Managing Keystore and Truststore Certificates

SAP Mobile Platform uses a shared keystore and truststore to store private and public keys.

Keystore

The keystore contains private keys and their associated certificates for use by SAP Mobile Platform to identify itself to clients (using the server certificate) or to back-end systems (using the techical user certificates). The keystore also contains public certificates of trusted entities, typically the CA signing certificates of the back-end systems it will connect to, and the certificate used to sign client user certificates.

Administrators can make changes to the keystore using the keytool utility located in SMP_HOME\sapjvm_7\bin.

Truststore

The truststore contains certificates from external parties, or from certificate authorities trusted to identify other parties.

• Certificate Alias
  A certificate alias is the name given to a CA certificate located in the keystore.
• Generating Certificates and Keys
  Use a PKI system and a trusted CA to generate production-ready certificates and keys that encrypt communication among different SAP Mobile Platform components. You can then use the keytool utility to import and export certificate to the keystore.
• Changing Installed Certificates Used for HTTPS Listeners
  SAP Mobile Platform Server includes a default self-signed certificate. You must change this default certificate with a production-ready certificate after you install SAP Mobile Platform. For shared certificates, SAP recommends that you maintain the existing certificate alias when importing the new certificates. Then, when you replace the default certificate with the new production certificate, you are updating change the certificate for all listeners simultaneously.
• Changing Keystore and Truststore Passwords
  The SAP Mobile Platform (used by both SAP Mobile Platform Server and Management Cockpit to manage certificates and keys) keystore and truststore locations are protected by a password. In production environments, the initial keystore password is set during installation. The keystore password must be the same as all the private key passwords associated with the aliases in the store.
• Keystore/Truststore Properties
  The SMP_HOME\Server\configuration\smp_keystore.jks file contains properties for the combined SAP Mobile Platform truststore and keystore.