Skip to Content
Author's profile photo Former Member

Configuring SSL Connection to SAP Systems in SAP NetWeaver Gateway Productivity Accelerator

Hi,

Following the release of the SAP NetWeaver Gateway Productivity Accelerator and the blog post by Martin Bachmann, more and more people keep asking me how to configure their Gateway system within the GWPA tool, in HTTPS protocol. So I figured it might be worthwhile to post a short explanation that hopefully clarify what needs to be done in order to add a SAP NW Gateway secured connection.

Follow these 3 steps:
• Export the server certificate (that is the root certificate of the Gateway server)
• Import the server certificate to the list of trusted CAs (Certificate Authorities) in your JRE
• Add the connection in SAP NetWeaver Gateway Productivity Accelerator in Eclipse

Step 1: Exporting the certificate/wp-content/uploads/2013/05/lock2_218084.png

Easiest way I’ve found to export the certificate is to go to your browser and just export it from there: enter some URL of a service on the SAP NW Gateway system you would like to configure. Click on the lock icon on the address bar and then on View certificates (if using Chrome, after clicking the lock icon go to the Connections tab and then Certificate information). Select the Certification Path tab and click on the root certificate before clicking on View Certificate. Then, go to the Details tab and click on Copy to File…

Follow the wizard (select the Base-64 encoded X.509 (.CER) format, and choose the file system location to export to).

/wp-content/uploads/2013/05/cert_218086.png

Step 2: Importing the certificate to the CA list

This is a rather simple step, but a bit tricky as you need to make sure you import the certificate into the correct JRE installation in case you have multiple JREs on your machine. To check which JRE installation is used by your Eclipse instance, go to Eclipse Preferences (Java > Installed JREs). I used the Portecle tool which is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more. You can get it from: http://portecle.sourceforge.net/

Open the Portecle tool and Open the Keystore File of your JRE (cacerts) should be located in <JRE installation path> ..\jre\lib\security.

Enter the password to the keystore: changeit

Then go to Tools > Import Trusted Certificate, and select the exported certificate from where you have saved it. Save and close the tool.

Step 3: Add the connection in SAP NetWeaver Gateway Productivity Accelerator in Eclipse

After installing the Productivity Accelerator, in Eclipse Preferences, add the system connection using HTTPS and SSL port.

Assigned Tags

      11 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Uri Nizan
      Uri Nizan

      Hi Gal,

      This is a great post. Thanks.

      Just one comment...

      In some cases you won't be able to save the cacerts file in the original location (it is rea-only).

      So, the workaround is to save the cacerts file in a temporaty location (e.g. on the desktop) open it from there, import the certificate, save it, and then copy it back to the jre/lib/security folder.

      Don't forget to restart Eclipse.

      Thanks,

      Uri

      Author's profile photo Ashik Keshava
      Ashik Keshava

      Hello Gal,

      Thanks for sharing such a good post.

      I  tried the above steps to import the certificate, unfortunately when I tried to add New SAP Netveawer Gateway

      connection from the eclipse( or HANA Studio)  still I can see "SSL Connection failed" message.

      Any inputs for this would be helpful.

      Thanks and Regards,

      Ashik

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hi Ashik,

      Can you also give the error message from the Eclipse ErrorLog?

      From the top of my mind, it can be that you did not import the root certificate, or you did import the root certificate but not to the JRE that is being used by your Eclipse instance, or in case your JRE is installed in Program Files, you need to first copy the cacerts file elsewhere and copy it back after the import (see above comment).

      Author's profile photo Ashik Keshava
      Ashik Keshava

      Thanks , It is working fine now.

      I had imported the certificate to different version of JRE.

      Author's profile photo Uri Nizan
      Uri Nizan

      Hi Ashik,

      Make sure you imported the certificate to the correct Java runtime folder. Sometimes there is more than one on a machine.

      Check which one your Eclipse is using by going to the Eclipse preferences and look for Java Installed JREs.

      Make sure that both the root certificate of the server you are connecting to and the next certificate in the hierarchy are imported to your cacerts file.

      And restart Eclipse after you import the certificates.

      Hope this helps.

      --Uri

      Author's profile photo Former Member
      Former Member

      Thanks! Your post just saved my day. I was strugling with exceptions:

      javax.net.ssl.SSLHandshakeException

      sun.security.validator.ValidatorException: PKIX path
      building failed: sun.security.provider.certpath.SunCertPathBuilderException:
      unable to find valid certification path to requested target

      I got them when i was running my SAPUI5 app on localhost when it called Gateway services. After adding the Gateway ssl certificate to my default Java engine problem was solved.

      And it was a lot easier following your method than the one described here https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide

      The only thing I had to do differently was to save cacerts to a different location and then overwrite the orginal cacerts with the new version by manually copy/paste.

      Author's profile photo Shakul Jugran
      Shakul Jugran

      Thanks a lot for a very helpful post Gal! You just saved me a day 🙂

      Author's profile photo Carlos Roggan
      Carlos Roggan

      I've been waiting long time for such post...;-) Thanks a lot, Gal !

      Author's profile photo Carlos Roggan
      Carlos Roggan

      Hello everybody,

      I have a little tip:

       

      In my case, the Eclipse preference page showed a wrong VM.

      Why? I had passed the VM to be used as command-line-parameter to Eclipse in my Windows-shortcut.

      I don’t know why it wasn’t properly shown in the preference page. In some other
      Eclipse-installations it was properly shown.

      I got to know the really used java VM, when I checked the error message (in the error
      log) in detail:

      VM_ErrorDetail.JPG

      Author's profile photo Carlos Roggan
      Carlos Roggan

      And I have a second tip – why not?

      The Portecle tool is cool, but I couldn't used it, so I had to use the keytool on the command line.
      It is uncomfortable, but not too complicated.

      Briefly, you have to provide the path to the file and the path to the keystore of your java

      The keytool.exe can be found in the jre\bin folder of your java installation.

      Open command prompt and navigate to this location.

      Then type the command.

      The command which I used for adding the certificate was:

      keytool.exe -import -file C:\certificate.cer -alias devcenter C:\...\jre\lib\security\cacerts

      Explanation of tokens:

      1) path to keytool.exe
      2) – import  What to do: import
      3) – file  the path to the certificate file
      4) –alias xxx  specify the desired alias name. this makes it easier to recognize it later.
      5) the (full) path to the keystore, where the certificate will be stored in.

      After executing the command, one can verify if the certificate was really stored by executing this command:

      C:\java\jre\bin\keytool.exe -list -keystore C:\java\jre\lib\security\cacerts

      Author's profile photo Sumit Jindal
      Sumit Jindal

      For those who don't want/can't install any tool on their laptop:

      I had a company laptop so it gave problem in installing Portecle tool & hence i required to find some other way out. Hence, i found the below link & the instructions mentioned, which were damn simple to follow & didn't even require any kind of tool installation at all & my purpose was solved:

      How to add or list certificates from keystore or trustStore in Java - Keytool Example