Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
Former Member

1.  Prerequisite

2.  Configure an SAP JCO Connection to a SAP EIS

Log on SCC, Go to Connection on the domain you want to configure:



3.  Generating a X509 certificate for SUP server

  • Generate certificate request :

sapgenpse.exe get_pse  -p SNCTEST.pse –r abc.req –x abcpin “CN=hostname_supserver,OU=org,C=FR”

  • Get certificate sign by CA:

  • Generate credential file  to initialize a new keystore for usage :

Sapgenpse seclogin –p SNCTEST.pse –O USERname –x Password03

  • Import the SUP certificate into the SUP server keystore:

keytool -import -keystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\keystore.jks -alias SUP22 -file  certnew.cer

4.  Import sup certificate into SAP EIS

Transaction STRUST:

Add to Certificate List and SAVE.

5.  Obtain SAP EIS P12

Transaction STRUST :

Deploy  SSL server standard, and select the node and click on create Certification request :

Copy it in file my.key


Wrong screen shot export it as Base 64 :

Rename it as SAP_T2J.pem

Download CA certificate named rootca.pem

Generate private key from certificate :

[root@sapT2J]#  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out SAP_T2J.pem

Generating a 2048 bit RSA private key



writing new private key to 'privateKey.key'


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:pays

State or Province Name (full name) []:dep

Locality Name (eg, city) [Default City]:city

Organization Name (eg, company) [Default Company Ltd]:mycompany

Organizational Unit Name (eg, section) []:org

Common Name (eg, your name or your server's hostname) []:sapt2j

Email Address []

[root@sapT2J]# ls

cert_T2J.cer  privateKey.key  rootca.pem SAP_T2J.pem 

Use changeit as password :

[root@sapT2J]# openssl pkcs12 -export -out SAP_T2J.pfx -inkey privateKey.key -in SAP_T2J.pem -certfile rootca.pem

Enter Export Password:

Verifying - Enter Export Password:

[root@sapT2J]# ls

cert_T2J.cer  my_key.pem privateKey.key  rootca.cer  rootca.pem SAP_T2J.pem  SAP_T2J.pfx

6.  Import Root CA in SAP EIS

Follow the steps to import the CA to Database

In the Trust Manager double click on your SSL server node. In the middle part, Certificate, click on the import certificate button, choose file format as Base64 (Change according to your scenario) and choose the Root CA exported to your local directory ( or downloaded ) and Enter

Now you will be able to see that certificate in the certificate maintenance part of your SSL server PSE:

Click on the export certificate  and on the next screen choose the Database tab

Create an entry for your new root certificate. Naming conventions apply.  In the Trust Center filed enter a name starting with ZZ or YY ( ALL CAPS). Enter the category as Root CA and enter a description and enter:

Your root CA is now in your certificate database. You can verify the root CA by clicking on the database tab.

7.  Keystore: Importing a X509 Certificate and Private Key for SAP.

Copy file SAP_T2J.pfx obtain  in c:\sapcryptolib.

keytool -v –importkeystore -srckeystore  SAP_T2J.pfx -srcstoretype PKCS12 -destkeystore    c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\keystore.jks -deststoretype JKS 

Truststore: Installing and CONFIGURING CERTIFICATES on SUP serverImport the SAP system’s certificate into the Unwires Server truststore :

keytool -v –importcert -keystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\truststore.jks  -file C:\sapcryptolib\SAP_T2J.pem

8.  Creating and Assigning a Security Configuration That Uses X.509 Credentials

Log on scc , go to Security and on tab General click on New :

Enter name and OK

Go to the new entry on left pat and in tab authentication (right part), click on new to create a  provider:


Then Delete NoSecLoginModule :


Go to General tab and validate and apply if everything is ok.


Labels in this area