
During installation of the SMP 3.0 server, a self-signed certificate is generated automatically and used for Agentry server authentication (among other things). This certificate is based on the fully qualified domain name (FQDN) of the host at the time of installation. If that name changes for any reason, or the certificate needs to reference an external name rather than an internal one, you will need to regenerate the certificate.

This document outlines the steps needed to regenerate the certificate using the Java keytool utility. Note that you will need the keystore password you specified during installation of the SMP 3.0 server to perform these steps. The commands assume the SMP Java bin directory is in your PATH and that you are running them from the C:\SAP\MobilePlatform3\Server\configuration directory.

Note that with the release of SP08, the keystore file in which the certificate is stored has changed. Be sure to use the correct keystore name for your version.

Keystore – pre-SP08 = smp_keystore.jks

Keystore – SP08+ = local_smp_keystore.jks

Note that in SP09 the Java version the SMP server uses has changed to Java 8. As a result, I have updated the batch file so the Java directory name can be set.

The steps are the same, only the file where it is stored has changed in SP08.

  1. Remove the existing certificate
    • keytool -keystore {keystore filename} -delete -alias smp_crt -storepass {keystore password}
  2. Create the new self-signed certificate (edit the dname information to match your organization details)
    • keytool -keystore {keystore filename} -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -dname "C={country}, ST={state}, L={city}, O={myorg}, OU={myorgunit}, CN={New FQDN}, emailAddress={your email address}" -ext BC:ca:true -keypass {keystore password} -storepass {keystore password}
  3. Export the new certificate for use with your Agentry clients
    • keytool -keystore {keystore filename} -export -alias smp_crt -file smp_crt.cer -rfc -storepass {keystore password} -keypass {keystore password}
  4. After executing these commands, restart your SMP 3.0 server to pick up the new certificate
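A check worth running after step 3, before restarting the server or handing smp_crt.cer to clients, as an added PowerShell example that is not part of the original post and not SAP's code: it parses the exported certificate with .NET's X509Certificate2 and confirms that the subject CN matches the FQDN clients will connect to, that the certificate is self-signed and currently valid, and which signature algorithm was used. The parameter names, the default path and the -WindowsMobileClients switch are my assumptions.

```powershell
<#
  Added example (not from the original post): sanity-check the certificate
  exported by "keytool -export" before distributing it to Agentry clients.
  Assumed parameters; adjust the defaults to your installation.
#>
param(
    # Name the clients will use to reach the server (the value given as CN={New FQDN})
    [Parameter(Mandatory = $true)]
    [string]$ExpectedFqdn,

    # File written by the export step; default matches the configuration directory used above
    [string]$CertPath = 'C:\SAP\MobilePlatform3\Server\configuration\smp_crt.cer',

    # Set this when Windows Mobile clients are in use (they require SHA1withRSA)
    [switch]$WindowsMobileClients
)

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath (did the keytool -export step run in the configuration directory?)"
}

# The -rfc export is PEM; X509Certificate2 accepts PEM or DER input.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$problems = @()

# 1. Subject CN must equal the hostname clients connect to; a mismatch is what
#    produces "hostname in certificate didn't match" errors on the client side.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ExpectedFqdn) {
    $problems += "Subject CN is '$cn' but clients will connect to '$ExpectedFqdn'"
}

# 2. The regenerated smp_crt is self-signed: issuer and subject are the same DN.
if ($cert.Subject -ne $cert.Issuer) {
    $problems += "Certificate is not self-signed (issuer '$($cert.Issuer)'); check that the smp_crt alias was exported"
}

# 3. Validity window. keytool stamps NotBefore with the generation time, so a
#    NotBefore older than a day means the export predates the regeneration.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is not currently valid (NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
} elseif ($cert.NotBefore -lt $now.AddDays(-1)) {
    $problems += "NotBefore is $($cert.NotBefore); the exported file may be from the old keystore"
}

# 4. Signature algorithm: SHA1withRSA is only needed for Windows Mobile clients;
#    otherwise SHA256withRSA is the stronger choice.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'sha1' -and -not $WindowsMobileClients) {
    Write-Warning "Certificate is signed with $sigAlg; regenerate with -sigalg SHA256withRSA unless Windows Mobile clients are required"
}

# 5. Print the fingerprint so it can be compared against what a device shows after import.
[pscustomobject]@{
    Subject            = $cert.Subject
    CN                 = $cn
    NotAfter           = $cert.NotAfter
    SignatureAlgorithm = $sigAlg
    SHA1Thumbprint     = $cert.Thumbprint
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error -Message $_ }
    exit 1
}
Write-Host "smp_crt.cer is consistent with FQDN '$ExpectedFqdn'."
```

Run it as `.\Check-SmpCert.ps1 -ExpectedFqdn smp.example.com` from the configuration directory; a non-zero exit means the file should not be distributed until the keytool steps are repeated.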

In my case, I frequently need to regenerate my certificates due to changing networks and IP addresses, so I have created the attached batch file to simplify the process. I simply execute the batch file; it prompts me for the password and new FQDN, performs all the other steps, and opens Windows Explorer in the configuration directory at the end so I can easily install, copy or email the new certificate.

I have also updated the batch file to allow for easily setting the correct keystore name.

To use the batch file:

  1. Download the attached file (unzip if necessary)
  2. Rename it from smp3-keygen.txt to smp3-keygen.bat
  3. Edit the smp3-keygen.bat file and set the following variables at the beginning of the file:
    • SMP3ROOT – location of your SMP3 installation
    • SMP3JAVA – directory name of the SMP3 Java folder (sapjvm_7, or sapjvm_8 for SP09+)
    • KEYSTOREFILE – the name of the keystore where the cert will be stored (see above, based on the version of the SMP3 server you are running)
    • CERTINFO – country, state, location, organization, org unit
    • CERTEMAIL – your email address (included in the certificate)
  4. Run the batch file and input your new FQDN or IP address for the certificate
  5. Enter the keystore password
  6. Import or distribute the new certificate

Enjoy!


31 Comments


  1. Former Member

    Hi Bill

    Great post!
    Now I have a question 🙂 I’m not that hardcore when it comes to certificates so I might sound like a total tool!

    Initially the default certificate isn’t accepted by, for instance, iPads. So I was thinking about creating a cert. request and having it signed by Verisign, as it should then just work without the end user having to do anything but use the SAP app, right?

    Do you know how you would go about creating that?

    Best Regards

    Jesper

    (1) 
    1. Bill Froelich
      Post author

      In theory yes, you should be able to obtain a certificate signed by a trusted third party and use that on your SMP server which would mean you do not need to install certificates on the devices (iPads).

      I am not sure what you mean by the default certificate isn’t accepted by iPads?

      As for the process you would need to work with the third party to provide whatever they are requiring.  I have not gone through this process and expect it may be different for each vendor.  I have only used the self generated / signed certificates.

      If you are having problems getting the certificate to install on the iPad please post a question to the SCN forum and myself or others will try to assist.

      –Bill

      (0) 
      1. Former Member

        Hi Bill

        Thank you for the reply!

        Bill: “I am not sure what you mean by the default certificate isn’t accepted by iPads?”

        All I meant was that in order to get the Agentry app working in my test environment I needed to install the default SMP cert. manually on my devices.

        To avoid that in bigger prod. environments, I would think it would be easier just to create a cert. request using the keytool somehow and then get Verisign to sign it. Then I would think the devices would be able to run the app without any manual work needed.

        Could you please direct me to the correct forum and I’ll post my question there and hope someone has been in the same situation.

        -Jesper

        (0) 
        1. Former Member

          I would also like the information posted here, as it makes it challenging to do a production environment with an OpenSSL cert installed to each device. Also, I was informed that a wildcard (*.company.com) is also not supported at the Agentry level, which I found out when using 8081 and offloading SSL with F5. Looking for a simpler way to do this.

          (0) 
            1. Former Member

              Hi

              I think people are interested in knowing how they replace the default certificate with a “proper” signed certificate.

              I know there is a lot of info to find on the service marketplace about keytools and so on, but most of it is just generic documentation, as in 1000 pages that might help hardcore certificate people, but the rest of us are kinda screwed 🙂

              (0) 
              1. Former Member

                I second that request. Once the ‘proper’ certificate from an org such as Verisign comes down with one like agentry.company.com, what is the next step to get this into the Agentry store with the correct aliases? If it’s as simple as adding it to the ‘trusted root’ store and deleting the smp_crt, great, but it usually isn’t.

                (0) 
  2. Sudhir Lenka

    Thank you so much, Bill, for such a nice document. It helped me.

    I have a question here.

    In the case of a cluster environment (let’s say Prod-1 and Prod-2), do I need to generate the certificate on one of the nodes (Prod-1) and paste the same custom certificate on the other node (Prod-2)? Or do I need to export the key from the primary node (Prod-1) and import it into the secondary node (Prod-2), as we do in the case of SMP 2.3 through AgentryKeyUtility?

    (0) 
    1. Former Member

      The AgentryKeyUtility is not for the certificate that is used in client-server encryption. It was more for making sure the servers use the same internal encryption key.

      (0) 
  3. Jitendra Kansal

    Really helpful document . 🙂

    I was facing an error while pinging the application id in Admin cockpit saying

    Backend system cannot be reached:::Root cause:::Exception during connection execute:hostname in certificate didn’t match:<localhost>!=<jk.guest.tp.custservice.de>

    (where ‘jk’ is my laptop host name)

    After doing some research, I came to know that the smp_crt certificate has the value “jk.guest.tp.custservice.de” for the CN key, which is causing this issue, and the PING call is looking for the smp_crt alias, which should have CN value=jk (hostname).

    With the help of the steps mentioned in this doc, I am able to change the CN and ping is working successfully.

    Last week I did a fresh installation of SMP3 SP06 on my laptop; during installation I selected the country as ‘INDIA’ but my current location is in GERMANY.

    Bill Froelich

    By default, the CN value of smp_crt should be the system host name. Could this be the reason for the automatic renaming of the smp_crt CN value, as my laptop was connected to the internet (German ISP) during installation?

    Regards,

    JK

    (0) 
    1. Bill Froelich
      Post author

      Correct.  The smp_crt will be generated with the fully qualified domain name (FQDN) of the system at the time of installation.

      –Bill

      (0) 
  4. Artsrun Ohanyan

    You need to generate the SMP3 Server certificate using the SHA1withRSA signature algorithm when you are using Agentry Client for Windows Mobile.

    If you are not using Windows Mobile and wish to generate a certificate using the stronger signing algorithm, just change “SHA1withRSA” in the instructions to “SHA256withRSA”.

    (1) 
  5. Former Member

    Hi Bill,

    we use the SMP 3.0 Server SP08 and are trying to use your script. The first step (backup the certificate) is ok. But in the second one (create the new certificate) we get an error: “unknwon operation -ext”.

    What are we doing wrong?

    Thanks André

    (0) 
    1. Artsrun Ohanyan

      The SMP3 SP08 Server certificate (alias name: smp_crt) is now stored separately in local_smp_keystore.jks instead of smp_keystore.jks.

      Please attach the command line you run, and the error message you see, in case you still have any issues.

      (0) 
      1. Former Member

        Hi,

        Here is the key_gen.bat as text (I don’t know how I can insert files) and the error from the command tool.

        Error:

        /wp-content/uploads/2015/07/key_error_751731.png

        Script:

        @echo off
        setlocal
        REM ********************************************
        REM Define your local environment settings here
        REM ********************************************
        set SMP3ROOT=C:\SAP\MobilePlatform3
        set CERTINFO=C=DE, ST=DE, L=DRE, O=Consultant, OU=Global PS
        set CERTEMAIL=info@consultant.de
        REM ********************************************
        REM Put the SMP JVM's keytool first in the PATH. The variable is SMP3ROOT
        REM (not SMPROOT): an undefined variable here leaves whatever keytool is
        REM already on the system PATH in front, which may be an older Java.
        set PATH=%SMP3ROOT%\sapjvm_7\bin;%PATH%
        echo ================== WARNING ================
        echo This will replace your existing certificate with a new one,
        echo the old keystore file will be backed up to local_smp_keystore.jks.backup!
        echo ===========================================
        echo.
        echo -------------------------------------------
        echo Enter FQDN for Certificate
        echo -------------------------------------------
        set /p FQDN=Enter Hostname or IP address for the new SMP3 certificate?
        echo.
        echo Will generate new certificate for %FQDN%
        echo Enter Ctrl-C to abort or
        pause
        echo.
        echo -------------------------------------------
        echo.
        set /p KEYSTORE_PW=Enter keystore passphrase:
        echo -------------------------------------------
        echo Changing to the SMP3 directory
        cd /d %SMP3ROOT%\Server\configuration
        echo.
        echo -------------------------------------------
        echo backup existing local_smp_keystore.jks
        echo -------------------------------------------
        REM The keystore is local_smp_keystore.jks throughout (the backup used "locale_", which does not exist)
        copy local_smp_keystore.jks local_smp_keystore.jks.backup
        echo -------------------------------------------
        echo remove the old smp_crt certificate
        echo -------------------------------------------
        keytool -keystore local_smp_keystore.jks -delete -alias smp_crt -storepass %KEYSTORE_PW%
        echo -------------------------------------------
        echo create the certificate for smp_crt
        echo -------------------------------------------
        REM -dname must use straight double quotes; curly quotes are passed through to keytool as part of the value
        keytool -keystore local_smp_keystore.jks -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -ext BC:ca:true -dname "%CERTINFO%, CN=%FQDN%, emailAddress=%CERTEMAIL%" -keypass %KEYSTORE_PW% -storepass %KEYSTORE_PW%
        echo -------------------------------------------
        echo export the certificate for clients
        echo -------------------------------------------
        keytool -keystore local_smp_keystore.jks -export -alias smp_crt -file smp_crt.cer -rfc -storepass %KEYSTORE_PW% -keypass %KEYSTORE_PW%
        echo -------------------------------------------
        echo completed. review above if there have been errors, else your
        echo keystore has been updated with a new certificate.
        echo -------------------------------------------
        pause
        start explorer %SMP3ROOT%\server\configuration

        Thanks,

        André

        (0) 
              1. Former Member

                Hi Artsrun,

                I can’t see your email address because it is private. And I can’t send you a message because I can only send to “friends and connections”. But you can download the command line and the error message here:

                ownCloud

                Thanx, André

                (0) 
  6. Former Member

    Hi Bill,

    This is very helpful post..!!

    Has anyone attempted a Linux/Unix version of the script yet?

    Please share if it exists anywhere.

    Thanks

    Vishal

    (0) 
  7. Former Member

    Hello Bill ,

    I could not find the file for regenerating the certificate for SP09+ versions (could you please attach it one more time with steps?); it may help us.

    I tried with the old file but it’s not working.

    Thanks & Regards,
    Kunal Varaiya

    (0) 
    1. Bill Froelich
      Post author

      I have not found a way to attach a file anymore with the new community site.  If I can find a better method to distribute it I will reattach.

      (0) 
    1. Bill Froelich
      Post author

      Brad,

      I don’t have access to user email addresses to be able to send it directly (please do not post your email here). Unfortunately, I still don’t have a permanent way to post the file easily. I will try posting it as a code snippet in this reply. You would need to copy it out to a text editor and save it as a batch file.

      Hopefully this works,

      –Bill

       

      @echo off
      setlocal
       
      REM *******************************************************************************
      REM Define your local environment settings here
      REM
      REM   SMP3ROOT - the location of your SMP3 server installation
      REM   SMPJAVA - the name of the java folder
      REM      pre-SP09 = sapjvm_7
      REM      SP09+ = sapjvm_8
      REM   KEYSTOREFILE - where the SMP certificate is located
      REM      pre-SP08 = smp_keystore.jks
      REM      SP08+ = local_smp_keystore.jks
      REM   CERTINFO - Country, State, City, Organization and Organization Unit
      REM   CERTEMAIL - Contact email for the certificate
      REM *******************************************************************************
      set SMP3ROOT=C:\SAP\MobilePlatform3
      set SMP3JAVA=sapjvm_8
      set KEYSTOREFILE=local_smp_keystore.jks
      REM quoted form so the & in the OU value is not treated as a command separator by cmd
      set "CERTINFO=C=US, ST=IL, L=Chicago, O=SAP, OU=P&I"
      set CERTEMAIL=your_email_here@company.com
      REM *******************************************************************************
       
      set PATH=%SMP3ROOT%\%SMP3JAVA%\bin;%PATH%
       
      echo ================== WARNING ================
      echo This will replace your existing certificate with a new one, 
      echo the old keystore file will be backed up to %KEYSTOREFILE%.backup!
      echo ===========================================
      echo.
      echo -------------------------------------------
      echo Enter FQDN for Certificate
      echo -------------------------------------------
      set /p FQDN=Enter Hostname or IP address for the new SMP3 certificate?
      echo.
      echo Will generate new certificate for %FQDN%
      echo Enter Ctrl-C to abort or
      pause
       
      echo.
      echo -------------------------------------------
      echo.
      set /p KEYSTORE_PW=Enter keystore passphrase:
       
      echo -------------------------------------------
      echo Changing to the SMP3 directory
       
      cd /d %SMP3ROOT%\Server\configuration
       
      echo.
      echo -------------------------------------------
      echo backup existing %KEYSTOREFILE%
      echo -------------------------------------------
      copy %KEYSTOREFILE% %KEYSTOREFILE%.backup
       
      echo -------------------------------------------
      echo remove the old smp_crt certificate
      echo -------------------------------------------
      keytool -keystore %KEYSTOREFILE% -delete -alias smp_crt -storepass %KEYSTORE_PW%
       
      echo -------------------------------------------
      echo create the certificate for smp_crt
      echo -------------------------------------------
      keytool -keystore %KEYSTOREFILE% -genkeypair -keyalg RSA -sigalg SHA256withRSA -validity 3650 -alias smp_crt -dname "%CERTINFO%, CN=%FQDN%, emailAddress=%CERTEMAIL%" -ext BC:ca:true -keypass %KEYSTORE_PW% -storepass %KEYSTORE_PW%
       
      echo -------------------------------------------
      echo export the certificate for clients
      echo -------------------------------------------
      keytool -keystore %KEYSTOREFILE% -export -alias smp_crt -file smp_crt.cer -rfc -storepass %KEYSTORE_PW% -keypass %KEYSTORE_PW%
                     
       
      rem echo -------------------------------------------
      rem echo installing the certificate
      rem echo -------------------------------------------
      rem certmgr.exe -add %SMP3ROOT%\server\configuration\smp_crt.cer -s -r localMachine root
       
      echo -------------------------------------------
      echo completed. review above if there have been errors, else your
      echo keystore has been updated with a new certificate.
      echo -------------------------------------------
       
      pause
      start explorer %SMP3ROOT%\server\configuration
      (0) 
  8. Sandeep Sharma

    Hi Bill ,

    Needed guidance on the certificate change – we have server 1 in PRD, which users are logged on to, and the Agentry app on their devices is synched up.

     

    We are adding 2 more nodes, server 2 and server 3 – for this we generated the cert on server 1, added the FQDN for server 1, 2, 3 and will import it into each server.

    Our concern is whether the change of cert will trigger an initial sync for end users. (Please note our server 1 URL (url1) continues to stay open and the new cluster URL (url2) will be in place too, but the certs have changed.) With the database synced up, I need to make sure that when users transmit data to the back-end they do not get a cert error (as that will be fixed with a client reset, and our initial sync takes 40 min), since users didn’t know that the cluster URL is in place and they would continue to use the app as is and would continue to connect to url1 (unless the client is reset).

    (0) 
