Generating and Installing an X.509 Test Certificate on Unwired Server

Generate an X.509 certificate on Unwired Server to use in testing SSO connections with SAP Systems.

These instructions describe how to generate an X.509 certificate for testing SAP and SSO only. In a production environment, a different entity controls certificate management. For example, an SAP system administrator controls certificate generation and management for his or her particular environment, including maintaining the certificate list in a Personal Security Environment (PSE) with trust manager.

Note: When the CertificateAuthenticationLoginModule gets a certificate from a client, it can optionally validate that it is a trusted certificate. The easiest way to support validation is to import the CA certificate into the <UnwiredPlatform_InstallDir>/Servers/UnwiredServer/Repository/Security/truststore.jks file, which is the default Unwired Server truststore.
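One way to perform the truststore import described in the note above, using the JDK keytool utility. This is an added example, not part of the original instructions; it assumes keytool is on the PATH, and the install directory, CA certificate path, and alias are placeholders.

```powershell
# Added example: import a test CA certificate into the default Unwired Server truststore.
# All values below are placeholders or hypothetical names; adjust to your installation.
$ErrorActionPreference = 'Stop'
$InstallDir = 'C:\path\to\UnwiredPlatform'   # placeholder for <UnwiredPlatform_InstallDir>
$CaCert     = 'C:\path\to\test-ca.cer'       # placeholder: CA certificate that issued the test certificate
$Alias      = 'sso-test-ca'                  # hypothetical alias for the truststore entry
$TrustStore = Join-Path $InstallDir 'Servers\UnwiredServer\Repository\Security\truststore.jks'

foreach ($p in $CaCert, $TrustStore) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

# 1. Print subject, issuer, validity and fingerprints so they can be compared
#    with the values obtained from the CA owner before anything is trusted.
& keytool -printcert -file $CaCert
if ($LASTEXITCODE -ne 0) { throw 'keytool could not read the certificate file' }

# 2. Keep a timestamped copy of the truststore so the change can be rolled back.
$Backup = "$TrustStore.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item $TrustStore $Backup

# 3. Import the CA certificate. -storepass and -noprompt are left out on purpose:
#    keytool prompts for the password (keeping it out of the process command line
#    and shell history) and asks for confirmation after displaying the certificate.
& keytool -importcert -alias $Alias -file $CaCert -keystore $TrustStore
if ($LASTEXITCODE -ne 0) { throw "Import failed; the original truststore is saved at $Backup" }

# 4. Confirm that the entry exists and that its fingerprint matches step 1.
& keytool -list -v -alias $Alias -keystore $TrustStore
```

Because the certificate is for testing only, remove the entry with `keytool -delete -alias <alias> -keystore <truststore>` once testing is complete.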

Use the SAPGENPSE utility to create a PSE certificate to use for testing. See http://help.sap.com/saphelp_nw04s/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm. The basic steps are:

  1. Generate the certificate from the C:\sso\sapcryptolib directory:
    sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
  2. Copy the PSE certificate (for example, SNCTEST.pse) to the location of your installed SAP cryptographic libraries, for example, C:\sapcryptolib.
  3. Generate a credential file (cred_v2) from the C:\sapcryptolib directory:
    sapgenpse seclogin -p SNCTEST.pse -O DOMAIN\your_name_here -x password
    Note: The user generating the certificate must have the same user name as the process (mlserv32.dll or eclipse.exe) under which the Unwired Platform service runs.