Adding A New Root Certificate for SSL to CPI tenant
A connection between SAP Cloud Platform Integration (CPI) and an application (S/4HANA Cloud, on-premise apps, other cloud apps) via HTTPS requires the root certificate in the client keystore on the CPI tenant. On CPI, this keystore is the system.jks. You can view these certificates in the Operations View -> Manage Keystore.
SAP Note 2591290 describes a critical change event for S/4HANA Cloud. S/4HANA Cloud is going to use a new root certificate for the S/4HANA Cloud systems starting February 4th, 2018. I thought I would take a few minutes to write a quick blog to help you understand the process of updating the CPI keystore.
NOTE: I have created a jks (2591290_Digicert.jks) file for SAP Note 2591290. You can find the jks file here and skip right to the step of Uploading to the CPI tenant Keystore below in the blog. The password for the jks file is “S4hana”.
Note that there are many excellent blogs on this topic already, which I credit for this approach:
- Keystore monitor blog
- SAP Note 2354153- SunCertPathBuilderException in SAP Cloud Platform Integration message processing
My goal here is to provide a consolidated list of steps for when you need to update the CPI keystore (i.e. system.jks) with a new root certificate to connect to another system via HTTPS for your interfaces.
The CPI tenant uses a keystore, “system.jks”, to connect to external systems via SSL. This is similar to your browser’s root certificate authority store, and it is equivalent to an SSL Client PSE in an ABAP system. The calling system needs to trust the authority that signed the server certificate.
The process is really two steps:
- Convert the root certificate into a Java keystore file (*.jks). This step may be skipped if you are reading this to address SAP Note 2591290 and have downloaded the jks file above.
- Upload the jks file to the CPI tenant
Convert the root certificate into a Java keystore file (*.jks)
In this example, we’ll assume that we need to add the root certificate from SAP Note 2591290.
The first step is to download the root certificate, which will most likely be a *.crt file. For our case at DigiCert (link in the aforementioned note), just right click on the certificate and save it as a *.crt file.
Now, CPI expects a *.jks file to add to its trusted store. Therefore, in order to convert the .crt file into .jks, we need to use an external tool. The blog linked above goes into this in detail, but I used the free KeyStore Explorer, which can be downloaded here: http://keystore-explorer.org/downloads.html
- After installing, open the KeyStore Explorer
- Click on “Create a new KeyStore”
- Select JKS as the New KeyStore Type
- Then, drag the *.crt file from your CA into the new KeyStore in the explorer window
- Click on the “Import” button to import the certificate into the keystore
- Click OK on the Alias
- Enter a password when prompted
- Click OK to close the certificate
- Select File -> Save As… then enter a file name with the .jks extension
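The same conversion can be done without the GUI. The following Java program is an added example (it is not from the original blog, from SAP, or from the KeyStore Explorer project): it reads the downloaded root .crt, checks that it really is a self-signed CA certificate, prints its SHA-256 fingerprint so you can compare it with the value the CA publishes before you trust it, and writes a JKS containing that single trusted entry. The file names, alias and password are placeholders you supply on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Builds a JKS keystore holding one trusted root certificate, ready to be
 * uploaded to the CPI tenant keystore (Operations View -> Manage Keystore).
 *
 * Usage: java RootCertToJks <root.crt> <output.jks> <password> [alias]
 * All four arguments are placeholders chosen by the caller.
 */
public class RootCertToJks {

    /** Reads a DER- or PEM-encoded X.509 certificate from disk. */
    static X509Certificate readCertificate(String crtPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(crtPath)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Hex SHA-256 fingerprint of the DER encoding, to compare with the CA's published value. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /**
     * A root CA certificate is self-signed: issuer equals subject, the signature
     * verifies with its own public key, and basicConstraints marks it as a CA.
     * Anything else (an intermediate, a leaf, a corrupted download) is rejected
     * before it can be placed in the trust store.
     */
    static void assertRootCertificate(X509Certificate cert) throws Exception {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new IllegalArgumentException(
                "Not self-signed, so not a root certificate: " + cert.getSubjectX500Principal());
        }
        cert.verify(cert.getPublicKey()); // throws if the self-signature does not match
        cert.checkValidity();             // throws if expired or not yet valid
        if (cert.getBasicConstraints() < 0) { // -1 means the cert is not a CA
            throw new IllegalArgumentException("Certificate is not marked as a CA (basicConstraints)");
        }
    }

    /** Creates a new JKS containing only the given certificate as a trusted entry (no private key). */
    static void writeTrustStore(X509Certificate cert, String alias, String jksPath, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, password);             // null stream: start from an empty keystore
        ks.setCertificateEntry(alias, cert); // trusted-certificate entry, as KeyStore Explorer's Import does
        try (OutputStream out = new FileOutputStream(jksPath)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java RootCertToJks <root.crt> <output.jks> <password> [alias]");
            System.exit(2);
        }
        String alias = args.length > 3 ? args[3] : "root-ca"; // placeholder default alias
        X509Certificate cert = readCertificate(args[0]);
        assertRootCertificate(cert);
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Valid until: " + cert.getNotAfter());
        System.out.println("SHA-256:     " + sha256Fingerprint(cert));
        writeTrustStore(cert, alias, args[1], args[2].toCharArray());
        System.out.println("Wrote " + args[1] + " with alias '" + alias + "'");
    }
}
```

Compile with `javac RootCertToJks.java` and run it against the saved .crt; the JDK's `keytool -importcert -trustcacerts -storetype JKS -alias <alias> -file <root.crt> -keystore <output.jks>` produces an equivalent file but does not perform the self-signed and fingerprint checks, which is the main reason to script it this way. Whichever tool you use, compare the printed fingerprint with the one published by the CA before uploading the keystore.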
Uploading the Certificate to the CPI tenant KeyStore
- Log into the CPI tenant
- Click on the “Operations View” option from the menu on the left-hand side
- Click on Keystore
- Click on Add
- Select your jks file, enter the password and add the file
The certificate is now in system.jks, which is the trusted root certificate authority store of the CPI tenant.
That’s all for this blog. Again, the majority of this information can already be found on the SAP Community; this is a consolidated blog to help address the specific issue of updating root certs in the CPI keystore using the CPI web UI with the certs from SAP Note 2591290.
Certificates can be added at any time to the CPI tenant, without impacting current interfaces/users.
I hope you found this blog helpful. Please let me know your feedback and questions.