Changing Installed Certificates Used for Encryption

SAP Mobile Server includes default certificates for all listeners. Since all installations use the same certificates by default, you must change these certificates with production-ready ones after you install SAP Mobile Platform.

TLS/SSL/HTTPS all use default certificates that require changing. Use SAP Control Center to manage certificates for the encryption of replication, DCN, OData, and DOE listeners. These listeners all use the key store (keystore.jks), and require mutual certificate authentication. To change the default certificates:

  1. Generate new production-ready certificates. Use a PKI system to ensure that the generated certificates and key pairs are signed by the certificate authority (CA) certificate that is widely trusted in your organization. SAP Mobile Platform is compliant with certificates and key pairs generated from most well-known PKI systems.
  2. Import production-ready certificates, then update the security profile to associate these files with the SAP Mobile Server encrypted port.
    1. Use SAP Control Center to import the new production certificates into the primary SAP Mobile Server keystore, if that listener requires it.
    2. Configure the listener properties.
    3. (Optional) If you are using a PKI system that includes OCSP and OCSP can be used by the listener, configure an OCSP responder. See Enabling OCSP.
Parent topic: Encrypting Synchronization for Replication Payloads
Next topic: Modifying Default Synchronization Listener Properties with Production Values
Related reference
Key Creation (createkey) Utility