Recently we renewed the SSL certificates for the OpenText, Vertex and BODS (Data Services) interfaces, which are hosted on Windows and connect to an SAP S/4HANA system. All three interfaces are well known and widely used with SAP systems. The SSL certificate renewal process is very similar for all of them, because Tomcat provides the SSL functionality in each case. We will use keytool to generate the CSR and install the certificate on Windows.
1. The first step is to find out how the existing SSL setup was done. Check the installation directories of the applications (OpenText, Vertex, BODS), and also check under which Windows drive the tomcat\conf folder is maintained. There you will find a server file with the extension .xml (server.xml). This is the file around which the entire process revolves.
2. The server.xml file looks like below when you open it in Notepad. Basically you need to find the section where a .jks or .p12 file is mentioned with its path.
Sample paths to the server.xml file for the interfaces:
Data Services (BODS) – D:\SAP BusinessObject\Tomcat\conf\server.xml
OpenText – C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml
Note: The above paths are given for example purposes only; they may differ in your environment, so check accordingly before proceeding.
3. Now we need the keytool application to generate the CSR and install the certificates. Use 'keytool.exe' from the 'javasdk\bin', 'java\bin' or 'sapjvm\bin' folder, whichever is present on your Windows server.
4. To generate the CSR, use the command prompt (cmd) of the Windows server where the application is installed, opened in administrator mode.
5. Before running the keytool command below, navigate to the path where keytool is present. For simplicity, create a folder SSL2 in the C drive; we will use that folder to place all the new files generated from now on.
After that run the command below:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias <your Alias> -ext SAN=dns:<your required dns> -keystore C:\SSL2\XYZ.jks -storetype JKS -dname "EMAILADDRESS=<Email Details>,CN=<your data>,O=<your data>,L=<your data>,C=<your data>"
Note: The CN, O, L and C values can be found in your old certificate, under the Details tab, Subject field.
This will ask for a keystore password. I would prefer to give the same password that was used for the previous .jks file, so kindly enter the password that is maintained in server.xml. Refer to the first screenshot of this blog, i.e. step 2.
Note: As per the above screenshot, my keytool executable is present under E:\SAP BusinessObject\SAP BusinessObject Enterprise XI 4.0\win64_x64\sapjvm\bin, so I navigated to this path and then ran the command.
6. The next step is to generate the certificate request. Use the command below for this.
keytool -certreq -file C:\SSL2\ABC.csr -keystore C:\SSL2\XYZ.jks -alias <Your Alias> -ext SAN=dns:<your required dns> -dname "EMAILADDRESS=<Email Details>,CN=<your data>,O=<your data>,L=<your data>,C=<your data>"
Note: In the above screenshot, multiple DNS entries have been added to the SAN, so add entries according to your requirement.
Here, use the same keystore password that you used in step 5.
7. An important point is to note down the alias name that you used to create the .jks and .csr files. It must be the same, and the same alias needs to be used when importing the certificate into the .jks file.
8. Step 6 will generate the ABC.csr file in the SSL2 folder on the C drive. Share this file with the certification authority and get it signed. The certification authority will generate the certificate and share it with you. Validate the SAN (DNS names) and the validity period of the new certificate. Export the root and intermediate certificates from this certificate and place them in the SSL2 folder as well.
9. To import the certificate, you basically have to import the root, intermediate and server certificates into the XYZ.jks file that was generated in step 5.
10. Use the commands below to import the certificates into the XYZ.jks file, which is ultimately referenced in server.xml to provide the SSL functionality.
- keytool -import -trustcacerts -alias ROOT -file C:\SSL2\<Root_certificate_name.cer> -keystore C:\SSL2\XYZ.jks
- keytool -import -trustcacerts -alias Intermediate -file C:\SSL2\<Intermediate_certificate_name.cer> -keystore C:\SSL2\XYZ.jks
- keytool -import -trustcacerts -alias <Your alias> -file C:\SSL2\<Your_New_certificate.cer> -keystore C:\SSL2\XYZ.jks
11. After executing the first (root certificate) command it will prompt for the keystore password; use the password that has been used throughout to generate the CSR. The next prompt will be 'Trust this certificate?', where you have to type yes.
12. In this way you have to add all three certificates to your XYZ.jks file.
Note: When adding the root and intermediate certificates the message will be 'Certificate was added to keystore', and for the final server certificate the message will be 'Certificate reply was installed in keystore'.
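The keystore part of the procedure (steps 5, 6 and 10 to 12) as a PowerShell script. This is an added example, not code from the original post or from any of the products mentioned; the keytool path, alias, DNS names, -dname values and file names are placeholders or constructed sample values. It passes the keystore password to keytool through an environment variable (keytool's -storepass:env / -keypass:env options) so the password is not typed at every prompt and does not show up on the command line, and it ends with a check that the alias really holds a private key, the full chain and every expected DNS SAN before server.xml is touched.

```powershell
# Added example (not part of the original post): steps 5, 6 and 10-12 scripted.
# Paths, alias, SAN list and -dname values are placeholders / constructed samples.
$ErrorActionPreference = 'Stop'

$WorkDir    = 'C:\SSL2'
$KeytoolDir = 'E:\SAP BusinessObject\SAP BusinessObject Enterprise XI 4.0\win64_x64\sapjvm\bin'  # as in the step 5 note; adjust
$Keystore   = Join-Path $WorkDir 'XYZ.jks'
$CsrFile    = Join-Path $WorkDir 'ABC.csr'
$Alias      = 'tomcat'                                     # must match keyAlias in server.xml
$DnsNames   = @('bods.example.corp', 'bods')               # constructed sample SANs
$DName      = 'EMAILADDRESS=basis@example.corp,CN=bods.example.corp,O=Example Corp,L=Pune,C=IN'  # copy from old cert Subject

$keytool = Join-Path $KeytoolDir 'keytool.exe'
# One SAN extension string reused by -genkeypair and -certreq, e.g. SAN=dns:a,dns:b
$SanExt  = 'SAN=' + (($DnsNames | ForEach-Object { "dns:$_" }) -join ',')

# Ask for the keystore password once (the one in server.xml) and hand it to
# keytool via an environment variable, so it is neither retyped nor visible
# in the process command line.
$secure = Read-Host 'Keystore password (same as in server.xml)' -AsSecureString
$env:KS_PASS = [pscredential]::new('unused', $secure).GetNetworkCredential().Password

function Invoke-Keytool {
    param([string[]]$Arguments)
    & $keytool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($Arguments -join ' ')" }
}

function New-RenewalCsr {
    # Step 5: new RSA-2048 key pair in a fresh JKS; step 6: CSR with the same SAN list.
    if (Test-Path $Keystore) { throw "$Keystore already exists; refusing to overwrite it" }
    Invoke-Keytool @('-genkeypair', '-keyalg', 'RSA', '-keysize', '2048', '-alias', $Alias,
        '-ext', $SanExt, '-keystore', $Keystore, '-storetype', 'JKS', '-dname', $DName,
        '-storepass:env', 'KS_PASS', '-keypass:env', 'KS_PASS')
    Invoke-Keytool @('-certreq', '-alias', $Alias, '-ext', $SanExt, '-file', $CsrFile,
        '-keystore', $Keystore, '-storepass:env', 'KS_PASS', '-keypass:env', 'KS_PASS')
    return $CsrFile
}

function Import-SignedChain {
    # Steps 10-12: root and intermediate first, then the CA reply under the key's own alias.
    param([string]$RootCer, [string]$IntermediateCer, [string]$ServerCer)
    $entries = @(@('ROOT', $RootCer), @('Intermediate', $IntermediateCer), @($Alias, $ServerCer))
    foreach ($e in $entries) {
        Invoke-Keytool @('-importcert', '-trustcacerts', '-noprompt', '-alias', $e[0], '-file', $e[1],
            '-keystore', $Keystore, '-storepass:env', 'KS_PASS')
    }
}

function Test-KeystoreChain {
    # Check before touching server.xml: the alias must hold a private key, a
    # chain longer than the bare leaf, and every expected DNS SAN.
    $out  = & $keytool @('-list', '-v', '-alias', $Alias, '-keystore', $Keystore, '-storepass:env', 'KS_PASS')
    $text = $out -join "`n"
    $ok = $true
    if ($text -notmatch 'Entry type:\s*PrivateKeyEntry') { Write-Warning "$Alias is not a PrivateKeyEntry"; $ok = $false }
    if ($text -match 'Certificate chain length:\s*(\d+)') {
        if ([int]$Matches[1] -lt 2) { Write-Warning "chain length is $($Matches[1]); CA reply probably not installed"; $ok = $false }
    }
    foreach ($d in $DnsNames) {
        if ($text -notmatch "DNSName:\s*$([regex]::Escape($d))") { Write-Warning "SAN $d missing"; $ok = $false }
    }
    return $ok
}

# Usage (two sessions: CSR first, import only after the CA returns the signed files):
#   New-RenewalCsr
#   Import-SignedChain -RootCer "$WorkDir\root.cer" -IntermediateCer "$WorkDir\intermediate.cer" -ServerCer "$WorkDir\server.cer"
#   if (-not (Test-KeystoreChain)) { throw 'keystore is not ready for server.xml' }
#   Remove-Item Env:\KS_PASS
```

The script refuses to overwrite an existing XYZ.jks so an earlier keystore (and its private key) cannot be lost by rerunning step 5, and Test-KeystoreChain reads the same 'keytool -list -v' output you would inspect by hand, so a missing intermediate or a wrong alias is caught before Tomcat is restarted.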
13. The next step is to maintain this XYZ.jks file in server.xml. Make sure you take a backup of server.xml before editing it. To edit the file, open Notepad in administrator mode and then edit the file.
14. After maintaining the XYZ.jks file and keystore password in server.xml, you need to restart the Tomcat service in Windows for the new SSL certificate to take effect. Maintain the certificate in the SAP STRUST SSL folders as well for the SSL handshake.
15. Access the HTTPS URL of the concerned interface to validate the certificate. For OpenText you can validate the Tomcat URL, for Vertex its application URL, and for BODS use the CMC or Data Management Console URL to validate the change.
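Steps 13 and 14 scripted in PowerShell. This is an added example, not code from the original post or from any of the products; the server.xml path, alias and Windows service name are placeholders (the service name in particular is hypothetical and must be looked up with Get-Service). It takes a timestamped backup first, then edits the HTTPS connector as XML instead of by hand, handling both the classic keystoreFile/keystorePass attributes on the Connector and the nested SSLHostConfig/Certificate form that Tomcat 8.5+ also accepts, and finally restarts the service.

```powershell
# Added example (not part of the original post): back up server.xml, point the
# HTTPS connector at the new keystore and restart Tomcat (steps 13 and 14).
# Path, alias and service name are placeholders; adjust them to your server.
$ErrorActionPreference = 'Stop'

$ServerXml   = 'D:\SAP BusinessObject\Tomcat\conf\server.xml'   # BODS path from the post; OpenText/Vertex differ
$NewKeystore = 'C:\SSL2\XYZ.jks'
$KeyAlias    = 'tomcat'                                         # alias used with keytool -genkeypair
$ServiceName = 'BOEXI40Tomcat'                                  # hypothetical; confirm with: Get-Service *tomcat*

function Update-TomcatKeystore {
    param([string]$Path, [string]$KeystoreFile, [string]$KeystorePass, [string]$KeyAlias)

    # Timestamped backup next to the original, as step 13 requires.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $connectors = @($doc.SelectNodes('//Connector[@SSLEnabled="true"]'))
    if ($connectors.Count -eq 0) { throw "no Connector with SSLEnabled=""true"" found in $Path" }

    foreach ($c in $connectors) {
        # Tomcat 8.5+ configs may keep the keystore on a nested
        # <SSLHostConfig><Certificate .../>; older ones put it on the Connector.
        $cert = $c.SelectSingleNode('SSLHostConfig/Certificate')
        if ($cert) {
            $cert.SetAttribute('certificateKeystoreFile', $KeystoreFile)
            $cert.SetAttribute('certificateKeystorePassword', $KeystorePass)
            $cert.SetAttribute('certificateKeyAlias', $KeyAlias)
        } else {
            $c.SetAttribute('keystoreFile', $KeystoreFile)
            $c.SetAttribute('keystorePass', $KeystorePass)
            $c.SetAttribute('keyAlias', $KeyAlias)
        }
    }
    $doc.Save($Path)
    return $backup
}

function Restart-TomcatService {
    param([string]$Name)
    Restart-Service -Name $Name
    # Block until Windows reports the service running again (or give up after 2 minutes).
    (Get-Service -Name $Name).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}

$secure = Read-Host 'Keystore password used with keytool' -AsSecureString
$pass   = [pscredential]::new('unused', $secure).GetNetworkCredential().Password
$backup = Update-TomcatKeystore -Path $ServerXml -KeystoreFile $NewKeystore -KeystorePass $pass -KeyAlias $KeyAlias
Write-Host "server.xml updated; backup written to $backup"
Restart-TomcatService -Name $ServiceName
```

Run it from an elevated PowerShell, since server.xml under Program Files and the service restart both need administrator rights; if Tomcat does not come back, restore the .bak file that the function returns and restart again.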
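Step 15 done from PowerShell rather than by clicking through a browser. This is an added example, not code from the original post or from the products discussed; the host name is a constructed sample and the expected SHA-256 fingerprint is a placeholder you take from the 'Certificate fingerprint (SHA-256)' line that keytool -list prints for your alias in XYZ.jks. It connects to the HTTPS port, reads the certificate Tomcat actually serves, and reports whether the validity, the DNS SAN, the chain (against this machine's Windows trust store) and the fingerprint match what you just imported, which also tells you whether the restart really picked up the new keystore.

```powershell
# Added example (not part of the original post): validate the certificate that
# the interface's HTTPS URL now serves (step 15). Host name and expected
# fingerprint are placeholders.
$ErrorActionPreference = 'Stop'

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents here: this callback only lets us
        # read the certificate, the real checks happen in Test-ServedCertificate.
        $cb  = [Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [Net.Security.SslStream]::new($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return [Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ServedCertificate {
    param([string]$HostName, [int]$Port = 443, [string]$ExpectedSha256, [int]$MinDaysLeft = 30)
    $cert = Get-ServedCertificate -HostName $HostName -Port $Port

    # SHA-256 over the DER bytes, colon separated like keytool's fingerprint line.
    $sha256 = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData))) -replace '-', ':'
    # DNS SANs as PowerShell exposes them on X509Certificate2 (exact match only, no wildcard logic).
    $dns    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    # Chain built against the Windows trust store of the machine running this script.
    $chain   = [Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        ValidityOk    = $cert.NotAfter -gt (Get-Date).AddDays($MinDaysLeft)
        SanOk         = $dns -contains $HostName
        ChainOk       = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        NewCertServed = (-not $ExpectedSha256) -or ($sha256 -eq $ExpectedSha256.ToUpper())
        Sha256        = $sha256
    }
}

# Usage, e.g. for the BODS CMC host (constructed name; fingerprint from keytool -list):
#   Test-ServedCertificate -HostName 'bods.example.corp' -ExpectedSha256 'AB:CD:...'
```

NewCertServed being false while the keystore check passed means Tomcat is still serving the old certificate, typically because server.xml points at the wrong connector or the service was not actually restarted; ChainOk being false with SanOk true usually means the root or intermediate is missing from the keystore or from the client's trust store.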
Useful keytool commands:
To list the certificates added to the XYZ.jks file:
keytool -list -keystore <path/XYZ.jks> -storepass <Keystore_password>
To delete a certificate from the XYZ.jks file:
keytool -delete -alias <your_alias> -keystore <path/XYZ.jks> -storepass <Keystore_password>
I request all readers to drop their feedback or thoughts in the comments, and also to post any questions they have; I will try to answer to the best of my knowledge and research.
Do follow my profile to see more useful content related to SAP BASIS and HANA topics in the near future.