Skip to Content

With the new Keystore Monitor available with 24-June-2017 release (2.29*), you can maintain your keys and certificates yourself. This blog describes how to use this monitor to import certificates of systems you want to connect, how to add keys and how to download certificates from your cloud integration tenant for importing into backends to connect.

Maintain Keys and Certificates in Keystore Monitor

For connecting sender or receiver systems the tenant administrator needs to maintain keys and certificates in different systems, sender, receiver and the cloud integration tenant. The new keystore monitor available in cluster 2.x in the cloud integration tenant can now be used to execute the certificate management by yourself, without the need to create service requests to the cloud operations team.

The new Keystore Monitor separates the keys and certificates into SAP owned entries and entries owned by the tenant administrator. There is a clear separation based on user roles, SAP is not allowed to change the content of the tenant administrator and the tenant administrator is not allowed to change or delete SAP owned entries.

Keystore Monitor in Web

The monitor is available in Operations View in Web. In section Manage Security, you find the Keystore tile, which directly informs you about the number of keys and certificates available in the tenant keystore.

In the first version of the monitor you are able to see all entries contained in the tenant keystore, also the SAP owned keys and certificates are visible and the public part of them can be downloaded. Furthermore, you can upload externally created keystores with key pairs and certificates and download public content of the keystore. Expired keys and certificates are highlighted showing the expiration date.

A sample setup of an outbound communication using client certificates using the new monitor is described in the blog ‘How to Setup Secure Outbound HTTP Connection using Keystore Monitor’.

Naming Conventions

To separate the entries in the keystore specific naming conventions were introduced. Tenant Administrators are therefore not allowed to create aliases with prefix sap_, this prefix and the aliases hcicertificate, hcicertificate1 and hcimsgcertificate are reserved for SAP owned artifacts.

Migration of existing Keystores

In the past (prior to release 2.29*) there was no separation between entries owned by the tenant administrator and owned by SAP. Then the keystore was typically maintained by SAP, via service requests customers could get their own certificates and keys added to the tenant keystore. In case there already is such a keystore with certificates and/or key pairs deployed in the cloud integration tenant these entries will automatically be migrated to the new keystore monitor as soon as there is a change done to the keystore entries.

The migration is done according to the naming conventions mentioned above, meaning all keys and certificates in SAP namespace will be converted into SAP owned entries, which cannot be changed by customers. Keys and certificates not matching the SAP naming conventions will be converted into customer owned artifacts and will be from now on managed by the customer tenant administrator.

Furthermore, during the migration three SAP owned CA root certificates, which enable the communication to SAP cloud systems, like Ariba and CRM, are added to the tenant keystore. If the Tenant Administrator detects that one of the three SAP CA root certificates is also available as customer owned certificate, the Tenant Administrator can delete this duplicate entry.

Note: Before the migration the number of available entries in the keystore is not known and so the keystore tile on the overview screen does not show the number of entries. After the first change in the new Keystore Monitor the number of entries in the keystore tile will show the correct number of entries.

Adding Entries from a Keystore

In the first version of the Keystore Monitor only externally created keystores can be merged into the tenant keystore. For maintaining external keystores you can, for example, use the keystore explorer described in the cloud integration documentation chapter ‘Creating X.509 Keys’.

To add root certificates from backends or additional private keys first import them into a keystore via external tool and upload this keystore afterwards in Keystore Monitor via Add action at the top of the monitor. An upload dialog will appear asking for the keystore to upload and the password of the keystore.

Furthermore, you select if the entries shall be added or the whole keystore is to be replaced. When selecting Add it is also possible to choose Overwrite to overwrite entries with the same alias.

Note: With the Replace and Overwrite option existing entries will be overwritten, so be careful using these options. Overwrite will also overwrite private key pairs with public certificate in case the alias is the same.

After the import a confirmation screen will be shown summarizing which entries were added or overwritten and which entries could not be imported, for example because they are using the SAP prefix or because an alias with the same name already exists.

Downloading Keystore or Keystore entries

To get root certificates to be imported into backend keystores the download option form Keystore Monitor can be used. Either download the whole keystore or download single certificates or the certificate chain for a key pair.

Download of Keystore

Downloading the whole keystore is available via Download action at the top of the monitor. The public part of the keystore will be downloaded into a file with the name system.jks. The file is saved without password and can be opened and changed with any external keystore editor. It can also be used for importing into the keystore of another tenant.

Download of Single Entries

Downloading single certificates or the certificate chain of the private key pairs can be done using the single line actions. Download is available for SAP owned artifacts as well to enable customers to use the provisioned private key pair to setup connections to external systems.

Download Options for Certificate

Selecting Download for a certificate will create a certificate file with the name <alias>.cer in the download directory. This certificate file can be imported into other keystores or backend systems, if required.

Download Options for Key Pair

Download / Download Certificate Chain for a Key Pair will create a file with the name <alias>.p7b in the download directory. The file contains the whole certificate chain assigned to the private key, which can be used for client certificate authentication.

Via external tools, for example the Certificates Snap-in of Microsoft Management Console (Certmgr.msc), which is usually available on Windows systems, you can open the certificate chain. The entry on the top is the root certificate. Opening it in the Details tab there is the option Copy to File, which will start the export of the certificate into a *.cer file, which can be imported into receiver backend systems.

  

Furthermore, Download Certificate option is available (with 28-July-2017 release), which will download the public certificate of the key pair file with the name <alias>.cer. This file can be imported into backends during connection setup.

Download Options for id_rsa and id_dsa Key Pair (option available with 28-July-2017 release)

In addition to the already described options Download Certificate Chain and Download Certificate for an id_rsa and id_dsa key pair the option Download Public OpenSSH Key is available. This option will create an id_rsa.pub or id_dsa.pub file in the download directory. The file contains the certificate in openSSH format, which can be used to to setup the connection to the sftp server.

Detailed setup of sftp connection using the keystore is described in Blog ‘How to setup secure sftp communication‘.

Backup/Restore of Keystore

The backup and restore feature is described in detail in Blog Configure Backup and Restore using Keystore Monitor.

Deleting entries from Keystore

Delete single entries is available as action on the single line items. SAP owned certificates and key pairs cannot be deleted, hence there is no option to delete them.

Authorizations

To secure the use of Keystore Monitor in Web, two roles are available.

With the role NodeManager.read the user is able to see the entries in keystore and to download public content, but creation of entries and changes are not possible. For changing role NodeManager.deploysecuritycontent is required.

Role NodeManager.read is available in the group roles AuthGroup.IntegrationDeveloper and AuthGroup.ReadOnly, and role NodeManager.deploysecuritycontent is contained in group role AuthGroup.Administrator.

APIs

For all the actions in the tenant keystore OData APIs are available. The APIs are described in more detail in the SAP Cloud Platform Integration documentation chapter ‘API documentation – OData API’.

Keystore Deployment in Eclipse

The keystore deployment that was available in eclipse for managing certificates is not available anymore. Also downloading keystores was disabled with the introduction of the Keystore Monitor in Web.

Future Features in Keystore Monitor

In coming updates, additional feature will be added to the Keystore Monitor, like:

  • Viewing details of the certificates and keys
  • Adding/Editing single certificates and keys
  • Creating Private Keys
  • Downloading Signing Requests/Uploading Signing Responses

The blog will be updated regularly.

To report this post you need to login first.

12 Comments

You must be Logged on to comment or reply to a post.

  1. Franklin Ayres

    Hello Mandy,

     

    Really good blog! I just want to add what I did because I believe it is not so clear. I downloaded the KeyStore Explorer 5.2.2, created a new KeyStore type JCEKS and imported all the certificates I needed in my case the Tax Agency for Spain eDocuments.

    After that I add my created KeyStore in HCI Monitor – Manage Security – Keystore using the password I defined when I created my own KeyStore.

     

    Thank you and best regards,

    Franklin Ayres

    (0) 
  2. EMMANUEL JORAND

    I did the mistake of import our keystore in TEST tenant keystore with Overwrite option…

    I want to replace it with the keystore of Prod tenant, but, this keystore downloaded requires a password…

    Do you have an idea ?

    (0) 
    1. Mandy Krimmel Post author

       

      Hi,

      if you use the downloaded keystore from keystore monitor, password is empty, but in case you have a keystore that was downloaded before the new monitor was available via deployed artifacts page, you need to know the password that was set when uploading the keystore in earlier times.

      If this keystore was formerly maintained by SAP Cloud Operations you should open a ticket on LOD-HCI-PI-OPS and ask them for the keystore entries you need.

      Best regards,

      Mandy

      (1) 
  3. Eric BOUZON

    Hi,

    We try to install the SAP Cloud Platform for the new process SII in Spain. We need to upload some certificates but we don’t find the entry.

    In the messsage of Franklin we found “After that I add my created KeyStore in HCI Monitor – Manage Security – Keystore using the password I defined when I created my own KeyStore. Could you please give us the link to allow us to upload the certificates?

    We received some links form SAP but we don’t find the right one.

    You also talk about Keystore Monitor in Web. Where can we find it?

    Thanks for your help. We have sent a lot of messages to the SAP support but we did not have clear answers.

    Eric Bouzon

     

    (0) 
    1. Mandy Krimmel Post author

       

      Hello,

      I do not quite understand your question.

      Where to find the keystore monitor: Open the CPI Overview Page of your tenant: https://<tenant name you got during onboarding>/itspaces, there select the monitoring section from left upper corner, then scroll down to section Manage Security.

      Hope this helps.

      BR,

      Mandy

      (0) 
  4. Eric BOUZON

    Hello Mandy,

    Thank you for your answer, it is very helpfull. I used the https://xxxxx-tmn.hci.eu1.hana.ondemand.com/itspaces where xxxxx is our environment name but I have the message ‘You are not authorized to access the page “shell/null” or the page does not exist; contact your application or tenant administrator.’ Do you think something missing in our configuration?

    Thanks for your help.

    Best regards

    Eric

     

    (0) 
    1. Mandy Krimmel Post author

       

      Hello Eric,

      I would ask you to open a ticket on LOD-HCI-PI-OPS with your tenant info and the userID you are trying to connect. They should be able to help you getting access to your tenant.

      Best regards,

      Mandy

      (0) 
  5. Franklin Ayres

    Hello Mandy,

    Today we finished the configuration on HCI QA tenant. We discovered if you download the Key Store from HCI DEV and Add it on HCI QA it upload everything as Certificate and not as Key Pair for some entries we have for example.

    Why? I deleted and then I uploaded manually the Key Store I created with the Key Pair and it upload as Key Pair…

     

    Thank you and best regards,

    Franklin

    (0) 
    1. Mandy Krimmel Post author

       

      Hi Franklin,

      only public content will be downloaded from keystore (as described in the blog), private key pairs are not allowed to be downloaded for security reasons. So, if you open the downloaded keystore you will see that only public certificates are contained. Uploading it into another tenant will only upload this public content.

      In future you can create the private key directly in the system, but this is not available yet.

      I hope this clarifies.

      Regards,

      Mandy

      (0) 

Leave a Reply