Joerg Aldinger

How to renew your SAP B1 Authentication Service Certificate

Hello all,

If you are like me, you don’t like paying for something that is available for free. One such example is SSL certificates. Letsencrypt.org is a great service for free SSL certificates, if you know a little scripting to automate it all. We have been using Letsencrypt certificates in B1 installations of all types and for all kinds of services for several years now: ServiceLayer, SLD (Mobile Service), B1 Integration Framework, API Gateway, etc.

With SAP Business One 10.0 FP2208 a new service was introduced: The authentication service used for IAM (Identity and Access Management).

Unfortunately, no official documentation (that I know of) has been released specifying how to update the certificate used for the service, which by default runs on port 40020.

So here is our procedure to update the certificate (which in the case of letsencrypt.org regularly renews every 60 days by default).

First of all, during upgrade of any installation, be aware that the authentication service by default uses the certificate used during the previous installation or upgrade, taken from the installation path (not from the currently running path). Since that is very likely at least a few months back, you will probably end up with an expired certificate on the authentication service immediately after upgrade. Important to note, however, is that the same password is used for the initialization of the keystore.

So be sure to know your certificate password; it is used both in the original keystore “your-certificate.p12” and in the destination keystore “keycloak.jks”.

Now, with your updated certificate downloaded (or generated on the same server), you can use the following command to update the Java Keystore used by the authentication service:

/usr/sap/SAPBusinessOne/Common/sapmachine_11/bin/keytool \
  -importkeystore \
  -deststorepass "VerySecretP@ssword" \
  -destkeypass "VerySecretP@ssword" \
  -destkeystore /usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks \
  -srckeystore your-certificate.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass "VerySecretP@ssword" \
  -alias 1 \
  -noprompt

You can of course skip the backslashes if you write the command on a single line.

Once that completes successfully, just restart the authentication service:

service sapb1servertools-authentication restart

And you should be good to go.

If you want to check that the service is responding with the renewed certificate, you can use the following command:

openssl s_client \
  -showcerts \
  -servername localhost \
  -connect localhost:40020 </dev/null 2>/dev/null \
  | openssl x509 -text \
  | sed -n "s/^.*Not After : \(.*\)$/\1/p"

The output is a single line containing the expiry date of the certificate the service is actually serving; in this case it confirmed that the deployed certificate is valid until April 21, 2023.
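The three steps above (check the served certificate, import the PKCS12 into keycloak.jks, restart the service) are what you would script for the automated Let's Encrypt renewals mentioned at the start. The following is an added example, not code from the original post or from SAP: it parses the "Not After" line from the openssl output, decides whether renewal is due, and builds the same keytool -importkeystore call as above, but with the passwords read from an environment variable via keytool's ":env" password modifier so they do not show up in the process list or shell history. The keytool, keystore and service names and port 40020 are the ones from the post; the 30-day renewal threshold, the CERT_PASS variable name, and the sample openssl output are assumptions made for the example.

```python
"""Check the B1 authentication service certificate and renew the Keycloak keystore.

Added example; paths and port are from the post, thresholds and names are assumptions.
"""
import os
import re
import subprocess
from datetime import datetime, timedelta, timezone

KEYTOOL = "/usr/sap/SAPBusinessOne/Common/sapmachine_11/bin/keytool"
KEYSTORE = "/usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks"
SERVICE = "sapb1servertools-authentication"
AUTH_PORT = 40020
RENEW_WITHIN = timedelta(days=30)   # assumed threshold: renew once fewer than 30 days remain
PASSWORD_ENV = "CERT_PASS"          # assumed: same password for the .p12 and for keycloak.jks

# Constructed sample of `openssl x509 -text` output (only the lines that matter here).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity
            Not Before: Jan 21 10:00:00 2023 GMT
            Not After : Apr 21 10:00:00 2023 GMT
        Subject: CN = b1.example.test
"""

NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(x509_text: str) -> datetime:
    """Extract the 'Not After' timestamp from `openssl x509 -text` output as an aware UTC datetime."""
    match = NOT_AFTER_RE.search(x509_text)
    if not match:
        raise ValueError("no 'Not After' line found in openssl output")
    raw = match.group(1)                      # e.g. "Apr 21 10:00:00 2023 GMT"
    if not raw.endswith(" GMT"):
        raise ValueError(f"unexpected timezone in {raw!r}")
    return datetime.strptime(raw[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def needs_renewal(not_after: datetime, now: datetime, within: timedelta = RENEW_WITHIN) -> bool:
    """True when the certificate expires within the renewal window (or has already expired)."""
    return not_after - now <= within


def fetch_x509_text(host: str = "localhost", port: int = AUTH_PORT) -> str:
    """Same pipeline as the post's check: s_client fetches the served cert, x509 dumps it as text."""
    client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, check=True)
    dump = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=client.stdout, capture_output=True, check=True)
    return dump.stdout.decode()


def build_import_argv(p12_path: str, alias: str = "1") -> list:
    """The post's keytool -importkeystore call, with passwords supplied via ':env' instead of inline."""
    return [KEYTOOL, "-importkeystore",
            "-srckeystore", p12_path, "-srcstoretype", "PKCS12",
            f"-srcstorepass:env", PASSWORD_ENV,
            "-destkeystore", KEYSTORE,
            "-deststorepass:env", PASSWORD_ENV,
            "-destkeypass:env", PASSWORD_ENV,
            "-alias", alias, "-noprompt"]


def renew_if_needed(p12_path: str, x509_text: str = None, now: datetime = None, dry_run: bool = True) -> dict:
    """Decide whether to renew; unless dry_run, back up keycloak.jks, import the .p12 and restart."""
    x509_text = x509_text if x509_text is not None else fetch_x509_text()
    now = now or datetime.now(timezone.utc)
    not_after = parse_not_after(x509_text)
    result = {"not_after": not_after, "days_left": (not_after - now).days, "renewed": False, "steps": []}
    if not needs_renewal(not_after, now):
        return result
    backup = f"{KEYSTORE}.bak-{now:%Y%m%d}"
    result["steps"] = [["cp", "-p", KEYSTORE, backup],           # keep a copy before overwriting
                       build_import_argv(p12_path),
                       ["service", SERVICE, "restart"]]          # Linux; on Windows restart via Service Manager
    if not dry_run:
        if PASSWORD_ENV not in os.environ:
            raise RuntimeError(f"set {PASSWORD_ENV} to the keystore password before renewing")
        for argv in result["steps"]:
            subprocess.run(argv, check=True)
    result["renewed"] = True
    return result


if __name__ == "__main__":
    # Dry run against the constructed sample; drop dry_run=True to act on a real server.
    print(renew_if_needed("/path/to/your-certificate.p12", x509_text=SAMPLE_X509_TEXT))
```

Run it from cron after the Let's Encrypt client has produced a fresh .p12, with CERT_PASS exported in the environment of that job only. With dry_run left at its default the script only reports what it would do, which is a cheap way to confirm the parsed expiry date before letting it touch keycloak.jks.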

I hope this information is helpful!

All the best,

Joerg.

12 Comments
      Darius Heydarian

      Thank you Joerg, sharing is caring!

      This is what makes our SME Ecosystem so special in the market, we stand up for each other.

      I forwarded your feedback right away to our user assistance colleagues to check the existing documentation and will give you an update on this soon.

      Long time no see, I hope we can see again soon,
      Darius

      Darius Heydarian

      Hi Joerg,

      we added the following new topics in the IAM guide:

      Renewing the Security Certificate

      Changing the Port Number for Authentication Service

      The topics have been published on the SAP Help Portal.

      Best regards,
      Darius

      Elliott Chandler

      We are unable to complete the process of renewing the security certificate. When using the Components Wizard it gets to the Service Databases and the options are Keep Current Scheme which is the default - B1AS. After clicking next it says Scheme [B1AS] is not a valid Authentication Service Schema. There is an OK button and this returns to the Wizard and we cannot continue. We have opened a case with SAP but no progress yet.

      Joerg Aldinger
      Blog Post Author

      Hello Elliott Chandler

      Did you try my proposed solution in the blog? It may prove to be considerably easier than the official solution of running the components wizard...

      Best regards,

      Joerg.

      Elliott Chandler

      No because we are using SQL Server 2019

      Joerg Aldinger
      Blog Post Author

      That doesn't matter. You can still use the same procedure. You only need to adapt the path to keytool.exe and you can use the Windows Service Manager to restart the service...

      Best regards,

      Joerg.

      Luis Alejandro Ruiz Pinilla

      Good day. We updated our SSL certificate for Server Tools, but the authentication service for SAP 10 2208 does not take the new SSL certificate.

      Joerg Aldinger
      Blog Post Author

      Hello Luis,

      You can try the procedure I explained in this blog. It should help, at least if the password has not changed. Otherwise you need to open a support incident to get help with the "official procedure".

      Best regards,

      Joerg.

      Luis Alejandro Ruiz Pinilla

      Hello, indeed the password is no longer the same. The incident has already been opened with support and I am waiting for an answer. Joerg, thank you very much.

      Januar Febiyanto

      Hello,

      I have the same problem in FP2208 HF1 SQL version. How to renew this certificate in SQL version?


      Thank you,

      Januar

      Elliott Chandler

      For us the problem was that in our SQL password we had a $. The SAP wizard did not work when this character was in the password. We changed the SQL password and we could complete the wizard and update the certificate.

      Panu Aatrokoski

      Thanks, very helpful.

      I had a problem in that I used the "Use a self signed certificate" option on the installation, so I didn't know the password for the keystore. Therefore I couldn't just update the certificate. I did have the password for the credential store where the keystore password is saved. So I was able to update the keystore password with:

      /usr/sap/SAPBusinessOne/Common/keycloak/bin/elytron-tool.sh credential-store -l /usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/applicationCS.cs -a kspass

      Then I created a new keystore by removing the old one and running this.

      keytool -importkeystore -destkeystore /usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks -srckeystore location/for/certificate.p12 -srcstoretype PKCS12

      Obviously backing up the original files first.