Configuring SSL Connection to SAP Systems in SAP NetWeaver Gateway Productivity Accelerator
Hi,
Following the release of the SAP NetWeaver Gateway Productivity Accelerator and the blog post by Martin Bachmann, more and more people keep asking me how to configure their Gateway system within the GWPA tool, in HTTPS protocol. So I figured it might be worthwhile to post a short explanation that hopefully clarify what needs to be done in order to add a SAP NW Gateway secured connection.
Follow these 3 steps:
• Export the server certificate (that is the root certificate of the Gateway server)
• Import the server certificate to the list of trusted CAs (Certificate Authorities) in your JRE
• Add the connection in SAP NetWeaver Gateway Productivity Accelerator in Eclipse
Step 1: Exporting the certificate
Easiest way I’ve found to export the certificate is to go to your browser and just export it from there: enter some URL of a service on the SAP NW Gateway system you would like to configure. Click on the lock icon on the address bar and then on View certificates (if using Chrome, after clicking the lock icon go to the Connections tab and then Certificate information). Select the Certification Path tab and click on the root certificate before clicking on View Certificate. Then, go to the Details tab and click on Copy to File…
Follow the wizard (select the Base-64 encoded X.509 (.CER) format, and choose the file system location to export to).
Step 2: Importing the certificate to the CA list
This is a rather simple step, but a bit tricky as you need to make sure you import the certificate into the correct JRE installation in case you have multiple JREs on your machine. To check which JRE installation is used by your Eclipse instance, go to Eclipse Preferences (Java > Installed JREs). I used the Portecle tool which is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more. You can get it from: http://portecle.sourceforge.net/
Open the Portecle tool and Open the Keystore File of your JRE (cacerts) should be located in <JRE installation path> ..\jre\lib\security.
Enter the password to the keystore: changeit
Then go to Tools > Import Trusted Certificate, and select the exported certificate from where you have saved it. Save and close the tool.
Step 3: Add the connection in SAP NetWeaver Gateway Productivity Accelerator in Eclipse
After installing the Productivity Accelerator, in Eclipse Preferences, add the system connection using HTTPS and SSL port.
Hi Gal,
This is a great post. Thanks.
Just one comment...
In some cases you won't be able to save the cacerts file in the original location (it is rea-only).
So, the workaround is to save the cacerts file in a temporaty location (e.g. on the desktop) open it from there, import the certificate, save it, and then copy it back to the jre/lib/security folder.
Don't forget to restart Eclipse.
Thanks,
Uri
Hello Gal,
Thanks for sharing such a good post.
I tried the above steps to import the certificate, unfortunately when I tried to add New SAP Netveawer Gateway
connection from the eclipse( or HANA Studio) still I can see "SSL Connection failed" message.
Any inputs for this would be helpful.
Thanks and Regards,
Ashik
Hi Ashik,
Can you also give the error message from the Eclipse ErrorLog?
From the top of my mind, it can be that you did not import the root certificate, or you did import the root certificate but not to the JRE that is being used by your Eclipse instance, or in case your JRE is installed in Program Files, you need to first copy the cacerts file elsewhere and copy it back after the import (see above comment).
Thanks , It is working fine now.
I had imported the certificate to different version of JRE.
Hi Ashik,
Make sure you imported the certificate to the correct Java runtime folder. Sometimes there is more than one on a machine.
Check which one your Eclipse is using by going to the Eclipse preferences and look for Java Installed JREs.
Make sure that both the root certificate of the server you are connecting to and the next certificate in the hierarchy are imported to your cacerts file.
And restart Eclipse after you import the certificates.
Hope this helps.
--Uri
Thanks! Your post just saved my day. I was strugling with exceptions:
javax.net.ssl.SSLHandshakeException
sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I got them when i was running my SAPUI5 app on localhost when it called Gateway services. After adding the Gateway ssl certificate to my default Java engine problem was solved.
And it was a lot easier following your method than the one described here https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
The only thing I had to do differently was to save cacerts to a different location and then overwrite the orginal cacerts with the new version by manually copy/paste.
Thanks a lot for a very helpful post Gal! You just saved me a day 🙂
I've been waiting long time for such post...;-) Thanks a lot, Gal !
Hello everybody,
I have a little tip:
In my case, the Eclipse preference page showed a wrong VM.
Why? I had passed the VM to be used as command-line-parameter to Eclipse in my Windows-shortcut.
I don’t know why it wasn’t properly shown in the preference page. In some other
Eclipse-installations it was properly shown.
I got to know the really used java VM, when I checked the error message (in the error
log) in detail:
And I have a second tip – why not?
The Portecle tool is cool, but I couldn't used it, so I had to use the keytool on the command line.
It is uncomfortable, but not too complicated.
Briefly, you have to provide the path to the file and the path to the keystore of your java
The keytool.exe can be found in the jre\bin folder of your java installation.
Open command prompt and navigate to this location.
Then type the command.
The command which I used for adding the certificate was:
keytool.exe -import -file C:\certificate.cer -alias devcenter C:\...\jre\lib\security\cacerts
Explanation of tokens:
1) path to keytool.exe
2) – import What to do: import
3) – file the path to the certificate file
4) –alias xxx specify the desired alias name. this makes it easier to recognize it later.
5) the (full) path to the keystore, where the certificate will be stored in.
After executing the command, one can verify if the certificate was really stored by executing this command:
C:\java\jre\bin\keytool.exe -list -keystore C:\java\jre\lib\security\cacerts
For those who don't want/can't install any tool on their laptop:
I had a company laptop so it gave problem in installing Portecle tool & hence i required to find some other way out. Hence, i found the below link & the instructions mentioned, which were damn simple to follow & didn't even require any kind of tool installation at all & my purpose was solved:
How to add or list certificates from keystore or trustStore in Java - Keytool Example