As you know, Tomcat is the embedded web application server in B1if. This document guides you through generating and installing an SSL certificate for B1if, which resolves the "invalid certificate" warning shown when accessing B1if over HTTPS in the browser.
To enable a secure HTTPS connection to a web application hosted in Tomcat, an SSL connector needs to be configured in Tomcat. For more detail about the SSL configuration in Tomcat 7.0, refer to this link: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
The embedded Tomcat in the Integration framework of SAP Business One is enabled by default for HTTPS connections on port 8443 during its installation. You can connect to B1if over HTTPS in a browser with the URL below: HTTPS://<Your_B1if_Server>:8443/B1iXcellerator/exec/dummy/com.sap.b1ip.system.cc/bfd/AdminConsole.bf...
The browser will likely pop up a warning about “Invalid Certificate” and ask whether you want to proceed. You can ignore this error and proceed in the browser. To resolve this error, you need to generate a valid certificate for the B1if server and install it on the client machine, where you open B1if or where your client application connects to the B1if Web Service with HTTPS.
Similarly, without a valid certificate installed, you will get the error “Unable to setup the SSL connection” when your DotNet application connects to a B1if Web Service with Basic Secure Authentication.
In the configuration file of your B1if ($Your_B1if_Installation_Path/IntegrationServer/Tomcat/conf/server.xml), you can find the configuration section for its default secure HTTPS connector on port 8443.
<!-- Define an SSL HTTP/1.1 Connector on port 8443. This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="200" scheme="HTTPS" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="./webapps/B1iXcellerator/.keystore" keyAlias="tomcat" keystorePass="*******" server=" "/>
The important default configurations of SSL connector from SAP are:
All this default configuration is set up during B1if installation.
Please find the definitions from Wikipedia below for your reference:
HTTPS: HTTP Secure - Wikipedia, the free encyclopedia
SSL/TLS: Transport Layer Security - Wikipedia, the free encyclopedia
Keystore: http://en.wikipedia.org/wiki/Keystore
Public/Private Key: Public-key cryptography - Wikipedia, the free encyclopedia
Certificate: Public key certificate - Wikipedia, the free encyclopedia
This is optional. Apply the instructions below only if you would like to use your own keystore and keystorePass for the Tomcat of your B1if rather than the default settings from SAP. The B1if Tomcat uses a Java keystore to store the private key and certificate.
keytool is a key and certificate management utility in JDK (%JAVA_HOME%\bin\keytool). It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.
More detail about keytool can be found here: http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
Command to generate key store with JKS type for B1if:
keytool -genkeypair -alias tomcat -validity 3650 -keyalg RSA -dname "cn=<Your_B1if_Server>, ou=B1i, o=SAP, c=DE" -storetype jks -keystore <Your_Working_Folder>\B1i.keystore -keypass <new password for private key> -storepass <new password for keystore>
Important notes:
For example:
keytool -genkeypair -alias tomcat -validity 3650 -keyalg RSA -dname "cn=MELV50804327B, ou=B1i, o=SAP, c=DE" -storetype jks -keystore "C:\Program Files (x86)\SAP\Integration Framework for SAP Business One 9.0\IntegrationServer\Tomcat\webapps\B1iXcellerator\B1i.keystore" -keypass mykeypass -storepass mystorepass
This generates a JKS keystore file named “B1i.keystore”, valid for 10 years, for my B1if server named “MELV50804327B”.
2. Copy the keystore file to the B1iXcellerator folder
<<$Your_B1if_Installation_Path/IntegrationServer/Tomcat/webapps/B1iXcellerator/>>
You may skip this step if the keystore file was already written to the <</B1iXcellerator/>> folder.
3. Update the keystoreFile and keystorePass fields accordingly in the secure connector section for port 8443 (shown above) in the configuration file <<server.xml>>
keystoreFile="./webapps/B1iXcellerator/B1i.keystore" keyAlias="tomcat" keystorePass="<Your Keystore Password>"
4. Restart the Integration Service of SAP Business One from Windows Services.
As a result, your keystoreFile and keystorePass are now used by Tomcat.
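A quick way to check the connector edited in step 3, for example when the service does not come up on port 8443 after the restart: the script below reads the connector from server.xml and reports a wrong alias, a missing password, or a keystore path that does not resolve. It is an added example, not part of the original post or of SAP's tooling; the function name check_ssl_connector, the sample XML and its placeholder password are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the connector from this page after step 3 (placeholder password).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="./webapps/B1iXcellerator/B1i.keystore"
             keyAlias="tomcat" keystorePass="example-only"/>
</Service></Server>"""


def check_ssl_connector(server_xml_text, tomcat_base, port="8443",
                        expected_alias="tomcat"):
    """Return a list of problems found in the SSL connector for `port`."""
    root = ET.fromstring(server_xml_text)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return ["no Connector defined for port " + port]
    conn, problems = connectors[0], []
    if conn.get("SSLEnabled", "").lower() != "true":
        problems.append("SSLEnabled is not true")
    if conn.get("keyAlias") != expected_alias:
        problems.append("keyAlias %r does not match keytool -alias %r"
                        % (conn.get("keyAlias"), expected_alias))
    if not conn.get("keystorePass"):
        problems.append("keystorePass is missing")
    keystore = conn.get("keystoreFile")
    if not keystore:
        problems.append("keystoreFile is missing")
    else:
        # A relative keystoreFile is resolved against the Tomcat base directory.
        path = keystore if os.path.isabs(keystore) else os.path.join(tomcat_base, keystore)
        if not os.path.isfile(path):
            problems.append("keystore not found: " + os.path.normpath(path))
    return problems


if __name__ == "__main__":
    # Temporary directory stands in for .../IntegrationServer/Tomcat
    with tempfile.TemporaryDirectory() as base:
        print(check_ssl_connector(SAMPLE_SERVER_XML, base))  # keystore not copied yet
```

Run it against the real file by passing the contents of conf/server.xml and the Tomcat folder of your B1if installation as tomcat_base.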
Command to export the certificate:
keytool -exportcert -alias tomcat -file <Your_Working_Folder>\B1i.cer -keystore <B1i keystore file path> -storetype jks -storepass <Your key store password>
Install the certificate:
Then copy the certificate file named B1i.cer to the client machine or B1if server machine where your DotNet application consuming the B1if Web Service is running, or where you would like to access B1if over HTTPS in a browser.
Double-click the file to install the certificate, choosing the Trusted Root option in the wizard.
Now you can open B1if in the browser over HTTPS; there should be no more warning about “Invalid certificate”.
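Because the file is installed as a trusted root, it is worth confirming that the copied B1i.cer is exactly the certificate the B1if server presents on port 8443. The script below is an added example, not part of the original post; its function names are illustrative. It accepts both the binary file that keytool -exportcert writes and the PEM form produced with -rfc, and prints SHA-256 fingerprints in the colon-separated form that keytool -printcert -file B1i.cer shows.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def load_cert_der(data):
    """Return DER bytes from a .cer file that is either DER or PEM (-rfc)."""
    text = data.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text)
    return data


def fingerprint(der):
    """SHA-256 fingerprint, upper-case hex bytes separated by colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_cert_der(host, port=8443):
    """Fetch the certificate the server presents, without validating it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def matches_server(cer_path, host, port=8443):
    """True if the exported file is exactly the certificate served on host:port."""
    with open(cer_path, "rb") as fh:
        exported = fingerprint(load_cert_der(fh.read()))
    return exported == fingerprint(served_cert_der(host, port))


if __name__ == "__main__":
    import sys
    cer, host = sys.argv[1], sys.argv[2]   # e.g. B1i.cer <Your_B1if_Server>
    with open(cer, "rb") as fh:
        print("file  :", fingerprint(load_cert_der(fh.read())))
    print("server:", fingerprint(served_cert_der(host)))
```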