How to renew your SAP B1 Authentication Service Certificate
If you are like me, you don’t like paying for something that is available for free. One such example is SSL certificates. Letsencrypt.org is a great service for free SSL certificates, if you know a little scripting to automate it all. We have been using Letsencrypt certificates in B1 installations of all types and for all kinds of services for several years now: ServiceLayer, SLD (Mobile Service), B1 Integration Framework, API Gateway, etc.
With SAP Business One 10.0 FP2208 a new service was introduced: The authentication service used for IAM (Identity and Access Management).
Unfortunately, no official documentation (that I know of) has been released specifying how to update the certificate used for the service, which by default runs on port 40020.
So here is our procedure to update the certificate (which in the case of letsencrypt.org regularly renews every 60 days by default).
First of all, be aware that during an upgrade of any installation the authentication service by default reuses the certificate from the previous installation or upgrade, taken from the installation path (not from the currently running path). Since that certificate is very likely at least a few months old, you will probably end up with an expired certificate on the authentication service immediately after the upgrade. Note, however, that the same password is used to initialize the keystore.
So be sure you know your certificate password: it is used both for the original keystore “your-certificate.p12” and for the destination keystore “keycloak.jks”.
Now, with your updated certificate downloaded (or generated on the same server), you can use the following command to update the Java Keystore used by the authentication service:
/usr/sap/SAPBusinessOne/Common/sapmachine_11/bin/keytool \
    -importkeystore \
    -deststorepass "VerySecretP@ssword" \
    -destkeypass "VerySecretP@ssword" \
    -destkeystore /usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks \
    -srckeystore your-certificate.p12 \
    -srcstoretype PKCS12 \
    -srcstorepass "VerySecretP@ssword" \
    -alias 1 \
    -noprompt
You can of course skip the backslashes if you write the command on a single line.
Once that completes successfully, just restart the authentication service:
service sapb1servertools-authentication restart
And you should be good to go.
If you want to check that the service is responding with the renewed certificate, you can use the following command:
openssl s_client \
    -showcerts \
    -servername localhost \
    -connect localhost:40020 </dev/null 2>/dev/null \
    | openssl x509 -text \
    | sed -n "s/^.*Not After : \(.*\)$/\1/p"
The output is the expiry date of the certificate the service actually serves; in this case it confirmed that the deployed certificate is valid until April 21, 2023.
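The steps above (check the password, import into keycloak.jks, restart, verify the served certificate) wrapped into one script, as an added example that is not part of the original post. It assumes the paths, port and service name quoted above, and that the caller exports the PKCS12/keystore password as CERT_PASS; the `SAMPLE_X509_TEXT` value is a constructed sample of `openssl x509 -text` output used only for the offline check.

```shell
#!/bin/sh
# Added example, not the post's own script: wraps the renewal steps above.
# Assumes the paths, port and service name from the post and the
# PKCS12/keystore password exported by the caller as CERT_PASS.
set -eu

KEYTOOL=/usr/sap/SAPBusinessOne/Common/sapmachine_11/bin/keytool
DEST_KS=/usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks
AUTH_PORT=40020

# Constructed sample of what `openssl x509 -text` prints, for an offline check.
SAMPLE_X509_TEXT='        Validity
            Not Before: Jan 21 12:00:00 2023 GMT
            Not After : Apr 21 12:00:00 2023 GMT'

# Pull the "Not After" date out of `openssl x509 -text` output on stdin.
not_after() { sed -n 's/^.*Not After : \(.*\)$/\1/p'; }

# Same extraction run over the constructed sample (no network needed).
sample_not_after() { printf '%s\n' "$SAMPLE_X509_TEXT" | not_after; }

# "Not After" of the certificate the authentication service currently serves.
deployed_not_after() {
    openssl s_client -showcerts -servername localhost -connect "localhost:$AUTH_PORT" \
        </dev/null 2>/dev/null | openssl x509 -noout -text | not_after
}

# Back up keycloak.jks, import the PKCS12 into it and restart the service.
import_and_restart() {
    cp -p "$DEST_KS" "$DEST_KS.$(date +%Y%m%d%H%M%S).bak"
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$CERT_PASS" -alias 1 \
        -destkeystore "$DEST_KS" -deststorepass "$CERT_PASS" -destkeypass "$CERT_PASS"
    service sapb1servertools-authentication restart
}

main() {
    : "${CERT_PASS:?export CERT_PASS (the PKCS12 and keystore password) first}"
    # Fail early if the password does not open the new PKCS12; keycloak.jks stays untouched.
    openssl pkcs12 -in "$1" -noout -passin env:CERT_PASS
    before=$(deployed_not_after || true)
    import_and_restart "$1"
    sleep 10                      # give the service a moment to come back up
    after=$(deployed_not_after)
    echo "Not After before: ${before:-unknown}"
    echo "Not After now:    $after"
    [ "$before" != "$after" ] || { echo "served certificate unchanged" >&2; exit 1; }
}

# Only act when a PKCS12 path is given: ./renew-auth-cert.sh your-certificate.p12
if [ -n "${1:-}" ]; then main "$1"; fi
```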
I hope this information is helpful!
All the best,