A connection between SAP Cloud Platform Integration (CPI) and anapplication (S/4HANA Cloud, OnPrem apps, other cloud apps) via HTTPS requires the root certificate in the client keystore on the CPI tenant.  On CPI, this keystore is the system.jks.  You can view these certs in the Operations View->Manage Keystore.

SAP Note 2591290 describes a critical change event for S/4HANA Cloud.  S/4HANA Cloud is going to use a new root certificate for the S/4HANA Cloud systems starting February 4th ,2018. I thought I would take a few minutes to write a quick blog to help you understand the process of updating the CPI keystore.

NOTE: I have created a jks (2591290_Digicert.jks) file for SAP Note 2591290.  You can find the jks file here and skip right to the step of Uploading to the CPI tenant Keystore below in the blog.  The password for the jks file is “S4hana”.

Note: that there are many excellent blogs on this topic already which I give credit to for this approach:

• Keystore monitor blog
• SAP Note 2354153- SunCertPathBuilderException in SAP Cloud Platform Integration message processing

My goal here is to provide a consolidated list of steps when you need to update CPI keystore (i.e. system.jks) with a new root certificate to connect to another system via HTTPS for your interfaces.

The CPI tenant uses a keystore, “system.jks”, to connect to external systems via SSL.  This is similar to your browser’s root certificate authority store and for another comparison would be equivalent to an SSL Client PSE in an ABAP system.  The calling system needs to trust the authority that signed the server certificate.

The process is really two steps:

1. Convert the root certificate into a Java keystore file (*.jks)  This step may be skipped if you are reading to address SAP Note 2591290 and have downloaded the jks file above.
2. Upload the jks file to the CPI tenant

Convert the root certificate into a Java keystore file (*.jks)

In this example, we’ll assume that we need to add the root certificate from SAP Note 2591290.

The first step is to download the root certificate, which will most likely be a *.crt file.  For our case at DigiCert (link in the aforementioned note), just right click on the certificate and save it as a *.crt file.

Now, CPI expects a *.jks file to add to its trusted store.  Therefore, in order to convert the .crt file into .jks we need to use an external tool.  The blog linked above goes into this detail but I used the free keystore explorer which can be downloaded here: http://keystore-explorer.org/downloads.html

After installing, open the KeyStore Explorer

Click on “Create a new Keystore”

Select JKS as the New KeyStore Type

Then, drag the *.crt file from your CA into the new KeyStore in the explorer window.

Click on the “Import” button to import the certificate into the keystore

Click OK on the Alias

File->Save As

Enter a password when prompted

Click OK

Click OK to close the certificate

Select File->Save As… then enter a file name with .jks extension

Uploading the Certificate to the CPI tenant KeyStore

Log into the CPI tenant

Click on the “Operations View” option from the menu on left hand side

Click on Keystore

Click on Add

Select your jks file, enter the password and add the file

Certificate now is in system.jks which is the trusted root cert authority of CPI tenant.

That’s all for this blog–again the majority of this information can be found already on the SAP Community–this is a consolidated blog to try and help address a specific issue of updating root certs in CPI keystore using the CPI web UI with the certs from SAP Note 2591290.

Certificates can be added at any time to the CPI tenant, without impacting current interfaces/users.

I hope you found this blog helpful, please let me know your feedback / questions.

Thanks,

Marty