Test if certificate is correctly installed in keystore

Published by Tobias Hofmann on


SMP 3 connects to an authentication provider using SSL. For SMP 3 to connect successfully to the SSL-enabled backend service, the server certificate of that backend must be installed in SMP 3, that is, imported into the keystore used by SMP 3.

  • The keystore is located at the folder: /<location of SMP 3>/Server/configuration
  • The keystore file is named smp_keystore.jks

To get the server certificate, export it in PEM format using a browser like IE, FF or Chrome. To do so, open the URL and then export the certificate.

Retrieve the backend server certificate

Open the HTTPS URL in FF

Click on More Information…

Select View Certificate

Tab Details.

Select Export

Select as output X.509 Certificate (PEM) and Save

Add certificate to keystore

In the configuration folder of SMP the Java keystore tool will be used to add this certificate to the list of known and accepted certificates.

/<location of SMP 3>/sapjvm_7/bin/keytool -import -v -alias nw74 -keystore smp_keystore.jks -file nw74.tobias.de

The keystore tool shows the certificate's details and asks whether you really want to import it. Answer yes and the certificate is added to the trusted list.
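Before testing a connection, it helps to confirm that the alias really holds the certificate that was exported. The script below is an added example, not part of the original post: it compares the fingerprint keytool reports for the alias with the fingerprint of the PEM file. It assumes `keytool` (the one from the SMP JVM) and `openssl` are on the PATH; the function names and the sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the certificate
# stored under an alias is the same one that was exported to the PEM file.

# Reduce one "fingerprint" line of tool output to bare upper-case hex.
#   keytool: "Certificate fingerprint (SHA1): AB:CD:..."
#   openssl: "SHA1 Fingerprint=AB:CD:..."  (label case varies by version)
normalize_fp() {
  tr -d '\r' | grep -i 'fingerprint' | head -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/.*[ =]//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Digest named in keytool's line, as an openssl option name:
# "(SHA1)" -> sha1, "(SHA-256)" -> sha256 (the default differs between JVMs).
keytool_digest() {
  grep -i 'fingerprint' | head -n 1 |
    sed -e 's/.*(\(.*\)).*/\1/' -e 's/-//g' | tr 'A-Z' 'a-z'
}

# True only when both fingerprints are non-empty and identical.
same_fp() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# check_alias KEYSTORE ALIAS PEM_FILE   (keytool asks for the store password)
check_alias() {
  ks_out=$(keytool -list -alias "$2" -keystore "$1") || {
    echo "keytool could not list alias '$2' in $1" >&2; return 2; }
  digest=$(printf '%s\n' "$ks_out" | keytool_digest)
  ks_fp=$(printf '%s\n' "$ks_out" | normalize_fp)
  pem_fp=$(openssl x509 -in "$3" -noout -fingerprint "-$digest" | normalize_fp)
  if same_fp "$ks_fp" "$pem_fp"; then
    echo "OK: alias '$2' holds the certificate from $3 ($digest $ks_fp)"
  else
    echo "MISMATCH: keystore=$ks_fp file=$pem_fp" >&2; return 1
  fi
}

# Constructed sample output (the fingerprint value is made up) to show parsing.
SAMPLE_KEYTOOL='nw74, Mar 3, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 5A:0B:C1:22:9E:7F:30:44:D8:61:AA:13:0C:EE:95:B7:42:68:F0:1D'
SAMPLE_OPENSSL='sha1 Fingerprint=5A:0B:C1:22:9E:7F:30:44:D8:61:AA:13:0C:EE:95:B7:42:68:F0:1D'
printf 'keystore entry: %s\n' "$(printf '%s\n' "$SAMPLE_KEYTOOL" | normalize_fp)"
printf 'exported file:  %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL" | normalize_fp)"
```

After sourcing the script in the configuration folder, `check_alias smp_keystore.jks nw74 nw74.tobias.de` runs the comparison for the alias and file used above.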

Test the keystore

A Java class to test an SSL connection is available here: https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException

To download the class:

wget https://confluence.atlassian.com/download/attachments/225122392/SSLPoke.class?version=1&modificationDate=1288204937304&api=v2

This downloads the class file and stores it as SSLPoke.class?version=1

To tidy things up, rename the file to SSLPoke.class. The above URL also explains how to use the class and how to specify the keystore to use for verifying the connection.

java -Djavax.net.ssl.trustStore=/my/custom/truststore SSLPoke localhost 443

To test the keystore against the publicly available SAP ES1 system:

/<location of SMP 3>/sapjvm_7/bin/java -Djavax.net.ssl.trustStore=/sap/MobilePlatform3/Server/configuration/smp_keystore.jks SSLPoke sapes1.sapdevcenter.com 443

If it works, the output is a simple: Successfully connected

In case the server certificate is not part of the keystore, the tool prints an error message:

 

 
