Bill Froelich

Regenerating SMP 3.0 Agentry Certificate

During installation of the SMP 3.0 server, it will automatically generate a self-signed certificate that will be used for Agentry server authentication (among other things).  This certificate will be based on the fully qualified domain name (FQDN) at the time of the installation.  Should this change for any reason or need to reference an external name versus an internal name you will need to regenerate the certificate.

This document outlines the steps needed to regenerate the certificate using the Java keytool utility.  Please note that you will need to know the Keystore password you specified during installation of the SMP 3.0 server to perform these steps.  These commands assume the SMP Java directory is in your path and that you are executing the commands from the C:\SAP\MobilePlatform3\Server\configuration directory.

Note that with the release of SP08 the keystore filename where the certificate is stored has changed.  Please be sure to use the correct keystore name.

Keystore – pre-SP08 = smp_keystore.jks

Keystore – SP08+ = local_smp_keystore.jks

Note that in SP09 the Java version the SMP server uses has changed to Java 8.  As a result I have updated the batch file to set the Java directory name.

The steps are the same, only the file where it is stored has changed in SP08.

  1. Remove the existing certificate
    • keytool -keystore {keystore filename} -delete -alias smp_crt -storepass {keystore password}
  2. Create the new self-signed certificate (edit the dname information to match your organization details)
    • keytool -keystore {keystore filename} -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -dname "{C=country, ST=state, L=city, O=myorg, OU=myorgunit}, CN={New FQDN}, emailAddress={your email address}" -ext BC:ca:true -keypass {keystore password} -storepass {keystore password}
  3. Export the new certificate for use with your Agentry clients
    • keytool -keystore {keystore filename} -export -alias smp_crt -file smp_crt.cer -rfc -storepass {keystore password} -keypass {keystore password}
  4. After executing these commands, restart your SMP 3.0 server to pick up the new certificate
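As an added illustration (not part of the original post and not SMP or keytool code), the Go program below builds the same kind of certificate the keytool steps above produce, using Go's crypto/x509 instead of keytool, and checks an exported smp_crt.cer for the two problems discussed on this page: a CN that is not the name clients connect to (the cause of the "hostname in certificate didn't match" ping error reported in the comments) and SHA1withRSA signing. The host name and subject values are constructed sample data; the emailAddress attribute is omitted, and the SubjectAltName entry is an addition that keytool would only write with -ext SAN=dns:{New FQDN}.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SubjectInfo mirrors the CERTINFO fields of the post's -dname (emailAddress omitted).
type SubjectInfo struct{ Country, State, City, Org, OrgUnit string }

// GenerateSMPCert does what the post's "keytool -genkeypair ... -ext BC:ca:true" step does (a
// self-signed RSA CA cert for CN=fqdn, SHA256withRSA, PEM as with -rfc) plus a DNS SAN (keytool: -ext SAN=dns:fqdn).
func GenerateSMPCert(fqdn string, info SubjectInfo, validityDays int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject: pkix.Name{
			Country: []string{info.Country}, Province: []string{info.State},
			Locality: []string{info.City}, Organization: []string{info.Org},
			OrganizationalUnit: []string{info.OrgUnit}, CommonName: fqdn,
		},
		DNSNames:              []string{fqdn},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, validityDays), // -validity 3650
		SignatureAlgorithm:    x509.SHA256WithRSA,
		BasicConstraintsValid: true, // -ext BC:ca:true
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckSMPCert reads an exported smp_crt.cer and flags the page's two problems: CN/SAN not matching
// the name clients use (the admin cockpit's "hostname in certificate didn't match" error) and SHA-1 signing.
func CheckSMPCert(certPEM []byte, expectedHost string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("not a PEM certificate; export it with keytool -export -rfc")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	matched := strings.EqualFold(cert.Subject.CommonName, expectedHost)
	for _, n := range cert.DNSNames {
		matched = matched || strings.EqualFold(n, expectedHost)
	}
	if !matched {
		return fmt.Errorf("hostname in certificate didn't match: <%s> != <%s>", cert.Subject.CommonName, expectedHost)
	}
	if cert.SignatureAlgorithm == x509.SHA1WithRSA {
		return fmt.Errorf("smp_crt is signed with SHA1withRSA; use SHA256withRSA unless Windows Mobile clients need SHA-1")
	}
	return nil
}
```

Running CheckSMPCert against the real smp_crt.cer with the FQDN clients actually use is a quick way to confirm the regeneration took effect before restarting the server.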

In my case, I frequently need to regenerate my certificates due to changing networks and IP addresses, so I have created the attached batch file to simplify the process.  I simply execute the batch file and it prompts me for the password and new FQDN and performs all the other steps, opening Windows Explorer on the configuration directory at the end so I can easily install, copy or email the new certificate out.

I have also updated the batch file to allow for easily setting the correct keystore name.

To use the batch file:

  1. Download the attached file (unzip if necessary)
  2. Rename from smp3-keygen.txt to smp3-keygen.bat
  3. Edit the smp3-keygen.bat file and set the following variables at the beginning of the file.
    • SMP3ROOT – location of your SMP3 installation
    • SMP3JAVA – directory name of the SMP3 Java folder (sapjvm_7, or sapjvm_8 for SP09+)
    • KEYSTOREFILE – the name of the keystore where the cert will be stored (see above, based on the version of the SMP3 server you are running)
    • CERTINFO – country, state, location, organization, org unit
    • CERTEMAIL – your email address (included in the certificate)
  4. Run the batch file and input your new FQDN or IP address for the certificate
  5. Enter the keystore password
  6. Import or distribute the new certificate

Enjoy!

      33 Comments
      Former Member

      Hi Bill

      Great post!
      Now I have a question 🙂 I'm not that hardcore when it comes to certificates so I might sound like a total tool!

      Initially the default certificate isn't accepted by, for instance, iPads. So I was thinking about creating a cert request and having it signed by Vertias, as it should then just work without the end user having to do anything but use the SAP app, right?

      Do you know how you would go about creating that?

      Best Regards

      Jesper

      Bill Froelich
      Blog Post Author

      In theory yes, you should be able to obtain a certificate signed by a trusted third party and use that on your SMP server which would mean you do not need to install certificates on the devices (iPads).

      I am not sure what you mean by the default certificate isn't accepted by iPads?

      As for the process you would need to work with the third party to provide whatever they are requiring.  I have not gone through this process and expect it may be different for each vendor.  I have only used the self generated / signed certificates.

      If you are having problems getting the certificate to install on the iPad please post a question to the SCN forum and myself or others will try to assist.

      --Bill

      Former Member

      Hi Bill

      Thank you for the reply!

      Bill: "I am not sure what you mean by the default certificate isn't accepted by iPads?"

      All I meant was that in order to get the Agentry app working in my test environment I needed to install the default SMP cert manually on my devices.

      To avoid that in bigger prod environments, I would think it would be easier just to create a cert request using keytool somehow and then get Verisign to sign it. Then I would think that the devices would be able to run the app without any manual work needed.

      Could you please direct me to the correct forum? I'll post my question there and hope someone has been in the same situation.

      -Jesper

      Joel Prefontaine

      I would also like the information posted here, as it makes it challenging to do a production environment with an OpenSSL cert installed on each device. Also, I was informed that wildcard (*.company.com) certificates are also not supported at the Agentry level, which I found out when using 8081 and offloading SSL with F5.  Looking for a simpler way to do this.

      Former Member

      If you get a certificate from a certificate company like Verisign you will not need to install it onto all the clients.

      Stephen

      Former Member

      Hi

      I think people are interested in knowing how they replace the default certificate with a "proper" signed certificate.

      I know there is a lot of info to find on the Service Marketplace about keytool and so on, but most of it is just generic documentation, as in 1000 pages that might help hardcore certificate people, but the rest of us are kinda screwed 🙂

      Joel Prefontaine

      I second that request. Once the 'proper' certificate from an org such as Verisign comes down with a name like agentry.company.com, what is the next step to get this into the Agentry store with the correct aliases? If it's as simple as adding it to the 'trusted root' store and deleting the smp_crt, great, but it usually isn't.

      Former Member

      Anyone who prefers a visual tool for editing the key store, check out KeyStore Explorer - Home.

      Sudhir Lenka

      Thank you so much, Bill, for such a nice document. It helped me.

      I have a question here.

      In the case of a cluster environment (let's say Prod-1 & Prod-2), do I need to generate the certificate on one of the nodes (Prod-1) and paste the same custom certificate on the other node (Prod-2)? Or do I need to export the key from the primary node (Prod-1) and import it into the secondary node (Prod-2), as we do in the case of SMP 2.3 through AgentryKeyUtility?

      Former Member

      The AgentryKeyUtility is not for the certificate that is used in client-server encryption.  This was more for making sure the servers use the same internal encryption key.

      Jitendra Kansal

      Really helpful document. 🙂

      I was facing an error while pinging the application ID in the Admin cockpit saying

      Backend system cannot be reached:::Root cause:::Exception during connection execute:hostname in certificate didn't match:<localhost>!=<jk.guest.tp.custservice.de>

      (where 'jk' is my laptop host name)

      After doing some research, I came to know that the smp_crt certificate has the value "jk.guest.tp.custservice.de" for the CN key, which is causing this issue, and the PING call is looking for the smp_crt alias, which should have CN value=jk (hostname).

      With the help of the steps mentioned in this doc, I am able to change the CN and the ping is working successfully.

      Last week I did a fresh installation of SMP3 SP06 on my laptop; during installation I selected the country as 'INDIA', but my current location is in GERMANY.

      Bill Froelich

      By default, the CN value of smp_crt should be the system host name. Could this be the reason for the automatic renaming of the smp_crt CN value, as my laptop was connected to the internet (German ISP) during installation?

      Regards,

      JK

      Bill Froelich
      Blog Post Author

      Correct.  The smp_crt will be generated with the fully qualified domain name (FQDN) of the system at the time of installation.

      --Bill

      Artsrun Ohanyan

      You need to generate the SMP3 Server certificate using the SHA1withRSA signature algorithm when you are using Agentry Client for Windows Mobile.

      If you are not using Windows Mobile and wish to generate a certificate using the stronger signing algorithm, just change "SHA1withRSA" in the instructions to "SHA256withRSA".

      Former Member

      Hi Bill,

      We use SMP 3.0 Server SP08 and are trying to use your script. The first step (backing up the certificate) is OK. But in the second one (creating the new certificate) we get an error: "unknown operation -ext".

      What are we doing wrong?

      Thanks André

      Artsrun Ohanyan

      The SMP3 SP08 Server certificate (alias name: smp_crt) is now stored separately in local_smp_keystore.jks instead of smp_keystore.jks.

      Please attach the command line you run, and the error message you see, in case you still have any issues.

      Former Member

      Hi,

      Here is the key_gen.bat as text (I don't know how I can insert files) and the error from the command tool.

      Error: (screenshot: /wp-content/uploads/2015/07/key_error_751731.png)

      Script:

      @echo off
      setlocal
      REM ********************************************
      REM Define your local environment settings here
      REM ********************************************
      set SMP3ROOT=C:\SAP\MobilePlatform3
      set CERTINFO=C=DE, ST=DE, L=DRE, O=Consultant, OU=Global PS
      set CERTEMAIL=info@consultant.de
      REM ********************************************
      set PATH=%SMPROOT%\sapjvm_7\bin;%PATH%
      echo ================== WARNING ================
      echo This will replace your existing certificate with a new one, 
      echo the old keystore file will be backed up to locale_smp_keystore.jks.backup!
      echo ===========================================
      echo.
      echo -------------------------------------------
      echo Enter FQDN for Certificate
      echo -------------------------------------------
      set /p FQDN=Enter Hostname or IP address for the new SMP3 certificate?
      echo.
      echo Will generate new certificate for %FQDN%
      echo Enter Ctrl-C to abort or
      pause
      echo.
      echo -------------------------------------------
      echo.
      set /p KEYSTORE_PW=Enter keystore passphrase:
      echo -------------------------------------------c
      echo Changing to the SMP3 directory
      cd /d %SMP3ROOT%\Server\configuration
      echo.
      echo -------------------------------------------
      echo backup existing locale_smp_keystore.jks
      echo -------------------------------------------
      copy locale_smp_keystore.jks locale_smp_keystore.jks.backup
      echo -------------------------------------------
      echo remove the old smp_crt certificate
      echo -------------------------------------------
      keytool -keystore local_smp_keystore.jks -delete -alias smp_crt -storepass %KEYSTORE_PW%
      echo -------------------------------------------
      echo create the certificate for smp_crt
      echo -------------------------------------------
      keytool -keystore local_smp_keystore.jks -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -ext BC:ca:true -dname "%CERTINFO%, CN=%FQDN%, emailAddress=%CERTEMAIL%" -keypass %KEYSTORE_PW% -storepass %KEYSTORE_PW%
      echo -------------------------------------------
      echo export the certificate for clients
      echo -------------------------------------------
      keytool -keystore local_smp_keystore.jks -export -alias smp_crt -file smp_crt.cer -rfc -storepass %KEYSTORE_PW% -keypass %KEYSTORE_PW%
      echo -------------------------------------------
      echo completed. review above if there have been errors, else your
      echo keystore has been updated with a new certificate.
      echo -------------------------------------------
      pause
      start explorer %SMP3ROOT%\server\configuration

      Thanks,

      André

      Artsrun Ohanyan

      Hi,

      The certificate store file name is local_smp_keystore.jks, and not locale_smp_keystore.jks.

      Regards,

      Artsrun

      Former Member

      OK,

      That's right, but this changed nothing. The wrong spelling was only at the backup step. The error still exists.

      André

      Artsrun Ohanyan

      Hi André,

      Please send the command line you run, and the error message you see, to my personal e-mail, and I'll investigate.

      Former Member

      Hi Artsrun,

      I can't see your email address because it is private. And I can't send you a message because I can only send to "friends and connections". But you can download the command line and the error message here:

      ownCloud

      Thanx, André

      Former Member

      Hi Bill,

      This is a very helpful post!!

      Has anyone attempted a Linux/Unix version of the script yet?

      Please share if it exists anywhere.

      Thanks

      Vishal

      Bill Froelich
      Blog Post Author

      I updated the batch file to fix a typo in setting the path and make modifications for SP09 java change support.

      Former Member

      Hello Bill ,

      I could not find the file for the SP09+ version for regenerating the certificate (could you please attach it one more time with the steps?). It may help us.

      I tried with the old file but it's not working.

      Thanks & Regards,
      Kunal Varaiya

      Former Member

      Hi,

      I couldn't find the files required to regenerate the certificate.
      Could you let me know where I can get the keystore files.

      Regards,
      SN

      Ranjith Lingala

      Hi Shilpa,

      Did you get the files for the above discussion? If yes, please share them with me. I didn't find any attachments in this blog.

      Emanuele Matino

      Hello Bill,

      The attachment isn't there anymore.

      Please can you attach it again?

      Thanks.

      Former Member

      Hi Bill,

      Please upload the mentioned bat file as attachment.

      Thanks,

      Shailesh

      Bill Froelich
      Blog Post Author

      I have not found a way to attach a file anymore with the new community site.  If I can find a better method to distribute it I will reattach.

      Brad Cadden

      Hi Bill,

      Thanks for the informative post.

      Can you send me the batch file?

      Best regards,

      Brad

      Bill Froelich
      Blog Post Author

      Brad,

      I don't have access to user email addresses to be able to send it directly (please do not post your email here).  Unfortunately, I still don't have a permanent way to post the file easily.  I will try posting it as a code snippet on this reply.  You would need to copy it out to a text editor and save it as a batch file.

      Hopefully this works,

      --Bill

      @echo off
      setlocal
       
      REM *******************************************************************************
      REM Define your local environment settings here
      REM
      REM   SMP3ROOT - the location of your SMP3 server installation
      REM   SMPJAVA - the name of the java folder
      REM      pre-SP09 = sapjvm_7
      REM      SP09+ = sapjvm_8
      REM   KEYSTOREFILE - where the SMP certificate is located
      REM      pre-SP08 = smp_keystore.jks
      REM      SP08+ = local_smp_keystore.jks
      REM   CERTINFO - Country, State, City, Organization and Organization Unit
      REM   CERTEMAIL - Contact email for the certificate
      REM *******************************************************************************
      set SMP3ROOT=C:\SAP\MobilePlatform3
      set SMP3JAVA=sapjvm_8
      set KEYSTOREFILE=local_smp_keystore.jks
      set CERTINFO=C=US, ST=IL, L=Chicago, O=SAP, OU=P&I
      set CERTEMAIL=your_email_here@company.com
      REM *******************************************************************************
       
      set PATH=%SMP3ROOT%\%SMP3JAVA%\bin;%PATH%
       
      echo ================== WARNING ================
      echo This will replace your existing certificate with a new one, 
      echo the old keystore file will be backed up to %KEYSTOREFILE%.backup!
      echo ===========================================
      echo.
      echo -------------------------------------------
      echo Enter FQDN for Certificate
      echo -------------------------------------------
      set /p FQDN=Enter Hostname or IP address for the new SMP3 certificate?
      echo.
      echo Will generate new certificate for %FQDN%
      echo Enter Ctrl-C to abort or
      pause
       
      echo.
      echo -------------------------------------------
      echo.
      set /p KEYSTORE_PW=Enter keystore passphrase:
       
      echo -------------------------------------------
      echo Changing to the SMP3 directory
       
      cd /d %SMP3ROOT%\Server\configuration
       
      echo.
      echo -------------------------------------------
      echo backup existing %KEYSTOREFILE%
      echo -------------------------------------------
      copy %KEYSTOREFILE% %KEYSTOREFILE%.backup
       
      echo -------------------------------------------
      echo remove the old smp_crt certificate
      echo -------------------------------------------
      keytool -keystore %KEYSTOREFILE% -delete -alias smp_crt -storepass %KEYSTORE_PW%
       
      echo -------------------------------------------
      echo create the certificate for smp_crt
      echo -------------------------------------------
      keytool -keystore %KEYSTOREFILE% -genkeypair -keyalg RSA -sigalg SHA256withRSA -validity 3650 -alias smp_crt -dname "%CERTINFO%, CN=%FQDN%, emailAddress=%CERTEMAIL%" -ext BC:ca:true -keypass %KEYSTORE_PW% -storepass %KEYSTORE_PW%
       
      echo -------------------------------------------
      echo export the certificate for clients
      echo -------------------------------------------
      keytool -keystore %KEYSTOREFILE% -export -alias smp_crt -file smp_crt.cer -rfc -storepass %KEYSTORE_PW% -keypass %KEYSTORE_PW%
                     
       
      rem echo -------------------------------------------
      rem echo installing the certificate
      rem echo -------------------------------------------
      rem certmgr.exe -add %SMP3ROOT%\server\configuration\smp_crt.cer -s -r localMachine root
       
      echo -------------------------------------------
      echo completed. review above if there have been errors, else your
      echo keystore has been updated with a new certificate.
      echo -------------------------------------------
       
      pause
      start explorer %SMP3ROOT%\server\configuration

      Sandeep Sharma

      Hi Bill ,

      Needed guidance on the certificate change - we have server 1 in PRD, which users are logged on to, and the Agentry app on their devices is synced up.

      We are adding 2 more nodes, server 2 and server 3. For this we generated the cert on server 1, added the FQDNs for servers 1, 2 and 3, and will import it into each server.

      Our concern is whether the change of cert will trigger an initial sync for end users. (Please note our server 1 URL (url1) continues to stay open and the new cluster URL (url2) will be in place too, but the certs have changed.) With the database synced up, I need to make sure that users, when they transmit data to the back end, do not get a cert error (as that would be fixed with a client reset, and our initial sync takes 40 min), since users don't know that the cluster URL is in place and would continue to use the app as is and connect to url1 (unless the client is reset).

      Jonathan Wilson

      Hi Bill,

      Do you have any specific commands for where the certificate needs to be signed by a CA rather than being self-signed?

      Thanks,

      Ajay

      Bill Froelich
      Blog Post Author

      Not really, but at a high level you would need to generate a signing request and send it to the CA.  There are a number of sites on the Internet with step-by-step guides for that process. When you get the certificate back you would then import it into the keystore under the smp_crt alias.