Create keystore and truststore

SMSSMEX requires:

  • Two separate stores that contain the certificates used to authenticate and encrypt communication.
  • The following certificates:

    • Signed certificate with the long hostname of the SMSSMEX server in the CN section (for example CN="server.hp.com"). This certificate must be mapped to an SAP user in SAP Solution Manager.
    • Certificate of the root CA used to sign the certificate of the SAP Solution Manager.
    • Certificate of the root CA used to sign the SMSSMEX certificate.

The keystore must contain the following certificates:

  • Root CA certificate used to sign the SMSSMEX certificate
  • SMSSMEX certificate

The truststore must contain the root certificate used to sign the certificate of the SAP Solution Manager.

Any tool can be used to create and manage the key- and truststores. The following examples use the Java JDK tool keytool to create and import a signed certificate.

  1. Create a self-signed certificate. The keypass and the storepass must be identical.

    keytool -genkey -alias <alias> -keyalg RSA -keystore <keystorefile> -storepass <password> -keypass <password> -dname "CN=<serverhost>, OU=<MYOU>, O=<MYORG>, L=<MYCITY>, ST=<MYSTATE>, C=<MY>"

    For example:

    keytool -genkey -alias ovictex -keyalg RSA -keystore "C:\Program Files\Micro Focus\SMSSMEX\config\certs\ovictex.keystore" -storepass ovictex -keypass ovictex -dname "CN=helen2006.asiapacific.hpqcorp.net, OU=TEST, O=GDCC, L=SH, ST=CN, C=CN"

  2. Create a certificate request:

    keytool -certreq -keystore <keystorefile> -alias <alias> -storepass <password>

    For example:

    keytool -certreq -keystore "C:\Program Files\Micro Focus\SMSSMEX\config\certs\ovictex.keystore" -alias ovictex -storepass ovictex

  3. Use the resulting certificate request to acquire a signed certificate from SAP Web (https://websmp102.sap-ag.de/SSLTest) with chain PKCS#7. Copy the signed response <filename>.p7b (for example, sap_rp.p7b).
  4. Download the root certificate file from https://tcs.mysap.com/invoke/tc/getCert?SAPServerCA.der.
  5. Import the root certificate from the Certificate Authority (CA) into the keystore.

    keytool -import -v -alias <alias2> -keystore <keystorefile> -storepass <password> -file <rootcertificatefile>

    For example:

    keytool -import -v -alias saproot -keystore "C:\Program Files\Micro Focus\SMSSMEX\config\certs\ovictex.keystore" -storepass ovictex -file "C:\Program Files\Micro Focus\SMSSMEX\config\certs\getCert.cer"

  6. Import the answer from the Certificate Authority into the keystore. Use the same keystore file and alias the request was created from.

    keytool -import -v -alias <alias> -keystore <keystorefile> -storepass <password> -file <certificatefile>

    For example:

    keytool -import -v -alias ovictex -keystore "C:\Program Files\Micro Focus\SMSSMEX\config\certs\ovictex.keystore" -storepass ovictex -file "C:\Program Files\Micro Focus\SMSSMEX\config\certs\sap.p7b"

    To import the certificates into the truststore, use the same command as in the step above, but instead of <keystorefile> use the filename of the truststore (if it does not exist, it will be created automatically). For example:

    keytool -import -v -alias saproot -keystore "C:\Program Files\Micro Focus\SMSSMEX\config\certs\ovictex.truststore" -storepass ovictex -file "C:\Program Files\Micro Focus\SMSSMEX\config\certs\getCert.cer"
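
To confirm that both stores ended up with the entries listed at the top of this page, the output of `keytool -list -keystore <file> -storepass <password>` can be checked mechanically. The following is an added example, not part of the product documentation: it assumes the English-locale listing format and the aliases `ovictex` and `saproot` from the examples above, and the sample listings are constructed.

```python
import re

# Constructed `keytool -list` output (English locale) for the two stores built
# above; the fingerprints are placeholders, not real values.
KEYSTORE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ovictex, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
saproot, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""
TRUSTSTORE_LISTING = """\
Your keystore contains 1 entry

saproot, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""

# "<alias>, <date>, <entry type>," - the date itself contains a comma.
ENTRY = re.compile(r"^([^,]+), .*, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")

def parse_entries(listing):
    """Return {alias: entry type} from `keytool -list` output."""
    found = (ENTRY.match(line) for line in listing.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

def check_keystore(listing, key_alias, root_alias):
    """Keystore needs the SMSSMEX key entry plus the root CA that signed it."""
    entries, problems = parse_entries(listing), []
    if entries.get(key_alias) != "PrivateKeyEntry":
        problems.append(f"{key_alias}: expected PrivateKeyEntry, got {entries.get(key_alias)}")
    if entries.get(root_alias) != "trustedCertEntry":
        problems.append(f"{root_alias}: expected trustedCertEntry, got {entries.get(root_alias)}")
    return problems

def check_truststore(listing, root_alias):
    """Truststore needs the root CA; flag key material copied in by mistake
    (the no-private-key rule is an added check, not a stated SMSSMEX requirement)."""
    entries, problems = parse_entries(listing), []
    if entries.get(root_alias) != "trustedCertEntry":
        problems.append(f"{root_alias}: expected trustedCertEntry, got {entries.get(root_alias)}")
    problems += [f"{a}: {t} does not belong in a truststore"
                 for a, t in entries.items() if t != "trustedCertEntry"]
    return problems

if __name__ == "__main__":
    print(check_keystore(KEYSTORE_LISTING, "ovictex", "saproot"))
    print(check_truststore(TRUSTSTORE_LISTING, "saproot"))
```

An empty list means the store matches the expected layout. A key alias that still appears only as a `trustedCertEntry`, or not at all, indicates the CA reply in step 6 was imported under a different alias or into a different file than the one the request was created from.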