How to change SMP3 Keystore and Truststore Passwords
During SMP3 installation we provide a keystore password to protect the SMP3 Keystore and Truststore locations. This Keystore password should be the same as the private key passwords of all the aliases in the Keystore.
All the Keystore and Truststore information is held in a single file, smp_keystore.jks (E:\SAP\MobilePlatform3\Server\configuration).
Keystore: The location where encryption keys, digital certificates and other credentials are stored (either encrypted or unencrypted keystore file types) for SAP Mobile Platform runtime components.
Truststore: The location where Certificate Authority (CA) signing certificates are stored.
Pre-requisite: Make sure to back up this file (C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks)
Steps:
1. First change the Keystore password by running the below command
E:\SAP\MobilePlatform3\Server\configuration>keytool -storepasswd -new s4pAdmin -keystore smp_keystore.jks
(Where s4pAdmin is the ‘new password’)
- At prompt, enter the current password. (for me, it’s s3pAdmin)
2. The passwords of the private keys in the Keystore have to be changed one by one. By default, there are 2 private key alias entries in the SMP Keystore file: smp_crt and tomcat.
2.1 To change the password for alias entry smp_crt, run the below command:
E:\SAP\MobilePlatform3\Server\configuration>keytool -keypasswd -alias smp_crt -new s4pAdmin -keystore smp_keystore.jks
Keystore password: s4pAdmin (new keystore password as per step #1)
Enter key password for <smp_crt> : s3pAdmin (current password)
2.2 To change the password for alias entry tomcat, run the below command:
E:\SAP\MobilePlatform3\Server\configuration>keytool -keypasswd -alias tomcat -new s4pAdmin -keystore smp_keystore.jks
Keystore password: s4pAdmin (new keystore password as per step #1)
Enter key password for <tomcat> : s3pAdmin (current password)
3. Now, we need to configure the SMP to recognize the new password:
3.1 We have to encrypt the new password, using the secret key obtained from the -DsecretKey property (E:\SAP\MobilePlatform3\Server\props.ini)
3.2 Run the below command:
java -jar tools\cipher\CLIEncrypter.jar <secretKey> <newPassword>
E:\SAP\MobilePlatform3\Server>java -jar tools\cipher\CLIEncrypter.jar Vv4bm3LniE s4pAdmin
3.3 Open the com.sap.mobile.platform.server.foundation.config.encryption.properties file available at E:\SAP\MobilePlatform3\Server\config_master\com.sap.mobile.platform.server.foundation.config.encryption
- Here we need to update privateKeystorePass, replacing the existing password with the new encrypted password and keeping {enc} as the prefix.
- Save the changes.
- Restart the server for the changes to take effect.
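A read-only check of the result of steps 1 to 3, as an added example that is not part of the original post or of SAP's tooling. It assumes keytool is on the PATH and supports the `:env` password modifier, that the properties file uses key=value lines, and it uses a hypothetical environment variable name, SMP_KS_PASS; the password is prompted for rather than typed on the command line.

```powershell
# Added example: read-only check after steps 1-3; nothing in the keystore is changed.
$keystore = 'E:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks'   # path from the article
$aliases  = 'smp_crt', 'tomcat'                                              # default aliases from step 2
$propsDir = 'E:\SAP\MobilePlatform3\Server\config_master\com.sap.mobile.platform.server.foundation.config.encryption'
$props    = Join-Path $propsDir 'com.sap.mobile.platform.server.foundation.config.encryption.properties'

# Prompt for the new password so it never appears on a command line or in shell history.
$secure = Read-Host 'New keystore password' -AsSecureString
# SMP_KS_PASS is a hypothetical variable name; keytool reads it through the :env modifier.
$env:SMP_KS_PASS = (New-Object System.Net.NetworkCredential('', $secure)).Password
$store  = '-keystore', $keystore, '-storepass:env', 'SMP_KS_PASS'
$failed = @()

try {
    # Step 1 check: -list only succeeds if the store password is correct.
    & keytool -list @store 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += 'keystore password' }

    # Step 2 check: -certreq has to recover the private key, so it fails
    # when an alias still carries the old key password. The CSR is discarded.
    foreach ($alias in $aliases) {
        & keytool -certreq -alias $alias @store '-keypass:env' 'SMP_KS_PASS' 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed += "key password for alias $alias" }
    }
}
finally {
    # Do not leave the password in the session environment.
    Remove-Item Env:\SMP_KS_PASS -ErrorAction SilentlyContinue
}

# Step 3 check (assumes key=value lines): the entry must hold an {enc}-prefixed value.
$entry = Select-String -Path $props -Pattern '^\s*privateKeystorePass\s*=\s*\{enc\}\S+' -Quiet
if (-not $entry) { $failed += 'privateKeystorePass is missing or not {enc}-prefixed' }

if ($failed) { $failed | ForEach-Object { Write-Warning "Mismatch: $_" }; exit 1 }
Write-Output 'Store and key passwords match; privateKeystorePass holds an {enc} value.'
```

The last check confirms only the {enc} prefix, not that the encrypted value corresponds to the new password; that is confirmed by the server starting cleanly after the restart.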
Tips:
To verify that the above changes have taken effect, you can open the Keystore file with KeyStore Explorer.
(A) To verify the Keystore password:
(B) To verify the password of the aliases smp_crt and tomcat:
- Open KeyStore Explorer, right-click smp_crt > View Details > Private Key Details > Enter new password
- If password is wrong, you would see an error message like below:
I hope it helps.
Regards,
JK
(@jkkansal1987)
Nice document.
Hi JK.
I am getting the following error when importing a certificate in the keystore:
keytool error: java.io.IOException: Keystore was tampered with, or password was
incorrect
So my opinion is that the password is not correct.
In my opinion the default password is: changeit, but for some reason it is not correct.
So basically I am facing the same problem... but only for the Mobile Runtime Environment.
Although the paths are different... can the same procedure be used for changing the password for the keystore of the MBO runtime environment as described above?
Thanks in advance!
Kind regards,
Jacco Raymakers
Jacco Raymakers
That means you have forgotten the SMP3 keystore password? I suggest you open an SAP support ticket for the same.
I haven't tried with MBO runtime. So not sure if above process will work.
Regards,
JK
No, I do know the password for the SMP3.0 runtime as I have entered this during installation, but I don't know the password for the MBO runtime, which is another keystore file located at: E:\SAP\MobilePlatform3\MR30\Servers\UnwiredServer\Repository\Security\keystore.jks
OK I will open a ticket.
Thanks!
Kind Regards,
Jacco Raymakers
Jacco Raymakers
Were you able to make it?
Hi Jitendra,
In the end, yes. I opened a ticket and SAP Support provided me the password.
The value of the password of the keystore of the MBO runtime was different than I expected.
But it is strange that this password is documented nowhere. I asked how to find this password, or which tools can be used to find this password, but on these questions SAP Support gave me no answer....
Kind Regards,
Jacco Raymakers
Hi
Did you find the password? we have the same problem and we don't find anything about this problem.
Thank you
Edison
Hi Edison,
The value of the password depends on the initial version installed of SMP 3.0.
Which SP level is installed now and what was the initial version?
I only found it after contacting SAP OSS.
I do know the password value of SMP 3.0 SP04 onwards it is: mQA53kgS70
If this is not the value you have to contact SAP OSS.
One important note: this password must / may not be changed. This was the reaction of SAP.
If you change the password and after a reboot of SMP, you will run into issues.
Kind regards,
Please see also our documentation for SMP 3.0 SP07 at:
Changing Keystore and Truststore Passwords - Administration Overview - SAP Library