How to renew your SAP B1 Authentication Service Certificate
Hello all,
If you are like me, you don’t like paying for something that is available for free. One such example is SSL certificates. Letsencrypt.org is a great service for free SSL certificates, if you know a little scripting to automate it all. We have been using Letsencrypt certificates in B1 installations of all types and for all kinds of services for several years now: ServiceLayer, SLD (Mobile Service), B1 Integration Framework, API Gateway, etc.
With SAP Business One 10.0 FP2208 a new service was introduced: The authentication service used for IAM (Identity and Access Management).
Unfortunately, no official documentation (that I know of) has been released specifying how to update the certificate used for the service, which by default runs on port 40020.
So here is our procedure to update the certificate (which in the case of letsencrypt.org regularly renews every 60 days by default).
First of all, be aware that during the upgrade of any installation the authentication service by default uses the certificate that was used during the previous installation or upgrade, taken from the installation path (not from the currently running path). Since that is very likely at least a few months old, you will probably end up with an expired certificate on the authentication service immediately after the upgrade. Important to note, however, is that the same password is used for the initialization of the keystore.
So be sure to know your certificate password, it is used both in the original keystore “your-certificate.p12” as well as in the destination keystore “keycloak.jks”.
Now, with your updated certificate downloaded (or generated on the same server), you can use the following command to update the Java Keystore used by the authentication service:
/usr/sap/SAPBusinessOne/Common/sapmachine_11/bin/keytool \
-importkeystore \
-deststorepass "VerySecretP@ssword" \
-destkeypass "VerySecretP@ssword" \
-destkeystore /usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks \
-srckeystore your-certificate.p12 \
-srcstoretype PKCS12 \
-srcstorepass "VerySecretP@ssword" \
-alias 1 \
-noprompt
You can of course skip the backslashes if you write the command on a single line.
Once that completes successfully, just restart the authentication service:
service sapb1servertools-authentication restart
And you should be good to go.
If you want to check that the service is responding with the renewed certificate, you can use the following command:
openssl s_client \
-showcerts \
-servername localhost \
-connect localhost:40020 </dev/null 2>/dev/null \
| openssl x509 -text \
| sed -n "s/^.*Not After : \(.*\)$/\1/p"
This is what you should be seeing, confirming that the deployed certificate is indeed valid until April 21, 2023, in this case:
I hope this information is helpful!
All the best,
Joerg.
Thank you Joerg, sharing is caring!
This is what makes our SME Ecosystem so special in the market, we stand up for each other.
I forwarded your feedback right away to our user assistance colleagues to check the existing documentation and will give you an update on this soon.
Long time no see, I hope we can see again soon,
Darius
Hi Joerg,
we added the following new topics in the IAM guide:
Renewing the Security Certificate
Changing the Port Number for Authentication Service
The topics have been published on the SAP Help Portal.
Best regards,
Darius
We are unable to complete the process of renewing the security certificate. When using the Components Wizard it gets to the Service Databases and the options are Keep Current Scheme which is the default - B1AS. After clicking next it says Scheme [B1AS] is not a valid Authentication Service Schema. There is an OK button and this returns to the Wizard and we cannot continue. We have opened a case with SAP but no progress yet.
Hello Elliott Chandler
Did you try my proposed solution in the blog? It may prove to be considerably easier than the official solution of running the components wizard...
Best regards,
Joerg.
No because we are using SQL Server 2019
That doesn't matter. You can still use the same procedure. You only need to adapt the path to keytool.exe and you can use the Windows Service Manager to restart the service...
Best regards,
Joerg.
Good day. We updated our SSL certificate for Server Tools, but the authentication service for SAP 10 2208 does not take the new SSL certificate.
Hello Luis,
You can try the procedure I explained in this blog. It should help, at least if the password has not changed. Otherwise you need to open a support incident to get help with the "official procedure".
Best regards,
Joerg.
Hello, indeed the password is no longer the same. The incident has already been opened with support and I am waiting for an answer. Joerg, thank you very much.
Hello,
I have the same problem in FP2208 HF1 SQL version. How to renew this certificate in SQL version?
Thank you,
Januar
For us the problem was that in our SQL password we had a $. The SAP wizard did not work when this character was in the password. We changed the SQL password and we could complete the wizard and update the certificate.
Thanks, very helpful.
I had a problem that I used "Use a self signed certificate" option on the installation so I didn't know the password for the keystore. Therefore I couldn't just update the certificate. I did have the password for the credential store where keystore password is saved. So I was able to update the keystore password with:
Then I created new keystore by removing the old one and running this.
Obviously backing up the original files first.