How to generate and install an SSL certificate for the B1if Tomcat?
As you know, Tomcat is the embedded web application server in B1if. This document guides you through generating and installing an SSL certificate for B1if, which resolves the “invalid certificate” warning shown when you access B1if over HTTPS in the browser.
To enable a secure HTTPS connection to a web application hosted in Tomcat, an SSL connector needs to be configured in Tomcat. For more detail about SSL configuration in Tomcat 7.0, refer to this link: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
The Tomcat embedded in the Integration Framework of SAP Business One is enabled for HTTPS on port 8443 by default during installation. You can connect to B1if over HTTPS in the browser with the URL below: HTTPS://<Your_B1if_Server>:8443/B1iXcellerator/exec/dummy/com.sap.b1ip.system.cc/bfd/AdminConsole.bfd?!defdoc=/com.sap.b1i.vplatform.ide/ui/vIDE.xml
The browser will most likely pop up an “Invalid Certificate” warning and ask whether you want to proceed. You can ignore this warning and proceed in the browser. To resolve it, you need to generate a valid certificate for the B1if server and install it on the client machine, i.e. where you open B1if in the browser or where your client application connects to the B1if Web Service over HTTPS.
Similarly, without a valid certificate installed, your DotNet application will get the error “Unable to setup the SSL connection” when it connects to a B1if Web Service with Basic Secure Authentication.
In the B1if configuration file ($Your_B1if_Installation_Path/IntegrationServer/Tomcat/conf/server.xml), you can find the configuration section for its default secure HTTPS connector on port 8443:
<!-- Define a SSL HTTP/1.1 Connector on port 8443. This connector uses the JSSE configuration; when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="200" scheme="HTTPS" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="./webapps/B1iXcellerator/.keystore" keyAlias="tomcat" keystorePass="*******"
           server=" "/>
The important default settings of the SSL connector from SAP are:
- keystore file of B1if
All of these defaults are set up during B1if installation.
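As an added example that is not part of the original document, the script below reads a server.xml and checks the HTTPS connector on port 8443 for the settings discussed above: the keystoreFile must resolve (Tomcat resolves a relative path against its base directory), keyAlias must be set, keystorePass must not be the masked placeholder or the Tomcat default, and secure/scheme/sslProtocol must be consistent. The server.xml text and the Tomcat directory /opt/b1if/IntegrationServer/Tomcat are constructed for the example; point the script at your real file and installation path.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed server.xml modelled on the B1if default connector shown above; the
# password is masked exactly as on the page, which is what the check should flag.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="200" scheme="HTTPS" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="./webapps/B1iXcellerator/.keystore" keyAlias="tomcat"
               keystorePass="*******" server=" "/>
  </Service>
</Server>
"""

# Hypothetical Tomcat base directory of a B1if installation (an assumption for the example).
TOMCAT_DIR = "/opt/b1if/IntegrationServer/Tomcat"


def find_ssl_connector(xml_text, port="8443"):
    """Return the attribute dict of the SSL-enabled Connector on `port`, or None."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port and conn.get("SSLEnabled", "").lower() == "true":
            return dict(conn.attrib)
    return None


def resolve_keystore(keystore_file, tomcat_dir):
    """Tomcat resolves a relative keystoreFile against its base directory."""
    if os.path.isabs(keystore_file):
        return os.path.normpath(keystore_file)
    return os.path.normpath(os.path.join(tomcat_dir, keystore_file))


def check_ssl_connector(xml_text, tomcat_dir, port="8443", existing_files=None):
    """Return a list of (code, message) findings for the HTTPS connector.

    `existing_files` lets a caller supply the set of paths that exist (used by tests);
    when it is None the real filesystem is consulted."""
    attrs = find_ssl_connector(xml_text, port)
    if attrs is None:
        return [("NO_SSL_CONNECTOR", f'no Connector with port="{port}" and SSLEnabled="true"')]
    findings = []
    if attrs.get("secure", "").lower() != "true":
        findings.append(("NOT_SECURE", 'secure="true" is missing; requests would not be treated as HTTPS'))
    scheme = attrs.get("scheme", "")
    if scheme.lower() != "https":
        findings.append(("SCHEME", f"scheme should be https, found '{scheme}'"))
    proto = attrs.get("sslProtocol", "TLS")
    if proto.upper().startswith("SSL"):
        findings.append(("LEGACY_SSL", f"sslProtocol='{proto}' selects an obsolete SSL version; use TLS"))
    keystore = attrs.get("keystoreFile")
    if not keystore:
        findings.append(("NO_KEYSTORE", "keystoreFile is not set"))
    else:
        path = resolve_keystore(keystore, tomcat_dir)
        exists = path in existing_files if existing_files is not None else os.path.isfile(path)
        if not exists:
            findings.append(("KEYSTORE_MISSING", f"keystore not found at {path}"))
    if not attrs.get("keyAlias"):
        findings.append(("NO_ALIAS", "keyAlias is not set; Tomcat would use the first key in the keystore"))
    password = attrs.get("keystorePass", "")
    # keytool -genkeypair takes separate -keypass and -storepass values; when the
    # connector has no keyPass attribute, Tomcat uses keystorePass for the key as well.
    if not password or set(password) == {"*"} or password == "changeit":
        findings.append(("PLACEHOLDER_PASSWORD", "keystorePass is empty, masked or still the Tomcat default"))
    return findings


if __name__ == "__main__":
    # Usage: python check_connector.py <path to server.xml> <tomcat dir>
    # With no arguments the constructed sample above is checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = check_ssl_connector(fh.read(), sys.argv[2])
    else:
        results = check_ssl_connector(SAMPLE_SERVER_XML, TOMCAT_DIR)
    for code, message in results:
        print(f"{code}: {message}")
    print("OK" if not results else f"{len(results)} finding(s)")
```

Run against the constructed sample it reports the masked password and, unless the keystore really exists under the given Tomcat directory, the missing keystore file; an empty result means the connector is at least internally consistent, which is worth confirming before restarting the Integration Service after editing server.xml.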
What are HTTPS, SSL/TLS, keystore, public key/private key, and certificate?
Please find the definitions from Wikipedia below for your reference:
Public/Private Key: Public-key cryptography – Wikipedia, the free encyclopedia
How to generate your own keystore with keystorePass and apply it to the Tomcat of your B1if instead of the default settings from SAP?
This is optional. Follow the instructions below only if you would like to use your own keystore and keystorePass for the Tomcat of your B1if rather than the default settings from SAP. The B1if Tomcat uses a Java keystore to store the private key and certificate.
1. Generate your own keystore of type JKS (Java KeyStore) with keytool.
keytool is the key and certificate management utility in the JDK (%JAVA_HOME%\bin\keytool). It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.
More detail about keytool can be found here: http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
Command to generate a keystore of type JKS for B1if:
keytool -genkeypair -alias tomcat -validity 3650 -keyalg RSA -dname "cn=<Your_B1if_Server>, ou=B1i, o=SAP, c=DE" -storetype jks -keystore <Your_Working_Folder>\B1i.keystore -keypass <new password for private key> -storepass <new password for keystore>
Important notes:
- cn (common name) should be replaced with your B1if server name or IP, exactly as you will use it afterwards in the browser or in the DotNet client application.
- Remember your keypass and storepass passwords; they are needed afterwards to export the certificate.
Example:
keytool -genkeypair -alias tomcat -validity 3650 -keyalg RSA -dname "cn=MELV50804327B, ou=B1i, o=SAP, c=DE" -storetype jks -keystore "C:\Program Files (x86)\SAP\Integration Framework for SAP Business One 9.0\IntegrationServer\Tomcat\webapps\B1iXcellerator\B1i.keystore" -keypass mykeypass -storepass mystorepass
With this command, a JKS keystore file named “B1i.keystore” valid for 10 years is generated for my B1if server “MELV50804327B”, written directly into the B1iXcellerator folder under the Tomcat webapps.
2. Copy the keystore file to the B1iXcellerator folder (IntegrationServer/Tomcat/webapps/B1iXcellerator under your B1if installation path).
You may skip this step if the keystore file was already written to the B1iXcellerator folder, as in the example above.
3. Update the keystoreFile and keystorePass attributes accordingly in the secure connector section for port 8443 in server.xml mentioned above:
keystoreFile="./webapps/B1iXcellerator/B1i.keystore" keyAlias="tomcat" keystorePass="<Your Keystore Password>"
4. Restart the Integration Service of SAP Business One from Windows Services.
As a result, Tomcat now uses your keystoreFile and keystorePass.
How to export the certificate from the B1if Tomcat and install it on the client machine?
Command to export the certificate:
keytool -exportcert -alias tomcat -file <Your_Working_Folder>\B1i.cer -keystore <B1i keystore file path> -storetype jks -storepass <Your key store password>
- <B1i keystore file path>: if you have already generated and configured your own keystore in B1if, use your own keystore. Otherwise use the default keystore from SAP (replace “*******” with the actual password): keystoreFile="./webapps/B1iXcellerator/.keystore" keyAlias="tomcat" keystorePass="*******"
- <Your key store password>: as above.
Install the certificate:
Copy the certificate file B1i.cer to the client machine or the B1if server machine, i.e. wherever your DotNet application consuming the B1if Web Service runs, or where you access B1if over HTTPS in the browser.
Double-click the file and install the certificate with the Trusted Root option in the import wizard.
Now you can open B1if in the browser over HTTPS without the “Invalid certificate” warning.
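As an added example that is not part of the original document, the script below does from a client what the browser and the DotNet application do after the certificate is installed: it trusts only the exported B1i.cer, connects to the B1if HTTPS port and checks that the certificate is issued for the host name used in the URL and is not about to expire. It assumes a B1i.cer file next to the script and the server name MELV50804327B from the keytool example; the peer-certificate dict used for the offline checks is constructed in the shape that Python's ssl module returns. keytool -exportcert writes binary DER unless -rfc is given, so the loader accepts both DER and PEM; it also reports whether the certificate carries a Subject Alternative Name, which current browsers require in addition to the cn.

```python
import socket
import ssl
import time

# Constructed peer-certificate dict in the shape returned by ssl.SSLSocket.getpeercert(),
# modelled on the -dname used in the keytool example above (server name MELV50804327B).
SAMPLE_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "SAP"),),
        (("organizationalUnitName", "B1i"),),
        (("commonName", "MELV50804327B"),),
    ),
    "subjectAltName": (("DNS", "MELV50804327B"),),
    "notBefore": "Jan  5 09:34:43 2018 GMT",
    "notAfter": "Jan  5 09:34:43 2028 GMT",
}


def load_trust_context(cert_path):
    """Client context that trusts only the exported B1i certificate.

    keytool -exportcert writes binary DER unless -rfc is given, while cafile=
    expects PEM; reading the file and passing it as cadata accepts both forms."""
    with open(cert_path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        ctx = ssl.create_default_context(cadata=data.decode("ascii"))
    else:
        ctx = ssl.create_default_context(cadata=data)
    ctx.check_hostname = True  # the default, stated explicitly: CN/SAN must match the URL host
    return ctx


def dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN.
    Returns (names, from_san); browsers now require the SAN form."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names, True
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return cns, False


def hostname_matches(cert, host):
    """Exact or single-label wildcard match, case-insensitive."""
    host = host.lower()
    for name in dns_names(cert)[0]:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def cert_report(cert, host, now=None):
    """Summarise what a client checks before trusting this certificate for `host`."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    names, from_san = dns_names(cert)
    return {
        "hostname_ok": hostname_matches(cert, host),
        "san_present": from_san,
        "names": names,
        "days_left": int((expires - now) // 86400),
    }


def probe_b1if(host, port=8443, cert_path="B1i.cer", timeout=5.0):
    """Connect to the B1if HTTPS port with B1i.cer as the only trust anchor."""
    ctx = load_trust_context(cert_path)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report = cert_report(tls.getpeercert(), host)
                report.update(verified=True, tls_version=tls.version())
                return report
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or CN/SAN mismatch all land here.
        return {"verified": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "MELV50804327B"
    cert_file = sys.argv[2] if len(sys.argv) > 2 else "B1i.cer"
    print(probe_b1if(server, cert_path=cert_file))
```

Usage: python probe_b1if.py <Your_B1if_Server> B1i.cer. A result with "verified": false and a hostname error means the cn (or SAN) in the keystore does not match the host you use in the URL, which is the same situation that leaves the browser warning in place; the fix is to regenerate the keystore with the correct cn rather than to switch off certificate verification in the client.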