Skip to Content
Technical Articles
Author's profile photo Alexander Bundschuh

Best practices Cloud Integration Content in SAP Process Orchestration – Setting up system.jks

This is a blog within a series of best practices blogs for cloud integration content in SAP Process Orchestration. For an overview of all blogs published within this series so far, refer to the overview blog.

The following blog shows how to setup the System Java Keystore on SAP Process Orchestration. We assume that you have already set up the integration content and hence the required security settings on SAP Cloud Platform Integration. The same security settings have to be maintained on SAP Process Orchestration, such as uploading system java key store, known host file for trusted sftp servers, user credentials, OAuth authentication, etc. Note, that the required security settings depend on your particular scenario. So, the approach would be to download the security artifacts from the SAP Cloud Platform Integration tenant, and upload the same to SAP Process Orchestration. Otherwise, if you start from scratch, you simply need to create a new system.jks file, and add your certificates to the same. The upload to SAP Process Orchestration is the same.

Access your SAP Cloud Platform Integration tenant, and switch to the Operations view by selecting Monitor from the navigation pane.

In the Operations view, scroll down to the Manage Security section, and click on the Keystore tile.

In the Manage Keystore view, click on the Download button. This will trigger the download of the system.jks file including all entries within your key store.

SAP Cloud Platform Integration supports the System Java Keystore file in the JCEKS format whereas the Java keystore of SAP Process Orchestration supports the JKS format. So, you need to change the type. Open the before downloaded system.jks file using KeyStore Explorer for instance. You can download the KeyStore Explorer from the web.

Enter the password that secures the system.jks file.

Change the type from JCEKS to JKS by selecting Tools –> Change Type –> JKS from the main menu. Re-enter your password, confirm the upcoming pop-up and save.

Launch the SAP NetWeaver Administrator on your SAP Process Orchestration system, and navigate to the key store via Configuration –> Security –> Certificates and Keys.

In the Key Storage, select the igw_default_keystore key storage view, and select button Import Entries From File.

Select the file type Java Key Store, navigate to your system.jks, enter the password of your system.jks, and select button Import. This will add all certificates and private keys within your system.jks into the key store below the selected key storage view.

Note: for setting up SSL, the root certificates of the receiver side servers have to be included into TrustedCAs as well.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Krish Gopalan
      Krish Gopalan

      Hi Alex,

      We have been trying to configure a scenario for CPI. Our iflow uses the Alias, but we keep getting the error "cause: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog".


      see the following note that tells me my alias may not be right

      Just wondering when we import the security artifact to IGW_default_keystore, we noticed that our Keypair certificate from CPI gets broken into three and then added with suffix _1 and _2 for the chain. Is that the right way? Are we missing anything here?


      .When we followed the process listed above, the private key pair was broken into individual certs . We had to upload the original privatekey pair to the IGW_DEFAULT_KEYSTORE to make this work. is this the way to handle for private key pair? 



      Author's profile photo Alexander Bundschuh
      Alexander Bundschuh
      Blog Post Author

      Hi Krish,

      I guess this blog is outdated, in the meantime you can directly add certificates and key pairs to the cloud integration key store



      Author's profile photo Sudhansu Behera
      Sudhansu Behera

      Hi Alex,

      Thanks for the blog.

      I checked the url from your previous response and found this url where "Downloading a Keystore" is described -

      Excerpt from the above url-


      The public part of the keystore is downloaded (in a file with the name PublicContentKeystore.jks).

      The file is not password protected. You can open it with a third-party keystore editor (for example, KeyStore Explorer).


      The file PublicContentKeystore.jks seems to be password protected. Could you please tell me how to get the password for the file ?

      Screenshot from Keystore explorer:



      Screenshot from NWA:

      In the NWA - Certificate and Keys-  password is required for the file to be imported - PublicContentKeystore.jks