Changing Installed Certificates Used for SAP Mobile Server and SAP Control Center HTTPS Listeners

Both SAP Mobile Server and SAP Control Center include default certificates that are used for these components' HTTPS listeners. Since all installations use the same certificates by default, you must replace these certificates with production-ready ones after you install SAP Mobile Platform. SAP Mobile Server and SAP Control Center share the same keystore and truststore (that is, SMP_HOME\Servers\UnwiredServer\Repository\Security\).

To share certificates, SAP recommends that you maintain the existing certificate alias (that is, "sample1" or "sample2" depending on the profile used) in the new certificates. Then, when you replace the IIOPS default certificate with the new production certificate, you update the certificate for all listeners simultaneously.
Note: Because secure DCN has automatically been configured to use these same profiles by default, you are also updating the certificates used for secure DCN communication. If you want DCN to use a unique profile and certificates, see Securing DCN Communications.
  1. Generate new production-ready certificates:
    1. Use your PKI system to generate SAP Mobile Server certificates and key pairs, and have them signed with the Certificate Authority (CA) certificate used in your organization.
      Ensure that you:
      • Keep the required alias for your profile type.
      • Set the CN of the certificate to *.MyDomain. The truststore and keystore files, as well as the definitions for default and default_mutual profiles are then synchronized across the cluster. As a result, there will only ever be a single certificate shared by all nodes that are members of the same cluster.
      SAP Mobile Platform is compliant with certificates and key pairs generated from most well-known PKI systems.
    2. For SAP Control Center: generate a new certificate with a "jetty" alias. This replaces the default self-signed certificate installed for this component specifically.
  2. Import production-ready certificates, then update the security profile to associate these files with the SAP Mobile Server encrypted port.
    1. Use keytool to import the new production certificates into the primary SAP Mobile Server keystore.
    2. In the left navigation pane, select Configuration.
    3. In the right administration pane, click General then SSL Configuration.
    4. Optional. If you have used a different alias rather than keeping the alias "sample1", locate the profile name row and modify the alias name to match the one used by your certificate.
    5. Optional. If you are using a PKI system that includes OCSP, configure an OCSP responder. See Enabling OCSP.
  3. Replace the default certificate for SAP Control Center's HTTPS listener. Use keytool to import the new SAP Control Center certificate with the "jetty" alias to the SCC_HOME\keystore keystore.
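
An added example (not SAP code): a Python check over the text output of `keytool -list -v` that confirms a listener alias from the procedure above ("sample1", "sample2" or "jetty") is present, carries a private key, is CA-issued rather than self-signed, and, for the SAP Mobile Server alias, has a wildcard CN. The listing is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample of `keytool -list -v` output; DNs are illustrative only.
SAMPLE_LISTING = """\
Alias name: sample1
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.mydomain.example, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Corp Issuing CA, O=Example Corp
Issuer: CN=Example Corp Root CA, O=Example Corp

Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Constructed Default
Issuer: CN=localhost, OU=Constructed Default
"""

def parse_entries(listing):
    """Map alias -> entry type plus Owner/Issuer of the leaf (first) certificate."""
    entries, cur = {}, None
    for line in listing.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None and key in ("Entry type", "Owner", "Issuer"):
            cur.setdefault(key, value)  # first hit per alias is the leaf certificate
    return entries

def audit(listing, alias, wildcard_cn=False):
    """Return a list of problems for one listener alias; an empty list means it passes."""
    entry = parse_entries(listing).get(alias.lower())
    if entry is None:
        return [f"{alias}: alias missing from keystore"]
    problems = []
    if entry.get("Entry type") != "PrivateKeyEntry":
        problems.append(f"{alias}: no private key (certificate-only import)")
    owner = entry.get("Owner", "")
    if owner and owner == entry.get("Issuer"):
        problems.append(f"{alias}: self-signed, not issued by a CA")
    cn = re.search(r"CN=([^,]+)", owner)
    if wildcard_cn and not (cn and cn.group(1).startswith("*.")):
        problems.append(f"{alias}: CN is not a wildcard (*.MyDomain)")
    return problems
```

Run it against the real `keytool -list -v` output of each keystore after step 3: the SAP Mobile Server keystore for "sample1" or "sample2" (with `wildcard_cn=True`), and SCC_HOME\keystore for "jetty".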
Related concepts
SAP Mobile Server and SAP Control Center Communications