Test if certificate is correctly installed in keystore
SMP 3 connects to a authentication provider using SSL. For SMP 3 to be able to connect successfully to the SSL enabled backend service, the server certificate of that backend must be installed in SMP 3. This means to install the certificate into the keystore used by SMP 3.
- The keystore is located at the folder: /<location of SMP 3>/Server/configuration
- The keystore file is named smp_keystore.jks
To get the server certificate, just export it in PEM format using a browser like IE, FF or Chrome. To do so, you’ll have to open the url and then export the certificate.
Retrieve the backend server certificate
Open the HTTPS URL in FF
Click on More Information…
Select View Certificate
Select as output X.509 Certificate (PEM) and Save
Add certificate to keystore
In the configuration folder of SMP the Java keystore tool will be used to add this certificate to the list of known and accepted certificates.
/<location of SMP 3>/sapjvm_7/bin/keytool -import -v -alias nw74 -keystore smp_keystore.jks -file nw74.tobias.de
The keystore tool shows the information of the certificate and asks if you really want to import the certificate. Answer as yes and the certificate is added to the trusted list.
Test the keystore
A Java class to test a SSL connection is available here: https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException
To download the class:
This downloads the class file and stores it as SSLPoke.class?version=1
To make sense look good, rename the file to SSLPoke.class. The above URL also explains how to use the class and how to specify the keystore to use for verifying the connection.
java -Djavax.net.ssl.trustStore=/my/custom/truststore SSLPoke localhost 443
For testing the keystore against the public available SAP ES1 system:
/<location of SMP 3>/sapjvm_7/bin/java -Djavax.net.ssl.trustStore=/sap/MobilePlatform3/Server/configuration/smp_keystore.jks SSLPoke sapes1.sapdevcenter.com 443
If it works, the output is a simple: Successfully connected
In case the server certificate is not part of the keystore, the tool prints an error message: