Making External Server Certificates Trusted

Use

If you received your server certificate from a non-SAP certification location that is not listed in SAP Note 602993, you must import the server certificate of the non-SAP certification location or its Root Certificate into the trust store of the client.

Use Sun Microsystems’ Keytool to import the server certificate or root certificate. Keytool is a tool for the administration of keys and certificates.

Prerequisites

?     JDK / JRE 1.3.x or JDK / JRE 1.4.x (the Keytool of Sun Microsystems is shipped with JDK / JRE 1.3.x and JDK / JRE 1.4.x).

?     The client is installed on a Windows 32 platform or on a PDA with Pocket PC 2002 or Windows Mobile.

?     When you install the client on a Windows 32 platform, use either the uncompressed variant of client setup to perform the subsequent configurations, or do it on the installed client on the mobile device.

?     If the client is installed on a PDA with Pocket PC 2002 or Windows Mobile, you must already have performed the first steps described under Preconfiguring on Windows Mobile Platforms.

Procedure

...

       1.      Copy your server certificate file into the <Installation directory of SAP MI>\settings directory.

       2.      Start the entry prompt.

       3.      Switch to the <Installation directory of SAP MI>\settings directory.

       4.      Enter <JAVA_HOME>\bin\keytool -import -alias <alias-name> -file <server-certificate-file> –keystore truststore.

You can choose any alias name. We recommend that you enter the same name as for the server certificate file.

<JAVA_HOME>\bin\keytool -import -alias TestCA -file TestCA.cer –keystore truststore

       5.      As keystore password, enter access if you are asked to do so in the entry prompt.

       6.      Confirm the Trust this certificate? query with yes.

       7.      Delete the server certificate file copied in step 1. This file is no longer needed since its contents were imported into the trust store.

       8.      Check the contents of the trust store by entering the following in the entry prompt: <JAVA_HOME>\bin\keytool –list –v –keystore truststore –storepass access. In this way, you can verify that the certificate you just imported exists in the trust store.

Result

The server certificate from the non-SAP certification location or its root certificate is imported into the trust store of the client.

Make sure that the user selects the uncompressed variant of the setup, which you configured as described above, when installing the client on a Windows 32 platform. The user must use the modified CAB file in the installation on a PDA with Pocket PC 2002 or Windows Mobile.