Doubts and clarification related to Certificates and SSL

Former Member
0 Kudos

Dear Experts,

After reading many blogs on SCN and SAP help content, I still have a few doubts which I want to clarify with you guys.

Our basis team has installed a brand new PI 7.4 (dual stack) server; we need to communicate with the bank using HTTPS (SSL). The bank has provided signed (VeriSign) test certificates (DigitalSignature.jks and SSL.jks) to install on our QA PI server. We need to use these certificates for transport-level security as well as for message-level security (digital signature from mapping). All our scenarios are Proxy to HTTP_AEE synchronous.

The bank has not asked us for any CSR generated from the QA PI server before sending this certificate to us; they said we can use this certificate for the DEV and QA environments. This project is a re-implementation project from SAP BC to SAP PI, so they also said we can use the same certificate (installed on BC prod) for the PI prod server.

Questions

  1. Can we install the same certificate on another server if the certificate is already in use on a different server? I think we cannot; please confirm.
  2. Is it mandatory to generate the CSR on the PI server and send it to the CA, so that the CA generates the certificate from the CSR and provides the certificate to install?
  3. While importing the certificates, in "Import Entry", which certificate needs to be selected if we have more than one .jks file? For example, in my case I have two certificates (DigitalSignature.jks and SSL.jks). Moreover, what should the "Entry Type" be among X.509 Certificate, PKCS#12 Key Pair and PKCS#8 Key Pair? Should the bank tell us this, in our case?
  4. Do we need more than one certificate if we have enabled SSL, I mean one separate certificate for SSL, as mentioned in this blog?
  5. Under which views should our certificate go, among ICM_SSL_<instance_ID>, TrustedCAs and service_ssl, if we are using SSL? And why? Please explain.
  6. Do we need to enable SSL on AS Java as well as AS ABAP? I think we only need to enable AS Java. Please confirm.

I have gone through the blogs mentioned below and many more, so please just try to help me get my answers.

Please help me as much as you can, as my basis guy does not have any prior experience installing certificates in PI. I have attached the certificates received from the bank.

Thanks,

Farhan

Accepted Solutions (1)

Former Member
0 Kudos

Hi Farhan,

I am no expert in certs but have worked with a few, and these are my findings.

Please see the answers below to your questions.

1. The answer is yes. We have done this. We integrated to a 3rd party system and they only had Development and Production systems. So for testing we implemented the same cert on our Dev and QA PI systems.

2. No, it is not. Not 100% sure why, but some 3rd parties give us a cert and if we install it the interface works fine without a CSR (I might be wrong).

3. We normally use X.509 Certificate.

4. Will have to test it. But one should work.

5. NWA -> Certificates -> Key Storage -> TrustedCA

6. Only on Java because it is only the java stack making the connection. If you go through the ABAP stack you would have needed to load the cert in STRUST.

Hope this helps.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus Botha,

Thanks a ton for answering my question. Highly appreciated, my friend. I am sorry for being late here.

Could you please help me install these certificates in the keystore. I have received two .jks files (DigitalSignature.jks and SSL.jks) from the bank, but I am not able to install them; whenever I try, it does not throw any error, but it does not install either. Below are the steps in the keystore I have tried.

NWA -> Certificates -> Key Storage -> TrustedCA -> Import Entry -> Entry Type -> X.509 Certificate -> select the .jks file -> Import

After that it does not throw any error, but it does not appear under "View Entries" either.

Could you please help me install it. Do you think I need to convert it to some other format?

Please help me here guys, as my deadline is very close.

Hi Roberto Viana, I followed your blog to install .jks files but I am still unable to achieve it, please help me.

Thanks,

Farhan

Former Member
0 Kudos

Hi Farhan -

You will need to convert the .jks to .p12 or .der using keytool and then import it into NWA. I don't recollect the syntax of this command-line tool, but you can find plenty of information on it on the net.

Regards,

Sameej

Former Member
0 Kudos

Hi Farhan,

Yes. No problem.

Ok, so there are no errors but it is not displaying the cert in the TrustedCA tab?

This could be because it is already installed. Can you please rename the file (cert) and import it again.

Can you please also confirm that the cert is 100% correct, that it has the entire certificate chain?

Try and send a message and see what error you get.

If the cert has not been installed it should give an error - ChainVerify etc.

Please check and let me know.

Regards,

Jannus Botha

Former Member
0 Kudos

Hello Sameej,

Thanks a lot for the response. I am in the process of converting from .jks to .der; I will update you if I succeed this way or if there are any issues.

Thanks,

Farhan

Former Member
0 Kudos

Hello Jannus Botha,

Thanks again.

  • Yes, there are no errors but it is still not displaying the cert in the TrustedCA tab.
  • I have tried renaming the files and importing again. However, it is still the same situation.
  • To check whether the certs are correct, I am not sure how to check; also, to check whether it has the entire certificate chain, I am not sure how to check.
  • I have only 2 certificate files (DigitalSignature.jks and SSL.jks); do you think I need to ask the bank for anything else apart from these two files?
  • Could you please let me know whether the below process of importing certs is ok?

NWA -> Certificates -> Key Storage -> TrustedCA -> Import Entry -> Entry Type -> X.509 Certificate -> select the .jks file -> Import

Your help is highly appreciated.


Thanks,

Farhan

Former Member
0 Kudos

Hi Farhan,

I am not sure about .jks files.

But certainly you can convert it into PKCS#12 or an X.509 certificate with the help of the openssl command in Linux, or install Cygwin.

Former Member
0 Kudos

Hello guys,

I am getting the below exception while installing the certificate files. Any idea?

ERROR:  -> iaik.asn1.CodingException: ASN.1 creation error: iaik.asn1.CodingException: Length: Too large ASN.1 object: 109

Thanks,

Farhan
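The exception above is what you get when NWA's X.509 importer is handed something that is not ASN.1 at all: a .jks file is a Java keystore container, not a certificate, so the IAIK ASN.1 decoder fails on its first bytes. The following added example (not from this thread, Sameej's or Jannus's posts) first sniffs what a file from the bank really is from its magic bytes, counts the certificates in a PEM file to answer Jannus's "does it have the entire chain" question, and then wraps the keytool conversions Sameej refers to. It assumes keytool (from a JDK) is on PATH for the conversion functions only; the sniffing functions need just od and grep. The keystore paths and aliases in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: identify what a file really is before
# importing it into NWA, and convert a JKS keystore with keytool.
# Assumes keytool (JDK) is on PATH for the jks_* functions; the sniffing
# functions need only od and grep.

# Print the container format guessed from the first four bytes:
#   JKS    - Java keystore (magic FE ED FE ED); NWA's X.509 importer cannot read it
#   JCEKS  - Java JCE keystore (magic CE CE CE CE)
#   PEM    - Base64 text starting with "-----BEGIN ..."
#   DER    - binary ASN.1 SEQUENCE (tag 0x30): an X.509 certificate or a PKCS#12 file
sniff_cert_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        2d2d2d2d) echo PEM ;;
        30*)      echo DER ;;
        *)        echo UNKNOWN ;;
    esac
}

# Number of certificates in a PEM file; a full chain (leaf plus intermediates,
# optionally the root) gives more than one, a bare leaf gives exactly one.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# List what the keystore holds (aliases, entry types, chain length per entry).
# keytool prompts for the keystore password, which the bank must supply.
jks_list() {          # jks_list store.jks
    keytool -list -v -keystore "$1"
}

# Export one entry's certificate (public part only) as PEM; this is what goes
# into a trust view such as TrustedCAs.
jks_export_cert() {   # jks_export_cert store.jks alias out.pem
    keytool -exportcert -keystore "$1" -alias "$2" -rfc -file "$3"
}

# Convert the whole keystore, private keys included, to PKCS#12; this is the
# form to import as a "PKCS#12 Key Pair" entry in NWA key storage.
jks_to_p12() {        # jks_to_p12 store.jks out.p12
    keytool -importkeystore -srckeystore "$1" -srcstoretype JKS \
            -destkeystore "$2" -deststoretype PKCS12
}

# Usage (hypothetical paths): ./certcheck.sh SSL.jks DigitalSignature.jks
if [ $# -gt 0 ]; then
    for f in "$@"; do
        fmt=$(sniff_cert_format "$f")
        echo "$f: $fmt"
        if [ "$fmt" = PEM ]; then
            echo "  certificates in file: $(pem_cert_count "$f")"
        fi
    done
fi
```

Run the sniffer on the two files first: a result of JKS explains the ASN.1 error and means the file must be listed and converted with keytool before NWA will accept it, and a DER result is ambiguous between a plain certificate and a PKCS#12 bundle, which is exactly the X.509 Certificate versus PKCS#12 Key Pair choice in the Import Entry dialog.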

Former Member
0 Kudos

Hi Farhan,

Ok. There is always a possibility that the cert they provided is incorrect. But we will confirm that now.

  1. If you open the cert, what do you see?
    • We are looking for 3 tabs:
      • General (when the cert will expire, etc.)
      • Details (who issued the cert, public key, etc.)
      • Certification Path (this is where you can see if it has a chain or not)
    • Certification Path. You are looking for something like the following (this is an example; yours will not have these names):
      • Verisign
        • Verisign HighAssurance CA-3
          • *.blahblahblah.com
    • If you can confirm that the cert has a chain and is still valid, then we are on the right path.
  2. Please follow the link below on how to import the cert.
  3. Please rename your cert with the extension ".cer". This should make it possible to open it by double-clicking on it.

Try all these and let me know. Then we will take it from there.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus Botha,


Thanks a lot for the nice description. In my case the certificate is encrypted and I am hardly able to read a few words and characters from it.

I tried renaming with the ".cer" extension, but the content is still encrypted. I am attaching screenshots from both certificate files.

I believe I will have to decrypt it first to some readable format; only then can I verify whether this format is correct or not. Please suggest if you know any better option.


Former Member
0 Kudos

Hi Farhan,

You are using HTTP_AAE as your target communication channel, correct? Do you have the URL you are sending the messages to?

Can you please enter that URL in Internet Explorer and click on the broken certificate icon to the right of the URL. This will give you the cert, which you can download and save in Internet Explorer. Once you save it in Internet Explorer you can export it as a cert and use it in PI.

If that fails, please ask the guys to send you a new certificate which is not encrypted.

Regards,

Jannus Botha

Former Member
0 Kudos

Dear Jannus Botha,

Sorry for being late here again. Yes, I am using HTTP_AAE as the target communication channel, and your approach worked for getting the certificate that way as well.

However, I communicated with the bank again to get the certificates in the form of ".crt" and they have now given them.

I have just one last question and then I will close this thread, as you have answered almost all my questions.

The bank said: "Both the files (DigitalSignature.crt and SSL.crt) are private keys, one is for SSL and one for digital signature. The public keys are kept on our (bank) side; the corresponding public key for SSL.crt is installed on our web server for SSL authentication and the corresponding public key for DigitalSignature.crt is kept on our app server for digital signature authentication."

Question

  1. Do I need to put both the private keys in TrustedCAs only, or in a different key storage view? I confirmed with the bank that these private keys were just created by the bank web server, as this is just for testing purposes. For your information, we are implementing SSL for transport-level security; also, I have written custom Java code to access keys from the keystore manager and apply a digital signature at the mapping level for message-level security of the outgoing payload.
  2. Please suggest the right approach.

Thanks a ton for your all help my friend.

Regards,

Farhan

Former Member
0 Kudos

Hi Farhan,

That is excellent news. I would suggest that you load both certs into TrustedCAs and key storage.

Not 100% sure how the bank configured the certs to respond but loading both should do the trick.

Just a reminder to do a monthly check on when your certs expire in the production environment, so that if you need to renew your certs you are not too late.

It is no problem.

Good luck and let me know if you need any additional help.

Regards,

Jannus Botha
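The monthly expiry check Jannus recommends above is easy to script once the certificates have been exported from the NWA key storage as PEM files. The following added example is not from the thread; it assumes openssl is on PATH and uses its -checkend option, which exits non-zero when a certificate will expire within the given number of seconds. The export paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: scripted expiry check for exported
# certificates, suitable for a monthly cron job. Assumes openssl on PATH.

# Return 0 if the certificate in $1 is still valid $2 days from now, 1 if it
# will have expired by then (openssl -checkend takes seconds).
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Report every certificate file that expires within $1 days.
# Prints one line per file and returns 1 if any certificate needs renewal,
# so the cron job's exit status can raise an alert.
check_expiry() {
    warn_days="$1"; shift
    status=0
    for cert in "$@"; do
        if cert_ok_for_days "$cert" "$warn_days"; then
            echo "OK     $cert: valid for at least $warn_days more days"
        else
            echo "RENEW  $cert: expires within $warn_days days (or already expired)"
            status=1
        fi
    done
    return $status
}

# Usage (hypothetical paths):
#   check_expiry 30 /secstore/export/SSL.pem /secstore/export/DigitalSignature.pem
if [ $# -gt 0 ]; then
    check_expiry "$@"
fi
```

Pick the warning window to match your CA's renewal lead time; 30 days is a common choice for a monthly run, since it guarantees at least one warning before expiry.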

Former Member
0 Kudos

Thanks, and I appreciate your continuous help, Jannus Botha. For now I am closing this thread.

If anyone is referring to this thread, please read the entire thread, not just the correct answer.


Thanks,

Farhan

Answers (1)

Former Member
0 Kudos

Hello Experts,

Any help or pointers on the above questions please.

Thanks,

Farhan

Former Member
0 Kudos

Hello Experts,

I am eagerly waiting for the response for my above questions. Please help me.

Thanks,

Farhan

Former Member
0 Kudos

Dear Experts,

A gentle reminder for my above questions, guys. Please help me.

Thanks,

Farhan