaver Java Application Server can use the certificates, public keys and private keys stored in the “TrustedCA” keystore.

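Before the import in Step 7, a PKCS#12 file can be checked locally to confirm that it opens with the given password, contains a private key as well as a certificate, and is not expired or close to expiry. The script below is an added example, not part of the original post and not SAP code. It assumes the `openssl` command-line tool is available; the helper names (`p12`, `check_p12`, `make_demo`), file names and demo password are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not SAP code): check a PKCS#12 file before the NWA import.
# Needs the openssl CLI; all file names and the demo password are constructed.

# Run "openssl pkcs12" with the password passed through the environment, so it
# never appears in the process list. Usage: p12 FILE PASSWORD [openssl args]
p12() {
    local file=$1 pass=$2; shift 2
    P12_PASS=$pass openssl pkcs12 -in "$file" -passin env:P12_PASS "$@" 2>/dev/null
}

# check_p12 FILE PASSWORD [WARN_DAYS] prints one status word:
#   unreadable | no_private_key | no_certificate | expired | expiring_soon | ok
check_p12() {
    local cert warn=$(( ${3:-30} * 86400 ))
    # 1. The container must parse and its MAC must verify with this password.
    p12 "$1" "$2" -noout || { echo unreadable; return 1; }
    # 2. A key pair entry needs a private key, not just a certificate.
    p12 "$1" "$2" -nocerts -nodes | grep -q 'PRIVATE KEY-----' \
        || { echo no_private_key; return 1; }
    # 3. Extract the end-entity certificate and test its validity window.
    cert=$(p12 "$1" "$2" -nokeys -clcerts) || true
    printf '%s\n' "$cert" | grep -q 'BEGIN CERTIFICATE' \
        || { echo no_certificate; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo expired; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$warn" >/dev/null \
        || { echo expiring_soon; return 2; }
    echo ok
}

# make_demo DIR DAYS: throwaway self-signed pair valid for DAYS days, written as
# pair.p12 (key + certificate) and certonly.p12 (certificate only).
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=pi-demo" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:demo-pass -out "$1/pair.p12"
    openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -passout pass:demo-pass -out "$1/certonly.p12"
}

demo=$(mktemp -d)
make_demo "$demo" 365
check_p12 "$demo/pair.p12" demo-pass || true       # ok
check_p12 "$demo/certonly.p12" demo-pass || true   # no_private_key
check_p12 "$demo/pair.p12" wrong-pass || true      # unreadable
rm -rf "$demo"
```

For a real file, call `check_p12 /path/to/file.p12 "$PASSWORD" 30` and import only when it prints `ok`; an `expiring_soon` result still imports but the certificate should be scheduled for replacement.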


      12 Comments
      Andy Silvey

      Hi Roberto,

       

      nice blog.

       

      Andy.

      Former Member

      Hi Roberto,

       

      I referred to your blog to perform the same activity and observed that my certificate has an invalid period. After creating the new entries, I see the status as red with an expiry date problem.

       

      Would I need to ask for the FTPs certificate with a new valid date, or can I move ahead with the config?

       

      Regards

      Alice

      Former Member
      Blog Post Author

      Hi Rebecca,

       

      In my case I also faced the same situation with an almost expired certificate. My experience is that as long as the certificate or key is not really expired, you can carry on with your developments. However, it's good to warn your certificate provider about the expiration date of the certificate so you can replace it on time.

       

      Cheers, Roberto

      Former Member

      Thanks Roberto

      Former Member

      It is important to note that it is recommended to restart the service in case the SSL certificates are not recognized.

       

      Follow the steps in the NWA to restart SSL Provider:

       

      1. Operation Management -> Systems -> Start & Stop

      2. JAVA-EE Services -> SSL Provider -> Restart

       

      Best Regards.

      Former Member
      Blog Post Author

      Hi Maximiliano,

       

      Thanks for the additional tip! 🙂

       

      Regards, Roberto

      Former Member

      There is nothing better than finding this comment at 4 am, when there was no Basis team around to restart PI. Awesome!

       

      Regards

      Former Member

      Hi Roberto,

      I want to know if the key can be stored in the NWA key storage used for PGPEncryption and PGPDecryption adapter modules.

      Former Member
      Blog Post Author

      Yes, I guess the NWA keystore can be used for that purpose too, but I don't know if the newest B2B add-on modules (such as PGP) also provide that functionality from within the module itself.

      Former Member

      Hi Roberto,

       

      I tried as you instructed, but I got the following error during the import of a new PKCS#12 key pair:

       

      ERROR:  -> ID21108: java.security.InvalidAlgorithmParameterException: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.

       

      What kind of problem is this?

       

      Regards

      Rene

      Former Member
      Blog Post Author

      Hi Rene,

       

      What kind of file are you trying to load when doing the upload? In this example I was using .jks.

       

      Kr, Roberto

      Former Member

      Hi Roberto,

       

      thank you for your reply!

       

      jks file?

       

      What I did includes the following steps:

      1. I got the public and private key from customer.

      2. According to the thread http://wiki.scn.sap.com/wiki/display/XI/Generating+SSH+Keys+for+SFTP+Adapters+-+Type+1

       

      I imported the public key into puttygen and exported the OpenSSH key with the name: sftp_test.pem.

       

      3. In cygwin, with the OpenSSL utility, I converted sftp.test.pem into x509testcert.pem

      It looks like:

      [PEM certificate block omitted]

       

      4. Converted x509testcert.pem into sftp_test.p12.

       

      5. Imported sftp_test.p12 into the NW keystore and got the above error:

      ERROR:  -> ID21108: java.security.InvalidAlgorithmParameterException: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.

       

      What kind of mistake could I have made?

       

      Thanks and have a nice weekend

      Rene