How to troubleshoot, import/renew and monitor Java Keystore certificates in SAP PI 7.5 – Part 1
SSL is now a mandatory requirement for any communication between SAP PI and the receiver/sender system, so that the messages are encrypted. As a result, Basis consultants are often required to troubleshoot SSL connectivity issues in a Communication Channel, or are asked to import certificates into the NWA Keystore. There are quite a few blogs that provide the steps to import certificates into a keystore, but the information is incomplete with respect to the scenarios in which the certificates apply, so I decided to write this blog.
Part 1 explains the basics of Keystore administration.
Part 2 briefly covers the different keystores and how to determine the keystore into which a certificate should be imported.
Part 3 explains how to enable alerts for certificates that are about to expire, so that the certificate renewal can be planned.
Part 1: Keystore administration in SAP NW Java
The Key Storage management functions of the SAP NetWeaver Administrator enable you to manage AS Java certificates and keys. You access the server credentials from multiple virtual key stores called keystore views. The keys and certificates in the Key Storage views can be used for encryption, identification, and verification purposes when using AS Java functions.
By default, SAP NW Java comes with a few keystore views serving different purposes, some of which are:
- DEFAULT
- TicketKeystore (used for issuing logon and assertion tickets)
- UMEKeystore (contains the key pair used by the UME provider service of the AS Java)
- ICM_SSL_<instance_ID> (contains the SSL key pair and trusted server certificates for client authentication over SSL)
- TrustedCAs (contains trusted server certificates)
As most of the PI communication issues are caused by a third-party certificate missing from TrustedCAs, we will discuss that view in more detail in the next part. In this part, to understand how a keystore works, let us take the example of renewing the SSL server certificate in the ICM_SSL keystore view. This is the SSL certificate of the NW Java system itself.
1. Check the SSL certificate to know the keystore view and the corresponding PSE file at the OS level.
NWA-> Configuration -> SSL
2. Check the existing PSE from OS level.
sapgenpse get_my_name -p <path to pse file>\SAPSSLS.pse
3. Take a backup of the existing PSE at OS level and from the application level before generating the CSR.
4. Generate the CSR file.
Go to the keystore view noted in the 1st step, choose the certificate private key entry and click on “Generate CSR Request”
5. Send the CSR to the Certificate Authority (CA) and obtain the signed certificate. In our case the CA is DigiCert, as we were able to generate the certificate from the DigiCert portal.
6. Import the CSR response in NWA keystore view.
Go to the keystore view noted in the 1st step, choose the certificate private key entry and click on “Import CSR Response”.
Click Browse to choose the certificate file and click Add. Following the same procedure, add all the intermediate and root certificates.
7. After the import, check that the certificate entry has turned from amber to green, and that the certificate subject and validity end date have changed.
8. Go back to SSL and check the status.
Note the message:
SSL port “50101”: PSE file not updated. Export the keystore view to PSE
The ICM_SSL_183902 view has changed. It is recommended that you select this view and perform ‘Export View to PSE’ operation.
Click “Export Keystore view to PSE”
9. Check the certificate by launching the URL.
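The following script is an added example, not part of the original blog, that automates step 9: it performs a TLS handshake against the ICM SSL port with full chain validation and reports whether the served certificate is the renewed one. A handshake failure points at intermediate certificates missing from the PSE (step 6); an old validity end date points at the view having been imported but not exported to the PSE (step 8). The host, port, expected CN and expected date are assumed command-line arguments, it assumes the issuing CA (DigiCert in this post) is present in the OS trust store, and the sample certificate dictionary is constructed for illustration.

```python
"""Check what the ICM actually serves on an SSL port after a keystore renewal."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns (not a real cert).
SAMPLE_SERVED_CERT = {
    "subject": ((("commonName", "pi.example.com"),),),
    "notBefore": "Jun  1 12:00:00 2025 GMT",
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}

def parse_iso_date(text: str) -> datetime:
    """'YYYY-MM-DD' -> aware UTC datetime at midnight."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def cert_not_after(cert: dict) -> datetime:
    """Convert getpeercert()'s 'notAfter' string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)

def cert_common_name(cert: dict) -> str:
    """Pull the subject CN out of getpeercert()'s nested tuple layout."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""

def evaluate_served_cert(cert: dict, expected_cn: str, expected_not_after: datetime, now=None) -> dict:
    """Decide whether the served certificate is the renewed one.
    A notAfter earlier than expected means the view was imported but never exported to the PSE."""
    now = now or datetime.now(timezone.utc)
    not_after = cert_not_after(cert)
    return {
        "cn_ok": cert_common_name(cert) == expected_cn,
        "renewed": not_after >= expected_not_after,
        "days_left": (not_after - now).days,
    }

def fetch_served_cert(host: str, port: int) -> dict:
    """Handshake with the ICM, validating the chain against the OS trust store.
    Raises ssl.SSLCertVerificationError when the served chain is incomplete or untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host, port, cn, date = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    try:
        result = evaluate_served_cert(fetch_served_cert(host, port), cn, parse_iso_date(date))
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"served chain does not validate (intermediates missing from PSE?): {exc}")
    print(result)
    sys.exit(0 if result["cn_ok"] and result["renewed"] else 1)
```

Run it as `python check_icm_cert.py <host> 50101 <expected CN> <expected new expiry YYYY-MM-DD>`; a non-zero exit means the ICM is still serving the old certificate.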
In the next part, we will look at the different keystores and how to determine the keystore into which a certificate should be imported for PI integration scenarios.
I'm searching for a way to automate this. Can you tell me what the idea is about exporting the keystore view to PSE? If I renew a certificate in the PSE, it's not picked up by Java.